Snort mailing list archives

P2P Gnutella Signature: does a more precise or final version of the signature exist?


From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Tue, 11 May 2004 18:33:38 -0400

Googling, I found the GET rule:

 alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; 
  flow:to_server,established; content:"GET "; offset:0; depth:4; 
  classtype:misc-activity; sid:1432; rev:3;) 

 that alerts on everything.

I also found a rule: 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; 
   flow:to_server,established; content:"GNUTELLA OK"; depth:40; 
   classtype:policy-violation; sid:557; rev:6;) 

Has anyone implemented a rule based on the
url contained in this message?
http://www.cs.ucr.edu/~tkarag/papers/tech.pdf

Does a signature exist in the Snort rule database that is more precise than the first two rules mentioned
in this email?

Thank you,
Raymond
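Added illustration (my own Python, not code from this thread or from the Snort rule set): it mirrors the content tests of the two rules quoted above against constructed sample payloads, beside a check anchored on the Gnutella handshake line, to show why sid:1432 fires on any HTTP GET to a non-80 port and why sid:557 sees only the 0.4 reply. Assumptions: the Gnutella 0.4/0.6 handshake strings are the protocol's documented ones, and the sample payloads and function names are mine.

```python
import re

# Constructed sample client->server payloads (first bytes of a stream); not
# captures from this thread. The port in the key is only for the reader.
SAMPLES = {
    "http_get_port8080":  b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "gnutella04_connect": b"GNUTELLA CONNECT/0.4\n\n",
    "gnutella04_ok":      b"GNUTELLA OK\n\n",
    "gnutella06_connect": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: demo/1.0\r\n\r\n",
    "gnutella06_ok":      b"GNUTELLA/0.6 200 OK\r\nUser-Agent: demo/1.0\r\n\r\n",
    "ssh_banner":         b"SSH-2.0-OpenSSH_6.0\r\n",
}

def sid1432_fires(payload: bytes) -> bool:
    """Mirror of sid:1432 (content:"GET "; offset:0; depth:4): any HTTP GET
    sent to a non-80 port matches, which is why it alerts on everything."""
    return payload[:4] == b"GET "

def sid557_fires(payload: bytes) -> bool:
    """Mirror of sid:557 (content:"GNUTELLA OK"; depth:40): only the 0.4
    server reply; a 0.6 peer answers "GNUTELLA/0.6 200 OK" and is missed."""
    return b"GNUTELLA OK" in payload[:40]

# Gnutella 0.4 and 0.6 handshake lines (assumption: the protocol strings as
# documented for those versions), anchored at the very start of the stream.
HANDSHAKE_RE = re.compile(rb"\AGNUTELLA(?: CONNECT/0\.[46]|/0\.6 200 OK| OK)\r?\n")

def handshake_fires(payload: bytes) -> bool:
    """Handshake-anchored check: fires on connect and reply lines of either
    protocol version, and on nothing that is not a Gnutella handshake."""
    return HANDSHAKE_RE.match(payload) is not None

def evaluate(samples=SAMPLES) -> dict:
    """Return {sample_name: (sid1432, sid557, handshake)} for each payload."""
    return {name: (sid1432_fires(p), sid557_fires(p), handshake_fires(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:20s} sid1432={hits[0]!s:5} sid557={hits[1]!s:5} handshake={hits[2]}")
```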
