Snort mailing list archives
P2P Gnutella Signature does a more precise or final version of the signature exist?
From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Tue, 11 May 2004 18:33:38 -0400
Googling, I found the GET rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1432; rev:3;)

which alerts on everything. I also found this rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)

Has anyone implemented a rule based on the URL contained in this message? http://www.cs.ucr.edu/~tkarag/papers/tech.pdf

Does a signature exist in the Snort rule database that is more precise than the first two rules mentioned in this email?

Thank you,
Raymond
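As an added example (not part of the original post or of Snort's own code), here is a small Python evaluator for the content/offset/depth options of the two rules quoted above, run against constructed payloads; it shows that sid 1432 fires on any HTTP GET sent to a non-80 port, which is why it alerts on everything, while sid 557 only fires on a payload whose first 40 bytes contain the Gnutella handshake string. The payloads are constructed, and the evaluator ignores the flow and port conditions of the rule header.

```python
# Added example (not from the original post or from Snort): a minimal
# evaluator for the content/offset/depth options of a Snort rule, applied
# to the two rules quoted above and to constructed payloads.

def parse_options(rule):
    """Return the rule's option block (between the parentheses) as a dict."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    fields = {}
    for opt in opts.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            fields[key.strip()] = val.strip().strip('"')
    return fields

def content_matches(payload, opts):
    """Snort semantics: look for `content` starting at `offset`, searching at
    most `depth` bytes from there (depth 0 means the rest of the payload)."""
    pattern = opts["content"].encode()
    offset = int(opts.get("offset", 0))
    depth = int(opts.get("depth", 0))
    window = payload[offset:] if depth == 0 else payload[offset:offset + depth]
    return pattern in window

GET_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; '
            'flow:to_server,established; content:"GET "; offset:0; depth:4; '
            'classtype:misc-activity; sid:1432; rev:3;)')
OK_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; '
           'flow:to_server,established; content:"GNUTELLA OK"; depth:40; '
           'classtype:policy-violation; sid:557; rev:6;)')

# Constructed sample payloads (client -> server data, not real captures).
SAMPLES = {
    "http_get_alt_port": b"GET /index.html HTTP/1.1\r\nHost: example.test:8080\r\n\r\n",
    "gnutella_file_get": b"GET /get/12/song.mp3 HTTP/1.1\r\nUser-Agent: constructed\r\n\r\n",
    "gnutella_ok_handshake": b"GNUTELLA OK\n\n",
    "tls_client_hello": b"\x16\x03\x01\x00" + b"A" * 40,
}

def evaluate(rule, samples=SAMPLES):
    """Map each sample name to whether the rule's content test matches it."""
    opts = parse_options(rule)
    return {name: content_matches(data, opts) for name, data in samples.items()}
```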
Current thread:
- P2P Gnutella Signature does a more precise or final version of the signature exist? Jacob, Raymond A Jr (May 11)