Snort mailing list archives

RE: P2P GNUTella GET


From: Erek Adams <erek () snort org>
Date: Mon, 10 Mar 2003 13:00:38 -0500 (EST)

On Mon, 10 Mar 2003, Dave Thornburgh wrote:

> I'm a little confused by Ken and Erek's responses.  I thought that
> this rule is triggered by Gnutella traffic FROM Bishan's network TO an
> external host.  In that case, the rule is to alert him that one of his
> users is attempting to run Gnutella.  If I'm reading that right, then
> what would be the point of blinding the rule to 8080 traffic?  At that
> point, he may as well just comment out the rule altogether.  Am I
> reading this whole thing wrong?

Actually, have another look at the rule:

  alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
  flow:to_server,established; content:"GET "; offset:0; depth:4;
  classtype:misc-activity; sid:1432;  rev:3;)

This rule matches on:

        TCP packet on any port leaving HOME_NET
            destined for not port 80 on EXTERNAL_NET
            that contains "GET " as the first 4 bytes of data
            and that is an established 'to server' stream.

Ok, so that means a normal HTTP GET request would do the same...  :)  And
as it so happens 203.199.70.225 _is_ running Apache on 8080.  :)

As for my suggestions on how to stop the alert from firing:  He's asking
how to 'ignore certain traffic, or hosts'.  You have two basic options:
BPF and Pass rules.  BPFs can be as complex as you want:

        not (dest host 203.199.70.225 and dest port 8080)

Or simple:

        not port 8080

Granted, I wouldn't use the last...  But, Hey!  It's up to you.  :)

Pass rules can give you a finer grain of control over things, but you're
taking a little bit of a trade off.  BPF drops the packet at the libpcap
layer--Snort never even sees it.  Pass rules, OTOH, get the packet into
Snort (tiny extra overhead), and then have to be parsed and matched (more
overhead) to ignore it.

And yes, you could comment out the rule.  *shrug*  It's all about what's
going to work best for you in your setup.

Isn't it amazing how much IDS setup and configuration is just like
Philosophy?  ;-)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


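The matching logic of sid:1432 and the two suppression options discussed above (a BPF filter that drops the packet before Snort sees it, versus a pass rule that Snort must parse and match), as an added illustration in Python. This is not code from the original post or from Snort itself. The $HOME_NET value, the sample packets and the pass rule text are constructed for the example; the toy engine assumes pass rules are evaluated before alert rules, which on Snort of that era meant running with the -o switch.

```python
"""Toy model of Snort rule sid:1432 plus the BPF and pass-rule ways of
silencing it.  Added illustration, not Snort code: $HOME_NET, packets and
the pass rule are constructed for the example."""
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed $HOME_NET
APACHE_HOST = "203.199.70.225"                      # host from the thread, Apache on 8080


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    to_server: bool = True     # stand-in for flow:to_server
    established: bool = True   # stand-in for flow:established


def in_home_net(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def sid1432_matches(pkt: Packet) -> bool:
    """alert tcp $HOME_NET any -> $EXTERNAL_NET !80
       (flow:to_server,established; content:"GET "; offset:0; depth:4;)"""
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False                          # $HOME_NET -> $EXTERNAL_NET
    if pkt.dport == 80:
        return False                          # !80
    if not (pkt.to_server and pkt.established):
        return False                          # flow:to_server,established
    # offset:0; depth:4 -> only the first four payload bytes are inspected,
    # so any HTTP GET to a non-80 port looks exactly like a Gnutella GET.
    return pkt.payload[:4] == b"GET "


def bpf_keep(pkt: Packet) -> bool:
    """BPF 'not (dst host 203.199.70.225 and dst port 8080)'.
    Applied at the libpcap layer: a filtered packet reaches no rule at all."""
    return not (pkt.dst == APACHE_HOST and pkt.dport == 8080)


def pass_rule_matches(pkt: Packet) -> bool:
    """Constructed pass rule:
       pass tcp $HOME_NET any -> 203.199.70.225 8080 (msg:"Apache on 8080";)"""
    return in_home_net(pkt.src) and pkt.dst == APACHE_HOST and pkt.dport == 8080


def run_engine(packets, use_bpf=False, use_pass=False):
    """Returns (packets the engine had to inspect, list of (dst, dport) alerts).
    Assumes pass rules win over alert rules (Snort -o ordering)."""
    seen = 0
    alerts = []
    for pkt in packets:
        if use_bpf and not bpf_keep(pkt):
            continue                          # dropped before Snort sees it
        seen += 1                             # cost: decode + rule matching
        if use_pass and pass_rule_matches(pkt):
            continue                          # matched a pass rule, ignored
        if sid1432_matches(pkt):
            alerts.append((pkt.dst, pkt.dport))
    return seen, alerts


# Constructed sample traffic, all leaving HOME_NET.
SAMPLE = [
    Packet("192.168.1.10", APACHE_HOST, 40001, 8080,
           b"GET /index.html HTTP/1.0\r\n"),               # ordinary web request
    Packet("192.168.1.10", "198.51.100.7", 40002, 80,
           b"GET / HTTP/1.0\r\n"),                         # port 80: excluded by !80
    Packet("192.168.1.11", "198.51.100.9", 40003, 6346,
           b"GET /get/1/song.mp3 HTTP/1.1\r\n"),           # Gnutella-style download
    Packet("192.168.1.11", "198.51.100.9", 40004, 6346,
           b"GNUTELLA CONNECT/0.6\r\n"),                   # not a GET
]

if __name__ == "__main__":
    for label, kw in (("plain", {}), ("bpf", {"use_bpf": True}),
                      ("pass", {"use_pass": True})):
        print(label, run_engine(SAMPLE, **kw))
```

Running it shows the point of the thread: without any suppression the Apache request on 8080 fires sid:1432 just like the Gnutella download does; the BPF removes it before the engine counts it, while the pass rule still costs one inspected packet but leaves the Gnutella alert intact either way.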