Snort mailing list archives

RE: P2P GUNTella GET?


From: Gary Danko <GDanko () proflowers com>
Date: Tue, 5 Aug 2003 12:00:05 -0700

I have in my snort.conf:
var MAIL_SERVERS [x.x.x.x, x.x.x.x]

Then in my rule:
alert tcp !$MAIL_SERVERS any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:policy-violation; sid:1432; rev:4;)

This reports GUNTELLA GET on anything that isn't a mail server.

-----Original Message-----
From: Stevo [mailto:checkpoint () ozbergs com] 
Sent: Tuesday, August 05, 2003 11:40 AM
To: Gary Danko; snort-users () lists sourceforge net
Subject: Re: [Snort-users] P2P GUNTella GET?

So how would I modify this line to exclude my Exchange server??  I'm a Snort
newbie, so I'm still working these things out!

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:policy-violation; sid:1432; rev:4;)

Stevo

----- Original Message -----
From: "Gary Danko" <GDanko () proflowers com>
To: "'Stevo'" <checkpoint () ozbergs com>; <snort-users () lists sourceforge net>
Sent: Tuesday, August 05, 2003 10:04 AM
Subject: RE: [Snort-users] P2P GUNTella GET?


I get a lot of these too. Mine are mostly false positives. I have modified
the rule to exclude the servers that are sending false pos.

-----Original Message-----
From: Stevo [mailto:checkpoint () ozbergs com]
Sent: Tuesday, August 05, 2003 9:45 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] P2P GUNTella GET?

Hey Snort Gurus,

I'm getting a bunch of these P2P GUNTella GET events in ACID which is cool,
but the source address is always my Exchange Server (x.x.x.15) and the
destination is always the same (198.116.65.48 port 25)... what is causing
this??  Is this something I should be worried about???  Below is the event
from Acid:

#15-(1-16307)    [snort] P2P GNUTella GET    2003-08-05 08:31:52
x.x.x.15:37897  198.116.65.48:25   TCP

Thanks

Stevo




-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.

http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
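The variable-based exclusion Gary describes at the top of the thread, modeled as an added example (not from the original posts or the Snort project): a small Python matcher for a Snort rule header that resolves $VAR references and ! negation, then checks the event Stevo posted against the original and the tuned header. The 10.0.0.x addresses and the HOME_NET/MAIL_SERVERS values are constructed stand-ins for the redacted x.x.x.x ones; only the header and the content:"GET "; offset:0; depth:4 check are modeled, not the flow or established-state options.

```python
import ipaddress

# Constructed stand-ins for the redacted snort.conf values in the thread.
SNORT_VARS = {
    "MAIL_SERVERS": "[10.0.0.15, 10.0.0.16]",   # the Exchange server is 10.0.0.15
    "HOME_NET": "10.0.0.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}

def expand(spec, variables=SNORT_VARS):
    """Resolve a Snort IP spec to (negated, [networks]); handles !, $VAR, any, [a, b]."""
    negated = False
    spec = spec.strip()
    while spec.startswith("!"):            # '!!x' is the same as 'x'
        negated = not negated
        spec = spec[1:].strip()
    if spec.startswith("$"):               # $VAR may itself be negated, e.g. !$HOME_NET
        inner_neg, nets = expand(variables[spec[1:]], variables)
        return negated != inner_neg, nets
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = spec.strip("[]").split(",")
    return negated, [ipaddress.ip_network(i.strip()) for i in items]

def ip_matches(spec, addr, variables=SNORT_VARS):
    negated, nets = expand(spec, variables)
    hit = any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated

def port_matches(spec, port):
    spec = spec.strip()
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or int(spec) == port
    return hit != negated

def rule_fires(header, src, sport, dst, dport, payload, variables=SNORT_VARS):
    """header: the rule text before '(', e.g. 'alert tcp !$MAIL_SERVERS any -> $EXTERNAL_NET !80'.
    Models the header plus content:"GET "; offset:0; depth:4 (first four payload bytes)."""
    _, proto, s_ip, s_port, _, d_ip, d_port = header.split()
    return (proto == "tcp"
            and ip_matches(s_ip, src, variables) and port_matches(s_port, sport)
            and ip_matches(d_ip, dst, variables) and port_matches(d_port, dport)
            and payload[:4] == b"GET ")

ORIGINAL = "alert tcp $HOME_NET any -> $EXTERNAL_NET !80"       # Stevo's sid:1432 header
TUNED = "alert tcp !$MAIL_SERVERS any -> $EXTERNAL_NET !80"     # Gary's exclusion
```

With a payload starting "GET ", the ACID event (10.0.0.15:37897 to 198.116.65.48:25) fires under ORIGINAL and is suppressed under TUNED, while any other host still matches.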
