Snort mailing list archives
Newbie question on gnutella rule
From: "Chris Hoover" <revoohc () sermonaudio com>
Date: Thu, 11 Dec 2003 15:59:13 -0600
I am having a problem with one of the Gnutella rules. It appears to be labeling all of the connections to my proxy server as gnutella hits (proxy uses port 8080). Please help me correct this since I definitely want to sniff for p2p traffic on my company's network. I am trying to understand why this rule is doing this and how to correct it.

Thanks for any help,

chris

Snort rule 1432 (P2P GNUTella GET)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)
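
The rule text quoted above matches any established client-to-server payload that begins with "GET " on any destination port other than 80, so ordinary HTTP requests sent to a proxy on 8080 satisfy it. The following is an added example, not part of the original post or of Snort: it models only the port, flow and content options of sid 1432, and the sample payloads, port 6346 and the `excluded_ports` parameter are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    dst_port: int
    payload: bytes
    to_server: bool = True    # models flow:to_server
    established: bool = True  # models flow:established


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Snort content with offset/depth: the pattern must lie entirely
    inside payload[offset : offset + depth]."""
    return pattern in payload[offset:offset + depth]


def sid_1432_fires(pkt: Packet, excluded_ports=(80,)) -> bool:
    """Header '-> $EXTERNAL_NET !80' plus the flow and content options.
    Assumption: $HOME_NET/$EXTERNAL_NET already match; addresses are not modelled."""
    if pkt.dst_port in excluded_ports:
        return False
    if not (pkt.to_server and pkt.established):
        return False
    return content_match(pkt.payload, b"GET ", offset=0, depth=4)


# Constructed sample traffic (not captured from any network).
SAMPLES = {
    "web direct :80": Packet(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "proxy GET :8080": Packet(8080, b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "proxy CONNECT :8080": Packet(8080, b"CONNECT example.com:443 HTTP/1.1\r\n\r\n"),
    "gnutella download :6346": Packet(6346, b"GET /get/1/song.mp3 HTTP/1.0\r\n\r\n"),
}


def evaluate(excluded_ports=(80,)) -> dict:
    """Return {sample name: would the modelled rule alert?}."""
    return {name: sid_1432_fires(p, excluded_ports) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print("rule as posted (!80):")
    for name, hit in evaluate().items():
        print(f"  {name:26} alert={hit}")
    # Hypothetical variant of the model that also excludes the proxy port.
    print("model with 80 and 8080 excluded:")
    for name, hit in evaluate((80, 8080)).items():
        print(f"  {name:26} alert={hit}")
```
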