[Snort-users] P2P Gnutella Signature does a more precise or final version of the signature exist?

Old 05-11-2004
Jacob, Raymond A Jr
Googling, I found the GET rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1432; rev:3;)

that alerts on everything.

I also found a rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)

Has anyone implemented a rule based on the URL contained in this message?
http://www.cs.ucr.edu/~tkarag/papers/tech.pdf

Does a signature exist in the Snort rule database that is more precise than the first two rules mentioned in this email?

Thank you,
Raymond
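As an added illustration (not from the post, and not Snort's own matching engine), the following small model of Snort's content/offset/depth match replays the two quoted rules against constructed payloads. It shows why sid:1432 fires on any ordinary HTTP GET sent to a non-80 port, while sid:557 only fires when "GNUTELLA OK" sits inside the first 40 bytes. The payloads, the port numbers and the depth-relative-to-offset semantics are assumptions made for the example.

```python
from typing import Dict, List, Optional


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Model of a Snort content match with offset/depth modifiers.

    Assumption: the search starts at `offset` and may look at `depth`
    bytes from there, so the pattern must end by offset + depth.
    """
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end) != -1


# Content and destination-port conditions of the two rules quoted above
# (flow:to_server,established is not modelled; every sample is treated as
# a client-to-server payload on an established session).
RULES: Dict[int, dict] = {
    1432: dict(msg="P2P GNUTella GET", dport_not=80,
               content=b"GET ", offset=0, depth=4),
    557: dict(msg="P2P GNUTella client request", dport_not=None,
              content=b"GNUTELLA OK", offset=0, depth=40),
}


def fired_sids(payload: bytes, dport: int) -> List[int]:
    """Return the sids that would alert on one payload sent to `dport`."""
    hits = []
    for sid, rule in RULES.items():
        if rule["dport_not"] is not None and dport == rule["dport_not"]:
            continue  # the rule's port field excludes this destination
        if content_match(payload, rule["content"], rule["offset"], rule["depth"]):
            hits.append(sid)
    return hits


# Constructed sample payloads (not captured traffic).
HTTP_GET_TO_8080 = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
GNUTELLA_HANDSHAKE_OK = b"GNUTELLA OK\n\n"
LATE_GNUTELLA_OK = b"X" * 40 + b"GNUTELLA OK\n\n"  # string begins at byte 40

if __name__ == "__main__":
    for name, payload, port in [("HTTP GET to 8080", HTTP_GET_TO_8080, 8080),
                                ("HTTP GET to 80", HTTP_GET_TO_8080, 80),
                                ("Gnutella OK", GNUTELLA_HANDSHAKE_OK, 6346),
                                ("late Gnutella OK", LATE_GNUTELLA_OK, 6346)]:
        print(f"{name:18s} -> sids {fired_sids(payload, port)}")
```

The first case is the false positive the post complains about: a web proxy or intranet server on 8080 trips sid:1432 exactly like a Gnutella download request would.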


