Snort, P2P rule and 1432 Alert....
I was wondering if anyone else was getting "false positives" on the P2P rule (1432). I have commented the 1432 part out of the p2p.rules and it has gone away. I want to make sure I have not shot myself in the foot. Thanks
I want to make sure I have not shot myself in the foot.
SID 1432 only triggers on a content string "GET " on each established TCP conn. except port HTTP. If other applications use "GET "s, this rule easily triggers FPs. It's rather weak, so I don't think you'll be shooting yourself in any extremity of choice.
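As an added example (not from the thread or from Snort itself), the matching logic the reply describes for SID 1432, simulated in Python over constructed flow records; the flow fields, sample payloads and the HTTP port set are assumptions.

```python
# Added example, not from the thread: simulate the rule logic described above
# ("GET " at the start of an established client->server TCP payload whose
# destination port is not an HTTP port) and show where the false positive comes from.
from dataclasses import dataclass

# Assumption: the sensor's HTTP port list covers only port 80.
HTTP_PORTS = {80}


@dataclass
class Flow:
    dst_port: int
    established: bool
    to_server: bool
    payload: bytes


def sid1432_matches(flow: Flow, http_ports=HTTP_PORTS) -> bool:
    """True when the rule logic described in the thread would fire on this flow."""
    if not (flow.established and flow.to_server):
        return False
    if flow.dst_port in http_ports:
        return False
    return flow.payload.startswith(b"GET ")


# Constructed sample traffic: a P2P-style request on a Gnutella port, plain web
# traffic on port 80, a web application on a non-standard port (the false-positive
# case the thread describes), and a packet seen before the handshake completed.
SAMPLE_FLOWS = {
    "gnutella": Flow(6346, True, True, b"GET /get/1/file.mp3 HTTP/1.1\r\n"),
    "web_80": Flow(80, True, True, b"GET /index.html HTTP/1.1\r\n"),
    "web_8080": Flow(8080, True, True, b"GET /admin HTTP/1.1\r\n"),
    "not_established": Flow(6346, False, True, b"GET / HTTP/1.0\r\n"),
}


def alerts(flows=SAMPLE_FLOWS, http_ports=HTTP_PORTS):
    """Names of the flows on which the rule would alert."""
    return sorted(name for name, f in flows.items() if sid1432_matches(f, http_ports))


if __name__ == "__main__":
    print(alerts())                        # ['gnutella', 'web_8080']
    print(alerts(http_ports={80, 8080}))   # ['gnutella']
```

The second call shows the tuning alternative to disabling the rule outright: adding the local web application's port to the HTTP port set removes that false positive while the P2P case still alerts.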