LinuxQuestions.org

shelby 06-20-2003 09:46 AM

Snort, P2P rule and 1432 Alert....
 
I was wondering if anyone else was getting "false positives" on the P2P rule (1432). I have commented the 1432 part out of the p2p.rules and it has gone away. I want to make sure I have not shot myself in the foot. Thanks

unSpawn 06-20-2003 02:10 PM

"I want to make sure I have not shot myself in the foot."

SID 1432 only triggers on a content string "GET " on each established TCP conn. except port HTTP. If other applications use "GET "'s this rule easily triggers FP's. It's rather weak, so I don't think you'll be shooting yourself in any extremity of choice.
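
The matching behaviour described in the reply above, as an added Python example that is not part of the original thread and is not the Snort rule itself. Assumptions: the HTTP port is 80, the content match is modelled as a substring anywhere in the payload, `tighter_check` is a hypothetical stricter test based on Gnutella-style `GET /get/` download requests, and all traffic samples are constructed.

```python
from dataclasses import dataclass

HTTP_PORT = 80  # assumption: "port HTTP" in the reply means 80/tcp


@dataclass
class Segment:
    dst_port: int
    established: bool
    payload: bytes
    label: str  # ground truth for the constructed sample


def sid1432_like(seg):
    """Fire as the reply describes: established TCP, not the HTTP port, payload has 'GET '."""
    return seg.established and seg.dst_port != HTTP_PORT and b"GET " in seg.payload


def tighter_check(seg):
    """Hypothetical tightening: also require a Gnutella-style '/get/' download path."""
    return sid1432_like(seg) and seg.payload.startswith(b"GET /get/")


# Constructed sample traffic (not captured from any real network)
SAMPLES = [
    Segment(6346, True, b"GET /get/42/song.ogg HTTP/1.0\r\nUser-Agent: Gnutella\r\n\r\n", "p2p"),
    Segment(8080, True, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n", "web-alt-port"),
    Segment(3128, True, b"GET http://example.org/ HTTP/1.1\r\n\r\n", "proxy"),
    Segment(80, True, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n", "web"),
    Segment(8080, False, b"GET / HTTP/1.1\r\n\r\n", "not-established"),
    Segment(25, True, b"MAIL FROM:<a@example.org>\r\n", "smtp"),
]


def detected(check, samples=SAMPLES):
    """Labels of every sample the check alerts on."""
    return [s.label for s in samples if check(s)]


def false_positives(check, samples=SAMPLES):
    """Labels of alerted samples that are not P2P traffic."""
    return [s.label for s in samples if check(s) and s.label != "p2p"]


if __name__ == "__main__":
    for check in (sid1432_like, tighter_check):
        print(check.__name__, "alerts:", detected(check),
              "false positives:", false_positives(check))
```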

