[Snort-sigs] P2P GNUTella GET causes lots of false positives

Hey Folks,

I'm new to snort, so sorry if this has been covered recently. SID 1432 regarding p2p networks seems weird to me.

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

If I am reading this correctly, than any packet containing "GET" headed out of my network, destined for any port other than 80 will trigger this rule.

Won't this cause a false positive with every HTTP GET request to any external server with non-standard ports?

For example:
http://www.nhc.rtp.nc.us:8080/

Simply hitting that URL, causes the rule to fire.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related snort.org Links snort-announce snort-cvsinfo snort-devel snort-sigs snort-users Request more information about Pantek

Thanks folks,
Shane