[Snort-sigs] P2P Kazaa Traffic
sam at ...219...
Fri Jul 11 07:19:17 EDT 2003
Here's the message that I believe Jukka is referring to, regarding
the BitTorrent signature:
I haven't looked very deeply into the protocol, but these should do you
for now. FYI, the second rule generates a TON of alerts when transferring
a file. Please test them out and let me know.
alert tcp any any -> any any (msg:"P2P BitTorrent tracker request";
flow:to_server,established; content:"GET"; offset:0; depth:4;
content:"/announce"; distance:1; content:"info_hash="; offset:4;)

alert tcp any any -> any 6881:6889 (msg:"P2P BitTorrent data transfer";
flow:to_server,established; content:"|13|BitTorrent protocol";)
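As an added example (not code posted to the list), the following Python models the match logic of the three rules in this thread, the BitTorrent tracker-request rule and peer-handshake rule above and the Kazaa "X-Kazaa" rule with the proposed 64-byte depth, and runs it over constructed payloads. It assumes Snort 2 keyword semantics (offset/depth count from the start of the payload, distance counts from the end of the previous content match); the sample requests, handshake bytes, info_hash and peer_id are made up for illustration, not captured traffic.

```python
"""Python model of the Snort 2 content rules discussed in this thread.

Added example, not code from the list.  Assumed Snort 2 semantics:
offset/depth are absolute from payload start, distance is relative to
the end of the previous content match.  All payloads below are constructed.
"""
from typing import Optional

BT_PEER_PORTS = range(6881, 6890)   # Snort port range 6881:6889 is inclusive


def bt_tracker_request(payload: bytes) -> bool:
    """content:"GET"; offset:0; depth:4;
    content:"/announce"; distance:1;
    content:"info_hash="; offset:4;"""
    pos = payload.find(b"GET", 0, 4)              # must lie within first 4 bytes
    if pos < 0:
        return False
    doe = pos + len(b"GET")                       # cursor just past "GET"
    if payload.find(b"/announce", doe + 1) < 0:   # distance:1 -> start 1 byte later
        return False
    return payload.find(b"info_hash=", 4) >= 0    # offset:4 is absolute again


def bt_peer_handshake(dst_port: int, payload: bytes) -> bool:
    """alert tcp any any -> any 6881:6889 ... content:"|13|BitTorrent protocol";
    0x13 (19) is the length byte that precedes the protocol string."""
    return dst_port in BT_PEER_PORTS and b"\x13BitTorrent protocol" in payload


def kazaa_header(payload: bytes, depth: Optional[int] = 64) -> bool:
    """content:"X-Kazaa"; with depth:64.  depth=None searches the whole payload."""
    window = payload if depth is None else payload[:depth]
    return b"X-Kazaa" in window


# ---- constructed sample payloads (made up for this example, not captures) ----
INFO_HASH = bytes.fromhex("123456789abcdef0123456789abcdef012345678")   # 20 bytes
PEER_ID = b"-AZ2000-abcdefghijkl"                                        # 20 bytes

TRACKER_GET = (
    b"GET /announce?info_hash="
    + "".join("%%%02x" % b for b in INFO_HASH).encode()   # percent-encoded hash
    + b"&peer_id=" + PEER_ID
    + b"&port=6881&uploaded=0&downloaded=0&left=1048576 HTTP/1.0\r\n"
    b"Host: tracker.example.invalid\r\n\r\n"
)
# handshake: pstrlen(0x13) + "BitTorrent protocol" + 8 reserved + info_hash + peer_id
PEER_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + INFO_HASH + PEER_ID
KAZAA_SHORT = (
    b"GET /.files HTTP/1.1\r\n"
    b"X-Kazaa-Username: someuser\r\nX-Kazaa-Network: KaZaA\r\n\r\n"
)
# same header set, but Host and User-Agent push X-Kazaa past byte 64
KAZAA_LONG = (
    b"GET /.files HTTP/1.1\r\n"
    b"Host: supernode.example.invalid:1214\r\n"
    b"User-Agent: KazaaClient\r\n"
    b"X-Kazaa-Username: someuser\r\n\r\n"
)
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"


def run_samples() -> dict:
    """Apply each rule model to the samples; True means the rule would alert."""
    return {
        "tracker_get": bt_tracker_request(TRACKER_GET),
        "tracker_on_plain_get": bt_tracker_request(PLAIN_GET),
        "handshake_port6881": bt_peer_handshake(6881, PEER_HANDSHAKE),
        "handshake_port80": bt_peer_handshake(80, PEER_HANDSHAKE),
        "kazaa_depth64_short": kazaa_header(KAZAA_SHORT),
        "kazaa_depth64_long": kazaa_header(KAZAA_LONG),
        "kazaa_fullpayload_long": kazaa_header(KAZAA_LONG, depth=None),
        "kazaa_long_header_offset": KAZAA_LONG.find(b"X-Kazaa"),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:26s} {result}")
```

The two Kazaa samples illustrate the trade-off raised later in the thread: a depth:64 restriction is cheap for the detection engine, but a request that carries a Host and User-Agent header before its X-Kazaa headers is missed, so the depth has to be chosen against real client request layouts rather than guessed.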
On Fri, 11 Jul 2003, Jukka Juslin wrote:
> What do you mean by "adding to the transfer downstream or upstream"? I
> tried to understand from the BitTorrent documentation, that you are
> supposed to download the same file (or parts of it) from many hosts at the
> same time? So, it looks like, if you catch persons looking for the
> .torrent file, you can see from the actual file he/she downloaded what
> he/she is planning to do.
> There are BitTorrent signatures already. If you search the archives
> for my name, you will find the email where somebody sent those to me.
> On Thu, 10 Jul 2003, Jacob Hurley wrote:
> ->I am interested in how to create signatures for BitTorrent as well, but I will also need to grab some actual payloads for the 'content' keywords. I can add to the discussion by mentioning that it starts out as standard web traffic when you choose to download the .torrent file. Past that, the BitTorrent client takes over and uses ports 6881:6889 to grab the file. Also, while you are downloading the file, other 'peers' downloading the file will attempt to connect to your machine (ports 6881:6889 as well) and add to your transfers downstream and upstream. (With BitTorrent, the more people grabbing the file, the better.) It really is a nifty tool to distribute files quickly.
> ->-----Original Message-----
> ->From: Wes Young [mailto:wyoung at ...1639...]
> ->Sent: Thursday, July 10, 2003 8:10 AM
> ->To: jtjuslin at ...1151...
> ->Cc: snort-sigs at lists.sourceforge.net
> ->Subject: Re: [Snort-sigs] P2P Kazaa Traffic
> ->I haven't looked into BitTorrent yet, only used it a few times, no packet captures..... Even so, I don't think it authenticates, it just spams the file out on a certain port. It turns your comp into a p2p server, so all you need to do is look for incoming traffic on whatever port it uses.
> ->Again, like I said, I haven't used it much. I will try to snag some captures this weekend and post them. See if we can't find at least the negotiation attempts when they connect. I hate it on my network, it's an upstream hog. Great tool, but only good at night when everyone is asleep.
> ->>>> Jukka Juslin <jtjuslin at ...1151...> 07/10 2:39 AM >>>
> ->I think this would be a good idea! The KaZaa filter produces a lot of
> ->alerts otherwise.
> ->It is interesting to see from some KaZaa packet captures, what movies are
> ->being downloaded (to verify). I can't do the same anymore with BitTorrent,
> ->because it seems to be that the transfer is somehow encrypted. Am I right?
> ->On Wed, 9 Jul 2003, Wes Young wrote:
> ->->Will this just capture the login attempt??? or all kazaa Traffic?
> ->->If not, is there a way to just capture login attempts (to cut down on logs)
> ->->Just curious, haven't looked too far into it. Thanks!
> ->->>>> Sam Evans <sam at ...219...> 07/09 1:18 PM >>>
> ->->It could, and I will work on that. The thing we've noticed with the rule
> ->->is that it will capture the user's Kazaa name, as well as the supernode
> ->->they are connected to. Not sure if limiting to the first 64 bytes will get
> ->->all that, but I'll tinker with it.
> ->->On Wed, 9 Jul 2003, Chris Baker wrote:
> ->->> -----BEGIN PGP SIGNED MESSAGE-----
> ->->> Hash: SHA1
> ->->> On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
> ->->> > Rule:
> ->->> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"P2P Kazaa Traffic";\
> ->->> > content:"X-Kazaa"; flow:to_server;)
> ->->> >
> ->->> This kind of rule will usually be ignored by most users since it
> ->->> searches the full payload. Can this be tightened down a bit? Maybe
> ->->> within the first 64 bytes?
> ->->> -----BEGIN PGP SIGNATURE-----
> ->->> Version: GnuPG v1.2.2 (SunOS)
> ->->> iD8DBQE/DC9jbKHg1qAf3vIRAmL/AJoDERpVyVTaart98Y/L1CmRfP6aCwCg5eQa
> ->->> HQh2I5GZN94ElZVkMFTTerw=
> ->->> =4EmS
> ->->> -----END PGP SIGNATURE-----
> ->This SF.Net email sponsored by: Parasoft
> ->Error proof Web apps, automate testing & more.
> ->Download & eval WebKing and get a free book.
> ->Snort-sigs mailing list
> ->Snort-sigs at lists.sourceforge.net