[Snort-sigs] P2P Kazaa Traffic

Brian bmc at ...95...
Sun Jul 13 11:10:17 EDT 2003


On Thu, Jul 10, 2003 at 02:03:14PM -0500, Jacob Hurley wrote:
> i am interested in how to create signatures for bittorrent as well, but i will also need to grab some actual payloads for the 'content' keywords.  i can add to the discussion by mentioning that it starts out by standard web traffic when you choose to download the .torrent file.  past that the bittorrent client takes over and uses port 6881:6889 to grab the file.  also, while you are downloading the file, other 'peers' downloading the file will attempt to connect to your machine (ports 6881:6889 as well) and add to your transfers downstream and upstream.  (with bittorrent, the more people grabbing the file - the better) it really is a nifty tool to distribute files quickly.

FYI, I pushed out torrent sigs I've been testing.  Check em out.

http://www.snort.org/snort-db/sid.html?sid=2180
http://www.snort.org/snort-db/sid.html?sid=2181

-b




More information about the Snort-sigs mailing list