[Snort-sigs] Bit Torrent signature

Brian bmc at ...95...
Tue Jun 17 06:56:08 EDT 2003


On Tue, Jun 17, 2003 at 08:48:05AM +0300, Jukka Juslin wrote:
> Does anybody have a signature for Bit Torrent? AFAIK, Bit Torrent is
> popular for transfers of DVD movies etc.

I haven't looked very deep into the protocol, but these should do you 
for now.  FYI, the second rule generates a TON of alerts when transferring
files.  Please test them out and let me know.

alert tcp any any -> any any (msg:"P2P BitTorrent tracker request";
   flow:to_server,established; content:"GET"; offset:0; depth:4; 
   content:"/announce"; distance:1; content:"info_hash="; offset:4;
   content:"event=started"; offset:4;)

alert tcp any any -> any 6881:6889 (msg:"P2P BitTorrent data transfer"; 
   flow:to_server,established; content:"|13|BitTorrent protocol"; 
   offset:0; depth:20;)

-brian
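
The content checks in the two rules above, re-expressed as a small Python matcher and run over constructed payloads (an added example, not part of the original message and not Snort's own code). The function names, sample payloads and tracker port 6969 are assumptions made for illustration, and flow state (to_server,established) is not modelled.

```python
HANDSHAKE = b"\x13BitTorrent protocol"  # |13| is the length byte 0x13 (19)


def find(payload, pattern, offset=0, depth=None):
    """Snort-style content match: search from `offset`; with `depth` set the
    whole pattern must lie within `depth` bytes of `offset`.
    Returns the index just past the match, or -1."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    idx = payload.find(pattern, offset, end)
    return -1 if idx < 0 else idx + len(pattern)


def tracker_request(payload):
    """Rule 1: GET in the first 4 bytes, /announce at least 1 byte later,
    info_hash= and event=started anywhere from byte 4 on."""
    end_get = find(payload, b"GET", offset=0, depth=4)
    if end_get < 0:
        return False
    if find(payload, b"/announce", offset=end_get + 1) < 0:  # distance:1
        return False
    return (find(payload, b"info_hash=", offset=4) >= 0
            and find(payload, b"event=started", offset=4) >= 0)


def data_transfer(payload, dst_port):
    """Rule 2: handshake string fills the first 20 bytes, port 6881-6889."""
    return 6881 <= dst_port <= 6889 and find(payload, HANDSHAKE, 0, 20) >= 0


# Constructed sample payloads (first client-to-server segment of each flow).
QUERY = b"?info_hash=%aa%bb%cc&peer_id=-XX0001-000000000000&port=6881"
FIRST_ANNOUNCE = b"GET /announce" + QUERY + b"&event=started HTTP/1.0\r\n\r\n"
LATER_ANNOUNCE = b"GET /announce" + QUERY + b" HTTP/1.0\r\n\r\n"
PEER_HANDSHAKE = HANDSHAKE + bytes(8) + bytes(20) + b"-XX0001-000000000000"


def count_alerts(flows):
    """flows: list of (dst_port, payload). Returns (rule1_hits, rule2_hits)."""
    r1 = sum(tracker_request(p) for _, p in flows)
    r2 = sum(data_transfer(p, port) for port, p in flows)
    return r1, r2


if __name__ == "__main__":
    # One tracker announce, then a separate TCP connection to each of 5 peers.
    flows = [(6969, FIRST_ANNOUNCE)] + [(6881 + i, PEER_HANDSHAKE) for i in range(5)]
    print(count_alerts(flows))
```

Rule 1 matches only the announce that carries event=started, while rule 2 matches the handshake that opens every peer connection, so its alert count grows with the number of peers.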



