[Snort-sigs] Bit Torrent signature
bmc at ...95...
Tue Jun 17 06:56:08 EDT 2003
On Tue, Jun 17, 2003 at 08:48:05AM +0300, Jukka Juslin wrote:
> Does anybody have a signature for Bit Torrent? AFAIK, Bit Torrent is
> popular for transfers of DVD movies etc.
I haven't looked very deep into the protocol, but these should do you
for now. FYI, the second rule generates a TON of alerts when transferring
files. Please test them out and let me know.

alert tcp any any -> any any (msg:"P2P BitTorrent tracker request";
flow:to_server,established; content:"GET"; offset:0; depth:4;
content:"/announce"; distance:1; content:"info_hash="; offset:4;

alert tcp any any -> any 6881:6889 (msg:"P2P BitTorrent data transfer";
flow:to_server,established; content:"|13|BitTorrent protocol";
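
An added example, not part of the original post: a simplified Python evaluator for only the content options visible in the two rules above (offset, depth, distance, and the |hex| notation), run against constructed payloads. The function names and sample bytes are assumptions made for illustration; unlike Snort, it takes the first match of each pattern and does not backtrack.

```python
def snort_bytes(s: str) -> bytes:
    """Convert Snort content syntax such as "|13|BitTorrent" to raw bytes."""
    out = b""
    for i, part in enumerate(s.split("|")):
        # Odd-numbered segments sit between pipes and hold hex byte values.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def match_contents(payload: bytes, contents: list) -> bool:
    """Apply the content options in order; every one must match."""
    prev_end = 0  # end of the previous match, used by 'distance'
    for c in contents:
        pat = snort_bytes(c["pattern"])
        if "distance" in c:
            # Relative: skip 'distance' bytes past the previous match.
            start, end = prev_end + c["distance"], len(payload)
        else:
            # Absolute: begin at 'offset', look at most 'depth' bytes.
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(payload)
        idx = payload.find(pat, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True

# Content options as they appear in the two rules in the post.
TRACKER = [
    {"pattern": "GET", "offset": 0, "depth": 4},
    {"pattern": "/announce", "distance": 1},
    {"pattern": "info_hash=", "offset": 4},
]
HANDSHAKE = [{"pattern": "|13|BitTorrent protocol"}]

# Constructed sample payloads (not captured traffic).
ANNOUNCE = (b"GET /announce?info_hash=%00%01%02&peer_id=-XX0001-000000000000"
            b"&port=6881 HTTP/1.0\r\n\r\n")
# Peer handshake: length byte 0x13, protocol string, 8 reserved bytes,
# 20-byte info_hash, 20-byte peer_id.
PEER_HELLO = (snort_bytes("|13|BitTorrent protocol") + bytes(8) + bytes(20)
              + b"-XX0001-000000000000")
PLAIN_GET = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, data in [("announce", ANNOUNCE), ("handshake", PEER_HELLO),
                       ("plain GET", PLAIN_GET)]:
        print(name, match_contents(data, TRACKER),
              match_contents(data, HANDSHAKE))
```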