[Snort-sigs] BitTorrent Signature updates

Matthew Jonkman matt at ...2436...
Thu Jul 8 06:27:23 EDT 2004


I've updated Chich Thierry's BitTorrent rules a bit. I've seen and had a 
number of falses reported, especially in backup streams from things like 
Veritas, etc.

I've added port ranges to them.

alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; flags:PA; classtype:policy-violation; sid:2000334; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; flags:PA; classtype:policy-violation; sid:2000357; rev:1;)

I think this will eliminate the falses. Please let me know if this makes 
them ineffective.

Matt
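
The following Python sketch is an added illustration, not part of the original post or the ruleset it quotes. It models the match conditions of the two rules above (destination port range, content within the offset/depth window, TCP flags) and runs them over constructed packets; the packet values, the ports 10000 and 51413, and the reading of flags:PA as exactly PSH+ACK are assumptions.

```python
# Added example: simplified model of the two rules' match conditions.
import struct
from dataclasses import dataclass

PATTERN = bytes.fromhex("0000000d0600")  # content:"|0000000d0600|"
PSH, ACK = 0x08, 0x10                    # TCP flag bits
# (sid, first dest port, last dest port) taken from the two rules
RULES = [(2000334, 6969, 6969), (2000357, 6881, 6999)]

@dataclass
class Packet:
    dport: int
    flags: int
    payload: bytes

def content_match(payload, offset=0, depth=12):
    # offset:0; depth:12 -> the pattern must lie within the first 12 payload bytes
    return PATTERN in payload[offset:offset + depth]

def matching_sids(pkt):
    if pkt.flags != (PSH | ACK):  # assumption: flags:PA means exactly PSH+ACK
        return []
    if not content_match(pkt.payload):
        return []
    return [sid for sid, lo, hi in RULES if lo <= pkt.dport <= hi]

def sample_request(index=5, begin=0, length=16384):
    # Constructed peer "request": length prefix 13, message id 6, three uint32s
    return struct.pack(">IBIII", 13, 6, index, begin, length)

if __name__ == "__main__":
    req = sample_request()
    backup = PATTERN + b"constructed backup stream bytes"
    for name, pkt in [
        ("request to 6969", Packet(6969, PSH | ACK, req)),
        ("request to 6881", Packet(6881, PSH | ACK, req)),
        ("backup data to 10000", Packet(10000, PSH | ACK, backup)),
        ("request to 51413", Packet(51413, PSH | ACK, req)),
    ]:
        print(f"{name}: {matching_sids(pkt)}")
```

The last two cases show both sides of the change: the constructed backup payload on port 10000 no longer alerts, and neither does a request sent to a port outside 6881:6999.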



