[Snort-sigs] Bittorrent Signature updates

Matthew Jonkman matt at ...2436...
Thu Jul 8 07:53:10 EDT 2004

Thanks for looking at it. I had a reference that mentioned that 
bittorrent 2, as well as some existing clients, will go to 6999 as well. 
So I figured I'd get ahead of the game. :)

Had a few references in bt2 devel sites, as well as this:


Nigel Houghton wrote:

> On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
>>I've updated Chich Thierry's Bittorrent rules a bit. I've seen and had a 
>>number of falses reported, especially in backup streams from things like 
>>veritas, etc.
>>I've added port ranges to them.
>>alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE P2P 
>>BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; 
>>flags:PA; classtype:policy-violation; sid:2000334; rev:2;)
>>alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 (msg:"BLEEDING-EDGE 
>>P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; 
>>flags:PA; classtype:policy-violation; sid:2000357; rev:1;)
> Here is the port information from the Bittorrent protocol [0]:
>   The port number this peer is listening on. Common behavior is
> 	for a downloader to try to listen on port 6881 and if
> 	that port is taken try 6882, then 6883, etc. and give up
> 	after 6889.
> Not sure where you got your port information from, but it would seem your 
> port range is a little generous. I might go for a rule to seek out
> connections to a listener on my home net, that might focus things a little
> more.
> [0] http://bitconjurer.org/BitTorrent/protocol.html
>>I think this will eliminate the falses. Please let me know if this makes 
>>them ineffective.
> -------------------------------------------------------------
> Nigel Houghton       Research Engineer        Sourcefire Inc.
>                  Vulnerability Research Team
> "Dude, dolphins are intelligent and friendly!" -- Wendy
> "Intelligent and friendly on rye bread, with some mayonnaise." -- Cartman

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
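
An added example, not part of the original messages and not Snort's own code: a small Python model of the rule options quoted in the thread, run against constructed packets to compare the port scopes under discussion (unscoped, 6969, 6881:6999, and the 6881-6889 range from the protocol description). The HOME_NET value, the packet names, the backup port 10000 and all payloads are assumptions made for illustration.

```python
import ipaddress

PATTERN = bytes.fromhex("0000000d0600")        # content:"|0000000d0600|"
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed value of $HOME_NET

# Destination-port scopes: unscoped, the two posted rules, and the
# 6881-6889 range quoted from the protocol description.
SCOPES = {
    "any": range(0, 65536),
    "6969": range(6969, 6970),
    "6881:6999": range(6881, 7000),
    "6881:6889": range(6881, 6890),
}

def rule_matches(pkt, dports):
    """alert tcp $HOME_NET any -> $EXTERNAL_NET <dports>
    (content; offset:0; depth:12; flags:PA;)"""
    src_home = ipaddress.ip_address(pkt["src"]) in HOME_NET
    dst_home = ipaddress.ip_address(pkt["dst"]) in HOME_NET
    if not src_home or dst_home:        # $EXTERNAL_NET assumed to be !$HOME_NET
        return False
    if pkt["dport"] not in dports:
        return False
    if pkt["flags"] != {"PSH", "ACK"}:  # flags:PA without a modifier is exact
        return False
    return PATTERN in pkt["payload"][:12]   # offset:0; depth:12

def pkt(dport, payload, src="10.1.1.5", dst="198.51.100.7"):
    return {"src": src, "dst": dst, "dport": dport,
            "flags": {"PSH", "ACK"}, "payload": payload}

BODY = PATTERN + b"\x00" * 11   # constructed payload, not captured traffic
PACKETS = {
    "peer:6881": pkt(6881, BODY),
    "peer:6995": pkt(6995, BODY),
    "peer:6969": pkt(6969, BODY),
    "peer:51413": pkt(51413, BODY),                  # non-default listener
    "backup:10000": pkt(10000, BODY),                # same bytes, other service
    "late:6881": pkt(6881, b"\xff" * 8 + PATTERN),   # pattern starts at byte 8
    "inbound:6881": pkt(6881, BODY, src="198.51.100.7", dst="10.1.1.5"),
}

def hits(scope):
    """Names of the constructed packets that the rule alerts on for a scope."""
    return sorted(n for n, p in PACKETS.items() if rule_matches(p, SCOPES[scope]))

if __name__ == "__main__":
    for scope in SCOPES:
        print(f"{scope:>10}: {hits(scope)}")
```

Port 6969 falls inside 6881:6999, so a matching packet to 6969 satisfies both posted rules (sid 2000334 and sid 2000357). Every port-scoped variant drops the backup-stream match but also misses the peer on a non-default port and the inbound connection to a listener on the home net.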
