[Snort-sigs] Bittorrent Signature updates

Nigel Houghton nigel at ...435...
Thu Jul 8 09:03:01 EDT 2004


On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> 
> Yes, that does make it difficult. I'm not a bittorrent expert. But I'd 
> assume to change the local ports used you'd have to be talking to a 
> server that is also the same, no? Any bittorrenters out there?
> 
> What would be interesting is a packet dump using a set of ports outside 
> the defined range. And also one going through a proxy server, as the 
> references in the protocol imply is possible with some work.

Right, that information would indeed be very useful. 

What would be really interesting is a packet dump of the initial
connection between clients. That way you could concentrate on a rule to
detect that first client/client setup and alert on that since what follows
would be extraneous information.

i.e. We've seen the initial connection, so everything else is not a good
thing(tm) and we need to do something about it right now.

-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

"Dude, dolphins are intelligent and friendly!" -- Wendy
"Intelligent and friendly on rye bread, with some mayonnaise." -- Cartman
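
Added example, not part of the original message or of any Snort ruleset: a port-independent check for the initial client/client handshake discussed above, run against the first payload bytes of each TCP stream. The handshake layout is taken from the public BitTorrent protocol specification rather than from this thread, and the sample flows, addresses and function names are constructed for illustration.

```python
"""Port-independent check for the BitTorrent peer handshake (added example)."""
from typing import NamedTuple, Optional

# Handshake layout per the BitTorrent protocol specification:
# 1 length byte (19) | "BitTorrent protocol" | 8 reserved | 20 info_hash | 20 peer_id
PSTR = b"BitTorrent protocol"
PREFIX = bytes([len(PSTR)]) + PSTR          # 20 bytes: b"\x13BitTorrent protocol"
HANDSHAKE_LEN = len(PREFIX) + 8 + 20 + 20   # 68 bytes in total


class Handshake(NamedTuple):
    reserved: bytes
    info_hash: bytes
    peer_id: bytes


def parse_handshake(payload: bytes) -> Optional[Handshake]:
    """Parse the first bytes of a TCP stream; None if it is not a full handshake."""
    if len(payload) < HANDSHAKE_LEN or not payload.startswith(PREFIX):
        return None
    body = payload[len(PREFIX):HANDSHAKE_LEN]
    return Handshake(body[:8], body[8:28], body[28:48])


def flag_flows(flows):
    """flows: iterable of (src, sport, dst, dport, first_payload).
    Returns flows whose first payload is a peer handshake, whatever the port."""
    hits = []
    for src, sport, dst, dport, payload in flows:
        hs = parse_handshake(payload)
        if hs is not None:
            hits.append((src, sport, dst, dport, hs.info_hash.hex()))
    return hits


# Constructed sample data (not captured traffic).
_HS = PREFIX + bytes(8) + bytes(range(20)) + b"-XX0000-" + b"0" * 12
SAMPLE_FLOWS = [
    ("10.0.0.5", 51000, "192.0.2.10", 6881, _HS),                    # commonly used port
    ("10.0.0.5", 51001, "192.0.2.11", 443, _HS + b"\x00" * 4),       # port outside that range
    ("10.0.0.6", 51002, "192.0.2.12", 6881, b"GET / HTTP/1.1\r\n"),  # right port, other protocol
    ("10.0.0.7", 51003, "192.0.2.13", 8080, _HS[:30]),               # truncated handshake
]

if __name__ == "__main__":
    for hit in flag_flows(SAMPLE_FLOWS):
        print(hit)
```

Matching on the fixed 20-byte prefix at the start of the stream is what makes the check independent of the port range; the truncated case returns no hit here, so a sensor that sees split segments needs stream reassembly in front of it.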



