[Snort-sigs] BIttorrent Signature updates

Matthew Watchinski mwatchinski at ...435...
Thu Jul 8 10:46:01 EDT 2004


Another update you may wish to make is to remove the flags:PA and replace 
that with the flow keyword and appropriate value.  Using flags:PA is 
deprecated.

Cheers,
-matt
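
As an added illustration (not part of either message in this thread), here are the two quoted rules with the flags:PA test replaced by the flow keyword as the reply suggests. The direction value to_server and the rev bumps are my choices, not the list authors'. Note that flow:established only matches packets inside a session Snort has tracked as established, a condition flags:PA alone never imposed, so the rules should be re-checked against the backup-stream traffic that produced the original false positives.

```snort
# Added example: flags:PA replaced by flow:established,to_server.
# Port and content values are unchanged from the quoted rules; rev is bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; flow:established,to_server; content:"|0000000d0600|"; offset:0; depth:12; classtype:policy-violation; sid:2000334; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; flow:established,to_server; content:"|0000000d0600|"; offset:0; depth:12; classtype:policy-violation; sid:2000357; rev:2;)
```

Because flow relies on the stream preprocessor's session state, the direction keyword follows the rule header ($HOME_NET -> $EXTERNAL_NET, so to_server), and a sensor without stream reassembly enabled will never fire these rules at all.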

Matthew Jonkman wrote:

> I've updated Chich Thierry's BitTorrent rules a bit. I've seen and had a 
> number of falses reported, especially in backup streams from things 
> like Veritas, etc.
>
> I've added port ranges to them.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE P2P 
> BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; 
> flags:PA; classtype:policy-violation; sid:2000334; rev:2;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 (msg:"BLEEDING-EDGE 
> P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; 
> depth:12; flags:PA; classtype:policy-violation; sid:2000357; rev:1;)
>
> I think this will eliminate the falses. Please let me know if this 
> makes them ineffective.
>
> Matt
>