[Snort-sigs] BIttorrent Signature updates

Chich Thierry thierry.chich at ...2579...
Fri Jul 9 01:16:06 EDT 2004

Nigel Houghton wrote:

>On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
>>I've update Chich Thierrys Bittorrent rules a bit. I've seen and had a 
>>number of falses reported, especially in backup streams from things like 
>>veritas, etc.
>>I've added port ranges to them.
>>alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE P2P 
>>BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; 
>>flags:PA; classtype:policy-violation; sid:2000334; rev:2;)
>>alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 (msg:"BLEEDING-EDGE 
>>P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; 
>>flags:PA; classtype:policy-violation; sid:2000357; rev:1;)

The problem is that bittorrent is using arbitrary ports. A lot of things
is not seen if you limit it.

However, I have done a little mistake, due to my lack of experience about
snort rules. It can be written more accurately:
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P BitTorrent peer 

I don't have false positives. However, there is a lack in snort rules. I 
read that it is not possible to exclude a group of ports (by something like

alert tcp $HOME_NET any -> $EXTERNAL_NET !$DATA_PORT

Such a possibility could permit to resolve this kind of problem (and for instance, 
reduce the false positives with the shellcode rules).


>Here is the port information from the Bittorrent protocol [0]:
>  The port number this peer is listening on. Common behavior is
>	for a downloader to try to listen on port 6881 and if
>	that port is taken try 6882, then 6883, etc. and give up
>	after 6889.
>Not sure where you got your port information from, but it would seem your 
>port range is a little generous. I might go for a rule to seek out
>connections to a listener on my home net, that might focus things a little
>[0] http://bitconjurer.org/BitTorrent/protocol.html
>>I think this will eliminate the falses. Please let me know if this makes 
>>them ineffective.
>Nigel Houghton       Research Engineer        Sourcefire Inc.
>                 Vulnerability Research Team
>"Dude, dolphins are intelligent and friendly!" -- Wendy
>"Intelligent and friendly on rye bread, with some mayonaise." -- Cartman
>This SF.Net email sponsored by Black Hat Briefings & Training.
>Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
>digital self defense, top technical experts, no vendor pitches, 
>unmatched networking opportunities. Visit www.blackhat.com
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list