[Snort-sigs] BitTorrent Signature updates

Matthew Jonkman matt at ...2436...
Fri Jul 9 06:12:01 EDT 2004


We can exclude a range of ports that are contiguous, just not a bunch of 
individual ports, or a range and a separate port.

What I understood about the bt protocol is that the clients connect to a server 
on ports in the range in the rule below, though. But what I read 
certainly wasn't authoritative. Are you seeing different in practice?

I see the change in the rule below was a different depth. I'll update 
the bleeding edge rule with that too.

Matt

Chich Thierry wrote:

> Nigel Houghton wrote:
> 
>> On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
>>  
>>
>>> I've updated Chich Thierry's Bittorrent rules a bit. I've seen and had 
>>> a number of falses reported, especially in backup streams from things 
>>> like veritas, etc.
>>>
>>> I've added port ranges to them.
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE P2P 
>>> BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; 
>>> flags:PA; classtype:policy-violation; sid:2000334; rev:2;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 
>>> (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; 
>>> content:"|0000000d0600|"; offset:0; depth:12; flags:PA; 
>>> classtype:policy-violation; sid:2000357; rev:1;)
>>>
> 
> The problem is that bittorrent is using arbitrary ports. A lot of things
> are not seen if you limit it.
> 
> However, I have made a little mistake, due to my lack of experience with
> snort rules. It can be written more accurately:
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P BitTorrent peer 
> sync";content:"|0000000d0600|";offset:0;depth:6;flags:PA;classtype:policy-violation;resp:rst_all;) 
> 
> 
> I don't have false positives. However, there is a lack in snort rules. I 
> have read that it is not possible to exclude a group of ports (by something like
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET !$DATA_PORT
> 
> Such a possibility could permit resolving this kind of problem (and, for 
> instance, reduce the false positives with the shellcode rules).
> 
> Thierry
> 
>> Here is the port information from the Bittorrent protocol [0]:
>>
>>  The port number this peer is listening on. Common behavior is
>>     for a downloader to try to listen on port 6881 and if
>>     that port is taken try 6882, then 6883, etc. and give up
>>     after 6889.
>>
>> Not sure where you got your port information from, but it would seem 
>> your port range is a little generous. I might go for a rule to seek out
>> connections to a listener on my home net, that might focus things a 
>> little more.
>>
>> [0] http://bitconjurer.org/BitTorrent/protocol.html
>>
>>  
>>
>>> I think this will eliminate the falses. Please let me know if this 
>>> makes them ineffective.
>>>
>>> Matt
>>>   
>>
>>
>> -------------------------------------------------------------
>> Nigel Houghton       Research Engineer        Sourcefire Inc.
>>                 Vulnerability Research Team
>>
>> "Dude, dolphins are intelligent and friendly!" -- Wendy
>> "Intelligent and friendly on rye bread, with some mayonnaise." -- Cartman
>>
>>
>> -------------------------------------------------------
>> This SF.Net email sponsored by Black Hat Briefings & Training.
>> Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital 
>> self defense, top technical experts, no vendor pitches, unmatched 
>> networking opportunities. Visit www.blackhat.com
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------