[Snort-sigs] BitTorrent Signature updates
thierry.chich at ...2579...
Fri Jul 9 07:16:10 EDT 2004
Matthew Jonkman wrote:
> We can exclude a range of ports that are contiguous, just not a bunch
> of individual ports, or a range and a separate port.
> What I understood about the bt protocol the clients connect to a
> server on ports in the range in the rule below though. But what I read
> certainly wasn't authoritative. Are you seeing different in practice?
Indeed. For instance:
#0-(2-35384) P2P BitTorrent probable 2 2004-07-09 15:58:46
172.30.92.175:4148 22.214.171.124:23458 TCP
#7-(2-35377) [snort] P2P BitTorrent transfer 2004-07-09 15:58:00
172.30.92.175:4353 126.96.36.199:1804 TCP
#8-(2-35376) [snort] P2P BitTorrent transfer 2004-07-09 15:57:59
172.30.92.175:4349 188.8.131.52:31832 TCP
#22-(2-35362) P2P BitTorrent probable 2004-07-09 15:54:09
172.30.92.175:3966 184.108.40.206:7500 TCP
P2P is not very respectful of conventions.
PS: "P2P BitTorrent probable" is the same rule as "BLEEDING-EDGE P2P
BitTorrent peer sync".
"P2P BitTorrent probable 2" is a new rule I can submit, if it is of
> I see the change in the rule below was a different depth. I'll update
> the bleeding edge rule with that too.
Yes. The first 6 octets must be "0000000d0600", and only them.
> Chich Thierry wrote:
>> Nigel Houghton wrote:
>>> On 0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
>>>> I've updated Chich Thierry's BitTorrent rules a bit. I've seen and
>>>> had a number of falses reported, especially in backup streams from
>>>> things like Veritas, etc.
>>>> I've added port ranges to them.
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE
>>>> P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0;
>>>> depth:12; flags:PA; classtype:policy-violation; sid:2000334; rev:2;)
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999
>>>> (msg:"BLEEDING-EDGE P2P BitTorrent peer sync";
>>>> content:"|0000000d0600|"; offset:0; depth:12; flags:PA;
>>>> classtype:policy-violation; sid:2000357; rev:1;)
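As an added example (not code from this thread or the bleeding-edge ruleset), a short Python script that parses the four alert records quoted above, lists the destination ports that the 6969 / 6881:6999 port restriction in the rules would not cover, and emulates the rule's content/offset/depth match against a constructed BitTorrent request message. The regular expression for the alert layout and the sample payload are assumptions.

```python
import re

# Constructed sample input: the four alert records quoted in the thread, one per line.
ALERTS = """\
#0-(2-35384) P2P BitTorrent probable 2 2004-07-09 15:58:46 172.30.92.175:4148 22.214.171.124:23458 TCP
#7-(2-35377) [snort] P2P BitTorrent transfer 2004-07-09 15:58:00 172.30.92.175:4353 126.96.36.199:1804 TCP
#8-(2-35376) [snort] P2P BitTorrent transfer 2004-07-09 15:57:59 172.30.92.175:4349 188.8.131.52:31832 TCP
#22-(2-35362) P2P BitTorrent probable 2004-07-09 15:54:09 172.30.92.175:3966 184.108.40.206:7500 TCP
"""

# Assumed layout of the alert records: id, optional [snort] tag, message, timestamp, src:port dst:port proto.
ALERT_RE = re.compile(
    r"^#\d+-\(\d+-\d+\)\s+(?:\[snort\]\s+)?(?P<msg>.+?)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Destination ports the two bleeding-edge rules are limited to: 6969 and 6881:6999.
RULE_PORTS = [(6969, 6969), (6881, 6999)]


def in_rule_ports(port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in RULE_PORTS)


def parse_alerts(text: str) -> list:
    """Parse alert records into dicts; lines that do not fit the layout are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out


def missed_by_port_rules(text: str) -> list:
    """Destination ports of observed alerts that the port-restricted rules would not cover."""
    return [r["dport"] for r in parse_alerts(text) if not in_rule_ports(r["dport"])]


# Emulation of content:"|0000000d0600|"; offset:0; depth:N --
# the pattern must lie entirely inside payload[offset:offset+depth].
BT_REQUEST_PREFIX = bytes.fromhex("0000000d0600")


def content_match(payload: bytes, offset: int = 0, depth: int = 12) -> bool:
    return BT_REQUEST_PREFIX in payload[offset:offset + depth]


# Constructed payload: a BitTorrent "request" message (length 13, id 6, index 1, begin 0, length 16384).
REQUEST_MSG = bytes.fromhex("0000000d06" "00000001" "00000000" "00004000")
```

With a 6-byte content and depth:12 the match may begin as late as byte 6 of the payload; depth:6 is what pins it to the first six octets only, as the reply above intends.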