[Snort-sigs] BitTorrent Signature updates

Chich Thierry thierry.chich at ...2579...
Fri Jul 9 07:16:10 EDT 2004


Matthew Jonkman wrote:

> We can exclude a range of ports that are contiguous, just not a bunch 
> of individual ports, or a range and a separate port.
>
> What I understood about the bt protocol the clients connect to a 
> server on ports in the range in the rule below though. But what I read 
> certainly wasn't authoritative. Are you seeing different in practice?
>
Indeed.  For instance:
#0-(2-35384)   P2P BitTorrent probable 2          2004-07-09 15:58:46   172.30.92.175:4148   81.185.73.110:23458   TCP
#7-(2-35377)   [snort] P2P BitTorrent transfer    2004-07-09 15:58:00   172.30.92.175:4353   81.53.98.22:1804      TCP
#8-(2-35376)   [snort] P2P BitTorrent transfer    2004-07-09 15:57:59   172.30.92.175:4349   82.254.233.70:31832   TCP
#22-(2-35362)  P2P BitTorrent probable            2004-07-09 15:54:09   172.30.92.175:3966   82.65.67.25:7500      TCP

P2P are not very respectful of conventions.

Thierry
PS: "P2P BitTorrent probable" is the same rule as "BLEEDING-EDGE P2P 
BitTorrent peer sync".
"P2P BitTorrent probable 2" is a new rule I can submit, if it is of 
interest.

> I see the change in the rule below was a different depth. I'll update 
> the bleeding edge rule with that too.

Yes. The first 6 octets must be "0000000d0600", and only those.

>
>
> Matt
>
> Chich Thierry wrote:
>
>> Nigel Houghton wrote:
>>
>>> On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
>>>  
>>>
>>>> I've updated Chich Thierry's BitTorrent rules a bit. I've seen and 
>>>> had a number of falses reported, especially in backup streams from 
>>>> things like veritas, etc.
>>>>
>>>> I've added port ranges to them.
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE 
>>>> P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; 
>>>> depth:12; flags:PA; classtype:policy-violation; sid:2000334; rev:2;)
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 
>>>> (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; 
>>>> content:"|0000000d0600|"; offset:0; depth:12; flags:PA; 
>>>> classtype:policy-violation; sid:2000357; rev:1;)
>>>>
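Two points in this thread can be made concrete in code: what the `offset:0; depth:12` window in the quoted rules actually accepts for a 6-byte pattern, and why a rule restricted to 6969 / 6881:6999 never sees the flows Thierry pasted. The following is an added example, not code from the thread or from the Bleeding Edge rules; it uses a simplified model of Snort's content matching (assumption: the pattern must lie entirely inside `payload[offset:offset+depth]`) and constructed peer-wire payloads, with only the destination ports taken from the alerts above.

```python
"""Added example, not from the Snort-sigs thread or the Bleeding Edge rules.

A small model of two things the thread argues about:
  * Snort's content/offset/depth window: does the 6-byte pattern
    |0000000d0600| have to sit at the very start of the payload, or
    anywhere in the first 12 bytes?
  * the port filter 6881:6999 / 6969: the flows Thierry lists use
    destination ports nowhere near that range.
Match semantics are a simplification (assumption: the pattern must lie
entirely within payload[offset:offset+depth]); payloads are constructed.
"""
import struct
from typing import List, Optional

# The bytes the quoted rules look for: message length 13, message id 6.
# In the BitTorrent peer-wire protocol that is a 'request' message
# (id 6 = request; 13 = 1 id byte + index/begin/length of 4 bytes each).
BT_PEER_SYNC = bytes.fromhex("0000000d0600")


def content_matches(payload: bytes, pattern: bytes,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort-style content match: the pattern must fit entirely inside the
    window payload[offset:offset+depth] (no depth = to end of payload)."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end) != -1


def port_in_spec(port: int, spec: str) -> bool:
    """Interpret a Snort port field: 'any', a single port, or 'lo:hi'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_fires(dst_port: int, payload: bytes, port_spec: str, depth: int) -> bool:
    """Both halves of the quoted rules: destination port AND content."""
    return port_in_spec(dst_port, port_spec) and content_matches(payload, BT_PEER_SYNC, 0, depth)


def bt_request(index: int, begin: int, length: int) -> bytes:
    """Build a constructed peer-wire 'request' message (length prefix, id 6)."""
    return struct.pack(">IBIII", 13, 6, index, begin, length)


# Constructed payloads (first bytes noted in the comments).
REQUEST_PIECE0 = bt_request(0, 0, 16384)                                # 0000000d0600...
KEEPALIVE_THEN_REQUEST = b"\x00\x00\x00\x00" + REQUEST_PIECE0           # pattern at byte 4
TWO_KEEPALIVES_THEN_REQUEST = b"\x00\x00\x00\x00" * 2 + REQUEST_PIECE0  # pattern at byte 8

# Destination ports from the four alerts Thierry pasted in the thread.
OBSERVED_DST_PORTS = [23458, 1804, 31832, 7500]


def ports_missed_by(spec: str, ports: List[int]) -> List[int]:
    """Which observed destination ports a port-restricted rule never sees."""
    return [p for p in ports if not port_in_spec(p, spec)]


if __name__ == "__main__":
    for name, p in [("request at 0", REQUEST_PIECE0),
                    ("keep-alive + request", KEEPALIVE_THEN_REQUEST),
                    ("2 keep-alives + request", TWO_KEEPALIVES_THEN_REQUEST)]:
        print(f"{name:26s} depth:12 -> {content_matches(p, BT_PEER_SYNC, 0, 12)}"
              f"  depth:6 -> {content_matches(p, BT_PEER_SYNC, 0, 6)}")
    print("ports 6881:6999 would miss:", ports_missed_by("6881:6999", OBSERVED_DST_PORTS))
```

With `depth:12` the 6-byte pattern is also accepted four bytes into the payload (for example after a 4-byte keep-alive), which is broader than "the first 6 octets and only those"; a depth equal to the pattern length pins it to the start. The port check shows the other disagreement directly: all four destination ports in the pasted alerts fall outside 6881:6999, so the port-restricted variant would not have produced them.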