[Snort-sigs] BIttorrent Signature updates

Matthew Jonkman matt at ...2436...
Fri Jul 9 07:22:03 EDT 2004


Ya, please do submit the second one.

I'll move them both to your rules since the port exclusions aren't going 
to be useful.

Thanks

Matt

Chich Thierry wrote:

> Matthew Jonkman wrote:
> 
>> We can exclude a range of ports that are contiguous, just not a bunch 
>> of individual ports, or a range and a separate port.
>>
>> What I understood about the bt protocol the clients connect to a 
>> server on ports in the range in the rule below though. But what I read 
>> certainly wasn't authoritative. Are you seeing different in practice?
>>
> Indeed.  For instance:
> #0-(2-35384) P2P BitTorrent probable 2 2004-07-09 15:58:46 172.30.92.175:4148 81.185.73.110:23458 TCP
> #7-(2-35377) [snort] P2P BitTorrent transfer 2004-07-09 15:58:00 172.30.92.175:4353 81.53.98.22:1804 TCP
> #8-(2-35376) [snort] P2P BitTorrent transfer 2004-07-09 15:57:59 172.30.92.175:4349 82.254.233.70:31832 TCP
> #22-(2-35362) P2P BitTorrent probable 2004-07-09 15:54:09 172.30.92.175:3966 82.65.67.25:7500 TCP
> 
> 
> P2P are not very respectful of conventions.
> 
> Thierry
> PS: "P2P BitTorrent probable" is the same rule as "BLEEDING-EDGE P2P 
> BitTorrent peer sync".
> "P2P BitTorrent probable 2" is a new rule I can submit, if it is of 
> interest.
> 
>> I see the change in the rule below was a different depth. I'll update 
>> the bleeding edge rule with that too.
> 
> 
> Yes. The first 6 octets must be "0000000d0600", and only them.
> 
>>
>>
>> Matt
>>
>> Chich Thierry wrote:
>>
>>> Nigel Houghton wrote:
>>>
>>>> On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
>>>>  
>>>>
>>>>> I've updated Chich Thierry's BitTorrent rules a bit. I've seen and 
>>>>> had a number of false positives reported, especially in backup streams from 
>>>>> things like Veritas, etc.
>>>>>
>>>>> I've added port ranges to them.
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE 
>>>>> P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; 
>>>>> depth:12; flags:PA; classtype:policy-violation; sid:2000334; rev:2;)
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 
>>>>> (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; 
>>>>> content:"|0000000d0600|"; offset:0; depth:12; flags:PA; 
>>>>> classtype:policy-violation; sid:2000357; rev:1;)
>>>>>
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
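As an added illustration of the two points argued in the thread (this is not code from the list or from the Bleeding Edge project): a small Python model of Snort's content/offset/depth window and of a single-range port spec, run over the four alert lines Thierry posted. It shows that neither `6969` nor `6881:6999` would have caught any of those destination ports, and that `depth:12` lets the 6-byte pattern match a few bytes into the payload while `depth:6` pins it to the first six octets. The alert regex and the sample payloads are my own constructions.

```python
import re
from typing import Optional

# Snort semantics: `content` must occur somewhere inside
# payload[offset : offset + depth]. With a 6-byte content, depth:6 means
# "exactly the first six octets"; depth:12 allows up to 6 bytes of slack.
def snort_content_match(payload: bytes, content: bytes, offset: int = 0,
                        depth: Optional[int] = None) -> bool:
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window

# Byte pattern used by the rules quoted in the thread.
BT_PATTERN = bytes.fromhex("0000000d0600")

def port_in_spec(port: int, spec: str) -> bool:
    """Snort port spec as discussed: 'any', one port, or one contiguous low:high range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

# Parser for Thierry's alert listing, one alert per line (constructed regex).
ALERT_RE = re.compile(
    r"#\d+-\(\d+-\d+\)\s+(?P<msg>.+?)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+TCP")

ALERTS = """\
#0-(2-35384) P2P BitTorrent probable 2 2004-07-09 15:58:46 172.30.92.175:4148 81.185.73.110:23458 TCP
#7-(2-35377) [snort] P2P BitTorrent transfer 2004-07-09 15:58:00 172.30.92.175:4353 81.53.98.22:1804 TCP
#8-(2-35376) [snort] P2P BitTorrent transfer 2004-07-09 15:57:59 172.30.92.175:4349 82.254.233.70:31832 TCP
#22-(2-35362) P2P BitTorrent probable 2004-07-09 15:54:09 172.30.92.175:3966 82.65.67.25:7500 TCP
"""

def dst_ports(alert_text: str = ALERTS) -> list:
    return [int(m.group("dport")) for m in ALERT_RE.finditer(alert_text)]

def ports_still_matched(spec: str, alert_text: str = ALERTS) -> list:
    """Destination ports from the listing that a rule with this port spec would still see."""
    return [p for p in dst_ports(alert_text) if port_in_spec(p, spec)]

if __name__ == "__main__":
    for spec in ("6969", "6881:6999", "any"):
        print(f"dest port spec {spec:>9}: matches {ports_still_matched(spec)}")
    head = BT_PATTERN + bytes(6)                            # constructed: pattern at offset 0
    shifted = b"\x00\x00\x00\x01" + BT_PATTERN + bytes(2)   # constructed: pattern at offset 4
    for name, p in (("head", head), ("shifted", shifted)):
        print(name, "depth:12 ->", snort_content_match(p, BT_PATTERN, 0, 12),
              "depth:6 ->", snort_content_match(p, BT_PATTERN, 0, 6))
```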

