[Snort-sigs] BitTorrent Signature updates

Matthew Jonkman matt at ...2436...
Fri Jul 9 07:45:16 EDT 2004


Here's what we have now then:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:6; flow:established; classtype:policy-violation; reference:url,bitconjurer.org/BitTorrent/protocol.html; sid:2000334; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P BitTorrent Traffic"; reference:url,bitconjurer.org/BitTorrent/protocol.html; content:"|0000400907000000|"; offset:0; depth:8; flow:established; classtype:policy-violation; sid:2000357; rev:1;)


These should be good.

Thanks Chich for your work on this.

Matt

Chich Thierry wrote:

> Matthew Jonkman wrote:
> 
>> We can exclude a range of ports that are contiguous, just not a bunch 
>> of individual ports, or a range and a separate port.
>>
>> What I understood about the bt protocol is that the clients connect to a 
>> server on ports in the range in the rule below, though. But what I read 
>> certainly wasn't authoritative. Are you seeing different in practice?
>>
> Indeed.  For instance:
> #0-(2-35384)   P2P BitTorrent probable 2         2004-07-09 15:58:46   172.30.92.175:4148   81.185.73.110:23458   TCP
> #7-(2-35377)   [snort] P2P BitTorrent transfer   2004-07-09 15:58:00   172.30.92.175:4353   81.53.98.22:1804      TCP
> #8-(2-35376)   [snort] P2P BitTorrent transfer   2004-07-09 15:57:59   172.30.92.175:4349   82.254.233.70:31832   TCP
> #22-(2-35362)  P2P BitTorrent probable           2004-07-09 15:54:09   172.30.92.175:3966   82.65.67.25:7500      TCP
> 
> 
> P2P clients are not very respectful of conventions.
> 
> Thierry
> PS: "P2P BitTorrent probable" is the same rule as "BLEEDING-EDGE P2P 
> BitTorrent peer sync".
> "P2P BitTorrent probable 2" is a new rule I can submit, if it is of 
> interest.
> 
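Both signatures key on the first bytes of the TCP payload rather than on port numbers, which is the point the quoted alert log makes. As an added example that is not part of the thread, the Python below parses the content/offset/depth from the two rules and applies them to constructed peer-wire messages; the reading that |0000000d0600| is a "request" message (length 13, id 6) and |0000400907000000| a "piece" message carrying a 16 KiB block follows the standard BitTorrent peer-wire layout and is my assumption, not something the thread states.

```python
import re
import struct

# The two rules from the thread, each on one line.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; '
    'content:"|0000000d0600|"; offset:0; depth:6; flow:established; classtype:policy-violation; '
    'reference:url,bitconjurer.org/BitTorrent/protocol.html; sid:2000334; rev:5;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P BitTorrent Traffic"; '
    'reference:url,bitconjurer.org/BitTorrent/protocol.html; content:"|0000400907000000|"; '
    'offset:0; depth:8; flow:established; classtype:policy-violation; sid:2000357; rev:1;)',
]


def parse_rule(rule):
    """Pull msg, sid and the single hex content match plus its offset/depth."""
    msg = re.search(r'msg:"([^"]*)"', rule).group(1)
    sid = int(re.search(r'sid:(\d+)', rule).group(1))
    content = bytes.fromhex(re.search(r'content:"\|([0-9a-fA-F]+)\|"', rule).group(1))
    offset = int(re.search(r'offset:(\d+)', rule).group(1))
    depth = int(re.search(r'depth:(\d+)', rule).group(1))
    return {"msg": msg, "sid": sid, "content": content, "offset": offset, "depth": depth}


def content_matches(rule, payload):
    """Snort semantics: the pattern must fall inside payload[offset:offset+depth]."""
    window = payload[rule["offset"]:rule["offset"] + rule["depth"]]
    return rule["content"] in window


def match_payload(payload):
    """Return the sids of every rule whose content matches; ports play no part."""
    return [r["sid"] for r in (parse_rule(x) for x in RULES) if content_matches(r, payload)]


# Constructed peer-wire messages (assumed layout): <4-byte length><1-byte id><payload>.
def request_msg(index, begin=0, length=16384):
    # id 6 = request: index, begin, length -> 13 bytes after the length prefix
    return struct.pack(">IBIII", 13, 6, index, begin, length)


def piece_msg(index, begin=0, block=b"\x00" * 16384):
    # id 7 = piece: index, begin, block -> 9 + len(block) bytes after the prefix
    return struct.pack(">IBII", 9 + len(block), 7, index, begin) + block
```

Note that sid 2000334 only fires when the high byte of the piece index is zero and sid 2000357 only when the index is below 256 with a 16 KiB block, so large torrents and other block sizes slip past both content matches.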
