[Snort-sigs] BitTorrent Signature updates

Matthew Jonkman matt at ...2436...
Fri Jul 9 07:45:16 EDT 2004

Here's what we have now then:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:6; flow:established; classtype:policy-violation; reference:url,bitconjurer.org/BitTorrent/protocol.html; sid:2000334; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P BitTorrent Traffic"; content:"|0000400907000000|"; offset:0; depth:8; flow:established; classtype:policy-violation; sid:2000357; rev:1;)

These should be good.

Thanks Chich for your work on this.
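As an added illustration (not part of this thread or of the bleeding-edge ruleset), the Python below reproduces what the two rules test: each anchors a byte string at payload offset 0, and both strings are the start of a BitTorrent peer-wire message (4-byte big-endian length, 1-byte message id). The message builders and sample payloads are constructed here to show which messages fire each sid and which do not.

```python
import struct

# The two rules above anchor a byte string at payload offset 0 (offset:0; depth:N).
# Both strings are the first bytes of a BitTorrent peer-wire message:
#   <4-byte big-endian length><1-byte message id><payload>
# 0000000d 06 00...  -> length 13, id 6 (request), piece index whose top byte is 0x00
# 00004009 07 000000 -> length 16393 (= 9 + 16384-byte block), id 7 (piece), index < 2^24
RULES = [
    (2000334, "BLEEDING-EDGE P2P BitTorrent peer sync", bytes.fromhex("0000000d0600")),
    (2000357, "BLEEDING-EDGE P2P BitTorrent Traffic", bytes.fromhex("0000400907000000")),
]

MSG_NAMES = {6: "request", 7: "piece"}


def match_rules(payload: bytes) -> list:
    """Return the sids whose content matches, mirroring offset:0 and depth:len(content)."""
    return [sid for sid, _msg, prefix in RULES if payload[: len(prefix)] == prefix]


def decode_peer_message(payload: bytes):
    """Parse the length prefix and message id so a hit can be explained (None if too short)."""
    if len(payload) < 5:
        return None
    length, msg_id = struct.unpack("!IB", payload[:5])
    return {"length": length, "id": msg_id, "name": MSG_NAMES.get(msg_id, "other")}


def build_request(index: int, begin: int, length: int) -> bytes:
    """Constructed 'request' message: length prefix 13 = id + three 4-byte integers."""
    return struct.pack("!IBIII", 13, 6, index, begin, length)


def build_piece(index: int, begin: int, block: bytes) -> bytes:
    """Constructed 'piece' message: length prefix = 9 + block size."""
    return struct.pack("!IBII", 9 + len(block), 7, index, begin) + block


if __name__ == "__main__":
    # Constructed samples: a request for a 16 KiB block, the matching piece reply,
    # an 8 KiB piece (length 0x2009, so sid 2000357 stays silent) and a handshake.
    for sample in (build_request(0, 0, 16384), build_piece(0, 0, b"\x00" * 16384),
                   build_piece(0, 0, b"\x00" * 8192), b"\x13BitTorrent protocol"):
        print(sample[:8].hex(), decode_peer_message(sample), match_rules(sample))
```

Note that neither rule looks at ports, which is the point of Thierry's observation below; what limits them is the content itself: sid 2000357 only fires on piece messages carrying exactly a 16384-byte block, and both assume piece indexes below 2^24.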


Chich Thierry wrote:

> Matthew Jonkman wrote:
>> We can exclude a range of ports that are contiguous, just not a bunch 
>> of individual ports, or a range and a separate port.
>> What I understood about the bt protocol the clients connect to a 
>> server on ports in the range in the rule below though. But what I read 
>> certainly wasn't authoritative. Are you seeing different in practice?
> Indeed.  For instance:
> #0-(2-35384)   P2P BitTorrent probable 2        2004-07-09 15:58:46   TCP
> #7-(2-35377)   [snort] P2P BitTorrent transfer  2004-07-09 15:58:00   TCP
> #8-(2-35376)   [snort] P2P BitTorrent transfer  2004-07-09 15:57:59   TCP
> #22-(2-35362)  P2P BitTorrent probable          2004-07-09 15:54:09   TCP
> P2P are not very respectful of conventions.
> Thierry
> PS: "P2P BitTorrent probable" is the same rule as "BLEEDING-EDGE P2P 
> BitTorrent peer sync".
> "P2P BitTorrent probable 2" is a new rule I can submit, if it is of 
> interest.
