[Snort-sigs] new rule

Chukhaltsetseg Shijirbaatar sh_chukha at ...144...
Sat Apr 27 05:50:42 EDT 2013


# to detect torrent metafile download
# (the metafile bytes arrive in the server's reply, so match traffic going to the client)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P torrent metafile download"; \
    flow:to_client,established; content:"|64 38 3a|announce"; classtype:policy-violation; \
    sid:1100011; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent handshake"; \
    flow:to_server,established; content:"BitTorrent protocol|0000 0000|"; \
    classtype:policy-violation; sid:1100012; rev:1;)
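
Added example, not part of the original post: a Python check of the two content options above against constructed payloads, showing which bytes they match and where coverage stops. The helper names, tracker.example and all sample values are assumptions made for illustration.

```python
import hashlib

# Content options copied from the two rules in the post.
METAFILE_CONTENT = "|64 38 3a|announce"
HANDSHAKE_CONTENT = "BitTorrent protocol|0000 0000|"

def snort_content_to_bytes(content):
    """Decode a Snort content string: literal text with |hex| runs between pipes.
    Backslash escapes are not handled; the two rules here do not use them."""
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        # Even pieces are literal text, odd pieces are hex (whitespace ignored).
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_matches(content, payload):
    """Unanchored match, as with a content option that has no offset/depth."""
    return snort_content_to_bytes(content) in payload

def bencode(value):
    """Minimal bencoder (ints, bytes, dicts with sorted keys) for sample data."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    items = b"".join(bencode(k) + bencode(value[k]) for k in sorted(value))
    return b"d" + items + b"e"

# Constructed samples, not captured traffic.
DIGEST = hashlib.sha1(b"constructed").digest()
INFO = {b"length": 1, b"name": b"sample.iso", b"piece length": 262144, b"pieces": DIGEST}
WITH_TRACKER = bencode({b"announce": b"http://tracker.example/announce", b"info": INFO})
NO_TRACKER = bencode({b"info": INFO})  # metafile without an announce key
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-bittorrent\r\n\r\n" + WITH_TRACKER

def handshake(reserved):
    """pstrlen, pstr, 8 reserved bytes, 20-byte info hash, 20-byte peer id."""
    return b"\x13BitTorrent protocol" + reserved + DIGEST + b"-XX0000-" + b"0" * 12

def coverage():
    """Which constructed payloads each content option matches."""
    return {
        "metafile in HTTP response": content_matches(METAFILE_CONTENT, HTTP_RESPONSE),
        "metafile without announce key": content_matches(METAFILE_CONTENT, NO_TRACKER),
        "handshake, reserved all zero": content_matches(HANDSHAKE_CONTENT, handshake(bytes(8))),
        "handshake, extension bits in bytes 5-7": content_matches(
            HANDSHAKE_CONTENT, handshake(bytes.fromhex("0000000000100005"))),
    }
```

The metafile content only matches when `announce` is the first dictionary key, and the handshake content covers the first four of the eight reserved bytes.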