[Snort-sigs] new rule

Joel Esler jesler at ...435...
Mon Apr 29 10:52:08 EDT 2013

On Apr 27, 2013, at 5:50 AM, Chukhaltsetseg Shijirbaatar <sh_chukha at ...3802.....> wrote:

> # to detect torrent metafile download
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "P2P torrent metafile download";
> content:"|64 38 3a|announce"; flow:established; classtype:policy-violation; sid:1100011; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent handshake";
> flow:to_server,established; content:"BitTorrent protocol|0000 0000|"; classtype:policy-violation;
> sid:1100012; rev:1;)

You may want to look into sids: 2180 and 2181.  These sids are freely available in both the registered ruleset and the community ruleset here:

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130429/e1e8c32d/attachment.html>

More information about the Snort-sigs mailing list