[Snort-sigs] new rule

Joel Esler jesler at ...435...
Fri May 24 15:32:14 EDT 2013


On May 24, 2013, at 2:51 PM, Chukhaltsetseg Shijirbaatar <sh_chukha at ...3802.....> wrote:

> Alert tcp $HOME_NET 1024:65534 -> $EXTERNAL_NET 1024:65534 (msg: "P2P Bittorrent handshake"; flow: to_server, established; content: "Bittorrent protocol"; offset:0; depth:19; classtype: policy-violation; priority: 1; sid: 2000504; rev:1; )

This wouldn't be new to the ruleset:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;)

has been in the ruleset now for about 10 years.  It's available for download in the community ruleset:  http://www.snort.org/snort-rules

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
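
Added example, not part of the original message or of Snort itself: a simplified Python model of the `content`/`offset`/`depth` options, run over a constructed BitTorrent handshake to show how the content match in each of the two rules above evaluates. The function names, the sample handshake bytes and the matching model (plain byte search inside the offset/depth window, case-sensitive unless `nocase`) are assumptions made for illustration.

```python
def parse_content(pattern: str) -> bytes:
    """Decode a Snort content string: literal text with |hex| sections."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                      # odd parts sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                          # even parts are literal text
            out += part.encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, pattern: str, offset: int = 0,
                  depth=None, nocase: bool = False) -> bool:
    """Simplified model: the whole pattern must lie inside the window
    payload[offset : offset + depth]; comparison is case-sensitive
    unless nocase is set."""
    needle = parse_content(pattern)
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        needle, window = needle.lower(), window.lower()
    return needle in window


def sample_handshake() -> bytes:
    """Constructed sample: 1-byte length (19), protocol string,
    8 reserved bytes, 20-byte info_hash, 20-byte peer_id."""
    return (bytes([19]) + b"BitTorrent protocol" + bytes(8)
            + b"\xaa" * 20 + b"-XX0000-" + b"0" * 12)


def evaluate(payload: bytes) -> dict:
    """Content options copied from the two rules in this thread."""
    return {
        "sid:2181": content_match(payload, "|13|BitTorrent protocol", depth=20),
        "sid:2000504": content_match(payload, "Bittorrent protocol",
                                     offset=0, depth=19),
    }


if __name__ == "__main__":
    for sid, hit in evaluate(sample_handshake()).items():
        print(sid, "matches" if hit else "does not match")
```

In this model the protocol string occupies payload bytes 1 through 19 after the length byte, so a 19-byte window starting at offset 0 ends one byte short of it regardless of case.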
