[Snort-sigs] Could someone test a rule for me please?
chas5873 at ...2420...
Wed Jul 2 13:20:19 EDT 2014
I'm trying to test out a rule, however I can't test it out since the only
computer that I have access to Snort on is at my University campus. The
rule is to detect the BitTorrent P2P handshake, and unfortunately the P2P
ports on the campus are blocked so I have no way of testing it - torrents
just get stuck on the 'connecting to peers' stage. My laptops broken as of
a couple of weeks ago and I unfortunately can't test it out anywhere else.
The rule is;
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent
handshake"; flow:to_server,established; content:"BitTorrent protocol|0000
0000|"; classtype:policy-violation; sid:1000006; rev:1;)
Here's a link to an ubuntu torrent (just so it's all kept legal) if you
need a torrent to test it with;
It would be much appreciated if someone could help me out with this, as I'm
working on a University project and this is a key element to it. If Snort
doesn't detect the rule, possibly the |0000 0000| section should be changed
to |00000000|? I'm still fairly new to snort and I'm trying to get my head
around analyzing the packets in Wireshark, but I'm fairly confident that
this rule should work.
If it does, a print screen of the alert would be greatly appreciated - it
really would help me out a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs