[Snort-sigs] Could someone test a rule for me please?

Charlie Egan chas5873 at ...2420...
Wed Jul 2 13:20:19 EDT 2014


Hi guys,

I'm trying to test out a rule, however I can't test it out since the only
computer that I have access to Snort on is at my University campus. The
rule is to detect the BitTorrent P2P handshake, and unfortunately the P2P
ports on the campus are blocked so I have no way of testing it - torrents
just get stuck on the 'connecting to peers' stage. My laptop's been broken for
a couple of weeks and I unfortunately can't test it out anywhere else.

The rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent handshake"; flow:to_server,established; content:"BitTorrent protocol|0000 0000|"; classtype:policy-violation; sid:1000006; rev:1;)

Here's a link to an Ubuntu torrent (just so it's all kept legal) if you
need a torrent to test it with:

http://releases.ubuntu.com/12.04/ubuntu-12.04.4-alternate-amd64.iso.torrent

It would be much appreciated if someone could help me out with this, as I'm
working on a University project and this is a key element to it. If Snort
doesn't detect the rule, possibly the |0000 0000| section should be changed
to |00000000|? I'm still fairly new to Snort and I'm trying to get my head
around analyzing the packets in Wireshark, but I'm fairly confident that
this rule should work.

If it does, a print screen of the alert would be greatly appreciated - it
really would help me out a lot.

Cheers guys

Charlie
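The following is an added example, not part of Charlie's post and not Snort's own code. It builds a BitTorrent peer handshake with the layout from BEP 3 (a length byte, the string "BitTorrent protocol", 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id), translates the rule's content: string into the raw bytes Snort would search for, and checks whether the pattern appears in the payload. It answers the |0000 0000| versus |00000000| question directly (Snort allows whitespace between hex bytes, so both forms decode to the same four zero bytes) and also shows the caveat a practitioner would want: the bytes after the protocol string are the reserved field, and clients that set extension bits there will not produce four leading zeros. The info_hash, peer_id and reserved values are constructed sample data; the helper names are this example's own.

```python
"""Check a Snort content: pattern against a constructed BitTorrent handshake."""

# Handshake layout (BEP 3): <pstrlen><pstr><reserved: 8 bytes><info_hash: 20><peer_id: 20>
PSTR = b"BitTorrent protocol"


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content: string into the bytes the engine searches for.

    Text outside |...| is literal; text inside is hex digits, with optional
    whitespace between bytes. Escaped pipes (\\|) are not handled here (assumption:
    the pattern under test does not use them).
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal text segment
        else:
            hexdigits = "".join(part.split())       # drop spaces between byte pairs
            if len(hexdigits) % 2 != 0:
                raise ValueError(f"odd number of hex digits in |{part}|")
            out += bytes.fromhex(hexdigits)
    return bytes(out)


def build_handshake(info_hash: bytes, peer_id: bytes, reserved: bytes = bytes(8)) -> bytes:
    """Build the 68-byte BitTorrent handshake that the initiating peer sends first."""
    if len(info_hash) != 20 or len(peer_id) != 20 or len(reserved) != 8:
        raise ValueError("info_hash and peer_id must be 20 bytes, reserved 8 bytes")
    return bytes([len(PSTR)]) + PSTR + reserved + info_hash + peer_id


def rule_matches(content: str, payload: bytes) -> bool:
    """True if the decoded content: pattern occurs anywhere in the payload."""
    return snort_content_to_bytes(content) in payload


# Constructed sample values (not from any real torrent or client).
SAMPLE_INFO_HASH = bytes(range(20))
SAMPLE_PEER_ID = b"-XX0001-" + b"0" * 12

RULE_CONTENT = "BitTorrent protocol|0000 0000|"
RULE_CONTENT_NO_SPACE = "BitTorrent protocol|00000000|"

# A client that sets the high bit of reserved[0] (an extension flag position)
# would defeat a pattern requiring four zero bytes right after the string.
RESERVED_EXT_BIT_IN_FIRST_BYTE = bytes([0x80]) + bytes(7)
# A client that only sets bits in reserved[5] or reserved[7] still matches.
RESERVED_EXT_BIT_IN_LATER_BYTE = bytes(5) + bytes([0x10]) + bytes(2)


if __name__ == "__main__":
    plain = build_handshake(SAMPLE_INFO_HASH, SAMPLE_PEER_ID)
    print("spaced and unspaced hex decode identically:",
          snort_content_to_bytes(RULE_CONTENT) == snort_content_to_bytes(RULE_CONTENT_NO_SPACE))
    print("matches handshake with all-zero reserved:", rule_matches(RULE_CONTENT, plain))
    print("matches when reserved[0] has a bit set:",
          rule_matches(RULE_CONTENT, build_handshake(SAMPLE_INFO_HASH, SAMPLE_PEER_ID,
                                                     RESERVED_EXT_BIT_IN_FIRST_BYTE)))
```

Running it shows the two spellings of the hex block are equivalent, that the rule fires on a handshake whose first four reserved bytes are zero, and that it stays silent when a peer sets a flag in the first reserved byte; matching on "BitTorrent protocol" alone, or anchoring on the leading 0x13 length byte with depth/offset, avoids that dependency on the reserved field.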