[Snort-sigs] Could someone test a rule for me please?

Joel Esler (jesler) jesler at ...3865...
Wed Jul 9 16:23:40 EDT 2014

Could it be a checksum issue?

On Jul 9, 2014, at 4:09 PM, Charlie Egan <chas5873 at ...2420...<mailto:chas5873 at ...2420...>> wrote:

Hi guys,

I've had a friend test my initial rule (the one in the first post), and unfortunately it's not providing him with any alerts (unless he's done something wrong!). I know there's the rule that you posted Joel, and after doing some googling, I've realised it's been in the community rule set for about ten years!

I'm curious to know however why my initial rule isn't working, since I included the search for the content BitTorrent protocol paired with |0000 0000| - I'm a bit confused because looking at my Wireshark image I uploaded to tinypic in one of the above posts, that made me assume it would work.

I'd really appreciate if someone could explain what was wrong with my rule as I'm currently doing a fairly important project and need to understand this to be honest!

Cheers guys,


On Mon, Jul 7, 2014 at 1:39 PM, Charlie Egan <chas5873 at ...2420...<mailto:chas5873 at ...2420...>> wrote:
Ah that makes sense now! Cheers for that Joel, appreciate it.

On Mon, Jul 7, 2014 at 1:37 PM, Joel Esler (jesler) <jesler at ...3865...<mailto:jesler at ...3865...>> wrote:
|13| means “look for 13, in hex (as opposed to ascii)”  In Bitorrent, this is the Protocol Name Length field.  Which is always set to 19. (|13| in hex).  Then "protocol name" = “BitTorrent Protocol”.

Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jul 7, 2014, at 6:43 AM, Charlie Egan <chas5873 at ...2420...<mailto:chas5873 at ...2420...>> wrote:

Sorry to be a pain guys, could somebody get back to me regarding my last query?



On Thu, Jul 3, 2014 at 11:39 AM, Charlie Egan <chas5873 at ...2420...<mailto:chas5873 at ...2420...>> wrote:
No worries Nathan!

Joel, I'm curious to what the |13| means in the content section? I can't figure it out when looking at the stream content image I uploaded above from Wireshark.

Your rule looks a lot better than mine, with the extra depth which I've just read up about, so thanks for that.

Out of curiousity though, would my initial rule have worked without giving out any false positives?


On Wed, Jul 2, 2014 at 7:17 PM, lists at ...3397...<mailto:lists at ...3397...> <lists at ...3397...<mailto:lists at ...3397...>> wrote:
On 07/02/2014 12:56 PM, Joel Esler (jesler) wrote:
> I think Nathan may have missed the “BitTorrent protocol” part.

Without a doubt, I completely missed it.  I profusely apologize Charlie.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140709/7efdfc5a/attachment.html>

More information about the Snort-sigs mailing list