[Snort-sigs] Could someone test a rule for me please?

Jamie Riden jamie.riden at ...2420...
Wed Jul 9 16:25:20 EDT 2014


On 2 July 2014 18:20, Charlie Egan <chas5873 at ...2420...> wrote:
> Hi guys,
>
> I'm trying to test out a rule, however I can't test it out since the only
> computer that I have access to Snort on is at my University campus. The rule
> is to detect the BitTorrent P2P handshake, and unfortunately the P2P ports
> on the campus are blocked so I have no way of testing it - torrents just get
> stuck on the 'connecting to peers' stage. My laptop's broken as of a couple
> of weeks ago and I unfortunately can't test it out anywhere else.
>
> The rule is;
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent handshake"; flow:to_server,established; content:"BitTorrent protocol|0000 0000|"; classtype:policy-violation; sid:1000006; rev:1;)

Looks like

|13|BitTorrent protocol|0000000000000000|

should match to me, given the spec. I don't have time to do a pcap
test right now, I'm sorry - maybe in an hour or two.

"pstrlen: string length of <pstr>, as a single raw byte
pstr: string identifier of the protocol
reserved: eight (8) reserved bytes. All current implementations use
all zeroes. Each bit in these bytes can be used to change the behavior
of the protocol. An email from Bram suggests that trailing bits should
be used first, so that leading bits may be used to change the meaning
of trailing bits.
info_hash: 20-byte SHA1 hash of the info key in the metainfo file.
This is the same info_hash that is transmitted in tracker requests.
peer_id: 20-byte string used as a unique ID for the client. This is
usually the same peer_id that is transmitted in tracker requests (but
not always e.g. an anonymity option in Azureus).

In version 1.0 of the BitTorrent protocol, pstrlen = 19, and pstr =
"BitTorrent protocol"."

-- 
Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
http://uk.linkedin.com/in/jamieriden
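As an added example (not code from this thread or from Snort), the script below builds a v1.0 handshake from the quoted spec using constructed info_hash and peer_id values, decodes the Snort content syntax of the posted rule and of the full handshake pattern above, and checks both against the payload, so the rule can be sanity-checked without a working torrent client. It also builds a handshake with one trailing reserved bit set, as the quoted spec anticipates, to show which of the two patterns still matches; the reserved value and the pattern decoder are assumptions, not Snort's own matcher.

```python
import hashlib

PSTR = b"BitTorrent protocol"          # v1.0: pstrlen = 19, pstr as below
# Constructed sample values (not taken from the thread): 20 bytes each.
INFO_HASH = hashlib.sha1(b"constructed metainfo").digest()
PEER_ID = b"-XX0001-" + b"0" * 12
# Content patterns: the posted rule's, and the full handshake from the reply.
RULE_CONTENT = "BitTorrent protocol|0000 0000|"
FULL_CONTENT = "|13|BitTorrent protocol|0000000000000000|"


def build_handshake(info_hash: bytes, peer_id: bytes, reserved: bytes = bytes(8)) -> bytes:
    """pstrlen (1 byte) + pstr + 8 reserved bytes + info_hash + peer_id = 68 bytes."""
    if len(info_hash) != 20 or len(peer_id) != 20 or len(reserved) != 8:
        raise ValueError("info_hash and peer_id must be 20 bytes, reserved 8 bytes")
    return bytes([len(PSTR)]) + PSTR + reserved + info_hash + peer_id


def parse_handshake(data: bytes) -> dict:
    """Split a handshake into its fields per the quoted spec; raises on short input."""
    pstrlen = data[0]
    off = 1 + pstrlen
    if len(data) < off + 48:
        raise ValueError("truncated handshake")
    return {
        "pstrlen": pstrlen,
        "pstr": data[1:off],
        "reserved": data[off:off + 8],
        "info_hash": data[off + 8:off + 28],
        "peer_id": data[off + 28:off + 48],
    }


def snort_content_to_bytes(content: str) -> bytes:
    """Decode Snort content syntax: text outside |...| is literal, inside is hex
    (spaces between hex bytes ignored). Escapes are not handled (assumption)."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def rule_matches(content: str, payload: bytes) -> bool:
    """True if the decoded content pattern occurs anywhere in the payload."""
    return snort_content_to_bytes(content) in payload


if __name__ == "__main__":
    hs = build_handshake(INFO_HASH, PEER_ID)
    print(parse_handshake(hs)["pstr"], rule_matches(RULE_CONTENT, hs), rule_matches(FULL_CONTENT, hs))
    # Constructed: only the last reserved bit set, as the spec says trailing bits go first.
    hs_ext = build_handshake(INFO_HASH, PEER_ID, reserved=bytes(7) + b"\x01")
    print(rule_matches(RULE_CONTENT, hs_ext), rule_matches(FULL_CONTENT, hs_ext))
```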