No subject

Thu Nov 23 16:34:03 EST 2017

the web (80, 8080 if you proxy, etc) you can see the name of the
torrent.  But I am not positive yet if you are able to get this
information during the actual download of the file (with the bittorrent
client).  And just watching www traffic might not be enough (for
instance, I'm wondering if one could name it something like
barnys-playground.torrent - but it actually contains info
HARDCORE-XXX.avi for the download by bittorrent)  ((that would be bad))

I will try to locate those posts you are speaking of, and also try to
get some decent packet captures this weekend (honestly, I hope it's
difficult to detect)   ;)


-----Original Message-----
From: Jukka Juslin [mailto:jtjuslin at ...1151...]
Sent: Friday, July 11, 2003 3:09 AM
To: Jacob Hurley
Cc: snort-sigs at
Subject: RE: [Snort-sigs] P2P Kazaa Traffic


What do you mean by "adding to the transfer downstream or upstream"? I
tried to understand from the BitTorrent documentation that you are
supposed to download the same file (or parts of it) from many hosts at
the same time? So it looks like, if you catch persons looking for the
.torrent file, you can see from the actual file he/she downloaded what
he/she is planning to do.

There are BitTorrent signatures already. If you search from the archives
with my name, you find the email where somebody was sending those to me.


On Thu, 10 Jul 2003, Jacob Hurley wrote:

->I am interested in how to create signatures for bittorrent as well,
but I will also need to grab some actual payloads for the 'content'
keywords.  I can add to the discussion by mentioning that it starts out
as standard web traffic when you choose to download the .torrent file.
Past that the bittorrent client takes over and uses ports 6881:6889 to
grab the file.  Also, while you are downloading the file, other 'peers'
downloading the file will attempt to connect to your machine (ports
6881:6889 as well) and add to your transfers downstream and upstream.
(with bittorrent, the more people grabbing the file - the better) It
really is a nifty tool to distribute files quickly.
->-----Original Message-----
->From: Wes Young [mailto:wyoung at ...1639...]
->Sent: Thursday, July 10, 2003 8:10 AM
->To: jtjuslin at ...1151...
->Cc: snort-sigs at
->Subject: Re: [Snort-sigs] P2P Kazaa Traffic
->I haven't looked into bit torrent yet, only used it a few times, no
packet captures.....even so, I don't think it authenticates, it just
spams the file out on a certain port. It turns your comp into a p2p
server, so all you need to do is look for incoming traffic on whatever
port it uses.
->Again, like I said, I haven't used it much. I will try to snag some
captures this weekend and post them. See if we can't find at least the
negotiation attempts when they connect. I hate it on my network, it's an
upstream hog. Great tool, but only good at night when everyone is
->>>> Jukka Juslin <jtjuslin at ...1151...> 07/10 2:39 AM >>>
->I think this would be a good idea! The KaZaa filter produces a lot of
->alerts otherwise.
->It is interesting to see from some KaZaa packet captures, what movies
->being downloaded (to verify). I can't do the same anymore with
->because it seems to be that the transfer is somehow encrypted. Am I
->On Wed, 9 Jul 2003, Wes Young wrote:
->->Will this just capture the login attempt??? or all kazaa Traffic?
->->If not, is there a way to just capture login attempts (to cut down
on logs)
->->Just curious, haven't looked to far into it. Thanks!
->->>>> Sam Evans <sam at ...219...> 07/09 1:18 PM >>>
->->It could, and I will work on that.  The thing we've noticed with the
->->is that it will capture the user's Kazaa name, as well as the
->->they are connected to.  Not sure if limiting to the first 64 bytes
->->will get all that, but I'll tinker with it.
->->On Wed, 9 Jul 2003, Chris Baker wrote:
->->> Hash: SHA1
->->> On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
->->> > Rule:
->->> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"P2P Kazaa";
->->> > content:"X-Kazaa"; flow:to_server;)
->->> >
->->> This kind of rule will usually be ignored by most users since it
->->> searches the full payload. Can this be tightened down a bit?
->->> within the first 64 bytes?
->->> -----BEGIN PGP SIGNATURE-----
->->> Version: GnuPG v1.2.2 (SunOS)
->->> iD8DBQE/DC9jbKHg1qAf3vIRAmL/AJoDERpVyVTaart98Y/L1CmRfP6aCwCg5eQa
->->> HQh2I5GZN94ElZVkMFTTerw=
->->> =4EmS
->->> -----END PGP SIGNATURE-----
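Two of the checks discussed in this thread, worked through as an added example that is not code from the thread or from the Snort project: first, Chris Baker's suggestion to only match "X-Kazaa" within the first 64 bytes of the client payload (what Snort's `depth:64` modifier on the `content` keyword does), shown beside the naive full-payload search so the difference is visible; second, Jacob's question about whether the name of a .torrent file seen in the HTTP download matches what the BitTorrent client will actually fetch. The .torrent metainfo is bencoded, and its `info.name` field names the content; the small decoder below pulls it out. All payloads, the tracker URL and the .torrent contents are constructed sample data, not real captures.

```python
# Added example, not code from the Snort-sigs thread. Two checks the thread
# discusses, run over constructed sample data so it runs offline.

from typing import Any, Tuple

# --- 1. Kazaa: match "X-Kazaa" only near the start of the client payload ----

KAZAA_MARKER = b"X-Kazaa"
DEPTH = 64  # same bound as Snort's `content:"X-Kazaa"; depth:64;`


def kazaa_in_prefix(payload: bytes, depth: int = DEPTH) -> bool:
    """True only if the whole marker lies inside the first `depth` bytes.

    Mirrors Snort's depth modifier: the pattern must fit within the first
    `depth` bytes of the payload, not merely start there.
    """
    idx = payload.find(KAZAA_MARKER)
    return idx >= 0 and idx + len(KAZAA_MARKER) <= depth


# Constructed samples (not real captures). The first is a Kazaa-style client
# request carrying the header early; the second is an ordinary HTTP response
# whose body merely mentions the string, which a full-payload search flags.
KAZAA_LOGIN = (
    b"GET /.files/abc HTTP/1.1\r\n"
    b"Host: 10.0.0.5:1214\r\n"
    b"X-Kazaa-Username: someone\r\n\r\n"
)
HTML_MENTION = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 40\r\n\r\n"
    b"<p>Search for X-Kazaa header in logs</p>"
)

# --- 2. BitTorrent: what the .torrent metainfo says will be downloaded ------


def bencode(obj: Any) -> bytes:
    """Minimal bencode encoder, used here only to build the sample file."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):  # keys must be sorted byte strings
        body = b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items()))
        return b"d" + body + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one bencoded value at `pos`; returns (value, next_pos).

    Truncated or malformed input raises ValueError instead of looping.
    """
    c = data[pos:pos + 1]
    if c == b"i":  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):  # list or dict: items until "e"
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    if c.isdigit():  # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        start = colon + 1
        length = int(data[pos:colon])
        return data[start:start + length], start + length
    raise ValueError("malformed bencode at offset %d" % pos)


def torrent_name(torrent: bytes) -> str:
    """Return info.name, the name the client will use for the downloaded data."""
    meta, _ = bdecode(torrent)
    return meta[b"info"][b"name"].decode("utf-8", "replace")


def _stem(filename: str) -> str:
    return filename.rsplit(".", 1)[0]


def compare_torrent_names(url_filename: str, torrent: bytes) -> Tuple[str, str, bool]:
    """(name seen in the HTTP URL, name inside the metainfo, whether they differ)."""
    inside = torrent_name(torrent)
    return _stem(url_filename), inside, _stem(url_filename) != _stem(inside)


# Constructed .torrent: the URL filename says one thing, info.name another.
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example/announce",  # hypothetical tracker
    b"info": {
        b"name": b"actual-content-name.avi",
        b"length": 1234,
        b"piece length": 16384,
        b"pieces": b"\x00" * 20,  # one fake 20-byte SHA-1 piece hash
    },
})

if __name__ == "__main__":
    print("Kazaa login, depth 64:", kazaa_in_prefix(KAZAA_LOGIN))    # True
    print("HTML mention, depth 64:", kazaa_in_prefix(HTML_MENTION))  # False
    print(compare_torrent_names("barnys-playground.torrent", SAMPLE_TORRENT))
```

The depth check is what keeps the Kazaa rule from firing on every web page that happens to contain the string; the second half shows why watching only the .torrent URL is not enough, since the content name lives inside the metainfo, so a sensor that wants the real name has to decode the downloaded file rather than trust the filename in the GET request.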
