No subject


Thu Nov 23 16:34:03 EST 2017


the web (80, 8080 if you proxy, etc) you can see the name of the
torrent.  But I am not positive yet if you are able to get this
information during the actual download of the file (with the bittorrent
client).  And just watching www traffic might not be enough (for
instance, I am wondering if one could name it something like
barnys-playground.torrent - but it actually contains info
HARDCORE-XXX.avi for the download by bittorrent)  ((that would be bad))

I will try to locate those posts you are speaking of, and also try to
get some decent packet captures this weekend (honestly, I hope it's
difficult to detect)   ;)

Cya,
jacobh


-----Original Message-----
From: Jukka Juslin [mailto:jtjuslin at ...1151...]
Sent: Friday, July 11, 2003 3:09 AM
To: Jacob Hurley
Cc: snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] P2P Kazaa Traffic


Hi,

What do you mean by "adding to the transfer downstream or upstream"? I
tried to understand from the BitTorrent documentation, that you are
supposed to download the same file (or parts of it) from many hosts at
the same time? So, it looks like, if you catch persons looking for the
.torrent file, you can see from the actual file he/she downloaded what
he/she is planning to do.

There are BitTorrent signatures already. If you search from the archives
with my name, you find the email where somebody was sending those to me.

Jukka


On Thu, 10 Jul 2003, Jacob Hurley wrote:

->
->
->i am interested in how to create signatures for bittorrent as well,
->but i will also need to grab some actual payloads for the 'content'
->keywords.  i can add to the discussion by mentioning that it starts out
->by standard web traffic when you choose to download the .torrent file.
->past that the bittorrent client takes over and uses port 6881:6889 to
->grab the file.  also, while you are downloading the file, other 'peers'
->downloading the file will attempt to connect to your machine (ports
->6881:6889 as well) and add to your transfers downstream and upstream.
->(with bittorrent, the more people grabbing the file - the better) it
->really is a nifty tool to distribute files quickly.
->
->jacob
->
->
->
->-----Original Message-----
->From: Wes Young [mailto:wyoung at ...1639...]
->Sent: Thursday, July 10, 2003 8:10 AM
->To: jtjuslin at ...1151...
->Cc: snort-sigs at lists.sourceforge.net
->Subject: Re: [Snort-sigs] P2P Kazaa Traffic
->
->
->I haven't looked into bit torrent yet, only used it a few times, no
->packet captures.....even so, I don't think it authenticates, it just
->spams the file out on a certain port. It turns your comp into a p2p
->server, so all you need to do is look for incoming traffic on whatever
->port it uses.
->
->Again, like I said, I haven't used it much. I will try to snag some
->captures this weekend and post them. See if we can't find at least the
->negotiation attempts when they connect. I hate it on my network, it's an
->upstream hog. Great tool, but only good at night when everyone is
->asleep.
->
->>>> Jukka Juslin <jtjuslin at ...1151...> 07/10 2:39 AM >>>
->
->Hi,
->
->I think this would be a good idea! The KaZaa filter produces a lot of
->alerts otherwise.
->
->It is interesting to see from some KaZaa packet captures, what movies
->are being downloaded (to verify). I can't do the same anymore with
->BitTorrent, because it seems to be that the transfer is somehow
->encrypted. Am I right?
->
->Jukka
->
->On Wed, 9 Jul 2003, Wes Young wrote:
->
->->Will this just capture the login attempt??? or all kazaa Traffic?
->->If not, is there a way to just capture login attempts (to cut down
->->on logs)
->->Just curious, haven't looked too far into it. Thanks!
->->
->->wes
->->
->->>>> Sam Evans <sam at ...219...> 07/09 1:18 PM >>>
->->It could, and I will work on that.  The thing we've noticed with the
->->rule is that it will capture the user's Kazaa name, as well as the
->->supernode they are connected to.  Not sure if limiting to the first
->->64 bytes will get all that, but I'll tinker with it.
->->
->->
->->
->->On Wed, 9 Jul 2003, Chris Baker wrote:
->->
->->> -----BEGIN PGP SIGNED MESSAGE-----
->->> Hash: SHA1
->->>
->->> On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
->->> > Rule:
->->> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg: "P2P Kazaa Traffic";\
->->> > content: "X-Kazaa"; flow:to_server;)
->->> >
->->>
->->> This kind of rule will usually be ignored by most users since it
->->> searches the full payload. Can this be tightened down a bit?
->->> Maybe within the first 64 bytes?
->->> -----BEGIN PGP SIGNATURE-----
->->> Version: GnuPG v1.2.2 (SunOS)
->->>
->->> iD8DBQE/DC9jbKHg1qAf3vIRAmL/AJoDERpVyVTaart98Y/L1CmRfP6aCwCg5eQa
->->> HQh2I5GZN94ElZVkMFTTerw=
->->> =4EmS
->->> -----END PGP SIGNATURE-----
->->>
->->>
->
->
->
->
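
Added example, not part of the original thread: the name a client writes to disk comes from the bencoded "info" dictionary inside the .torrent file, not from the file name seen in the web request, so a sensor that has captured the .torrent body can compare the two. The function names and the sample metainfo below are constructed for illustration; the layout assumed is the standard BitTorrent metainfo format (top-level "info" dictionary with "name" and, for multi-file torrents, "files").

```python
import os

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dictionary, closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        keys = items[0::2]
        if len(items) % 2 or not all(isinstance(k, bytes) for k in keys):
            raise ValueError("malformed dictionary")
        return dict(zip(keys, items[1::2])), i + 1
    if c.isdigit():                                # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[start:end], end
    raise ValueError(f"bad bencode at offset {i}")

def payload_names(torrent: bytes):
    """File names the client will actually create, taken from the info dictionary."""
    meta, _ = bdecode(torrent)
    info = meta[b"info"]
    names = [info[b"name"].decode("utf-8", "replace")]
    for entry in info.get(b"files", []):           # multi-file torrents list each path
        names.append("/".join(p.decode("utf-8", "replace") for p in entry[b"path"]))
    return names

def name_mismatch(url_filename: str, torrent: bytes):
    """Payload names that do not contain the stem of the .torrent name seen on the web."""
    stem = os.path.splitext(url_filename)[0].lower()
    return [n for n in payload_names(torrent) if stem not in n.lower()]

# Constructed sample metainfo (not a real torrent); tracker URL is a placeholder.
bs = lambda s: str(len(s)).encode() + b":" + s
SAMPLE = (b"d" + bs(b"announce") + bs(b"http://tracker.example/announce")
          + bs(b"info") + b"d" + bs(b"length") + b"i1048576e"
          + bs(b"name") + bs(b"HARDCORE-XXX.avi") + bs(b"piece length") + b"i262144e"
          + bs(b"pieces") + bs(bytes(20)) + b"ee")

print(name_mismatch("barnys-playground.torrent", SAMPLE))
```
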



