[Snort-users] p2p traffic detect (torrents)

Joel Esler jesler at ...1935...
Wed Oct 31 11:02:00 EDT 2012


On Oct 31, 2012, at 10:29 AM, Dmitry Korzhevin <dmitry.korzhevin at ...15909....> wrote:

> Guys, can you please advise the best way to detect torrents? For now I use only one rule in my /etc/snort/snort.conf configuration file:
> 
> /etc/snort/rules/local.rules:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "torrent"; content:"GET"; content:"torrent"; sid:1100021; rev:1;)
> 
> But I don't think it is the best snort can do to detect torrents. I downloaded the latest snortrules-snapshot-2931.tar.gz file from the snort.org site using my oinkcode, and I see the archive has some kind of p2p.rules files.
> 
> How should I connect this p2p.rules to my snort?

Take a look in the pua-p2p.rules category.  You should see torrent rules in there.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
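
Added example, not part of the original thread or of Sourcefire's tooling: a category such as pua-p2p.rules only produces alerts if snort.conf pulls the file in with an active include line and the rules inside it are not commented out, and this sketch checks both. The snort.conf excerpt, the RULE_PATH value, the rule lines and their sids are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed snort.conf excerpt (assumed layout, not from the original post).
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
# include $RULE_PATH/pua-p2p.rules
"""
# Constructed rule file; msg text and sids are placeholders, not real VRT rules.
SAMPLE_P2P_RULES = """\
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED sample 1"; sid:9000001; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED sample 2"; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED sample 3"; sid:9000003; rev:1;)
"""

RULE_RE = re.compile(r"^(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s")
INCLUDE_RE = re.compile(r"^(#\s*)?include\s+(\S+)")
VAR_RE = re.compile(r"^var\s+(\S+)\s+(\S+)")

def parse_includes(conf_text):
    """Return (active, commented) include paths with $VARs expanded."""
    variables, active, commented = {}, [], []
    for line in map(str.strip, conf_text.splitlines()):
        if (m := VAR_RE.match(line)):
            variables[m.group(1)] = m.group(2)
        elif (m := INCLUDE_RE.match(line)):
            path = re.sub(r"\$(\w+)",
                          lambda v: variables.get(v.group(1), v.group(0)), m.group(2))
            (commented if m.group(1) else active).append(path)
    return active, commented

def count_rules(rules_text):
    """Return (enabled, disabled) counts; '# alert ...' lines count as disabled."""
    hits = [m for line in rules_text.splitlines() if (m := RULE_RE.match(line.strip()))]
    disabled = sum(1 for m in hits if m.group(1))
    return len(hits) - disabled, disabled

def category_status(conf_text, filename):
    """Return 'included', 'commented-out' or 'missing' for a rules file name."""
    active, commented = parse_includes(conf_text)
    if any(p.endswith("/" + filename) for p in active):
        return "included"
    if any(p.endswith("/" + filename) for p in commented):
        return "commented-out"
    return "missing"

if __name__ == "__main__":
    print("pua-p2p.rules:", category_status(SAMPLE_CONF, "pua-p2p.rules"))
    print("enabled/disabled rules:", count_rules(SAMPLE_P2P_RULES))
```

To use it on a real sensor, pass the contents of /etc/snort/snort.conf and of the rules file in place of the constructed samples.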