[Snort-users] p2p traffic detect (torrents)

Peter Bates peter.bates at ...15381...
Wed Oct 31 11:07:46 EDT 2012


Hello all

On 31/10/2012 14:29, Dmitry Korzhevin wrote:
> Guys, can you please advise the best way to detect torrents? For now I use only one rule in my /etc/snort/snort.conf configuration file:
> 
> /etc/snort/rules/local.rules:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "torrent"; content:"GET"; content:"torrent"; sid:1100021; rev:1;)
> 
> But I don't think it is the best Snort can do to detect torrents. I downloaded the latest snortrules-snapshot-2931.tar.gz file from snort.org using my oinkcode, and I see the archive has some kind of p2p.rules files.
> 
> How do I connect this p2p.rules to my Snort?

The quickest way: copy pua-p2p.rules into your RULE_PATH (which looks
to be /etc/snort/rules from the above) and then add:

include $RULE_PATH/pua-p2p.rules

in your snort.conf and restart Snort.

p2p.rules looks to be the old file before the category reshuffle.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
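The copy-then-include procedure from the reply, as an added shell example that is not part of this thread. It assumes the rule file name and RULE_PATH from the messages above, makes the include idempotent (a second run does not duplicate the line), and, in a separate helper, assumes Snort's `snort -T -c <conf>` config-test invocation is on the PATH for validation before a restart.

```shell
#!/bin/sh
# enable_rule_file: copy a rule file from the snortrules snapshot into
# RULE_PATH and add "include $RULE_PATH/<file>" to snort.conf exactly once.
#   $1 = rule file from the snapshot (e.g. pua-p2p.rules)
#   $2 = RULE_PATH directory (e.g. /etc/snort/rules)
#   $3 = snort.conf to edit
enable_rule_file() {
    src=$1; rule_path=$2; conf=$3
    name=$(basename "$src")

    # Refuse to touch the config if either input is missing.
    [ -f "$src" ]  || { echo "rule file not found: $src" >&2; return 1; }
    [ -f "$conf" ] || { echo "snort.conf not found: $conf" >&2; return 1; }

    mkdir -p "$rule_path"
    cp "$src" "$rule_path/$name"

    # Only append when no active (uncommented) include for this file exists,
    # so re-running the script never produces duplicate includes.
    if ! grep -Eq "^[[:space:]]*include[[:space:]]+\\\$RULE_PATH/$name[[:space:]]*$" "$conf"; then
        printf 'include $RULE_PATH/%s\n' "$name" >> "$conf"
    fi
    return 0
}

# count_includes: number of active include lines for a rule file in snort.conf.
#   $1 = snort.conf, $2 = rule file name
count_includes() {
    grep -Ec "^[[:space:]]*include[[:space:]]+\\\$RULE_PATH/$2[[:space:]]*$" "$1"
}

# validate_config: run Snort's configuration test (-T) against the edited
# snort.conf before restarting the sensor; assumes snort is on the PATH.
validate_config() {
    command -v snort >/dev/null 2>&1 || { echo "snort not on PATH" >&2; return 1; }
    snort -T -c "$1"
}
```

Run `enable_rule_file /path/to/snapshot/pua-p2p.rules /etc/snort/rules /etc/snort/snort.conf` followed by `validate_config /etc/snort/snort.conf`, then restart Snort as the reply says.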




