[Snort-users] p2p traffic detect (torrents)

Berk Gulenler gulenler at ...15881...
Wed Oct 31 11:15:44 EDT 2012


I have to say that your rule is not the best way. I just tried to fix 
your rule. That rule can cause a lot of false positives, like URLs that have 
.torrent in them.

On 31/10/2012 17:03, Berk Gulenler wrote:
> Hi,
>
> I'm not a rule expert but you can try this.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "torrent";
> content:"HTTP/"; content:"torrent"; flow:established,to_server;
> classtype:policy-violation; sid:1100021; rev:1;)
>
>
> On 31/10/2012 16:29, Dmitry Korzhevin wrote:
>> Guys, can you please advise the best way to detect torrents? For now I use
>> only one rule in my /etc/snort/snort.conf configuration file:
>>
>> /etc/snort/rules/local.rules:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "torrent";
>> content:"GET"; content:"torrent"; sid:1100021; rev:1;)
>>
>> But I don't think it is the best Snort can do to detect torrents. I
>> downloaded the latest snortrules-snapshot-2931.tar.gz file from
>> snort.org using my oinkcode, and I see the archive has some kind of p2p.rules
>> file.
>>
>> How do I connect this p2p.rules to my Snort?
>>
>>
>>
>> Best Regards,
>> Dmitry
>>
>> ---
>> Dmitry KORZHEVIN
>> System Administrator
>> STIDIA S.A. - Luxembourg
>>
>> e: dmitry.korzhevin at ...15907...
>> m: +38 093 874 5453
>> w: http://www.stidia.com
>>
>>
>>

-- 
Berk Gulenler
System Administrator
Bogazici University Computer Center

Phone: +90 212 359 47 16
Fax:    +90 212 257 50 21
E-mail: gulenler at ...15881...
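The false-positive problem raised in this thread, as an added example that is not part of the original messages: a small Python emulation of what the two quoted rules actually test (every plain `content:` string present anywhere in the payload) run over constructed HTTP requests, beside a narrowed check that only looks at the request URI. The narrowed check also goes a step beyond the thread by treating a tracker `/announce` request carrying an `info_hash` parameter as BitTorrent; that addition is my assumption about what is worth flagging, not something the thread suggests.

```python
import re

# Constructed sample HTTP request payloads (client -> server); not captured traffic.
SAMPLES = {
    "tracker_announce": b"GET /announce?info_hash=%AA%BB&peer_id=-TR2920- HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    "torrent_file": b"GET /files/ubuntu.iso.torrent HTTP/1.1\r\nHost: mirror.example\r\n\r\n",
    "news_article": b"GET /weather/torrent-of-rain-hits-city HTTP/1.1\r\nHost: news.example\r\n\r\n",
    "search_query": b"GET /search?q=torrent+vs+flood HTTP/1.1\r\nHost: search.example\r\n\r\n",
    "plain_page": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
}

def snort_content_match(payload, patterns):
    """Emulate a rule made only of plain `content:` keywords: each pattern must
    appear somewhere in the payload (no offset/depth/http_uri narrowing)."""
    return all(p in payload for p in patterns)

def original_rule(payload):
    # Dmitry's rule: content:"GET"; content:"torrent";
    return snort_content_match(payload, [b"GET", b"torrent"])

def fixed_rule(payload):
    # Berk's rule: content:"HTTP/"; content:"torrent"; (flow check omitted,
    # all samples here are already client -> server)
    return snort_content_match(payload, [b"HTTP/", b"torrent"])

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d\r\n")

def narrowed_rule(payload):
    """Tighter check: flag only when the URI path ends in `.torrent`, or the
    request is a tracker announce with an info_hash parameter (assumption, see
    lead-in). In a real Snort rule this is what http_uri/pcre modifiers are for."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False
    path, _, query = m.group("uri").partition(b"?")
    return path.endswith(b".torrent") or (path.endswith(b"/announce") and b"info_hash=" in query)

def evaluate(rule):
    """Run a rule over every sample and report which ones it flags."""
    return {name: rule(payload) for name, payload in SAMPLES.items()}

if __name__ == "__main__":
    for rule in (original_rule, fixed_rule, narrowed_rule):
        print(rule.__name__, evaluate(rule))
```

Both quoted rules flag the news article and the search query (false positives) while missing the tracker announce (false negative); the narrowed check flags only the two BitTorrent requests.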



