Snort mailing list archives

Re: Could someone test a rule for me please?


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 9 Jul 2014 20:23:40 +0000

Could it be a checksum issue?


On Jul 9, 2014, at 4:09 PM, Charlie Egan <chas5873 () gmail com> wrote:

Hi guys,

I've had a friend test my initial rule (the one in the first post), and unfortunately it's not providing him with any 
alerts (unless he's done something wrong!). I know there's the rule that you posted Joel, and after doing some 
googling, I've realised it's been in the community rule set for about ten years!

I'm curious to know however why my initial rule isn't working, since I included the search for the content BitTorrent 
protocol paired with |0000 0000| - I'm a bit confused because looking at my Wireshark image I uploaded to tinypic in 
one of the above posts, that made me assume it would work.

I'd really appreciate if someone could explain what was wrong with my rule as I'm currently doing a fairly important 
project and need to understand this to be honest!

Cheers guys,

Charlie


On Mon, Jul 7, 2014 at 1:39 PM, Charlie Egan <chas5873 () gmail com> wrote:
Ah that makes sense now! Cheers for that Joel, appreciate it.


On Mon, Jul 7, 2014 at 1:37 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
|13| means “look for 13, in hex (as opposed to ascii)”.  In BitTorrent, this is the Protocol Name Length field, which is 
always set to 19 (|13| in hex).  Then "protocol name" = “BitTorrent Protocol”.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team



On Jul 7, 2014, at 6:43 AM, Charlie Egan <chas5873 () gmail com> wrote:

Sorry to be a pain guys, could somebody get back to me regarding my last query?

Cheers,

Charlie


On Thu, Jul 3, 2014 at 11:39 AM, Charlie Egan <chas5873 () gmail com> wrote:
No worries Nathan!

Joel, I'm curious to what the |13| means in the content section? I can't figure it out when looking at the stream 
content image I uploaded above from Wireshark.

Your rule looks a lot better than mine, with the extra depth which I've just read up about, so thanks for that.

Out of curiosity though, would my initial rule have worked without giving out any false positives?

Cheers


On Wed, Jul 2, 2014 at 7:17 PM, lists () packetmail net <lists () packetmail net> wrote:
On 07/02/2014 12:56 PM, Joel Esler (jesler) wrote:
I think Nathan may have missed the “BitTorrent protocol” part.

Without a doubt, I completely missed it.  I profusely apologize Charlie.
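Added example (not from the thread or from Snort): a small parser for the BitTorrent peer-wire handshake whose first byte Joel explains above, plus an emulation of Snort's content/offset/depth matching, so the effect of the |13| length byte and the "extra depth" Charlie mentions can be tried offline. The handshake layout (1-byte name length, 19-byte name, 8 reserved bytes, 20-byte info_hash, 20-byte peer_id) is the standard peer-wire format; the offset/depth values, the helper names and every payload below are assumptions or constructed data, not Charlie's or Joel's rule.

```python
# Added example: BitTorrent handshake parser and a toy emulation of Snort content
# matching. All payloads are constructed for illustration, not captured traffic.

# Peer-wire handshake layout: 1-byte protocol name length (always 19 = 0x13, the |13|
# in the thread), the 19-byte name, 8 reserved bytes, 20-byte info_hash, 20-byte peer_id.
PROTOCOL_NAME = b"BitTorrent protocol"


def build_handshake(info_hash, peer_id, reserved=bytes(8)):
    """Assemble a handshake from its fields (used here only to make constructed payloads)."""
    if len(info_hash) != 20 or len(peer_id) != 20 or len(reserved) != 8:
        raise ValueError("info_hash and peer_id must be 20 bytes, reserved 8 bytes")
    return bytes([len(PROTOCOL_NAME)]) + PROTOCOL_NAME + reserved + info_hash + peer_id


def parse_handshake(payload):
    """Return the handshake fields as a dict, or None if the payload is not a handshake."""
    if not payload or payload[0] != 19:          # length byte must be 0x13
        return None
    pstrlen = payload[0]
    if len(payload) < 1 + pstrlen + 8 + 20 + 20:  # too short to hold all fields
        return None
    pos = 1
    pstr = payload[pos:pos + pstrlen]
    pos += pstrlen
    if pstr != PROTOCOL_NAME:
        return None
    reserved = payload[pos:pos + 8]
    pos += 8
    info_hash = payload[pos:pos + 20]
    pos += 20
    peer_id = payload[pos:pos + 20]
    return {"pstrlen": pstrlen, "pstr": pstr, "reserved": reserved,
            "info_hash": info_hash, "peer_id": peer_id}


def snort_content(payload, content, offset=0, depth=None):
    """Emulate a Snort content match: look for `content` starting `offset` bytes into the
    payload and examining at most `depth` bytes from there (None = to the end)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return window.find(content) != -1


def handshake_rule(payload):
    """The shape of check Joel describes: hex 0x13 immediately followed by the protocol
    name. offset 0 / depth 20 (assumed values) pin the match to the start of the payload."""
    return snort_content(payload, b"\x13" + PROTOCOL_NAME, offset=0, depth=20)


def name_only_rule(payload):
    """A looser check for comparison: the protocol name anywhere in the payload, no depth."""
    return snort_content(payload, PROTOCOL_NAME)


# Constructed payloads.
REAL_HANDSHAKE = build_handshake(
    bytes(range(20)),                      # constructed info_hash placeholder
    b"-XX0000-constructed1",               # constructed 20-byte peer_id
    reserved=bytes([0, 0, 0, 0, 0, 0x10, 0, 0x05]),  # reserved flag bytes, constructed
)
# A non-handshake payload that merely mentions the protocol name mid-stream; the
# length byte plus depth keeps the handshake rule from firing on it.
CHATTER = b"HTTP/1.1 200 OK\r\n\r\n<p>Clients speak the BitTorrent protocol on port 6881.</p>"

if __name__ == "__main__":
    print("parsed fields:", parse_handshake(REAL_HANDSHAKE))
    print("handshake rule on real handshake:", handshake_rule(REAL_HANDSHAKE))
    print("handshake rule on chatter:", handshake_rule(CHATTER))
    print("name-only rule on chatter:", name_only_rule(CHATTER))
```

Running it shows the name-only check firing on the web page body while the length-prefixed check with depth does not, and that the depth also rejects a handshake that does not begin at byte 0 of the payload. Joel's checksum question points at a separate pitfall worth checking before blaming the rule: Snort verifies packet checksums by default and does not run detection on packets whose checksum is bad, which is common in captures taken on a host with checksum offloading.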

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org