Snort mailing list archives
Re: Could someone test a rule for me please?
From: Jamie Riden <jamie.riden () gmail com>
Date: Wed, 9 Jul 2014 21:25:20 +0100
On 2 July 2014 18:20, Charlie Egan <chas5873 () gmail com> wrote:
Hi guys, I'm trying to test out a rule, however I can't test it out since the only computer that I have access to Snort on is at my University campus. The rule is to detect the BitTorrent P2P handshake, and unfortunately the P2P ports on the campus are blocked so I have no way of testing it - torrents just get stuck on the 'connecting to peers' stage. My laptops broken as of a couple of weeks ago and I unfortunately can't test it out anywhere else. The rule is; alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent handshake"; flow:to_server,established; content:"BitTorrent protocol|0000 0000|"; classtype:policy-violation; sid:1000006; rev:1;)
Looks like |13|BitTorrent protocol|0000000000000000| should match to me, given the spec. I don't have time to do a pcap test right now, I'm sorry - maybe in an hour or two.

"pstrlen: string length of <pstr>, as a single raw byte
pstr: string identifier of the protocol
reserved: eight (8) reserved bytes. All current implementations use all zeroes. Each bit in these bytes can be used to change the behavior of the protocol. An email from Bram suggests that trailing bits should be used first, so that leading bits may be used to change the meaning of trailing bits.
info_hash: 20-byte SHA1 hash of the info key in the metainfo file. This is the same info_hash that is transmitted in tracker requests.
peer_id: 20-byte string used as a unique ID for the client. This is usually the same peer_id that is transmitted in tracker requests (but not always e.g. an anonymity option in Azureus).

In version 1.0 of the BitTorrent protocol, pstrlen = 19, and pstr = "BitTorrent protocol"."

--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
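The handshake layout quoted above, worked through in code so the rule can be checked without a campus Snort box. This is an added example, not code from either poster or from the Snort project: it builds the 68-byte handshake from the spec fields, parses one back, decodes Snort's `content:` syntax (literal text with `|hex|` runs) into raw bytes, and applies the same unanchored substring match that an un-offset `content:` performs. The info_hash, the `-XX0001-` peer_id prefix and the reserved-byte pattern `00 00 00 00 00 10 00 05` are constructed sample data; that last pattern is the kind of value clients that support the extension protocol, DHT and fast extension send (bits in reserved bytes 5 and 7), and is included to show why a rule that pins all eight reserved bytes to zero, as the quoted spec text suggests, misses most real traffic while a rule pinning only the first four still matches it.

```python
"""Build, parse and rule-check a BitTorrent v1.0 peer-wire handshake."""
import hashlib
import re
import struct

PSTR = b"BitTorrent protocol"                # pstr for protocol version 1.0
PSTRLEN = len(PSTR)                          # 19 == 0x13, sent as a single raw byte
HANDSHAKE_LEN = 1 + PSTRLEN + 8 + 20 + 20    # pstrlen + pstr + reserved + info_hash + peer_id = 68


def build_handshake(info_hash: bytes, peer_id: bytes, reserved: bytes = bytes(8)) -> bytes:
    """Serialise <pstrlen><pstr><reserved><info_hash><peer_id> exactly as sent on the wire."""
    if len(info_hash) != 20 or len(peer_id) != 20 or len(reserved) != 8:
        raise ValueError("info_hash and peer_id must be 20 bytes, reserved must be 8 bytes")
    return struct.pack("!B19s8s20s20s", PSTRLEN, PSTR, reserved, info_hash, peer_id)


def parse_handshake(data: bytes) -> dict:
    """Parse a handshake; raises ValueError on anything that is not a v1.0 handshake."""
    if len(data) < HANDSHAKE_LEN:
        raise ValueError("short handshake: %d bytes, need %d" % (len(data), HANDSHAKE_LEN))
    pstrlen = data[0]
    if pstrlen != PSTRLEN or data[1:1 + pstrlen] != PSTR:
        raise ValueError("pstrlen/pstr do not identify BitTorrent protocol 1.0")
    reserved, info_hash, peer_id = struct.unpack_from("!8s20s20s", data, 1 + pstrlen)
    return {"pstr": PSTR.decode("ascii"), "reserved": reserved,
            "info_hash": info_hash, "peer_id": peer_id}


_HEXRUN = re.compile(r"\|([0-9A-Fa-f \t]*)\|")


def snort_content_to_bytes(content: str) -> bytes:
    """Decode Snort content syntax: literal text, with |..| runs read as hex bytes."""
    out = bytearray()
    pos = 0
    for m in _HEXRUN.finditer(content):
        out += content[pos:m.start()].encode("latin-1")            # literal segment
        out += bytes.fromhex(re.sub(r"\s", "", m.group(1)))        # hex run, spaces ignored
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def rule_matches(content: str, payload: bytes) -> bool:
    """An un-offset, un-depth-limited content: is a plain substring search over the payload."""
    return snort_content_to_bytes(content) in payload


def demo() -> dict:
    """Run both rule contents against two constructed handshakes and report what matched."""
    info_hash = hashlib.sha1(b"constructed sample info dictionary").digest()   # constructed
    peer_id = b"-XX0001-" + b"0123456789ab"                                     # constructed, 20 bytes
    spec_style = build_handshake(info_hash, peer_id)                            # reserved all zero
    ext_style = build_handshake(info_hash, peer_id,
                                bytes.fromhex("0000000000100005"))              # constructed ext/DHT/fast bits
    posted_rule = "BitTorrent protocol|0000 0000|"                              # Charlie's content:
    spec_rule = "|13|BitTorrent protocol|0000000000000000|"                    # Jamie's full-spec string
    return {
        "handshake_len": len(spec_style),
        "roundtrip_ok": parse_handshake(spec_style)["info_hash"] == info_hash,
        "posted_rule_vs_spec_client": rule_matches(posted_rule, spec_style),
        "posted_rule_vs_ext_client": rule_matches(posted_rule, ext_style),
        "spec_rule_vs_spec_client": rule_matches(spec_rule, spec_style),
        "spec_rule_vs_ext_client": rule_matches(spec_rule, ext_style),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two caveats worth keeping in mind when reading the results. First, the posted rule only works because the first four reserved bytes happen to be zero in most clients; a client that sets bits there (the Azureus messaging protocol uses the top bit of the first reserved byte) slips past it, and a rule that insists on all eight being zero misses anything with the extension protocol or DHT bits set. Second, `flow:to_server` on a `$HOME_NET -> $EXTERNAL_NET` rule only sees the handshake sent by a local peer that opened the connection; the responder's handshake travels the other way and needs a mirrored rule if that is also wanted.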
Current thread:
- Re: Could someone test a rule for me please?, (continued)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 02)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 02)
- Re: Could someone test a rule for me please? lists () packetmail net (Jul 02)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 03)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 07)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 07)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 07)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 09)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 09)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 02)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 02)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 09)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 09)
- Re: Could someone test a rule for me please? Jamie Riden (Jul 09)