Snort mailing list archives
Could someone test a rule for me please?
From: Charlie Egan <chas5873 () gmail com>
Date: Wed, 2 Jul 2014 18:20:19 +0100
Hi guys,

I'm trying to test out a rule, however I can't test it out since the only computer that I have access to Snort on is at my University campus. The rule is to detect the BitTorrent P2P handshake, and unfortunately the P2P ports on the campus are blocked so I have no way of testing it - torrents just get stuck on the 'connecting to peers' stage. My laptop's broken as of a couple of weeks ago and I unfortunately can't test it out anywhere else.

The rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent handshake"; flow:to_server,established; content:"BitTorrent protocol|0000 0000|"; classtype:policy-violation; sid:1000006; rev:1;)

Here's a link to an Ubuntu torrent (just so it's all kept legal) if you need a torrent to test it with:

http://releases.ubuntu.com/12.04/ubuntu-12.04.4-alternate-amd64.iso.torrent

It would be much appreciated if someone could help me out with this, as I'm working on a University project and this is a key element to it. If Snort doesn't detect the rule, possibly the |0000 0000| section should be changed to |00000000|? I'm still fairly new to Snort and I'm trying to get my head around analyzing the packets in Wireshark, but I'm fairly confident that this rule should work. If it does, a print screen of the alert would be greatly appreciated - it really would help me out a lot.

Cheers guys,
Charlie
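The following is an added example, not part of Charlie's post or of Snort itself: it parses the rule's content string the way Snort reads pipe-delimited hex (whitespace between hex digits is ignored, so |0000 0000| and |00000000| are the same four bytes) and checks it against constructed BitTorrent handshakes (pstrlen, "BitTorrent protocol", 8 reserved bytes, info_hash, peer_id). The info_hash and peer_id values are placeholders; the reserved-byte patterns are constructed to show which handshakes the content match does and does not cover.

```python
# Constructed BitTorrent handshakes and a simplified emulation of a Snort
# content match; this is example code, not Snort's own matcher.

def build_handshake(reserved: bytes) -> bytes:
    """Handshake layout: 1-byte pstrlen (19), 'BitTorrent protocol',
    8 reserved bytes, 20-byte info_hash, 20-byte peer_id."""
    assert len(reserved) == 8, "reserved field is exactly 8 bytes"
    info_hash = b"\x00" * 20                 # placeholder, not a real torrent
    peer_id = b"-UT3400-" + b"A" * 12        # placeholder Azureus-style peer id
    return bytes([19]) + b"BitTorrent protocol" + reserved + info_hash + peer_id


def parse_content(content: str) -> bytes:
    """Convert a Snort content string to raw bytes: text outside |...| is
    literal, text inside is hex with any whitespace ignored."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")            # literal segment
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex segment
    return bytes(out)


def rule_matches(content: str, payload: bytes) -> bool:
    """Plain substring search, which is what a bare content: match does
    when no offset/depth/fast_pattern modifiers are given."""
    return parse_content(content) in payload


RULE_CONTENT = 'BitTorrent protocol|0000 0000|'

# Both spellings of the hex section yield identical bytes.
SAME_BYTES = parse_content(RULE_CONTENT) == parse_content('BitTorrent protocol|00000000|')

# Reserved bytes all zero: the classic handshake, matches.
PLAIN = build_handshake(b"\x00" * 8)
# Reserved bytes with extension (0x10 in byte 5), fast (0x04) and DHT (0x01)
# flags in byte 7, as modern clients set them: still matches, because the
# rule only checks the first four reserved bytes.
MODERN = build_handshake(b"\x00\x00\x00\x00\x00\x10\x00\x05")
# A client that sets a flag in the first four reserved bytes (BEP 4 assigns
# 0x80 in byte 0 to the Azureus Messaging Protocol) would not match.
FLAGGED = build_handshake(b"\x80" + b"\x00" * 7)

if __name__ == "__main__":
    for name, hs in (("plain", PLAIN), ("modern", MODERN), ("flagged", FLAGGED)):
        print(name, rule_matches(RULE_CONTENT, hs))
```

Snort's own test would be the pcap replay the poster asks for; this only shows how the content bytes line up against the handshake bytes.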