Snort mailing list archives

Question regarding a rule


From: Charlie Egan <chas5873 () gmail com>
Date: Tue, 24 Jun 2014 17:17:09 +0100

Hi guys,

I'm having a bit of trouble with a rule that I'm playing around with to
detect torrent usage.

alert tcp any any -> any any (msg:"P2P torrent metafile download"; content:"|38 64 61|"; flow:established; classtype:policy-violation; sid:1000001; rev:1;)

After examining the hex dumps from multiple torrents, I noticed that they
all begin with 38 64 61, so that's where I managed to get that content
from.


When I run Snort and download the torrent though, it doesn't alert me
straight away, however gives me about 20 alerts about 3 - 4 minutes later.

Does anyone have any idea what could be causing this?

Cheers,

Charlie
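An added example, not from Charlie's post or from Snort itself: it decodes the rule's content option and shows where that 3-byte pattern matches with and without a depth anchor, over constructed payloads. The offset/depth window below is a simplified model of Snort 2.x modifier semantics, not Snort's engine.

```python
import re

# Added example (not from the original post). The rule text is the one from
# the post; the payloads are constructed, and the offset/depth handling is a
# simplified model of Snort 2.x content modifiers.
RULE = ('alert tcp any any -> any any (msg:"P2P torrent metafile download"; '
        'content:"|38 64 61|"; flow:established; classtype:policy-violation; '
        'sid:1000001; rev:1;)')

def parse_content(rule):
    """Return the content pattern as bytes: |..| sections are hex, the rest literal."""
    m = re.search(r'content:\s*"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no content option")
    out = bytearray()
    for i, part in enumerate(m.group(1).split("|")):
        if i % 2:                       # inside pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                           # outside pipes: literal text
            out += part.encode("latin-1")
    return bytes(out)

def match_offsets(payload, pattern, offset=0, depth=None):
    """All offsets where pattern occurs; depth bounds the search window that
    starts at offset (simplified model of Snort's offset/depth modifiers)."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    window = payload[offset:end]
    hits, start = [], 0
    while (i := window.find(pattern, start)) != -1:
        hits.append(offset + i)
        start = i + 1
    return hits

# Constructed sample payloads (not captured traffic).
STARTS_WITH_PATTERN = b"8da" + b"-constructed metafile body-"
PATTERN_IN_MIDDLE = b'HTTP/1.1 200 OK\r\nETag: "c38da1f"\r\n\r\n'

def demo():
    """Unanchored: the pattern matches anywhere in either payload.
    Anchored with depth equal to the pattern length: only at payload start."""
    pat = parse_content(RULE)
    samples = (STARTS_WITH_PATTERN, PATTERN_IN_MIDDLE)
    return {
        "pattern": pat,
        "unanchored": [match_offsets(p, pat) for p in samples],
        "anchored": [match_offsets(p, pat, depth=len(pat)) for p in samples],
    }

if __name__ == "__main__":
    print(demo())
```

With no offset/depth (and any -> any with an undirected flow option) the rule inspects every byte of every established stream in both directions, so checking where a short pattern lands is the first tuning step before looking at timing.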