Snort mailing list archives
Re: Question regarding a rule
From: Charlie Egan <chas5873 () gmail com>
Date: Thu, 26 Jun 2014 16:48:00 +0100
Thanks for that James, much appreciated, I'll have a good read! Cheers for the help

On Thu, Jun 26, 2014 at 4:08 PM, James Lay <jlay () slave-tothe-box net> wrote:
> On 2014-06-26 08:27, Charlie Egan wrote:
>> That's confusing to me James, since when I take a hex dump of the .torrent file, this is my output: http://i60.tinypic.com/20usdpu.png
>> 38 64 61 are the first bytes that appear, and I've checked the hex dump for multiple torrent files and it seems to be consistent for all of them. Should I be putting the content section of the rule as |3864 61| instead of |38 64 61|?
>> Unfortunately I can't access my machine with Snort on at the moment, but will give it a try when I get a chance. Also could I ask how you got that output from the .pcap file? Sorry, still new to all of this, I appreciate the responses!
>> Cheers
>
> Charlie,
>
> First read this: https://en.wikipedia.org/wiki/Endianness
>
> With that knowledge, the new rule is:
>
> alert tcp any any -> any any (msg:"P2P torrent metafile download"; content:"|64 38 3a 61|"; classtype:policy-violation; detection_filter: track by_dst, count 1, seconds 60; sid:1000001; rev:1;)
>
> Action Stats:
>      Alerts:            1 (  2.564%)
>      Logged:            1 (  2.564%)
>      Passed:            0 (  0.000%)
>
> Lastly, check out the current torrent rules for Snort and Emerging Threats...that should help out a lot.
>
> James
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
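The following is an added illustration of the two points in James's reply and is not code from the thread or from the Snort project. It builds a constructed .torrent metafile with a toy bencode encoder (BEP 3 requires dictionary keys in sorted order, which is why a metafile with an "announce" key begins with the bytes "d8:announce"), shows why a default `hexdump` run on a little-endian host prints those bytes as "3864 613a" while `hexdump -C` or `xxd` prints "64 38 3a 61", and then performs the same byte-for-byte search that the rule's content:"|64 38 3a 61|" performs on a TCP payload. The tracker hostname, file contents and HTTP headers are made up for the example.

```python
"""Added example (not from the Snort-sigs thread): hex-dump byte order versus
what a Snort content match actually compares."""
import struct


def bencode(value):
    """Minimal bencode encoder (BEP 3): int, bytes, list, dict.
    Dict keys are emitted in sorted order as the spec requires, which is why a
    metafile carrying an "announce" key starts with the ASCII text d8:announce."""
    if isinstance(value, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        body = b"".join(bencode(k) + bencode(value[k]) for k in sorted(value))
        return b"d" + body + b"e"
    raise TypeError("cannot bencode %r" % type(value))


# Constructed sample metafiles (not real torrents); the tracker name is reserved.
INFO = {b"length": 1, b"name": b"sample.bin", b"piece length": 16384, b"pieces": b"\x00" * 20}
TORRENT_WITH_TRACKER = bencode({b"announce": b"http://tracker.example.invalid/announce", b"info": INFO})
TORRENT_DHT_ONLY = bencode({b"info": INFO})  # no announce key, so it begins with "d4:info"

# The bytes inside the rule's content:"|64 38 3a 61|", i.e. the ASCII text "d8:a".
RULE_CONTENT = bytes.fromhex("64383a61")

# Constructed HTTP response carrying the metafile, as a browser download would.
HTTP_HEADERS = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: application/x-bittorrent\r\n"
                b"Content-Length: %d\r\n\r\n" % len(TORRENT_WITH_TRACKER))
HTTP_DOWNLOAD = HTTP_HEADERS + TORRENT_WITH_TRACKER


def hexdump_bytes(data, count=16):
    """What `hexdump -C` or `xxd` prints: one value per byte, in file order."""
    return " ".join("%02x" % b for b in data[:count])


def hexdump_words(data, count=16):
    """What plain `hexdump` (no -C) prints on a little-endian host: the file is
    read as 16-bit words, so each pair of bytes appears swapped. File bytes
    64 38 3a 61 come out as 3864 613a, which is how "38 64 61" seems to lead."""
    chunk = data[:count]
    n = len(chunk) // 2
    words = struct.unpack("<%dH" % n, chunk[: n * 2])
    return " ".join("%04x" % w for w in words)


def content_match(payload, content=RULE_CONTENT):
    """Snort's content: keyword is a byte-for-byte search of the payload in wire
    order; no endianness is involved. Returns the match offset or -1. The rule
    above has no offset/depth or http_* modifiers, so the whole TCP payload is
    searched, exactly as this does."""
    return payload.find(content)


if __name__ == "__main__":
    print("hexdump -C :", hexdump_bytes(TORRENT_WITH_TRACKER))
    print("hexdump    :", hexdump_words(TORRENT_WITH_TRACKER))
    print("offset in HTTP download :", content_match(HTTP_DOWNLOAD))
    print("offset in DHT-only file :", content_match(TORRENT_DHT_ONLY))
```

Two practical notes. The "Action Stats" block James pasted is what Snort prints after replaying a capture through the rule set with `snort -c snort.conf -r capture.pcap`, which answers the "how did you get that output from the .pcap" question; `hexdump -C file.torrent | head -n 1` shows the leading bytes in wire order so they can be copied straight into a content match. The DHT-only sample is there to show the limit of a four-byte signature: a metafile without an "announce" key starts with a different key (here "d4:info"), so the rule as posted will not see it, and "d8:a" is short enough that it can also occur in unrelated traffic, which is why the published Snort and Emerging Threats torrent rules James points to are worth reading.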
Current thread:
- Re: Question regarding a rule, (continued)
- Re: Question regarding a rule Y M (Jun 24)
- Re: Question regarding a rule Charlie Egan (Jun 24)
- Re: Question regarding a rule rmkml (Jun 24)
- Re: Question regarding a rule Charlie Egan (Jun 24)
- Re: Question regarding a rule James Lay (Jun 25)
- Re: Question regarding a rule Charlie Egan (Jun 25)
- Re: Question regarding a rule James Lay (Jun 25)
- Re: Question regarding a rule Charlie Egan (Jun 25)
- Message not available
- Re: Question regarding a rule Charlie Egan (Jun 26)
- Re: Question regarding a rule James Lay (Jun 26)
- Re: Question regarding a rule Charlie Egan (Jun 26)