Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Include details of payload in log message?

From: Toby Riddell <toby.riddell () prevtec com>
Date: Sun, 12 Jun 2016 06:54:47 -0400
Hi,

I want to detect activity by bittorrent clients on my home network. When
they start they open a port from the Internet using UPnP IGD, a sample
payload is:

<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/";
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/";>
<s:Body>
  <u:AddPortMapping
xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
    <NewRemoteHost></NewRemoteHost>
    <NewExternalPort>8999</NewExternalPort>
    <NewProtocol>TCP</NewProtocol>
    <NewInternalPort>8999</NewInternalPort>
    <NewInternalClient>192.168.1.30</NewInternalClient>
    <NewEnabled>1</NewEnabled>
    <NewPortMappingDescription>qBittorrent v3.3.4 at 192.168.1.30:8999
</NewPortMappingDescription>
    <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
</s:Body>
</s:Envelope>

I want to match AddPortMapping and insert the NewPortMappingDescription
(whether it is qBittorent or some other BT client) into the message. Is
this possible using Snort alone? Is there an add-on to Snort that will do
it for me?

(Google's bringing up nothing so I'm hopeful the mailing list can help :-))

Thanks.

Toby

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: