Wednesday, July 4, 2012

Bittorrent: Detection Mechanisms

Bittorrent is a Peer to Peer(P2P) protocol used to share files and data in internet. In this article we are going to see what are the different mechanisms which can be used to detect and block Bittorrent communication across network.

Below snapshot shows HTTP request which Bittorrent Client uses to communicate with Bittorrent Servers. In the request we can see different parameters like client id, port number.


We can observe that Bittorrent client uses different User Agent request headers like BTWebClient, Bittorrent etc.



UDP is using Source port as 24615, which is being communicated to Bittorrent Server as HTTP Request.


So we can detect or block Bittorrent based on HTTP Request URI or User-Agent header strings or UDP protocol communication.

Below are few Signatures which we can use to detect Bittorrent.

alert udp any any -> any any ( msg: "Bit Torrent UDP"; content:"41 02"; offset:0; depth:2; content:"38"; offset:13;depth:1; content:"08"; offset:21;depth:1; sid:8888881; rev: 1; )
alert udp any any -> any any ( msg: "Bit Torrent Protocol"; content:"|13|bittorrent|20|protocol";  offset:0; sid:8888882; rev: 1; )
alert udp any any -> any any ( msg: "Bit Torrent UDP Communication"; content:"d1|3a|ad2|3a|id20|3a|"; sid:8888883; rev: 1; )  
 

Below Signature triggers and alerts when the content is seen in HTTP Request URI
alert tcp any any -> any 80 ( msg: "Bit Torrent: HTTP Request"; content:"info_hash=";  pcre:"/announce\?info_hash=/Ui"; sid:8888884; rev: 1; )


Observed following User-Agent strings as part of HTTP Requests
        User-Agent: BitTorrent/7610(27328)
        User-Agent: BTWebClient/7610(27328)
which can be detected using following Signatures
alert tcp any any -> any 80 ( msg: "Bit Torrent: HTTP User Agent 1"; content:"User-Agent: BitTorrent";  sid:8888885; rev: 1; ) 
alert tcp any any -> any 80 ( msg: "Bit Torrent: HTTP User Agent 2"; content:"User-Agent: BTWebClient";  sid:8888886; rev: 1; ) 

Posts related to Snort IDS/IPS which might be of interest to you.
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html
http://darshanams.blogspot.in/2010/06/snort-preprocessors-and-alerts.html
http://darshanams.blogspot.in/2012/05/installing-snort-from-source-as-ips.html

To know about Google Talk Jabber protocol communication
http://darshanams.blogspot.in/2008/11/deciphering-google-talk-jabber.html

For Zebra/Bittorrent protocol communication
http://darshanams.blogspot.in/2009/03/i-was-just-checking-my-mails.html

P.S Signatures given above are neither tested nor fine tuned. Just an 
idea how to detect Bit Torrent communication.
Posted by at
Labels: , ,

11 comments:

  1. cloudshinepro.comNovember 6, 2020 at 3:25 PM

    For a long time me & my friend were searching for informative blogs about detection, but now I am in the right place guys, you have made a room in my heart. Oracle fusion financials training

    ReplyDelete
  2. JoshFebruary 8, 2021 at 10:15 AM

    Andrology doctor in chennai
    Infertility specialist in chennai
    Sexologist in chennai

    ReplyDelete
  3. Trupp GlobalMarch 4, 2021 at 6:45 PM

    Thankyou the sharing great information, We are one of the best call center outsourcing vendors in the United States. At Trupp Global, we are completely dedicated to your business growth. We provide top notch services that can enhance the sales along with customer satisfaction levels.
    Business Process Outsourcing Services

    ReplyDelete
  4. AddonsApril 24, 2021 at 11:23 AM

    small business seo services in los angeles
    ecommerce seo services in los angeles
    b2b seo services in los angeles
    enterprise seo services in los angeles
    professional seo services in los angeles

    ReplyDelete
  5. jefrynoe191June 29, 2021 at 1:53 PM

    giacca da prestigiatore
    triciclo usato milano
    risparmiare batteria iphone ios 12
    maglia termica nuoto bambina
    shein camicie donna cameriera
    maquina para coser zapatillas
    venta de bicicletas para ejercicio
    sujetador media copa abierto ético
    nike academy16 knt tracksuit 2
    bañador neopreno mujer oysho
    camiseta escote redondo
    adidas rock climbing
    rompecabezas de obras de arte para arma
    reloj con números romanos para niños
    abrigo aviador mujer abdomen
    gucci forocoches
    sonic 3 and knuckles juego online
    short de bain islamique
    stihl klamotten
    brabus rocket 900 amazon
    new balance icarus
    sonnenbrille herren mit seitenschutz
    hoodie pepe jeans cyan
    shorts fitness feminino
    melhores marcas de mochilas masculinas
    quadri da disegnare amazon
    aharry potter x vans
    culle e passeggini per neonati amazon
    camisa da ferroviária
    galocha rosa feminina
    deichmann bolsos
    bolso de mano de hombre guess entusiasta
    tenda da sole spiaggia amazon
    nike pegasus 94
    Nike Air Force 270

    ReplyDelete
  6. linlin123July 12, 2021 at 1:35 PM

    nike shirt langarm
    moufles millet expedition 8000 m
    hüte damen sommer
    diffuseur par nébulisation à froid amazon
    bijoux pas cher or blanc amazon
    sacoche lv district
    polo simulator
    cappotto burberry bimba amazon
    schubkarre gestell amazon
    nike off white foam rose
    jeansjacke mädchen 164
    nike cortez prm
    beutel zipper amazon
    nike tanjun damen weiß 44
    scarpe pirelli uomo impedire
    polo ralph lauren jeanshemd damen
    risparmiare batteria iphone ios 12
    style année 80 femme
    Nike Air Force 270
    kimono en jean
    pantaloni puma femei pollice Linea di metallo
    naketano anker jacke schwierig
    venta de tenis nike en tijuana
    blazer basicos mujer
    adidas adizero ace boost 7
    masque d horreur a imprimer
    new balance icarus
    sandália rasteira bottero
    berghaus mens raincoat
    calça laranja adidas
    béret a pompon bretelles uniforme
    gucci sandale plastique
    costumi interi amazon
    skechers shoes for men online
    gants si assault factory pilot noir oakley
    venda de cortina
    adidas stan smith safety shoes
    niveau à laser amazon surligner escorte
    sims 4 nike shoes kids

    ReplyDelete
  7. fang1234July 12, 2021 at 1:59 PM

    casquette ford Immigration
    chaussure carla moreau
    triciclo usato milano
    chaussures de sécurité facom
    foot locker nike react element
    scatola protezione stagna
    nike metcon 5 rojas
    zapatillas de agua niña
    veste velour carhartt
    damen lack schnürer
    cappotto rosso scarpe nike
    fiore garofano amazon
    nike presto extreme pas cher
    nike pegasus 94
    shorts fitness feminino
    nike t shirt tumblr
    quadri da disegnare amazon
    chinelo slide da melissa
    tenis all star feminino branco couro
    calzoncillos puma hombre
    veste per battesimo amazon
    nike air force modelo agotado
    cartera levis hombre
    filtre pour aspirateur samsung sc4780
    autoradio gps vdo
    nike tribute veste
    soldes chaussures homme caterpillar hiver cafétéria
    amazon sandalias reef
    chanclas new balance niña
    kit de creation de bracelets utilisation
    wc suspendu mural amazon
    foulard en soie homme
    all star converse star player
    paragliding přilby
    nike anzug nba rot
    camisa da ferroviária
    tapie adidas credit lyonnais
    gucci handbags uk
    air force 1 nike outfit men basket

    ReplyDelete
  8. balabalaJuly 17, 2021 at 5:52 AM

    borse gabs etnico
    zapatillas running galaxy 4 azul marino mujer adidas
    nike air max 97 silber
    ladies summer shorts
    bolsas para comprimir equipaje
    table basse marbre noir pied doré
    guanti da sci gialli
    stratic koffer monogramm
    sellerie moto strasbourg
    deichmann bolsos
    aharry potter x vans
    adidas cal surf
    timberland herren 3 eye
    adidas yeezy semi frozen yellow on feet
    cappello fisi kappa tazza
    nike free run 5.0 new
    smartphone kleine abmessungen amazon
    adidas originals panna scarpe uomo basse
    sandalias rosa palo tacon ancho giro
    bermuda femme en lin dor
    vetements sisley ligne
    s oliver catie bell bottom
    cerchietto che si chiude capelli
    short de bain islamique
    zapatos de charol mujer con taco
    blazer bebe 2 anos
    rückgaberecht adidas
    camiseta con falda corta
    tende doccia milano amazon
    shein camicie donna cameriera
    bañador neopreno mujer oysho
    sudadera nike vintage
    giacca da prestigiatore
    sandalias courofeito a mao
    grossista condizionatori
    piumini daunenstep amazon
    zapatillas cruyff mujer
    valentine gauthier chaussures

    ReplyDelete
  9. qweJuly 30, 2021 at 2:08 PM

    adidas personalised shoes
    nike shox feminino modelo novo
    camisa cuadros franela mujer
    tenis oakley flak infantil
    sac a main desigual beige
    maje robe
    nike neuheiten damen
    aharry potter x vans
    kimono long femme grande taille
    air jordan 4 lightning
    hama stiftplatte einhorn amazon
    zaini eastpak ragazza
    gucci sandale plastique
    nike presto extreme pas cher
    adidas stan smith safety shoes
    adidas stabil x junior
    nike sb zoom mogan mid 2 6.0
    schubkarre gestell amazon
    skechers shoes for men online
    robe voile manche longue

    ReplyDelete
  10. qweJuly 30, 2021 at 2:08 PM

    valentine gauthier chaussures
    sacoche lv district
    sandalias agua cerradas
    scarpe nike air force modelli nuovi
    maglia termica nuoto bambina
    shein camicie donna cameriera
    abrigo aviador mujer abdomen
    gucci forocoches
    sonic 3 and knuckles juego online
    new balance icarus
    sudadera nike vintage
    sandalias de esparto mujer
    nike air jordan sale deutschland
    zapatillas nike lunarglide 8 precio
    chaussette pull and bear
    adidas noir doré
    nike hypervenom all black
    zapatillas de mujer bimba y lola
    pantalon homme the kooples
    lovely jane robe
    polo shirt juventus
    leggings mit spitzenabschluss
    pantoufle charentaise homme
    tumbona terraza ikea
    nike sb stefan janoski beige

    ReplyDelete
  11. UnknownMarch 1, 2022 at 2:52 PM

    Je vous laisse lire cet article sur Jean Jacques Perrut

    ReplyDelete

Subscribe to: Post Comments (Atom)