Below snapshot shows HTTP request which Bittorrent Client uses to communicate with Bittorrent Servers. In the request we can see different parameters like client id, port number.
We can observe that Bittorrent client uses different User Agent request headers like BTWebClient, Bittorrent etc.
UDP is using Source port as 24615, which is being communicated to Bittorrent Server as HTTP Request.
So we can detect or block Bittorrent based on HTTP Request URI or User-Agent header strings or UDP protocol communication.
Below are few Signatures which we can use to detect Bittorrent.
alert udp any any -> any any ( msg: "Bit Torrent UDP"; content:"41 02"; offset:0; depth:2; content:"38"; offset:13;depth:1; content:"08"; offset:21;depth:1; sid:8888881; rev: 1; )
alert udp any any -> any any ( msg: "Bit Torrent Protocol"; content:"|13|bittorrent|20|protocol"; offset:0; sid:8888882; rev: 1; )
alert udp any any -> any any ( msg: "Bit Torrent UDP Communication"; content:"d1|3a|ad2|3a|id20|3a|"; sid:8888883; rev: 1; )
Below Signature triggers and alerts when the content is seen in HTTP Request URI
alert tcp any any -> any 80 ( msg: "Bit Torrent: HTTP Request"; content:"info_hash="; pcre:"/announce\?info_hash=/Ui"; sid:8888884; rev: 1; )
Observed following User-Agent strings as part of HTTP Requests
User-Agent: BitTorrent/7610(27328)
User-Agent: BTWebClient/7610(27328)
which can be detected using following Signatures
alert tcp any any -> any 80 ( msg: "Bit Torrent: HTTP User Agent 1"; content:"User-Agent: BitTorrent"; sid:8888885; rev: 1; )
alert tcp any any -> any 80 ( msg: "Bit Torrent: HTTP User Agent 2"; content:"User-Agent: BTWebClient"; sid:8888886; rev: 1; )
Posts related to Snort IDS/IPS which might be of interest to you.
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html
http://darshanams.blogspot.in/2010/06/snort-preprocessors-and-alerts.html
http://darshanams.blogspot.in/2012/05/installing-snort-from-source-as-ips.html
To know about Google Talk Jabber protocol communication
http://darshanams.blogspot.in/2008/11/deciphering-google-talk-jabber.html
For Zebra/Bittorrent protocol communication
http://darshanams.blogspot.in/2009/03/i-was-just-checking-my-mails.html
P.S Signatures given above are neither tested nor fine tuned. Just an
idea how to detect Bit Torrent communication.
idea how to detect Bit Torrent communication.
For a long time me & my friend were searching for informative blogs about detection, but now I am in the right place guys, you have made a room in my heart. Oracle fusion financials training
ReplyDeleteAndrology doctor in chennai
ReplyDeleteInfertility specialist in chennai
Sexologist in chennai
Thankyou the sharing great information, We are one of the best call center outsourcing vendors in the United States. At Trupp Global, we are completely dedicated to your business growth. We provide top notch services that can enhance the sales along with customer satisfaction levels.
ReplyDeleteBusiness Process Outsourcing Services
small business seo services in los angeles
ReplyDeleteecommerce seo services in los angeles
b2b seo services in los angeles
enterprise seo services in los angeles
professional seo services in los angeles
giacca da prestigiatore
ReplyDeletetriciclo usato milano
risparmiare batteria iphone ios 12
maglia termica nuoto bambina
shein camicie donna cameriera
maquina para coser zapatillas
venta de bicicletas para ejercicio
sujetador media copa abierto ético
nike academy16 knt tracksuit 2
bañador neopreno mujer oysho
camiseta escote redondo
adidas rock climbing
rompecabezas de obras de arte para arma
reloj con números romanos para niños
abrigo aviador mujer abdomen
gucci forocoches
sonic 3 and knuckles juego online
short de bain islamique
stihl klamotten
brabus rocket 900 amazon
new balance icarus
sonnenbrille herren mit seitenschutz
hoodie pepe jeans cyan
shorts fitness feminino
melhores marcas de mochilas masculinas
quadri da disegnare amazon
aharry potter x vans
culle e passeggini per neonati amazon
camisa da ferroviária
galocha rosa feminina
deichmann bolsos
bolso de mano de hombre guess entusiasta
tenda da sole spiaggia amazon
nike pegasus 94
Nike Air Force 270
nike shirt langarm
ReplyDeletemoufles millet expedition 8000 m
hüte damen sommer
diffuseur par nébulisation à froid amazon
bijoux pas cher or blanc amazon
sacoche lv district
polo simulator
cappotto burberry bimba amazon
schubkarre gestell amazon
nike off white foam rose
jeansjacke mädchen 164
nike cortez prm
beutel zipper amazon
nike tanjun damen weiß 44
scarpe pirelli uomo impedire
polo ralph lauren jeanshemd damen
risparmiare batteria iphone ios 12
style année 80 femme
Nike Air Force 270
kimono en jean
pantaloni puma femei pollice Linea di metallo
naketano anker jacke schwierig
venta de tenis nike en tijuana
blazer basicos mujer
adidas adizero ace boost 7
masque d horreur a imprimer
new balance icarus
sandália rasteira bottero
berghaus mens raincoat
calça laranja adidas
béret a pompon bretelles uniforme
gucci sandale plastique
costumi interi amazon
skechers shoes for men online
gants si assault factory pilot noir oakley
venda de cortina
adidas stan smith safety shoes
niveau à laser amazon surligner escorte
sims 4 nike shoes kids
Thank you for your excellent work! Your post provides an in-depth info of all the steps. bus rental Dubai
ReplyDeletegamsat organic chemistry
ReplyDeleteThis is a great article thanks for sharing this informative information. I will visit your blog regularly for some latest post.프리덤출장피쉬아로마
ReplyDelete프리덤출장피쉬아로마
프리덤출장피쉬아로마
정선출장피쉬아로마
평창출장피쉬아로마
영월출장피쉬아로마