
List:       snort-sigs
Subject:    Re: [Snort-sigs] new rule
From:       Joel Esler <jesler () sourcefire ! com>
Date:       2013-04-29 14:52:08
Message-ID: 27903512-7204-431D-A183-CC52BD48F9AE () sourcefire ! com



On Apr 27, 2013, at 5:50 AM, Chukhaltsetseg Shijirbaatar <sh_chukha@yahoo.com> wrote:

> # to detect torrent metafile download
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P torrent metafile download"; content:"|64 38 3a|announce"; flow:established; classtype:policy-violation; sid:1100011; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent handshake"; flow:to_server,established; content:"BitTorrent protocol|0000 0000|"; classtype:policy-violation; sid:1100012; rev:1;)

You may want to look into sids: 2180 and 2181.  These sids are freely available in both the registered ruleset and the community ruleset here: http://www.snort.org/snort-rules

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire 
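As an added illustration (not code from the post, nor from Snort), the harness below applies the content matches of the two quoted rules to constructed payloads, decoding Snort's |..| hex notation the way the rules use it. The sample metafiles, info_hash, peer_id and reserved-byte values are made up for the example; it shows that the metafile rule misses a trackerless torrent (no announce key) and that the handshake rule only keys on the first four of the eight reserved bytes.

```python
"""Apply the content matches of the two quoted Snort rules to constructed
BitTorrent payloads (example code; not from the list post or Snort)."""

# Snort content strings copied from the two rules above.
RULE_TORRENT_METAFILE = "|64 38 3a|announce"
RULE_BT_HANDSHAKE = "BitTorrent protocol|0000 0000|"


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string into raw bytes: text outside |...| is
    literal, text inside |...| is whitespace-separated hex."""
    out = bytearray()
    for i, seg in enumerate(content.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, content: str) -> bool:
    """Unanchored content match, as the rules above use it (no offset/depth)."""
    return snort_content_to_bytes(content) in payload


def bt_handshake(reserved: bytes, info_hash: bytes, peer_id: bytes) -> bytes:
    """Build a peer handshake: <pstrlen><pstr><8 reserved><info_hash><peer_id>."""
    assert len(reserved) == 8 and len(info_hash) == 20 and len(peer_id) == 20
    return b"\x13BitTorrent protocol" + reserved + info_hash + peer_id


# Constructed samples, not real captures.
INFO_HASH = bytes(range(20))
PEER_ID = b"-XX0001-" + b"0" * 12
SAMPLES = {
    # bencoded metafile whose first (sorted) key is "announce": tracker-based
    "metafile_with_tracker": b"d8:announce31:http://tracker.example/announce4:infod4:name1:aee",
    # trackerless metafile: no "announce" key, so the dict starts with "info"
    "metafile_trackerless": b"d4:infod6:lengthi1e4:name1:aee",
    "handshake_zero_reserved": bt_handshake(b"\x00" * 8, INFO_HASH, PEER_ID),
    # DHT flag sits in the last reserved byte; first four bytes stay zero
    "handshake_dht_bit": bt_handshake(b"\x00" * 7 + b"\x01", INFO_HASH, PEER_ID),
    # a client advertising an extension bit in the first reserved byte
    "handshake_first_byte_set": bt_handshake(b"\x80" + b"\x00" * 7, INFO_HASH, PEER_ID),
}


def evaluate_samples() -> dict:
    """Map each sample name to (metafile rule hit, handshake rule hit)."""
    return {name: (content_matches(p, RULE_TORRENT_METAFILE),
                   content_matches(p, RULE_BT_HANDSHAKE))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in evaluate_samples().items():
        print(f"{name:26s} metafile={hits[0]!s:5s} handshake={hits[1]}")
```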

