[Emerging-Sigs] SIG: ET P2P DNS Query For Likely Torrent Tracker

Kevin Ross kevross33 at googlemail.com
Mon Oct 17 15:51:56 EDT 2011


alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET P2P DNS Query For
Torrent Tracker"; content:"|01 00 00 01 00 00 00 00 00 00 07|tracker";
depth:18; offset:2; classtype:policy-violation; reference:url,
http://en.wikipedia.org/wiki/BitTorrent_tracker; sid:1459991; rev:1;)

Good for detecting torrents when they start up and it gets the trackers.
Might be worth considering a limit on it though depending on people's
thoughts. Regards. Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20111017/7f1d74a8/attachment.html


More information about the Emerging-sigs mailing list