[Emerging-Sigs] SIG: ET P2P DNS Query For Likely Torrent Tracker

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 19 11:53:40 EDT 2011


tracker.*.* I think is going to be a pretty common thing, not just related to torrents. 

Good idea, but I think we'll have too many falses to call it reliable, no?

Matt


On Oct 17, 2011, at 3:51 PM, Kevin Ross wrote:

> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET P2P DNS Query For Torrent Tracker"; content:"|01 00 00 01 00 00 00 00 00 00 07|tracker"; depth:18; offset:2; classtype:policy-violation; reference:url,http://en.wikipedia.org/wiki/BitTorrent_tracker; sid:1459991; rev:1;)
> 
> Good for detecting torrents when they start up and it gets the trackers. Might be worth considering a limit on it though depending on people's thoughts. Regards. Kevin


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
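To make the rule's matching behaviour concrete (and Matt's false-positive point testable), here is an added Python example that is not part of the thread or of the ET ruleset. It builds DNS query payloads, emulates the `content`/`offset`/`depth` check from Kevin's signature, and emulates the per-source `threshold: type limit` Kevin suggests. The hostnames, IPs and timestamps are constructed for illustration; the limit emulation approximates Snort/Suricata semantics rather than reproducing the engine's code.

```python
import struct

# Pattern from the posted rule: flags 01 00 (standard query, RD set), QDCOUNT 1,
# ANCOUNT/NSCOUNT/ARCOUNT 0, then a 7-byte first label "tracker".
PATTERN = bytes.fromhex("0100 0001 0000 0000 0000 07") + b"tracker"
OFFSET = 2    # skip the 2-byte transaction ID
DEPTH = 18    # search only 18 bytes from OFFSET, so the pattern must start exactly at byte 2


def build_dns_query(qname, txid=0x1234, flags=0x0100, qtype=1, qclass=1):
    """Construct a minimal DNS query payload (UDP, no EDNS) for testing the match."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question += b"\x00" + struct.pack(">HH", qtype, qclass)
    return header + question


def qname_of(payload):
    """Read the QNAME labels out of the question section (queries carry no compression)."""
    i, labels = 12, []
    while payload[i]:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def sig_matches(payload):
    """Emulate content/offset/depth: PATTERN must occur inside payload[OFFSET:OFFSET+DEPTH]."""
    return PATTERN in payload[OFFSET:OFFSET + DEPTH]


def limit_alerts(events, count=1, seconds=3600):
    """Approximate 'threshold: type limit, track by_src, count N, seconds S':
    fire on at most the first N matching events per source in each S-second window.
    events: iterable of (timestamp_seconds, src_ip, dns_payload); returns (ts, src, qname)."""
    windows = {}  # src -> [window_start, hits_in_window]
    alerts = []
    for ts, src, payload in events:
        if not sig_matches(payload):
            continue
        win = windows.get(src)
        if win is None or ts - win[0] >= seconds:
            win = [ts, 0]
            windows[src] = win
        win[1] += 1
        if win[1] <= count:
            alerts.append((ts, src, qname_of(payload)))
    return alerts


if __name__ == "__main__":
    # Constructed sample queries; hostnames are illustrative, not taken from the thread.
    samples = {
        "torrent tracker":         build_dns_query("tracker.torrentsite.example"),
        "non-torrent 'tracker.'":  build_dns_query("tracker.example.com"),  # Matt's false-positive case
        "tracker not first label": build_dns_query("www.tracker.example.com"),
        "8-byte label 'trackers'": build_dns_query("trackers.example.com"),
        "RD flag clear":           build_dns_query("tracker.torrentsite.example", flags=0x0000),
    }
    for name, pkt in samples.items():
        print(f"{name:26s} {qname_of(pkt):32s} match={sig_matches(pkt)}")
```

Two things the table of results makes visible: the rule keys only on the first label being exactly `tracker`, so `tracker.example.com` for an analytics or CDN host fires just as readily as a real torrent tracker, which is the false-positive concern; and because the content starts with the flags bytes `01 00`, a query sent without the RD bit set (flags `00 00`) does not match at all, so traffic from iterative resolvers or some forwarders is missed. On a modern Suricata the same check would normally be written against the `dns.query` sticky buffer rather than raw payload offsets.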