
| Subject: | Re: bittorrent file transfer - rate limit |
|---|---|
| Date: | Tue, 9 Oct 2007 23:30:19 -0700 |
Okay. Thank you for the detailed explanation.

Ravi

On 10/9/07, Srinivasa Addepalli <srao@intoto.com> wrote:

> Hi,
>
> Older versions of BitTorrent clients use TCP-based transfer for downloading and uploading pieces. Later versions of clients support multiple methods for data transfer. Web seeding is one method which we see commonly. We also see the Azureus client using UDP-based data transfer.
>
> In addition, if peers support cryptography, then the connections (TCP or UDP) are encrypted. It is difficult to detect encrypted connections using typical pattern matching. The first two packets of the connection exchange DH pairs to get a symmetric key. This symmetric key is used to encrypt the rest of the stream. The first two packets are even padded with random data of random length to avoid detection by any traffic enforcers. This is done very cleverly and it had been very successful. We believe that traffic heuristics combined with some intelligence of tracker connections is one way to detect these encrypted connections.
>
> By the way, IntruPro-IPS has signatures for detecting 'web seeding' and 'UDP' based data transfer connections in addition to TCP-based connections. These signatures were added recently and you may like to get the latest version of the signature set.
>
> Srini
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Ravi Chunduru
> Sent: Sunday, October 07, 2007 9:27 AM
> To: focus-ids@securityfocus.com
> Subject: bittorrent file transfer - rate limit
>
> I am trying to use IntruPro-IPS to limit bittorrent traffic to 20% of my bandwidth. It is able to detect file transfer traffic in many cases using rules given as part of the product distribution. If I use bittorrent (downloaded from www.bittorrent.com) I could see that this p2p traffic is not exceeding the 20% limit (100kbps). But if I use another client application such as azureus or uTorrent, I find that bittorrent data traffic is not recognized for some torrents. This product has a facility to add new rules to detect application traffic.
>
> I tried to add new rules with patterns from bleedingthreats and l7 filters and the results are the same. Does anybody have the right patterns to detect all kinds of bittorrent file transfer connections?
>
> thanks
> Ravi
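
The heuristic Srini describes in the quoted reply (the shape of the first two packets combined with knowledge of tracker connections), sketched as an added example that is not part of the original thread and is not IntruPro-IPS's detection logic. The 96-byte key size and 0-512 byte padding window, the entropy threshold, the label names and the `tracker_peers` set (endpoints learned from tracker responses) are assumptions, and all sample payloads are constructed.

```python
import hashlib
import math
from collections import Counter

BT_PLAINTEXT = b"\x13BitTorrent protocol"  # cleartext handshake prefix
# Assumption (MSE/PE spec, not stated in the post): each side's first message
# is a 96-byte DH public value plus 0-512 bytes of random padding.
MSE_MIN, MSE_MAX = 96, 96 + 512
ENTROPY_FLOOR = 0.85  # illustrative threshold on normalised entropy

def normalised_entropy(data: bytes) -> float:
    """Shannon entropy divided by the maximum possible for this length."""
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(n, 256))

def looks_like_dh_exchange(payload: bytes) -> bool:
    return (MSE_MIN <= len(payload) <= MSE_MAX
            and normalised_entropy(payload) >= ENTROPY_FLOOR)

def classify(first_c2s: bytes, first_s2c: bytes, dst, tracker_peers) -> str:
    """Classify a flow from the first payload seen in each direction."""
    if BT_PLAINTEXT in (first_c2s[:20], first_s2c[:20]):
        return "bittorrent-plaintext"
    if looks_like_dh_exchange(first_c2s) and looks_like_dh_exchange(first_s2c):
        # Shape alone is weak evidence; a tracker-learned peer corroborates it.
        return ("bittorrent-encrypted-likely" if dst in tracker_peers
                else "suspect-random-handshake")
    return "unknown"

def constructed_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for captured random-looking payload bytes."""
    out = b""
    while len(out) < n:
        out += hashlib.sha256(seed + len(out).to_bytes(4, "big")).digest()
    return out[:n]

# Constructed sample data: peers learned from a tracker response, and flows.
TRACKER_PEERS = {("198.51.100.7", 51413)}
ENCRYPTED = (constructed_random(96 + 137, b"a"), constructed_random(96 + 40, b"b"))
PLAIN = (BT_PLAINTEXT + bytes(8) + constructed_random(40, b"c"), b"")
HTTP = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
        b"User-Agent: sample\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n", b"")

if __name__ == "__main__":
    for name, (c2s, s2c) in [("encrypted", ENCRYPTED), ("plain", PLAIN), ("http", HTTP)]:
        print(name, classify(c2s, s2c, ("198.51.100.7", 51413), TRACKER_PEERS))
```

Other protocols also open with random-looking bytes, so the shape test on its own only yields a "suspect" label; the tracker-learned endpoint is what raises confidence enough to place the flow in a rate-limited class.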