Can you please elaborate on the methodology you outlined for detection of BitTorrent encrypted connections? Do you have plans to provide this support in the free IntruPro IPS software?

Thanks
Ravi

On 10/9/07, Srinivasa Addepalli <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> Older versions of Bit Torrent clients use TCP based transfer for downloading
> and uploading pieces. Later versions of clients support multiple methods for
> data transfer. Web seeding is one method which we see commonly. We also see
> the Azureus client using UDP based data transfer. In addition, if peers support
> cryptography, then the connections (TCP or UDP) are encrypted.
>
> It is difficult to detect encrypted connections using typical pattern
> matching. The first two packets of the connection exchange DH pairs to get a
> symmetric key. This symmetric key is used to encrypt the rest of the stream. The
> first two packets are even padded with random data of random length to avoid
> detection by any traffic enforcers. This is done very cleverly and it has
> been very successful. We believe that traffic heuristics combined with some
> intelligence of tracker connections is one way to detect these encrypted
> connections.
>
> By the way, IntruPro-IPS has signatures for detecting 'web seeding' and
> 'UDP' based data transfer connections in addition to TCP based connections.
> These signatures were added recently and you may like to get the latest version
> of the signature set.
>
> Srini
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> Behalf Of Ravi Chunduru
> Sent: Sunday, October 07, 2007 9:27 AM
> To: [email protected]
> Subject: bittorrent file transfer - rate limit
>
> I am trying to use IntruPro-IPS to limit bittorrent traffic to 20% of
> my bandwidth.
>
> It is able to detect file transfer traffic in many cases using the rules
> given as part of the product distribution. If I use bittorrent (downloaded
> from www.bittorrent.com) I can see that this p2p traffic is not
> exceeding the 20% limit (100kbps). But if I use another client application
> such as Azureus or uTorrent, I find that bittorrent data traffic is
> not recognized for some torrents.
>
> This product has a facility to add new rules to detect application
> traffic. I tried to add new rules with patterns from bleedingthreats
> and l7 filters and the results are the same. Does anybody have the right
> patterns to detect all kinds of bittorrent file transfer connections?
>
> thanks
> Ravi
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
>
> Intoto Inc.
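The approach Srini sketches above (plain pattern matching for the unencrypted handshake, then traffic heuristics on the DH-plus-random-padding first packets, corroborated by what the tracker connection revealed) can be illustrated in a small classifier. The code below is an added example written for this thread; it is not IntruPro's signature logic or any vendor code. It assumes the MSE handshake layout of a 96-byte DH public key followed by up to 512 bytes of padding, an entropy ratio of 0.9 as the "looks encrypted" threshold, and compact (6-byte) peer records in the tracker announce response; the function names, the tracker response and the four sample flows are all constructed for the demonstration.

```python
"""Hypothetical heuristic for spotting encrypted BitTorrent (MSE) peer
connections: a plaintext-signature check, then a size + entropy heuristic on
the first client payload, cross-checked against peers learned from a tracker
announce response. Added example; every sample value below is constructed."""
import math
from collections import Counter

# Assumptions about the MSE handshake (not stated in the thread): the initiator's
# first message is a 96-byte DH public key followed by 0-512 bytes of padding.
MSE_MIN_LEN = 96
MSE_MAX_LEN = 96 + 512
PLAIN_HANDSHAKE = b"\x13BitTorrent protocol"   # plaintext wire-protocol prefix
ENTROPY_RATIO = 0.9                            # tunable threshold; an assumption


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution of `data`."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def normalized_entropy(data: bytes) -> float:
    """Entropy divided by the maximum attainable for this many bytes, so a
    short payload is not penalised for having fewer than 256 symbols."""
    n = len(data)
    if n < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(n, 256))


def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder (ints, byte strings, lists, dicts).
    Returns (value, index_after_value)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = bdecode(data, i)
            result[key], i = bdecode(data, i)
        return result, i + 1
    colon = data.index(b":", i)
    start = colon + 1
    end = start + int(data[i:colon])
    return data[start:end], end


def peers_from_announce(response: bytes) -> set:
    """Extract (ip, port) pairs from the compact 'peers' field (6 bytes per
    peer: IPv4 address + big-endian port) of a tracker announce response."""
    blob = bdecode(response)[0][b"peers"]
    return {(".".join(str(b) for b in blob[i:i + 4]),
             int.from_bytes(blob[i + 4:i + 6], "big"))
            for i in range(0, len(blob) - len(blob) % 6, 6)}


def classify_flow(flow: dict, tracker_peers: set) -> str:
    """Classify one flow from its first client payload and tracker knowledge."""
    payload = flow["payload"]
    if payload.startswith(PLAIN_HANDSHAKE):
        return "bittorrent-plain"            # pattern matching still works here
    sized = MSE_MIN_LEN <= len(payload) <= MSE_MAX_LEN
    if sized and normalized_entropy(payload) >= ENTROPY_RATIO:
        if (flow["dst"], flow["dport"]) in tracker_peers:
            return "bittorrent-encrypted"    # heuristic + tracker corroboration
        return "suspect-encrypted"           # heuristic alone; treat as unconfirmed
    return "unknown"


def compact_peer(ip: str, port: int) -> bytes:
    return bytes(int(o) for o in ip.split(".")) + port.to_bytes(2, "big")


# Constructed tracker announce response naming two peers.
_peers_blob = compact_peer("10.0.0.5", 6881) + compact_peer("10.0.0.9", 51413)
TRACKER_RESPONSE = (b"d8:intervali1800e5:peers"
                    + str(len(_peers_blob)).encode() + b":" + _peers_blob + b"e")

# Constructed first payloads. The "ciphertext" stand-ins are byte permutations
# (every byte distinct), so the entropy result is deterministic rather than
# depending on a random generator.
SAMPLE_FLOWS = [
    {"dst": "10.0.0.5", "dport": 6881,                       # plaintext handshake
     "payload": PLAIN_HANDSHAKE + b"\x00" * 8
                + b"0123456789abcdef0123" + b"-AZ2504-123456789012"},
    {"dst": "10.0.0.9", "dport": 51413,                      # 96-byte key + 128 padding, known peer
     "payload": bytes((i * 167 + 31) % 256 for i in range(224))},
    {"dst": "192.0.2.7", "dport": 443,                       # high entropy, peer not from tracker
     "payload": bytes((i * 89 + 7) % 256 for i in range(300))},
    {"dst": "192.0.2.8", "dport": 80,                        # ordinary low-entropy text
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                b"User-Agent: demo-client/1.0\r\nAccept: */*\r\n"
                b"Connection: keep-alive\r\n\r\n"},
]


def classify_all(flows=SAMPLE_FLOWS, response=TRACKER_RESPONSE) -> list:
    peers = peers_from_announce(response)
    return [classify_flow(f, peers) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, classify_all()):
        print(f"{flow['dst']}:{flow['dport']} -> {verdict}")
```

The point of the tracker cross-check is the false-positive side: TLS, SSH and VPN flows also open with high-entropy bytes in the handshake size range, so the entropy heuristic alone only earns a "suspect" verdict, and a rate limiter should act on the corroborated class. A real deployment would also have to handle non-compact (list-of-dicts) peer lists and UDP trackers, which this example omits.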
