[Oisf-users] Inspecting torrent traffic

Kerry Milestone km4 at sanger.ac.uk
Thu Aug 16 08:45:03 UTC 2012

There is a good chance that you could get a look at the metadata, but because
the payload is encrypted unless you MITM you won't be able to tell what a file
actually is. 

The problem I think with detecting this within suricata, is that there is often
a side channel with the traffic so you will need to inspect a couple of streams
or somehow know which packets coming from various hosts in a swarm belong to a
stream - almost akin to requiring the entire fileset before you can inspect it.

Detecting a pdf renamed as a docx is a matter of magic bytes and is fairly
trivial - so long as you can see said bytes and let libmagic do it's thing.

You're best bet may be to ensure that the private tracker only allows for
'verified' torrents.  Torrents files once established are fairly authoritative
and hard to fake and it could be a case of inspecting the actual torrent file
hash which you could probably get in the clear via HTTP against a list of know
good hashes rather than inspecting the actual p2p traffic.  Your tracker should
only accept connections from peers for torrents that it is aware of, and you
can't just 'insert' or change a file in a validated torrent file without
creating a new hash - which then you could potentially alert on.

On 15/08/12 19:19, C. L. Martinez wrote:
> Hi all,
>  Due to some requeriments in our infrastructure, I need to publish a
> private torrent tracker to share files (most of all are only docs, but
> sometimes I can need to share software).
>  AFAIK, torrent traffic is encrypted like for example ssl, correct?? I
> need to avoid abnormal traffic to this private tracker  and for
> example to detect an .pdf file inserted in a .docx. Is it possible to
> accomplish these tasks with suricata? Can I register torrent conns
> like suricata does with http traffic?.
> Thanks.
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

.- Kerry Milestone                  -.
.- Principle Network Engineer       -.
.- Wellcome Trust Sanger Institute  -.
.-                                  -.
.- http://www.sanger.ac.uk          -.
.- +44 (0)1223 492320               -.

 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 

More information about the Oisf-users mailing list