[Oisf-users] Inspecting torrent traffic

C. L. Martinez carlopmart at gmail.com
Fri Aug 17 06:44:41 UTC 2012


On Thu, Aug 16, 2012 at 10:45 AM, Kerry Milestone <km4 at sanger.ac.uk> wrote:
>
>
> There is a good chance that you could get a look at the metadata, but because
> the payload is encrypted unless you MITM you won't be able to tell what a file
> actually is.
>
> The problem I think with detecting this within suricata, is that there is often
> a side channel with the traffic so you will need to inspect a couple of streams
> or somehow know which packets coming from various hosts in a swarm belong to a
> stream - almost akin to requiring the entire fileset before you can inspect it.
>
> Detecting a pdf renamed as a docx is a matter of magic bytes and is fairly
> trivial - so long as you can see said bytes and let libmagic do its thing.
>
> Your best bet may be to ensure that the private tracker only allows for
> 'verified' torrents.  Torrent files once established are fairly authoritative
> and hard to fake and it could be a case of inspecting the actual torrent file
> hash which you could probably get in the clear via HTTP against a list of known
> good hashes rather than inspecting the actual p2p traffic.  Your tracker should
> only accept connections from peers for torrents that it is aware of, and you
> can't just 'insert' or change a file in a validated torrent file without
> creating a new hash - which then you could potentially alert on.

Many thanks Kerry, I will try your described approach ...
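Kerry's suggestion of checking a torrent file's hash against a list of known-good hashes, as an added example that is not part of the original thread: a minimal bencode decoder computes the BitTorrent info-hash (SHA-1 over the raw bencoded `info` dictionary) of a .torrent and compares it with an allowlist, so a torrent whose contents were changed produces a different hash and is flagged. The two sample torrents and the allowlist are constructed here for illustration.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value starting at offset i; return (value, end_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            d[k], i = bdecode(data, i)
        return d, i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError("malformed bencode at offset %d" % i)

def info_hash(torrent):
    """SHA-1 over the raw bencoded 'info' dict: the identity peers and trackers use."""
    if torrent[:1] != b"d":
        raise ValueError("not a bencoded dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = bdecode(torrent, i)
        start = i
        _, i = bdecode(torrent, i)                  # skip the value, keep its byte span
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("torrent has no info dictionary")

def check_torrent(torrent, allowlist):
    """Return (info_hash, verdict); anything not on the known-good list is an alert."""
    h = info_hash(torrent)
    return h, ("allowed" if h in allowlist else "alert")

# Constructed sample torrents (not real); the second carries altered piece hashes,
# i.e. a changed payload, so its info-hash no longer matches the verified one.
GOOD_TORRENT = (b"d8:announce22:http://tracker.example4:infod6:lengthi1024e"
                b"4:name8:good.pdf12:piece lengthi16384e6:pieces20:" + b"\x11" * 20 + b"ee")
TAMPERED_TORRENT = GOOD_TORRENT.replace(b"\x11" * 20, b"\x22" * 20)
KNOWN_GOOD = {info_hash(GOOD_TORRENT)}             # allowlist built from verified torrents
```

Feeding `check_torrent` a .torrent captured from the tracker's HTTP traffic yields `alert` for any torrent the tracker has not verified, which is the condition Kerry proposes alerting on.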
