Re: Feature #3086 app_proto for Torrent Traffic

AaronB · July 14, 2020, 2:06am

Hi,

For this feature of fixing the app_proto for torrent traffic which was showing up as “failed”, I’m wondering about the scope.

This seems to only happen for bittorrent dht protocol traffic over UDP, which is on random ports between 1024-65535.

Since this is a new app layer protocol for Suricata, for this ticket do we just want to simply detect this UDP traffic and label the app_proto as ‘bittorrent’/‘bittorrent_dht’ or should other fields e.g. error codes also be extacted and logged from the bittorrent dht protocol? And is it ok to probe for the bittorrent dht protocol on all ports between 1024-65535 by default?

Thanks!

vjulien · July 14, 2020, 6:01am

I think adding “just” protocol detection is fine, although doing a full parser is of course even nicer

I don’t know much about BT, so not sure what detection should look like. In general the ProbingParser is a bit of a last resort effort as its a bit of code running on a packet each flow, so potentially its expensive, esp if we’d have multiple probing parsers.

We’d be happy to test an implementation and submit it to some trex testing so we know exactly how expensive it is.

Topic		Replies	Views
How to block all traffic which matches BitTorrent-DHT? Help	7	1246	February 20, 2024
Application detection and duplicate TCP/SYN Help	6	1296	September 1, 2022
Suricata rules & the proxy protocol Help	4	1357	May 31, 2021
Suricata port agnostic protocol detection at higher speed 100+Gbps	5	202	April 16, 2024
Several app_proto in flows appears as failed Help	15	3625	October 6, 2020

Re: Feature #3086 app_proto for Torrent Traffic

Related topics