Re: Feature #3086 app_proto for Torrent Traffic

Hi,

For this feature of fixing the app_proto for torrent traffic which was showing up as “failed”, I’m wondering about the scope.

This seems to only happen for bittorrent dht protocol traffic over UDP, which is on random ports between 1024-65535.

Since this is a new app layer protocol for Suricata, for this ticket do we just want to simply detect this UDP traffic and label the app_proto as ‘bittorrent’/‘bittorrent_dht’ or should other fields e.g. error codes also be extracted and logged from the bittorrent dht protocol? And is it ok to probe for the bittorrent dht protocol on all ports between 1024-65535 by default?

Thanks!

I think adding “just” protocol detection is fine, although doing a full parser is of course even nicer :slight_smile:

I don’t know much about BT, so not sure what detection should look like. In general the ProbingParser is a bit of a last resort effort as it’s a bit of code running on a packet each flow, so potentially it’s expensive, esp if we’d have multiple probing parsers.

We’d be happy to test an implementation and submit it to some trex testing so we know exactly how expensive it is.
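As an added example, not code from this thread or from Suricata itself: a two-stage check in the spirit of the cheap probe the reply asks for, a fixed-cost marker test that could run on the first UDP packet of a flow, followed by a bencode decode only when the probe passes, pulling out the KRPC message type, query method and error code that the first post asks about. The function names and the sample messages are constructed here (the samples follow the BEP 5 layout).

```python
KRPC_TYPES = {b"q": "query", b"r": "response", b"e": "error"}

def probe_dht(payload: bytes) -> bool:
    """Fixed-cost check a probing parser can afford: bencoded dict with the 't' and 'y' keys."""
    return (len(payload) >= 10 and payload[:1] == b"d" and payload[-1:] == b"e"
            and b"1:t" in payload and b"1:y1:" in payload)

def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder returning (value, next_offset); raises on malformed input."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dict of nested values
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return (items if c == b"l" else dict(zip(items[::2], items[1::2]))), pos + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        start, length = colon + 1, int(data[pos:colon])
        return data[start:start + length], start + length
    raise ValueError("not bencoded at offset %d" % pos)

def classify_dht(payload: bytes):
    """Return type/method/error code for a DHT message, or None if the payload is not DHT."""
    if not probe_dht(payload):
        return None
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError, TypeError):   # truncated, bad length or unhashable key
        return None
    if end != len(payload) or not isinstance(msg, dict):   # trailing garbage is not DHT
        return None
    kind = KRPC_TYPES.get(msg.get(b"y")) if isinstance(msg.get(b"y"), bytes) else None
    if kind is None:
        return None
    out = {"type": kind, "tid": msg.get(b"t")}
    if kind == "query" and isinstance(msg.get(b"q"), bytes):
        out["method"] = msg[b"q"].decode("ascii", "replace")
    elif kind == "error":
        err = msg.get(b"e")
        if isinstance(err, list) and len(err) == 2 and isinstance(err[1], bytes):
            out["code"], out["message"] = err[0], err[1].decode("ascii", "replace")
    return out

# Constructed samples laid out as in BEP 5 (a ping query, an error reply) plus a DNS-like header.
PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
ERR = b"d1:eli201e23:A Generic Error Ocurrede1:t2:aa1:y1:ee"
NOT_DHT = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
```

The probe alone is what a per-packet ProbingParser would pay for; the full decode only runs on payloads that already look like KRPC, which keeps the cost on unrelated UDP traffic to a few byte comparisons.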