Rule:  

--
Sid:

2180

--
Summary:

This event is generated when a BitTorrent client connects to a tracker 
to gain access to a BitTorrent network.  

--
Impact:

Possible violation of policy and abuse of network resources.

--
Detailed Information:
BitTorrent is a peer-to-peer application used for simultaneous downloads
of large files.  BitTorrent is designed to allow multiple peers to 
download large files simultaneously without using extraneous bandwidth 
from a centralized server.

BitTorrent's centralized server, called a tracker, refers peers to each 
other. This rule looks for a request sent to a BitTorrent tracker from a
peer.

--
Attack Scenarios:

A user downloaded a BitTorrent client and attempts to download files 
from a BitTorrent network.

--
Ease of Attack:

Unix, Windows, and MacOS clients are publicly available for BitTorrent.

--
False Positives:

Other web-based applications could use similar URLs and parameters.

--
False Negatives:

The URL path "/announce" is hardcoded in the BitTorrent tracker.  If the
URL was changed in the tracker, then this rule would not generate an 
event.

--
Corrective Action:

If this is a violation of network policy, take appropriate steps to 
prevent further violations.

--
Contributors:

Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>

-- 
Additional References:

Bittorrent Protocol Specification
http://bitconjurer.org/BitTorrent/protocol.html

Wikipedia
http://en.wikipedia.org/wiki/BitTorrent

--