Rule: -- Sid: 2180 -- Summary: This event is generated when a BitTorrent client connects to a tracker to gain access to a BitTorrent network. -- Impact: Possible violation of policy and abuse of network resources. -- Detailed Information: BitTorrent is a peer-to-peer application used for simultaneous downloads of large files. BitTorrent is designed to allow multiple peers to download large files simultaneously without using extraneous bandwidth from a centralized server. BitTorrent's centralized server, called a tracker, refers peers to each other. This rule looks for a request sent to a BitTorrent tracker from a peer. -- Attack Scenarios: A user downloaded a BitTorrent client and attempts to download files from a BitTorrent network. -- Ease of Attack: Unix, Windows, and MacOS clients are publicly available for BitTorrent. -- False Positives: Other web-based applications could use similar URLs and parameters. -- False Negatives: The URL path "/announce" is hardcoded in the BitTorrent tracker. If the URL was changed in the tracker, then this rule would not generate an event. -- Corrective Action: If this is a violation of network policy, take appropriate steps to prevent further violations. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> -- Additional References: Bittorrent Protocol Specification http://bitconjurer.org/BitTorrent/protocol.html Wikipedia http://en.wikipedia.org/wiki/BitTorrent --