IDS +utorrent encrypted torrents

jbrukardt

Good afternoon,

I have a question regarding uTorrent's encrypted torrent mode, and how this will affect the IDS on my network. Open ones are already blocked through a Snort rule, but I have a feeling that encrypted ones won't be. Can anyone confirm this, and if they aren't blocked, how could I modify the rule to make them blocked?
 
Block all encrypted traffic out of the network...if you need SSL, I suppose you'd need to allow that. If uTorrent uses SSL for its transfers, then it'll probably look a lot like HTTPS traffic.

I don't think the actual stream is encrypted, just the headers. To that end, I've heard of ISPs injecting EOF (end of file) statements into the data streams, which will jack up BitTorrent into thinking that the file is downloaded - or something to that effect. Maybe that'll give you a place to start looking.
 
You could also distinguish that traffic in the number of new connections opened. SSL is not going to open 40 connections over the span of a few seconds, neither will any form of VPN.
 
The above is true, but that is something hard to put into a rule of some sort.
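
The connection-count heuristic discussed in the last two posts, as an added example that is not part of any post in this thread: it flags an internal host that opens connections to many distinct peers within a short sliding window, using outbound TCP SYN records. The 40-connection figure comes from the thread; the 5-second window, the choice to count distinct peers rather than raw connections, the function names and the flow records are assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque

THRESHOLD = 40      # connection count quoted in the thread
WINDOW_SECONDS = 5  # assumed value for "a few seconds"


def find_fanout_sources(syn_events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Map each flagged source IP to the time it first reached `threshold`
    distinct (dst_ip, dst_port) peers inside a sliding `window` of seconds.

    syn_events: (timestamp, src_ip, dst_ip, dst_port) tuples, one per outbound
    TCP SYN, sorted by timestamp.
    """
    recent = defaultdict(deque)    # src -> (timestamp, peer) still in the window
    peers = defaultdict(Counter)   # src -> peer -> SYNs still in the window
    alerts = {}
    for ts, src, dst, dport in syn_events:
        queue, counts = recent[src], peers[src]
        # Drop SYNs that have aged out of the window.
        while queue and ts - queue[0][0] > window:
            _, old_peer = queue.popleft()
            counts[old_peer] -= 1
            if counts[old_peer] == 0:
                del counts[old_peer]
        queue.append((ts, (dst, dport)))
        counts[(dst, dport)] += 1
        if len(counts) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def build_sample_events():
    """Constructed flow records (documentation address ranges), not real traffic."""
    events = []
    for i in range(45):
        # 10.0.0.5: 45 distinct peers on high ports within 4.4 s (swarm-like).
        events.append((100.0 + i * 0.1, "10.0.0.5", f"198.51.100.{i + 1}", 6881 + i))
        # 10.0.0.9: same SYN rate, but only two HTTPS servers.
        events.append((100.0 + i * 0.1, "10.0.0.9", f"203.0.113.{1 + i % 2}", 443))
        # 10.0.0.7: 45 distinct peers, but one every 2 s.
        events.append((100.0 + i * 2.0, "10.0.0.7", f"192.0.2.{i + 1}", 51413))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for src, when in find_fanout_sources(build_sample_events()).items():
        print(f"{src} reached {THRESHOLD} distinct peers within {WINDOW_SECONDS}s at t={when:.1f}")
```

Only 10.0.0.5 is flagged on the constructed data; the HTTPS client opens as many connections but to two servers, and the slow host never has more than three peers inside one window.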
 