Rule:  

--
Sid:

2180

--
Summary:

This rule looks for a BitTorrent client connecting to a tracker to gain 
access to a BitTorrent network.  

--
Impact:

Possible violation of policy and abuse of network resources.

--
Detailed Information:

BitTorrent is a peer-to-peer application used for simultaneous downloads of
large files.  BitTorrent is designed to allow multiple peers to download large
files simultaneously without using extranious bandwith from a centralized 
server. 

BitTorrent's centralized server, called a tracker, refers peers to each other.
This rule looks for a request sent to a BitTorrent tracker from a peer.

--
Attack Scenarios:

A user downloaded a BitTorrent client and attempts to download files from a
BitTorrent network.

--
Ease of Attack:

Unix, Windows, and MacOS clients are publicly available for BitTorrent.

--
False Positives:

Other web-based applications could use similar URLs and parameters.

--
False Negatives:

The URL path "/announce" is hardcoded in the BitTorrent tracker.  If the URL
was changed in the tracker, then this rule would not trigger.

--
Corrective Action:

If this is a violation of network policy, take appropriate steps to prevent
further violations.

--
Contributors:

Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>

-- 
Additional References:
