SIEM - How to Detect Torrent Communication


Torrent-like applications are under scrutiny in almost all corporate networks. They are often cast as the villain because of their association with downloading copyrighted content: software, music and movies. It is therefore necessary to detect whether anyone is using torrent, and this can be done in various ways using a SIEM.

1. Look for the well-known TCP port range for torrent traffic, i.e. 6881-6889 (and 6969 for the tracker port).
2. Use a next-generation firewall that can detect whether a torrent application is being run.
e.g. in a firewall like CyberOAM you can see the fields application, user, source_address etc. in the log:

<30>date=2018-08-01 time=16:07:03 timezone="CET" device_name="CR7" device_id=CR7-JU log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=30 fw_rule_id=7 user_name="Alice" user_gp="DW" iap=1 ips_policy_id=0 appfilter_policy_id=1 application="Torrent Clients P2P" in_interface="PortC.6" out_interface="PortB_ppp" src_mac=00: 0:00: 0:00: 0 src_ip=1.0.1.1 src_country_code= dst_ip=1.2.2.2 dst_country_code=MEX protocol="UDP" src_port=25332 dst_port=6888 sent_pkts=1 recv_pkts=0 sent_bytes=131 recv_bytes=0 tran_src_ip=198.192.0.69 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connevent="Stop" connid="3684982860" vconnid=""

Create a rule as follows:

If dst_port is in 6881-6889 OR dst_port=6969 OR application matches *torrent*, trigger an alert that includes the following interesting fields in the notification:

Interesting Fields
dst_port
src_ip
dst_ip
user
application
sent_bytes
recv_bytes
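The rule above, applied to CyberOAM-style key=value log lines, as an added example (not code from the original post or from any SIEM vendor). The sample log lines are constructed for this example, modelled on the format shown above; the users, addresses and byte counts in them are made up. The field name user_name is used for the "user" interesting field because that is the key the firewall log actually carries.

```python
import re

# Constructed sample lines modelled on the CyberOAM key=value format shown
# on the page; users, addresses, ports and byte counts are made up.
SAMPLE_LOGS = [
    '<30>date=2018-08-01 time=16:07:03 timezone="CET" device_name="CR7" log_type="Firewall" '
    'status="Allow" user_name="Alice" application="Torrent Clients P2P" src_ip=10.0.1.1 '
    'dst_ip=203.0.113.7 protocol="UDP" src_port=25332 dst_port=6888 sent_bytes=131 recv_bytes=0',
    '<30>date=2018-08-01 time=16:08:11 timezone="CET" device_name="CR7" log_type="Firewall" '
    'status="Allow" user_name="Bob" application="Web Browsing" src_ip=10.0.1.2 '
    'dst_ip=198.51.100.5 protocol="TCP" src_port=50112 dst_port=443 sent_bytes=2048 recv_bytes=65536',
    '<30>date=2018-08-01 time=16:09:40 timezone="CET" device_name="CR7" log_type="Firewall" '
    'status="Allow" user_name="Carol" application="" src_ip=10.0.1.3 '
    'dst_ip=192.0.2.44 protocol="TCP" src_port=41000 dst_port=6969 sent_bytes=300 recv_bytes=900',
    '<30>date=2018-08-01 time=16:10:05 timezone="CET" device_name="CR7" log_type="Firewall" '
    'status="Allow" user_name="Dave" application="uTorrent Client" src_ip=10.0.1.4 '
    'dst_ip=192.0.2.90 protocol="TCP" src_port=52000 dst_port=443 sent_bytes=5000 recv_bytes=120000',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Thresholds from the page's rule.
TORRENT_PEER_PORTS = range(6881, 6890)   # 6881-6889 inclusive
TORRENT_TRACKER_PORT = 6969

# The interesting fields the alert notification should carry.
INTERESTING_FIELDS = ("dst_port", "src_ip", "dst_ip", "user_name",
                      "application", "sent_bytes", "recv_bytes")


def parse_kv(line):
    """Turn one key=value log line into a dict.

    The leading syslog priority (<30>) has no '=' and is simply skipped.
    """
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def torrent_match_reason(event):
    """Return which branch of the rule matched, or None if the event is clean."""
    try:
        dst_port = int(event.get("dst_port", ""))
    except ValueError:
        dst_port = None          # missing or non-numeric port: port checks cannot match
    if dst_port in TORRENT_PEER_PORTS:
        return "peer_port"
    if dst_port == TORRENT_TRACKER_PORT:
        return "tracker_port"
    # application=*torrent*, matched case-insensitively so "uTorrent" is caught too
    if "torrent" in event.get("application", "").lower():
        return "application_name"
    return None


def scan(lines):
    """Apply the rule to every line and build one alert per match."""
    alerts = []
    for line in lines:
        event = parse_kv(line)
        reason = torrent_match_reason(event)
        if reason is None:
            continue
        alert = {field: event.get(field, "") for field in INTERESTING_FIELDS}
        alert["reason"] = reason
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Running it yields three alerts (Alice on a peer port, Carol on the tracker port, Dave by application name) and no alert for Bob's ordinary HTTPS session. Note that the port branches alone miss Dave's session, which is why the application-name branch from the next-generation firewall matters: clients are not obliged to use the 6881-6889 range, so the application field is the more robust of the three conditions, while the port conditions remain useful for firewalls that do not classify applications.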
