SIEM - How to Detect Torrent Communication
Torrent-like (BitTorrent peer-to-peer) applications are under scrutiny in almost all corporate networks. They are often treated as a villain because of their association with downloading copyrighted content such as software, music and movies. It is therefore necessary to detect whether anyone is running a torrent client, and this can be done in several ways using a SIEM.
1. Look for the well-known BitTorrent ports: 6881-6889 for peer traffic (TCP, and also UDP for uTP and DHT, as the sample event below shows) and 6969 for the tracker. Note that most modern clients pick a random port, so port matching alone produces false negatives, and unrelated software that happens to use these ports produces false positives.
2. Use a next-generation firewall with application identification, which can detect a torrent client regardless of the port in use.
e.g. a Cyberoam firewall logs fields such as application, user_name and src_ip for every allowed or denied flow:
<30>date=2018-08-01 time=16:07:03 timezone="CET" device_name="CR7" device_id=CR7-JU log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=30 fw_rule_id=7 user_name="Alice" user_gp="DW" iap=1 ips_policy_id=0 appfilter_policy_id=1 application="Torrent Clients P2P" in_interface="PortC.6" out_interface="PortB_ppp" src_mac=00: 0:00: 0:00: 0 src_ip=22.214.171.124 src_country_code= dst_ip=126.96.36.199 dst_country_code=MEX protocol="UDP" src_port=25332 dst_port=6888 sent_pkts=1 recv_pkts=0 sent_bytes=131 recv_bytes=0 tran_src_ip=188.8.131.52 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connevent="Stop" connid="3684982860" vconnid=""
Create a correlation rule as follows:
If dst_port is in 6881-6889 OR dst_port=6969 OR application matches *torrent*, trigger an alert and include the interesting fields from the event (user_name, src_ip, src_port, dst_ip, dst_port, protocol, application) in the notification. The application clause is the more reliable one, since it still fires when the client uses a non-standard port; the port clauses catch default-configured clients on firewalls that do not classify applications.
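The rule above, implemented as a small parser and detection function run over a few log lines. This is an added example, not code from the original article or from any SIEM or Cyberoam product: the first sample event is adapted from the log line shown above (with the garbled src_mac omitted), and the other two events, the HTTPS flow and the torrent client on a random port, are constructed to show a non-match and a case that only the application clause catches.

```python
import re
from typing import Dict, List, Optional

# Fields worth surfacing in the alert notification (all present in the
# Cyberoam event shown in the article).
ALERT_FIELDS = ("user_name", "src_ip", "src_port", "dst_ip", "dst_port",
                "protocol", "application", "fw_rule_id")

# Well-known BitTorrent peer ports 6881-6889 plus the tracker port 6969.
TORRENT_PORTS = set(range(6881, 6890)) | {6969}

# key=value tokens: the value is either double-quoted (may contain spaces,
# e.g. application="Torrent Clients P2P") or a bare run of non-space
# characters, possibly empty (e.g. dst_country_code=).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Constructed sample events (key=value syslog in Cyberoam style).
SAMPLE_LOGS = [
    # Adapted from the article's event: torrent client, default port range.
    '<30>date=2018-08-01 time=16:07:03 timezone="CET" device_name="CR7" '
    'log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=7 '
    'user_name="Alice" user_gp="DW" application="Torrent Clients P2P" '
    'src_ip=22.214.171.124 src_country_code= dst_ip=126.96.36.199 dst_country_code=MEX '
    'protocol="UDP" src_port=25332 dst_port=6888 sent_bytes=131 recv_bytes=0',
    # Constructed: ordinary HTTPS browsing, must not alert.
    '<30>date=2018-08-01 time=16:07:05 timezone="CET" device_name="CR7" '
    'log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=7 '
    'user_name="Bob" user_gp="DW" application="HTTPS" '
    'src_ip=10.0.5.21 dst_ip=203.0.113.10 protocol="TCP" src_port=50120 dst_port=443',
    # Constructed: torrent client on a random port, only the application clause fires.
    '<30>date=2018-08-01 time=16:07:09 timezone="CET" device_name="CR7" '
    'log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=7 '
    'user_name="Carol" user_gp="DW" application="BitTorrent" '
    'src_ip=10.0.5.44 dst_ip=198.51.100.77 protocol="TCP" src_port=41002 dst_port=51413',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse a Cyberoam-style key=value syslog line into a dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def torrent_reasons(event: Dict[str, str]) -> List[str]:
    """Return the rule clauses that matched; an empty list means no alert."""
    reasons = []
    dst_port = event.get("dst_port", "")
    if dst_port.isdigit() and int(dst_port) in TORRENT_PORTS:
        reasons.append(f"dst_port {dst_port} is a well-known BitTorrent port")
    # application=*torrent*, matched case-insensitively.
    if "torrent" in event.get("application", "").lower():
        reasons.append(f"application '{event['application']}' matches *torrent*")
    return reasons


def build_alert(line: str) -> Optional[Dict[str, object]]:
    """Apply the rule to one log line; return the notification payload or None."""
    event = parse_event(line)
    reasons = torrent_reasons(event)
    if not reasons:
        return None
    alert: Dict[str, object] = {k: event.get(k, "") for k in ALERT_FIELDS}
    alert["reasons"] = reasons
    return alert


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        alert = build_alert(line)
        if alert:
            print(f"ALERT user={alert['user_name']} {alert['src_ip']}:{alert['src_port']} "
                  f"-> {alert['dst_ip']}:{alert['dst_port']} ({alert['protocol']}) "
                  f"app={alert['application']!r}; reasons: {'; '.join(alert['reasons'])}")
```

The third event is the important one for tuning: a client on port 51413 never touches 6881-6889 or 6969, so a port-only rule stays silent while the application clause still fires. Conversely, if the port clauses generate noise from unrelated software, keep the application clause as the primary trigger and demote the port-only matches to a lower severity.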