步骤一:定义服务
set service "BitComet_Handshake" protocol tcp src-port 0-65535 dst-port 1025-65535
set service "http8080" protocol tcp src-port 0-65535 dst-port 8080-8080
步骤二:定义追踪查询的签名
set attack "CS:BT-TRACK:1" http-url-variable-parsed ".*\[p_w_uploadid\].*" severity info 9bm set attack "CS:BT-TRACK:2" stream256 ".*\[announce\].*" severity info
set attack "CS:BT-TRACK:3" http-url-parsed ".*\[torrent\].*" severity info
定义一些签名,匹配HTTP下载"*.torrent" file的请求。
定义的签名将会应用到HTTP或用户定义的HTTP服务端口,比如TCP的8080端口。
步骤三:定义握手协议的签名
set attack "CS:Bitcomet:HandShake" stream256 ".*\[BitTorrent protocol\].*" severity info
定义模块化的BT握手协议***签名
步骤四: 定义应用于策略的追踪可疑的***组
set attack group "CS:Bitcomet:Track" =Cj0*uJ
set attack group "CS:Bitcomet:Track" add "CS:BT-TRACK:2"
set attack group "CS:Bitcomet:Track" add "CS:BT-TRACK:3"
set attack group "CS:Bitcomet:Track" add "CS:BT-TRACK:1"
步骤五: 定义应用于策略的握手协议***组
set attack group "CS:BitComet:HandShake"
set attack group "CS:BitComet:HandShake" add "CS:Bitcomet:HandShake" lhemLet8iI
步骤六: 创建基于标准的HTTP服务的追踪查询策略
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "HTTP" permit log
set policy id 3 attack "CS:Bitcomet:Track" action close
set policy id 3 exit
步骤七: 创建基于自定义的HTTP服务的追踪查询策略
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "http8080" permit
set policy id 4 attack "CS:Bitcomet:Track" action close UL
set policy id 4 application "http"
set policy id 4 5
exit
步骤八: 创建握手协议策略
"_GB>$5
set policy id 5 from "Trust" to "Untrust" "Any" "Any" "BitComet_Handshake" permit
set policy id 5 application "TALK"
set policy id 5 attack "CS:BitComet:HandShake" action close "
set policy id 5
exit
set service "BitComet_Handshake" protocol tcp src-port 0-65535 dst-port 1025-65535
set service "http8080" protocol tcp src-port 0-65535 dst-port 8080-8080
步骤二:定义追踪查询的签名
set attack "CS:BT-TRACK:1" http-url-variable-parsed ".*\[p_w_uploadid\].*" severity info 9bm set attack "CS:BT-TRACK:2" stream256 ".*\[announce\].*" severity info
set attack "CS:BT-TRACK:3" http-url-parsed ".*\[torrent\].*" severity info
定义一些签名,匹配HTTP下载"*.torrent" file的请求。
定义的签名将会应用到HTTP或用户定义的HTTP服务端口,比如TCP的8080端口。
步骤三:定义握手协议的签名
set attack "CS:Bitcomet:HandShake" stream256 ".*\[BitTorrent protocol\].*" severity info
定义模块化的BT握手协议***签名
步骤四: 定义应用于策略的追踪可疑的***组
set attack group "CS:Bitcomet:Track" =Cj0*uJ
set attack group "CS:Bitcomet:Track" add "CS:BT-TRACK:2"
set attack group "CS:Bitcomet:Track" add "CS:BT-TRACK:3"
set attack group "CS:Bitcomet:Track" add "CS:BT-TRACK:1"
步骤五: 定义应用于策略的握手协议***组
set attack group "CS:BitComet:HandShake"
set attack group "CS:BitComet:HandShake" add "CS:Bitcomet:HandShake" lhemLet8iI
步骤六: 创建基于标准的HTTP服务的追踪查询策略
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "HTTP" permit log
set policy id 3 attack "CS:Bitcomet:Track" action close
set policy id 3 exit
步骤七: 创建基于自定义的HTTP服务的追踪查询策略
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "http8080" permit
set policy id 4 attack "CS:Bitcomet:Track" action close UL
set policy id 4 application "http"
set policy id 4 5
exit
步骤八: 创建握手协议策略
"_GB>$5
set policy id 5 from "Trust" to "Untrust" "Any" "Any" "BitComet_Handshake" permit
set policy id 5 application "TALK"
set policy id 5 attack "CS:BitComet:HandShake" action close "
set policy id 5
exit
源帖地址: [url]http://bbs.junipers.cn/viewthread.php?tid=7242[/url]
转载于:https://blog.51cto.com/zhouy/96396