P2P Traffic

Good morning;

Can Bro detected P2P traffic, specially Bitorrent?


Ron Jenkins (Owner / Senior Architect)

RMJ Consulting, LLC.Bringing Companies and Solutions Together

11715 Bricksome Ave STE B-7

Baton Rouge, LA 70816

Toll: 855-448-5214

Direct. 225-448-5214 Ext #101

Fax. 225-448-5324

Cell. 225-931-1632

Email. rjenkins@rmjconsulting.net

Web. http://www.rmjconsulting.net

Log Siphon. http://www.logsiphon.com

Linkedin. www.linkedin.com/in/ronmjenkins/

Twitter: www.twitter.com/RMJConsulting

Facebook: www.facebook.com/rmjcsconsulting

RMJ Consulting’s Technology Corner. https://www.rmjconsulting.net/main/paper.php

Hi Ron,

it that what you are looking for:


I wrote an intel feed some time ago that fires a notice when primary trackers are used.

There may be a more technical way of performing it, but it worked great for me.


I'm not sure that the BitTorrent analyzer has been updated for Bro v2.X.

I have written a small signature based script to get an estimate of traffic volumes.


Good morning;

I see lots of protocol analyzers in the source, but not after complied and install.

How do I get all analyzers installed?


There are two parts to each analyzer - the traffic is parsed off the wire in the “core,” which is what you showed in your screenshot, and events are generated. Then, Bro scripts handle the events to generate logs, raise notices, etc. Bro scripts also determine which analyzer will be enabled for a certain TCP or UDP connection. Bro protocol analyzers exist in several different states - most protocol analyzers have both core and script layer code, and get enabled properly. It’s possible for an analyzer to be enabled, but not have any event handlers to actually do anything with the resulting data (I don’t think there are any examples of this right now). Finally, the core parsing code could be present, but the analyzer isn’t getting enabled, and there are no scripts either. Some analyzers fall into this third category (including bittorrent).

Everything in the screenshot should be getting compiled into Bro, and it’s available for you to use, but some may require you to write custom scripts to enable the analyzer or generate logs. To see which analyzers are available in your complied version of Bro, you can run:

% bro --print-plugins
Bro::ARP - ARP Parsing (built-in)
Bro::AYIYA - AYIYA Analyzer (built-in)
Bro::BackDoor - Backdoor Analyzer deprecated (built-in)
Bro::BitTorrent - BitTorrent Analyzer (built-in)
Bro::ConnSize - Connection size analyzer (built-in)
Bro::DCE_RPC - DCE-RPC analyzer (built-in)
Bro::DHCP - DHCP analyzer (built-in)
Bro::DNP3 - DNP3 UDP/TCP analyzers (built-in)

For example, if you want to enable the BitTorrent analyzer, you could write a dynamic-protocol detection signature for it like this:


signature dpd_bittorrent {
ip-proto == tcp
payload /\x13BitTorrent protocol.\x00.\x00\x00/
enable “bittorrent”

Then, in your site/local.bro, you could load this with “@load-sigs ./dpd.sig”. This should be enough to start seeing BitTorrent P2P connections have the service field of conn.log set to “bittorrent.” If you want to take this a step further, and start writing out a bittorrent.log file, you could then start handling the BitTorrent events: https://www.bro.org/sphinx-git/script-reference/proto-analyzers.html#bro-bittorrent


Great explanation!

Thank you!

Has any already set this to log to a file?


This might be a silly question, but why does Bro have scripts for analyzers supported by the core?


Where did you determine the payload part?

payload /\x13BitTorrent protocol.\x00.\x00\x00/


From the spec: http://www.bittorrent.org/beps/bep_0003.html

The peer wire protocol consists of a handshake followed by a never-ending stream of length-prefixed messages. The handshake starts with character ninteen (decimal) followed by the string ‘BitTorrent protocol’. … After the fixed headers come eight reserved bytes, which are all zero in all current implementations.

There are some extensions that are defined here: http://www.bittorrent.org/beps/bep_0000.html. I couldn’t find any extensions that used the 2nd, 4th or 5th extension bytes, so I hard-coded those to 0.