Detect Torrent Communication with SIEM

Torrent like applications are under scrutiny in almost all corporate networks. These applications are often termed as a villain. This is due to the fact of their association with the downloading of copyrighted content. Contents like software, music and movies. It is therefore, necessary to detect if anyone is using torrent. This can be done in various ways using SIEM.

1. Look for the well known TCP port for Torrent traffic i.e. 6881-6889 (and 6969 for the tracker port).

2. Use NextGen Firewall which can detect if any torrent application is being run.

e.g. in Firewall like CyberOAM you can see the fields application, user, source_address etc.

<30>date=2018-08-01 time=16:07:03 timezone="CET" device_name="CR7" device_id=CR7-JU log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=30 fw_rule_id=7 user_name="Alice" user_gp="DW" iap=1 ips_policy_id=0 appfilter_policy_id=1 application="Torrent Clients P2P" in_interface="PortC.6" out_interface="PortB_ppp" src_mac=00: 0:00: 0:00: 0 src_ip=1.0.1.1 src_country_code= dst_ip=1.2.2.2 dst_country_code=MEX protocol="UDP" src_port=25332 dst_port=6888 sent_pkts=1 recv_pkts=0 sent_bytes=131 recv_bytes=0 tran_src_ip=198.192.0.69 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connevent="Stop" connid="3684982860" vconnid=""

Create a rule as follows

If dst_port=(6881-6889) OR dst_port=6969 OR application=*torrent* trigger an alert to get following interesting fields as a notifications

Interesting Fields

dst_port

src_ip

dst_ip

user

application

sent_bytes

recv_bytes