#
# $Id: emerging-p2p.rules $
# Emerging Threats P2P rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2003-2010, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#Matt Jonkman, from spywarelp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0)"; flow:to_server,established; content:"User-Agent\: ABC/ABC"; nocase; classtype:trojan-activity; reference:url,pingpong-abc.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_ABC_Torrent_client; sid:2003475; rev:4;)

#Submitted by Marcamone
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares traffic"; flow:established,to_server; content:"|0d 0a|User-Agent\: Ares"; reference:url,www.aresgalaxy.org; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001059; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Ares; sid:2001059; rev:7;)

#by Jeff Kell. Depth is correct, it's got 2 byte sway to compensate for 36 or 38 byte offset
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares over UDP"; content:"Ares "; offset:36; depth:7; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003437; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Ares; sid:2003437; rev:3;)

#by Christopher Campesi
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET P2P Ares Server Connection"; flow:established,to_server; dsize:<70; content:"r|be|bloop|00|dV"; content:"Ares|00 0a|"; distance:16; classtype:policy-violation; reference:url,aresgalaxy.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008591; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Ares; sid:2008591; rev:3;)

#by Will Metcalf
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Azureus P2P Client User-Agent"; flow:to_server,established; content:"|0d 0a|User-Agent\: Azureus"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2007799; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Azureus; sid:2007799; rev:2;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BTSP)"; flow:to_server,established; content:"|0d 0a|User-Agent\: BTSP/"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2011713; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BTSP; sid:2011713; rev:2;)

#from spyware LP data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x)"; flow:to_server,established; content:"User-Agent\: BearShare "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006371; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare; sid:2006371; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P BearShare P2P Gnutella Client HTTP Request "; flow:to_server,established; uricontent:"/gnutella/"; nocase; uricontent:"?client=BEAR"; nocase; uricontent:"&version="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006379; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BearShare; sid:2006379; rev:4;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BitComet)"; flow:to_server,established; content:"|0d 0a|User-Agent\: BitComet/"; classtype:policy-violation; reference:url,www.bitcomet.com; reference:url,doc.emergingthreats.net/2011710; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_BitComet; sid:2011710; rev:2;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BitTornado)"; flow:to_server,established; content:"|0d 0a|User-Agent\: BitTornado/"; classtype:policy-violation; reference:url,www.bittornado.com; reference:url,doc.emergingthreats.net/2011702; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittornado; sid:2011702; rev:2;)

# By Chich Thierry
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent peer sync"; flow: established; content:"|0000000d0600|"; offset: 0; depth: 6; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2000334; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; offset: 0; depth: 8; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000357; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2000357; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"ET P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2000369; rev:6;)

#from spyware LP data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Bittorrent"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006372; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2006372; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client HTTP Request "; flow:to_server,established; uricontent:"/trackerphp/announce.php?"; nocase; uricontent:"?port="; nocase; uricontent:"&peer_id="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006375; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2006375; rev:4;)

#by Will Metcalf
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P possible torrent download"; flow:to_server,established; uricontent:".torrent"; nocase; pcre:"/(\.torrent)$/Ui"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2007727; rev:4;)


#Trackerless torrents, by David Bianco
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1\:ad2\:id20\:"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2008581; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT find_node request"; content:"d1\:ad2\:id20\:"; nocase; depth:12; content:"6\:target20\:"; nocase; distance:20; depth:11; content:"e1\:q9\:find_node1\:"; nocase; distance:20; depth:17; content:"e1\:q9\:find_node1\:"; distance:20; depth:17; nocase; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2008582; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT nodes reply"; content:"d1\:rd2\:id20\:"; nocase; depth:12; content:"5\:nodes"; nocase; distance:20; depth:7; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2008583; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT get_peers request"; content:"d1\:ad2\:id20\:"; nocase; depth:12; content:"9\:info_hash20\:"; nocase; distance:20; depth:14; content:"e1\:q9\:get_peers1\:"; nocase; distance:20; depth:17; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2008584; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT announce_peers request"; content:"d1\:ad2\:id20\:"; nocase; depth:14; content:"e1\:q13\:announce_peer1\:"; nocase; distance:55; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic; sid:2008585; rev:3;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Blizzard Downloader 2.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Blizzard Downloader 2."; classtype:policy-violation; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/2011708; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Blizzard; sid:2011708; rev:2;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Deluge 1"; classtype:policy-violation; reference:url,deluge-torrent.org; reference:url,doc.emergingthreats.net/2011704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Deluge; sid:2011704; rev:2;)

#by markmc
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Direct Connect Traffic (client-server)"; flow:from_client,established; content:"$MyINFO"; offset:0; depth:7; classtype:policy-violation; reference:url,en.wikipedia.org/wiki/Direct_connect_file-sharing_application; reference:url,doc.emergingthreats.net/bin/view/Main/2002814; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Direct_Connect; sid:2002814; rev:3;)

# By Chich Thierry
#alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k connection to server"; flow: to_server,established; content:"|e3|"; offset: 0; depth: 1; content:"|00000001|"; offset: 2; depth: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000330; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2000330; rev:8;)
alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k request part"; flow: to_server,established; content:"|e3|"; offset: 0; depth: 1; content:"|00000047|"; offset: 2; depth: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000332; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2000332; rev:8;)
alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k file request answer"; flow: to_server,established; content:"|e3|"; offset: 0; depth: 1; content:"|00000059|"; offset: 2; depth: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000333; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2000333; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; offset: 0; depth: 6; threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2000340; rev:8;)

#Submitted by Sam Evans
alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey File Status"; flow: to_server,established; content:"|e3 14|"; offset: 0; depth: 2; classtype: policy-violation; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2001296; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey File Status Request"; flow: to_server,established; content:"|e3 11|"; offset: 0; depth: 2; classtype: policy-violation; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2001297; rev:8;)
alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey Server Status Request"; content:"|e3 96|"; offset: 0; depth: 2; classtype: policy-violation; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001298; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2001298; rev:7;)
alert udp $HOME_NET 4660:4799 -> $EXTERNAL_NET any (msg:"ET P2P eDonkey Server Status"; content:"|e3 97|"; offset: 0; depth: 2; classtype: policy-violation; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001299; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2001299; rev:7;)

#Matt Jonkman
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey IP Request"; dsize:4; content:"|e3 1b|"; depth:2; flowbits:set,BEedk.ip.requestect; flowbits:noalert; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003308; rev:4;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey IP Reply"; flowbits:isset,BEedk.ip.requestect; dsize:<20; content:"|e3 1c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003309; rev:4;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey IP Query End"; dsize:<20; content:"|e3 1d|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003316; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003316; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003310; rev:3;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File ACK"; dsize:<20; content:"|e3 0d|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003311; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003311; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Connect Request"; dsize:25; content:"|e3 0a|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003312; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003312; rev:3;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Connect Reply and Server List"; dsize:>200; content:"|e3 0b|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003313; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Search Request (by file hash)"; dsize:19; content:"|e3 0e 14|"; depth:3; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003314; rev:3;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Search Reply"; dsize:>200; content:"|e3 0f|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003315; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003317; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Get Sources Request (by hash)"; dsize:19; content:"|e3 9a|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003318; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003319; rev:3;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Search Results"; dsize:>21; content:"|e3 99|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003320; rev:3;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server Message"; flow:established; dsize:>10; content:"|e3|"; depth:1; content:"|38|"; offset:4; within:5; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003321; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003321; rev:4;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server List"; flow:established; dsize:>12; content:"|e3|"; depth:1; content:"|32|"; offset:4; within:5; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003322; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003322; rev:3;)
alert tcp $HOME_NET 4660:4799 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Client to Server Hello"; flow:established; dsize:>5; content:"|e3|"; depth:1; content:"|01|"; offset:4; within:5; content:"|02 01 00 01|"; distance:26; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003323; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003323; rev:3;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server Status"; flow:established; dsize:14; content:"|e3 09 00 00 00 34|"; depth:6; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003324; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003324; rev:3;)

#by philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Enhanced CTorrent 3.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Enhanced-CTorrent/dnh3"; classtype:policy-violation; reference:url,www.rahul.net/dholmes/ctorrent; reference:url,doc.emergingthreats.net/2011703; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_EnhancedCtorrent; sid:2011703; rev:2;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (FDM 3.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: FDM 3.x"; classtype:policy-violation; reference:url,www.freedownloadmanager.org; reference:url,doc.emergingthreats.net/2011712; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_FDM; sid:2011712; rev:2;)

# Submitted by Pedro Quintanilha on 2005-11-07
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET P2P MS Foldershare Login Detected"; flow:established,to_client; content:"|0b|FolderShare|30 81 9f 30|"; nocase; offset: 392; depth: 18; reference:url,www.foldershare.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002673; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Foldershare; sid:2002673; rev:4;)

#From Cooljay
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella Connect"; flow: established,to_server; content:"GNUTELLA CONNECT/"; nocase; offset: 0; depth: 17; classtype: policy-violation; reference:url,www.gnutella.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Gnutella; sid:2001664; rev:5;)

#by Jeff Kell
# Looking for Gnucleus/GnucDNA UDP Ultrapeer handshakes
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P GnucDNA UDP Ultrapeer Traffic"; content:"SCP@|83|DNA@"; threshold: type both,track by_src,count 10,seconds 600; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002760; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Gnutella; sid:2002760; rev:3;)
# Looking for Gnucleus/GnucDNA running Ultrapeer
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella TCP Ultrapeer Traffic"; flow: established,to_server; content:"GNUTELLA"; offset:0; depth:8; content:"X-Ultrapeer\: True"; nocase; threshold: type both,track by_src,count 5,seconds 3600; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002761; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Gnutella; sid:2002761; rev:3;)

#by Matt Jonkman
alert tcp any 1024: -> any 1024: (msg:"ET P2P Gnutella TCP Traffic"; flow: established,to_server; content:"GNUTELLA"; offset:0; depth:8; content:"200 OK|0d 0a|"; within:15; threshold: type both,track by_src,count 5,seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2007801; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Gnutella; sid:2007801; rev:2;)

#Thanks to Kevin Kolk
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET P2P iroffer IRC Bot help message"; flow: from_server,established; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth: 500; classtype: trojan-activity; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000338; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Iroffer_IRC_Bot; sid:2000338; rev:5;)
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET P2P iroffer IRC Bot offered files advertisement"; flow: from_server,established; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth: 500; classtype: trojan-activity; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000339; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Iroffer_IRC_Bot; sid:2000339; rev:5;)

#By Bob Grabowsky
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Kazaa over UDP"; content:"KaZaA"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: policy-violation; reference:url,www.kazaa.com/us/index.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001796; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Kazaa; sid:2001796; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P KazaaClient P2P Traffic"; flow: established; content:"Agent\: KazaaClient"; nocase; classtype: policy-violation; reference:url,www.kazaa.com/us/index.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001812; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Kazaa; sid:2001812; rev:6;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent/3.x.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: KTorrent/3"; classtype:policy-violation; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011700; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Ktorrent; sid:2011700; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent 2.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: ktorrent/2"; classtype:policy-violation; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011711; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Ktorrent; sid:2011711; rev:2;)

#by Christopher Campesi
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P KuGoo P2P Connection"; dsize:<30; content:"|64|"; offset:0; depth:1; content:"|70|"; distance:5; content:"|50 37|"; distance:4; classtype:policy-violation; reference:url,koogoo.com; reference:url,doc.emergingthreats.net/2009966; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_KuGoo; sid:2009966; rev:2;)

#By Bob Grabowsky
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"User-Agent\: LimeWire"; nocase; classtype: policy-violation; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001808; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Limewire; sid:2001808; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"Server\: LimeWire"; nocase; classtype: policy-violation; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007800; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Limewire; sid:2007800; rev:3;)

#Depth and offset added by Jeff Kell
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001809; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Limewire; sid:2001809; rev:6;)
alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg:"ET P2P UDP traffic - Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; classtype: policy-violation; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001841; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Limewire; sid:2001841; rev:7;)

#by Christopher Campesi
alert udp $EXTERNAL_NET 41170 -> $HOME_NET any (msg:"ET P2P Manolito Connection (1)"; dsize:<48; content:"|3d 4a d9|"; depth:3; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009097; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Manolito; sid:2009097; rev:2;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 41170 (msg:"ET P2P Manolito Ping"; dsize:<24; content:"|3d|"; depth:1; content:"|d9|"; distance:1; content:"|ed bb|"; distance:13; threshold: type limit, track by_src, seconds 300, count 1; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009098; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Manolito; sid:2009098; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Morpheus Install"; flow: to_server,established; uricontent:"/morpheus/morpheus.exe"; nocase; reference:url,www.morpheus.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001035; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Morpheus; sid:2001035; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Morpheus Install ini Download"; flow: to_server,established; uricontent:"/morpheus/morpheus_sm.ini"; nocase; reference:url,www.morpheus.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Morpheus; sid:2001036; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Morpheus Update Request"; flow: to_server,established; uricontent:"/gwebcache/gcache.asg?hostfile="; nocase; reference:url,www.morpheus.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001037; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Morpheus; sid:2001037; rev:7;)

#by Jack Pepper
alert udp $HOME_NET 8247 -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape UDP Session"; threshold: type both, count 2, seconds 60, track by_src; reference:url,msmvps.com/blogs/bradley/archive/2009/01/20/peer-to-peer-on-cnn.aspx; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009986; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Octoshape; sid:2009986; rev:2;)

# Scott Lazzari and Stephen Nesman
alert udp $HOME_NET any -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape P2P streaming media"; content:"POST / HTTP/1."; depth:64; content:"Oshtcp-streamtype\:"; threshold: type limit, track by_src, count 1, seconds 600; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010008; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Octoshape; sid:2010008; rev:3;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Opera/10.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Opera BitTorrent, Opera/"; classtype:policy-violation; reference:url,www.opera.com; reference:url,doc.emergingthreats.net/2011701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Opera; sid:2011701; rev:2;)

# By Chich Thierry
alert udp any any -> any any (msg: "ET P2P Overnet (Edonkey) Server Announce"; content:"|00000203006c6f63|"; offset: 36; content:"|006263703a2f2f|"; distance: 1; classtype: policy-violation; reference:url,www.overnet.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000335; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Overnet_Traffic; sid:2000335; rev:7;)

#by dxp
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Pando Client User-Agent Detected (Mozilla/4.0 (Windows\; U) Pando/1.xx)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (Windows\; U) Pando/"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2008625; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Pando; sid:2008625; rev:3;)

#
alert tcp any any -> any any (msg:"ET P2P Phatbot Control Connection"; flow: established; content:"Wonk-"; content:"|00|#waste|00|"; within: 15; reference:url,www.lurhq.com/phatbot.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Phatbot_Control_Connection; sid:2000015; rev:6;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Client User-Agent (Shareaza 2.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Shareaza 2."; classtype:policy-violation; reference:url,shareaza.sourceforge.net; reference:url,doc.emergingthreats.net/2011707; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Sharazaa; sid:2011707; rev:2;)

#Submitted by marcamone
alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"ET P2P Soulseek traffic (1)"; flow: established; classtype: policy-violation; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001185; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Soulseek; sid:2001185; rev:8;)
alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"ET P2P Soulseek traffic (2)"; flow: established; classtype: policy-violation; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001186; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Soulseek; sid:2001186; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET P2P Soulseek"; flow: established; content:"slsknet"; classtype: policy-violation; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001188; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Soulseek; sid:2001188; rev:7;)

#Submitted by Matt Jonkman
alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg:"ET P2P Soulseek Filesearch Results"; flow: from_server,established; content:"|09 00 00 00 78|"; classtype: policy-violation; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001187; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Soulseek; sid:2001187; rev:6;)

#christopher Campesi
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 2240 (msg:"ET P2P SoulSeek P2P Server Connection"; flow:established,to_server; content:"|01 00 00 00|"; offset:4; depth:4; classtype:policy-violation; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/2008595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Soulseek; sid:2008595; rev:5;)
alert tcp $EXTERNAL_NET 2240 -> $HOME_NET 1024: (msg:"ET P2P SoulSeek P2P Login Response"; flow:from_server,established; content:"|5c 01 00 00 01 00 00 00|"; offset:0; depth:8; classtype:policy-violation; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/2008611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Soulseek; sid:2008611; rev:4;)

#by Christopher Campesi
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P ThunderNetwork UDP Traffic"; dsize:<38; content:"|32 00 00 00|"; depth:4; content:"|00 00 00 00|"; distance:1; threshold:type limit, track by_src, count 1, seconds 300; classtype:policy-violation; reference:url,xunlei.com; reference:url,en.wikipedia.org/wiki/Xunlei; reference:url,doc.emergingthreats.net/2009099; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_ThunderNetwork; sid:2009099; rev:3;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Transmission/"; classtype:policy-violation; reference:url,www.transmissionbt.com; reference:url,doc.emergingthreats.net/2011699; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Transmission; sid:2011699; rev:2;)

#by Christopher Campesi
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Vuze BT Connection"; flow:established; content:"|00 00|"; depth:2; content:"|05|AZVER|01|"; distance:5; depth:7; content:"appid"; within:10; threshold:type limit, track by_src, count 10, seconds 600; classtype:policy-violation; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010139; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze; sid:2010139; rev:4;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection"; dsize:<80; content:"|00 00 04|"; offset:8; depth:3; content:"|00 00 00 00 00|"; distance:6; depth:5; classtype:policy-violation; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010140; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze; sid:2010140; rev:2;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (2)"; dsize:94; content:"|00 00 04|"; offset:0; depth:3; content:"|00 00 00 00 00|"; distance:14; depth:5; content:"|ff ff ff ff 00 00 00 00 02 05 21|"; distance:8; depth:11; content:"|00 00 00 00 00 00|"; distance:25; depth:6; content:"|00 00|"; distance:20; depth:2; classtype:policy-violation; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010141; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze; sid:2010141; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (3)"; dsize:80; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; depth:5; content:"|02 05 21 04|"; distance:4; depth:4; threshold:type limit, track by_dst, count 10, seconds 600; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze; sid:2010142;rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (4)"; dsize:<300; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; depth:5; content:"|ff ff ff ff|"; distance:8; depth:4; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010143; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze; sid:2010143; rev:2;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (5)"; dsize:<20; content:"|00 00 04 17 27 10 19 80 00 00 00 00|"; offset:0; depth:12; classtype:policy-violation; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010144; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze; sid:2010144; rev:3;)

#by christopher campesi
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; offset:0; depth:2; classtype:policy-violation; reference:url,emule-project.net; threshold: type limit, count 5, seconds 600, track by_src; reference:url,doc.emergingthreats.net/2009967; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009967; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request(2)"; dsize:35; content:"|e4 20|"; offset:0; depth:2; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009968; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009968; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Firewalled Request"; dsize:35; content:"|e4 50|"; offset:0; depth:2; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009969; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009969; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule Kademlia Hello Request"; dsize:<48; content:"|e4 11|"; offset:0; depth:2; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009970; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:5;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Server Status Request"; dsize:44; content:"|8c 97|"; offset:0; depth:2; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009972; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009972; rev:3;)
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Send Username"; flow:established; content:"|e3|"; offset:0; depth:1; content:"|00 00 00 01|"; depth:4; distance:1; byte_test:1,<,51,37; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url, emule-project.net; reference:url,doc.emergingthreats.net/2009973; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009973; rev:3;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (rTorrent)"; flow:to_server,established; content:"|0d 0a|User-Agent\: rtorrent/"; classtype:policy-violation; reference:url,libtorrent.rakshasa.no; reference:url,doc.emergingthreats.net/2011705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_rTorrent; sid:2011705; rev:2;)

#by Philipp Seidel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (uTorrent)"; flow:to_server,established; content:"|0d 0a|User-Agent\: uTorrent/"; classtype:policy-violation; reference:url,www.utorrent.com; reference:url,doc.emergingthreats.net/2011706; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_uTorrent; sid:2011706; rev:2;)