bittorrent_user

Explanation

The bittorrent_user CCM creates a context label for any internal host that has been observed communicating with a host running BitTorrent tracker software on a TCP port commonly associated with that type of server. The list of BitTorrent trackers refreshes every few days, but the IPs remain fairly consistent.

You can use this IP reputation list in your own queries by adding dstiprep.categories == file_sharing_bittorrent_tracker. Note that these hosts tend to run many services that might be legitimate, so queries that do not specify ports might produce false positives.

The label created by this CCM should last only 30 minutes from the last observed activity, because the CCM was designed to work in tandem with the bittorrent NDM and trigger a detection event when a host is seen both communicating with a BitTorrent tracker and communicating on ports commonly associated with BitTorrent file transfers.
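
The correlation described above, as an added illustration that is not the product's own logic or code: a host is labelled on tracker contact over a tracker TCP port, the label lapses 30 minutes after the last such contact, and transfer-port traffic raises an event only while the label is live. The tracker IP, the port sets (6969 and 6881-6889), the internal range, and the reading of "last observed activity" as the last tracker contact are assumptions, and the flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for illustration only (none of these values come from the page):
TRACKER_IPS = {"203.0.113.10"}            # stand-in for the file_sharing_bittorrent_tracker list
TRACKER_TCP_PORTS = {6969}                # a port commonly used by trackers
TRANSFER_PORTS = set(range(6881, 6890))   # ports commonly used for BitTorrent transfers
INTERNAL = ip_network("10.0.0.0/8")       # hypothetical internal address space
LABEL_TTL = 30 * 60                       # label lasts 30 minutes from last tracker contact


@dataclass
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    proto: str
    dport: int


def detect(flows):
    """Return (ts, host) events where a labelled host also uses transfer ports."""
    label_expiry = {}   # internal host -> time its bittorrent_user label lapses
    events = []
    for f in sorted(flows, key=lambda f: f.ts):
        if ip_address(f.src) not in INTERNAL:
            continue
        # Label side: tracker IP *and* tracker port sets or refreshes the label.
        if f.proto == "tcp" and f.dst in TRACKER_IPS and f.dport in TRACKER_TCP_PORTS:
            label_expiry[f.src] = f.ts + LABEL_TTL
        # Detection side: transfer-port traffic only counts while the label is live.
        elif f.dport in TRANSFER_PORTS and label_expiry.get(f.src, 0) >= f.ts:
            events.append((f.ts, f.src))
    return events


# Constructed sample flows.
SAMPLE = [
    Flow(0,    "10.1.1.5", "203.0.113.10", "tcp", 6969),  # tracker contact: label set
    Flow(600,  "10.1.1.5", "198.51.100.7", "tcp", 6881),  # label live: event
    Flow(1500, "10.1.1.5", "203.0.113.10", "tcp", 443),   # tracker IP, other port: no refresh
    Flow(2000, "10.1.1.5", "198.51.100.8", "udp", 6882),  # label lapsed at 1800: no event
    Flow(2100, "10.1.1.9", "198.51.100.7", "tcp", 6881),  # never labelled: no event
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The flow to the tracker IP on port 443 neither sets nor refreshes the label, which is the port-scoping that keeps the other services on those hosts from producing false positives.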

What to Look For

Please refer to the bittorrent_tracker_internal_external detection for more information.