detect visit to torrent site

Posted: Fri Feb 02, 2018 11:05 am
by solar77
I've been trying to use some of the L7 rules to catch torrent downloading on our network, however I had to stop as some of the games use P2P to update. I am trying an alternative, which is to add common torrent websites to an address list and then catch traffic going to those addresses in Mangle.

in address list, I have
add list=TorrentSite
add list=TorrentSite
add list=TorrentSite
add list=TorrentSite
add list=TorrentSite
add list=TorrentSite

and in mangle:
add action=add-src-to-address-list address-list=Torrent_user_Stage4 address-list-timeout=1w chain=prerouting \
    comment="Add torrent user by Torrent Address List \"TorrentSite\"" connection-state=new \
    dst-address-list=TorrentSite log=yes log-prefix="/////Site==="

My question is: I've been watching the log, and the destination IP address does not match any IP in my address list. They mostly belong to CloudFront. Is this because the torrent sites are all hiding behind CloudFront? If that's the case, why can they trigger this mangle rule?

Re: detect visit to torrent site

Posted: Fri Feb 02, 2018 5:43 pm
by TAD
Try this and tell us if it's OK.
/ip firewall layer7-protocol
add name=L7-All-Torrent regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|en\
nt protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_ha\
sh=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x04\\x17\\x27\

/ip firewall mangle
add action=add-src-to-address-list address-list="Torrent_SV lists" \
address-list-timeout=10m chain=forward comment="Torrent_SV lists" \
connection-mark=Torrent-Dw-Conn in-interface=Wan
add action=add-dst-to-address-list address-list="Torrent_local users lists" \
address-list-timeout=10m chain=forward comment=\
"Torrent_local users lists" connection-mark=Torrent-Dw-Conn in-interface=\
add action=mark-connection chain=forward comment=Torrent--Dw-Conn \
in-interface=Wan layer7-protocol=L7-All-Torrent new-connection-mark=\
Torrent-Dw-Conn passthrough=yes
add action=mark-packet chain=forward comment=Torrent--Dw-Conn \
connection-mark=Torrent-Dw-Conn new-packet-mark=Torrent-Dw-Pkt \
add action=mark-connection chain=prerouting comment=Torrent--Up-Conn \
in-interface=bridge layer7-protocol=L7-All-Torrent new-connection-mark=\
Torrent-Up-Conn passthrough=yes
add action=mark-packet chain=forward comment=Torrent-Up-Pkt connection-mark=\
Torrent-Up-Conn new-packet-mark=Torrent-Up-Pkt passthrough=no
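
Added example, not from either poster: the two alternatives of the L7 regexp that are fully visible above, run over constructed first payloads to show which ones they would mark, which they flag wrongly, and which they miss. Python's `re` standing in for the RouterOS matcher, the `DOTALL` flag, the sample names and every payload, host and path are assumptions.

```python
import re

# Only the two alternatives that are fully visible in the posted regexp;
# the truncated remainder is not reconstructed. DOTALL is an assumption so
# that "." also spans the CRLF between HTTP header lines.
L7_VISIBLE = re.compile(
    rb"^.*(get|GET).+(torrent|thepiratebay|isohunt)|d1:ad2:id20:",
    re.DOTALL,
)

# Constructed samples: name -> (first payload, is it really torrent-related?)
SAMPLES = {
    "http_torrent_file": (
        b"GET /files/distro.iso.torrent HTTP/1.1\r\nHost: mirror.example\r\n\r\n", True),
    "dht_ping": (
        b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe", True),
    "news_article": (
        b"GET /news/court-ruling-on-torrent-sites HTTP/1.1\r\nHost: news.example\r\n\r\n", False),
    "game_patch": (
        b"GET /patch/manifest.json HTTP/1.1\r\nHost: cdn.game.example\r\n\r\n", False),
    # Simplified TLS ClientHello: record header, opaque bytes, then the server
    # name in clear text. No "GET" precedes the keyword, so the rule stays silent.
    "https_visit": (
        b"\x16\x03\x01\x00\x50\x01\x00\x00\x4c\x03\x03" + bytes(32)
        + b"\x00\x00\x15\x00\x13\x00\x00\x10thepiratebay.org", True),
}

def classify(samples=SAMPLES):
    """Return {name: True if the visible pattern would mark the connection}."""
    return {name: L7_VISIBLE.search(data) is not None
            for name, (data, _) in samples.items()}

def triage(samples=SAMPLES):
    """Compare rule hits with ground truth: (false positives, misses)."""
    hits = classify(samples)
    false_pos = sorted(n for n, (_, real) in samples.items() if hits[n] and not real)
    misses = sorted(n for n, (_, real) in samples.items() if real and not hits[n])
    return false_pos, misses

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:18} {'MARK' if hit else 'pass'}")
    print("false positives / misses:", triage())
```

Any plain-HTTP request whose text contains one of the keywords is marked regardless of destination, so the resulting address lists need review before they drive a drop or queue rule.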