solar77
Member
Topic Author
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

detect visit to torrent site

Fri Feb 02, 2018 11:05 am

I've been trying to use some of the L7 rules to catch torrent downloading on our network; however, I had to stop as some of the games use P2P to update. I am trying an alternative, which is to add common torrent websites to an address list and then catch traffic going to those addresses in Mangle.

In the address list, I have:
add address=thehiddenbay.ws list=TorrentSite
add address=tpbduck.com list=TorrentSite
add address=piratenbaai.ch list=TorrentSite
add address=thepirate-proxy.nl list=TorrentSite
add address=tpb.network list=TorrentSite
add address=piratebay.website list=TorrentSite
...
...

and in mangle:
add action=add-src-to-address-list address-list=Torrent_user_Stage4 address-list-timeout=1w chain=prerouting \
    comment="Add torrent user by Torrent Address List \"TorrentSite\"" connection-state=new \
    dst-address-list=TorrentSite log=yes log-prefix="/////Site==="

My question is: I've been watching the log, and the destination IP addresses do not match any IP in my address list. They mostly belong to CloudFront. Is this because the torrent sites are all hiding behind CloudFront? If that's the case, why can they trigger this mangle rule?
MTCNA MTCTCE UEWA
 
TAD
just joined
Posts: 12
Joined: Tue Mar 13, 2012 12:17 pm

Re: detect visit to torrent site

Fri Feb 02, 2018 5:43 pm

Hi,
Try this and tell us if it's OK.
/ip firewall layer7-protocol
add name=L7-All-Torrent regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|en\
tertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|b\
itunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|megano\
va|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits|\\x13bittorre\
nt protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_ha\
sh=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x04\\x17\\x27\
\\x10\\x19\\x80'7P\\).*\$"

/ip firewall mangle
add action=add-src-to-address-list address-list="Torrent_SV lists" \
address-list-timeout=10m chain=forward comment="Torrent_SV lists" \
connection-mark=Torrent-Dw-Conn in-interface=Wan
add action=add-dst-to-address-list address-list="Torrent_local users lists" \
address-list-timeout=10m chain=forward comment=\
"Torrent_local users lists" connection-mark=Torrent-Dw-Conn in-interface=\
Wan
add action=mark-connection chain=forward comment=Torrent--Dw-Conn \
in-interface=Wan layer7-protocol=L7-All-Torrent new-connection-mark=\
Torrent-Dw-Conn passthrough=yes
add action=mark-packet chain=forward comment=Torrent--Dw-Conn \
connection-mark=Torrent-Dw-Conn new-packet-mark=Torrent-Dw-Pkt \
passthrough=no
add action=mark-connection chain=prerouting comment=Torrent--Up-Conn \
in-interface=bridge layer7-protocol=L7-All-Torrent new-connection-mark=\
Torrent-Up-Conn passthrough=yes
add action=mark-packet chain=forward comment=Torrent-Up-Pkt connection-mark=\
Torrent-Up-Conn new-packet-mark=Torrent-Up-Pkt passthrough=no
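
An added example, not part of TAD's post and not MikroTik code: the L7-All-Torrent pattern above, run over constructed payloads to show what it flags and what it lets through. Python's `re` stands in for the RouterOS matcher (assumed case-sensitive, with `.` matching any byte); all payloads and host names are constructed.

```python
import re

# TAD's L7-All-Torrent pattern with only the RouterOS string escaping removed
# (\\x13 -> \x13, \$ -> $, \\\? -> \?); the expression itself is unchanged.
L7_ALL_TORRENT = re.compile(
    rb"^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie"
    rb"|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic"
    rb"|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls"
    rb"|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits"
    rb"|\x13bittorrent protocol|azver\x01$"
    rb"|get /scrape\?info_hash=get /announce\?info_hash="
    rb"|get /client/bitcomet/|GET /data\?fid=)"
    rb"|d1:ad2:id20:|\x04\x17\x27\x10\x19\x80'7P\).*$",
    re.DOTALL,  # assumption: '.' also matches newlines, as in POSIX regex
)

# Constructed sample payloads (first bytes of a connection), not captures.
SAMPLES = {
    "http_article": b"GET /wiki/how-torrents-work HTTP/1.1\r\n"
                    b"Host: encyclopedia.example\r\n\r\n",
    "game_patch": b"GET /patch/manifest.torrent HTTP/1.1\r\n"
                  b"Host: updates.game.example\r\n\r\n",
    "dht_ping": b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    "peer_handshake": b"\x13BitTorrent protocol" + bytes(8) + bytes(40),
    # Abbreviated TLS ClientHello: record header, padding, SNI extension.
    "tls_sni": b"\x16\x03\x01\x00\x30" + bytes(8)
               + b"\x00\x00\x00\x19\x00\x17\x00\x00\x14torrent-site.example",
}

def l7_matches(payload: bytes) -> bool:
    # RouterOS only inspects the start of a connection (documented as the
    # first 10 packets or 2 KB), so only the first 2048 bytes are searched.
    return L7_ALL_TORRENT.search(payload[:2048]) is not None

def run_samples() -> dict:
    # Map each constructed sample name to whether the pattern matches it.
    return {name: l7_matches(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:15} {'MATCH' if hit else 'no match'}")
```

Every keyword inside the second group needs a `get`/`GET` earlier in the stream, so any plaintext HTTP request mentioning "torrent" is marked, while a bare peer handshake and a TLS ClientHello are not; only the DHT alternative `d1:ad2:id20:` matches without that prefix.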
