set service "BitComet_Handshake" protocol tcp src-port 0-65535 dst-port 1025-65535
set service "http8080" protocol tcp src-port 0-65535 dst-port 8080-8080

步骤二：定义追踪查询的签名

set attack "CS:BT-TRACK:1" http-url-variable-parsed ".*\[p_w_uploadid\].*" severity info 9bm set attack "CS:BT-TRACK:2" stream256 ".*\[announce\].*" severity info

set attack "CS:BT-TRACK:3" http-url-parsed ".*\[torrent\].*" severity info

定义一些签名，匹配HTTP下载"*.torrent" file的请求。

定义的签名将会应用到HTTP或用户定义的HTTP服务端口，比如TCP的8080端口。

步骤三：定义握手协议的签名

set attack "CS:Bitcomet:HandShake" stream256 ".*\[BitTorrent protocol\].*" severity info

定义模块化的BT握手协议***签名

步骤四： 定义应用于策略的追踪可疑的***组
set attack group "CS:Bitcomet:Track" =Cj0*uJ  
set attack group "CS:Bitcomet:Track" add "CS:BT-TRACK:2"

set attack group "CS:Bitcomet:Track" add "CS:BT-TRACK:3"

set attack group "CS:Bitcomet:Track" add "CS:BT-TRACK:1"

步骤五： 定义应用于策略的握手协议***组

set attack group "CS:BitComet:HandShake"

set attack group "CS:BitComet:HandShake" add "CS:Bitcomet:HandShake" lhemLet8iI

步骤六： 创建基于标准的HTTP服务的追踪查询策略    
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "HTTP" permit log
set policy id 3 attack "CS:Bitcomet:Track" action close

set policy id 3 exit

步骤七： 创建基于自定义的HTTP服务的追踪查询策略
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "http8080" permit
set policy id 4 attack "CS:Bitcomet:Track" action close UL  
set policy id 4 application "http"                                         
set policy id 4 5
exit

步骤八： 创建握手协议策略

"_GB>$5  
set policy id 5 from "Trust" to "Untrust"  "Any" "Any" "BitComet_Handshake" permit
set policy id 5 application "TALK"

set policy id 5 attack "CS:BitComet:HandShake" action close "
set policy id 5

exit