Snort mailing list archives

Re: Snort and Kazaa 2.0


From: "Sam Evans" <sam () neuroflux com>
Date: Tue, 22 Oct 2002 19:03:13 -0600

Based on what we have seen, it no longer uses the 1214 port for its
traffic.  (Although, it does use it sometimes.. )  Weird.

Anyway, we have come up with a rule that seems to work very well for the new
Kazaa.   YMMV though..

This is for snort 1.8.7 (but should work for 1.9.0).

alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; content: "X-Kazaa"; rev: 1;)

What we have seen is that even though the new Kazaa doesn't use the
standard 1214, the protocol still utilizes the X-Kazaa tag for its
transfers.  While this rule will not alert you as to when someone is
searching for a file, it will alert when someone initiates a transfer
session.  (Multiple times quite possibly, depending on the packet).

Throw a resp: rst_snd in there, and you've blocked Kazaa 2.0 (at least in
our experience).

-Sam

----- Original Message -----
From: "Vicente" <vi_joel () yahoo com>
To: <snort-users () lists sourceforge net>
Sent: Monday, October 21, 2002 1:57 PM
Subject: [Snort-users] Snort and Kazaa 2.0


Hi,

Sorry about the last, empty message.
I want to know if someone could help me to block Kazaa
2.0 traffic, using snort or iptables. This new version
seems to use a lot of different port numbers and I
can't block it.

Thanks

--
Vicente



-------------------------------------------------------
This sf.net emial is sponsored by: Influence the future
of Java(TM) technology. Join the Java Community
Process(SM) (JCP(SM)) program now.

http://ad.doubleclick.net/clk;4699841;7576301;v?http://www.sun.com/javavote
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
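
Added example (not part of the original posts, and not Snort's own code): a small Python model of how the rule above is evaluated, showing why a content match on the X-Kazaa tag fires regardless of port, why one transfer session can alert more than once, and why tagless search traffic does not alert. The port-1214 variant, the packet tuples, and the X-Kazaa-Username header lines are constructed for illustration; only the rule text and the "X-Kazaa" tag come from the post.

```python
import re
from collections import Counter

# Rule from the post, plus a constructed port-1214 variant for comparison.
RULE_ANY = ('alert tcp any any -> any any '
            '(msg: "P2P Kazaa File Transfer"; content: "X-Kazaa"; rev: 1;)')
RULE_1214 = RULE_ANY.replace("-> any any", "-> any 1214")

def parse_rule(rule):
    """Parse a simple one-line rule; assumes no ';' inside option values."""
    header, opts = re.match(r'^(.*?)\s*\((.*)\)\s*$', rule).groups()
    _action, proto, _src, sport, _arrow, _dst, dport = header.split()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(';'))):
        key, _, val = opt.partition(':')
        options[key.strip()] = val.strip().strip('"')
    return {"proto": proto, "sport": sport, "dport": dport, "options": options}

def matches(rule, pkt):
    """Port check from the header, then a case-sensitive payload search."""
    _src, sport, _dst, dport, payload = pkt
    for want, got in ((rule["sport"], sport), (rule["dport"], dport)):
        if want != "any" and int(want) != got:
            return False
    return rule["options"]["content"].encode() in payload

def alerts_per_session(rule_text, packets):
    """Count alerting packets per TCP session (both directions share a key)."""
    rule, hits = parse_rule(rule_text), Counter()
    for pkt in packets:
        if matches(rule, pkt):
            hits[tuple(sorted([pkt[0:2], pkt[2:4]]))] += 1
    return hits

# Constructed packets: (src, sport, dst, dport, payload). Not captured traffic.
PACKETS = [
    ("10.0.0.5", 3021, "192.0.2.10", 2745,
     b"GET /file HTTP/1.1\r\nX-Kazaa-Username: a\r\n\r\n"),
    ("192.0.2.10", 2745, "10.0.0.5", 3021,
     b"HTTP/1.1 200 OK\r\nX-Kazaa-Username: b\r\n\r\n"),
    ("10.0.0.5", 3022, "192.0.2.20", 1214, b"\x01\x02 opaque search bytes"),
]

if __name__ == "__main__":
    print("any-port rule :", dict(alerts_per_session(RULE_ANY, PACKETS)))
    print("port-1214 rule:", dict(alerts_per_session(RULE_1214, PACKETS)))
```

The any-port rule alerts on both directions of the one tagged session, while the port-1214 variant sees nothing because the tagged transfer never touches that port.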




