Snort mailing list archives
Re: Snort and Kazaa 2.0
From: "Sam Evans" <sam () neuroflux com>
Date: Tue, 22 Oct 2002 19:03:13 -0600
Based on what we have seen, it no longer uses the 1214 port for its traffic. (Although, it does use it sometimes..) Weird. Anyway, we have come up with a rule that seems to work very well for the new Kazaa. YMMV though.. This is for snort 1.8.7 (but should work for 1.9.0).

    alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; content: "X-Kazaa"; rev: 1;)

What we have seen is that even though the new Kazaa doesn't use the standard 1214, the protocol still utilizes the X-Kazaa tag for its transfers. While this rule will not alert you as to when someone is searching for a file, it will alert when someone initiates a transfer session. (Multiple times quite possibly, depending on the packet).

Throw a resp: rst_snd in there, and you've blocked Kazaa 2.0 (at least in our experience).

-Sam

----- Original Message -----
From: "Vicente" <vi_joel () yahoo com>
To: <snort-users () lists sourceforge net>
Sent: Monday, October 21, 2002 1:57 PM
Subject: [Snort-users] Snort and Kazaa 2.0
Hi,

Sorry about the last, empty mesg. I want to know if someone could help me to block kazaa 2.0 traffic, using snort or iptables. This new version seems to use a lot of different port numbers and I can't block it.

Thanks
--
Vicente
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
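An added illustration, not part of the original message and not Snort's own code: a small Python model of the rule above, run against constructed packets, to show what a port-independent content match does and does not fire on. The packet payloads, port numbers and the X-Kazaa-Username / X-Kazaa-Network header lines are assumptions made up for the example; the second rule (bound to port 1214) is a hypothetical variant used only for comparison.

```python
import re
from typing import NamedTuple

# Rule as posted in the message, plus a hypothetical variant bound to port 1214.
ANY_PORT_RULE = ('alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; '
                 'content: "X-Kazaa"; rev: 1;)')
PORT_1214_RULE = ANY_PORT_RULE.replace("-> any any", "-> any 1214")

class Packet(NamedTuple):
    proto: str
    sport: int
    dport: int
    payload: bytes

def parse_rule(rule):
    """Split a simple one-content rule into header fields and options."""
    header, _, body = rule.partition("(")
    _action, proto, _src, sport, _dir, _dst, dport = header.split()
    opts = dict(re.findall(r'(\w+):\s*"?([^";]+)"?\s*;', body))
    return {"proto": proto, "sport": sport, "dport": dport, **opts}

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    """Protocol and ports must match, and the content must appear in the payload."""
    return (pkt.proto == rule["proto"]
            and port_ok(rule["sport"], pkt.sport)
            and port_ok(rule["dport"], pkt.dport)
            and rule["content"].encode() in pkt.payload)

# Constructed sample traffic (not captured from a real network).
TRANSFER = (b"GET /file-placeholder HTTP/1.1\r\n"
            b"X-Kazaa-Username: user\r\nX-Kazaa-Network: KaZaA\r\n\r\n")
PACKETS = {
    "transfer_port_1214": Packet("tcp", 40001, 1214, TRANSFER),
    "transfer_other_port": Packet("tcp", 40002, 3531, TRANSFER),
    "plain_http": Packet("tcp", 40003, 80,
                         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # A mail that merely quotes the rule also carries the string.
    "mail_quoting_rule": Packet("tcp", 40004, 25,
                                b'Subject: Re: Snort and Kazaa 2.0\r\n\r\ncontent: "X-Kazaa";'),
}

def alerts(rule_text, packets=PACKETS):
    """Return the names of the packets the rule would alert on."""
    rule = parse_rule(rule_text)
    return [name for name, pkt in packets.items() if matches(rule, pkt)]

if __name__ == "__main__":
    print("any-port rule :", alerts(ANY_PORT_RULE))
    print("port-1214 rule:", alerts(PORT_1214_RULE))
```

The any-port rule catches the transfer on both ports, where the port-bound variant sees only the one on 1214; it also fires on the mail that quotes the tag, so alerts from it are worth checking against the destination before a reset response is attached.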