Snort mailing list archives
Re: Stopping outbound Kazaa
From: twig les <twigles () yahoo com>
Date: Thu, 6 Feb 2003 11:37:07 -0800 (PST)
There are 2 kazaa rules that I know of offhand, sid:1383 and sid:1699. Unfortunately these require dst port 1214 so they can be avoided. Without knowing anything about your infrastructure or corporate environment it's hard to find a solution, although to be honest if this is a work environment and you're out of bandwidth I'd simply kill all Kazaa, up or down. Especially since it's normally the "You've Got Mail" crowd downloading things and not virus-scanning them before execution. Not to mention the heinous MPAA/RIAA(TM ... probably) plot to punish copyright thieves :). The only way I can think of to stop Kazaa is thru bandwidth monitoring and policy. Send out a new policy based on filesharing being a no-no and then watch the bandwidth consumption and figure who has got a suspicious stream of traffic (30-60kps for 16 hours straight coming from a desktop in finance to the internet). QoS on the router(s) may help but I don't know your environment. You could simply kick the end-user traffic to a lower priority. So in essence, no, I haven't figured out a clever way to do this with free stuff. But I'm feeling quite chatty today so I hope this helps. --- "Travis S." <security () starfieldsw com> wrote:
On a large 1 gbps full-duplex internet pipe, I want to prevent outside users from downloading files on Kazaa, gnutella, etc from our network. On the other hand, I don't want to stop our users from downloading these files from the outside. Basically the idea is to manage the uncontrolled outbound stream so we have spare - right now it's pegged 100% usage. Has anybody figured out clever ways to accomplish this using snort or any other package? Obviously I would prefer a free solution, so it would be great if Snort could do this. --Travis ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
===== ----------------------------------------------------------- Know yourself and know your enemy and you will never fear defeat. ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Stopping outbound Kazaa Travis S. (Feb 06)
- Re: Stopping outbound Kazaa twig les (Feb 06)
- Re: Stopping outbound Kazaa Brian (Feb 07)
- Re: Stopping outbound Kazaa Gustavo Beltrami Rossi (Feb 10)
- <Possible follow-ups>
- Re: Stopping outbound Kazaa Travis S. (Feb 06)
- Re: Stopping outbound Kazaa Travis S. (Feb 13)
- Re: Stopping outbound Kazaa Erek Adams (Feb 13)
- Re: Stopping outbound Kazaa twig les (Feb 13)
- Re: Stopping outbound Kazaa Gustavo Beltrami Rossi (Feb 14)
- Re: Stopping outbound Kazaa Erek Adams (Feb 13)
- RE: Stopping outbound Kazaa Bob McDowell (Feb 14)