Snort mailing list archives
Re: how to block P2P with snort
From: Charles Lacroix <chuck () linuxquebec com>
Date: Wed, 31 Mar 2004 16:27:54 -0500
On Wednesday 31 March 2004 16:05, you wrote:
> Charles Lacroix wrote:
>> On Wednesday 31 March 2004 12:50, Sylvain BERTRAND wrote:
>>> Hi everyone,
>>> I'm new on this ML (first day), and I already use Snort to monitor stuff. I assume this question has already been asked but I can't find any good answer: how to block P2P with snort? I'm currently using rules/p2p.rules but it's not enough (250 broadband users behind my fw... all of them students who want to leech a lot). What do you suggest?
>>> Sincerely,
>>> Sylvain BERTRAND
>>
>> Hi there, I am also working on a similar project. Use swatch to monitor your alert log file, then parse the alert with some perl script that will generate iptables rules for you to block whatever you want. On my side, I decided to completely block the user from accessing the web, and at the same time send an email to the admin so that he can manually unblock the user later on after they have had a talk with the boss. But from what I can see, generating more complex iptables rules could be better. You could block only src_addr going to dest_addr taken from your alert file. This way it would block current connections and not affect the rest of the connections. Unfortunately, you will have to build some sort of mechanism to clean up your iptables rules after a while.
>> Later
>> Charles
>
> My problem is not really to decide what I should block on the user's side when I detect P2P traffic. I already use a home-made perl script that parses the /var/log/snort/alert file and automatically inserts a rule to disconnect the user. So I can afford to cut the user off the Internet, and even come to his place and check out his computer. The real problem for me is that most of the P2P traffic isn't detected by snort's default P2P rules. And I was wondering if there were an unofficial set of rules that would block most of the P2P traffic (false positives are ok!).
> Sylvain
Oh sorry, well for exp rules, I know I saw a few about eDonkey/eMule in the sigs mailing list, and I made some for Direct Connect, but if you find a site with lots of these rules, I would be really interested in trying them out too.
Charles
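The swatch-plus-perl pipeline Charles describes in the quoted message (parse the alert file, emit an iptables rule for the offending src_addr -> dest_addr pair, clean the rules up later), as an added example that is not part of this thread and not either poster's script: a Python sketch of the same idea, assuming Snort's one-line fast alert format and a simple TTL-based expiry. The alert lines, SIDs and addresses are constructed, and the iptables commands are returned as strings rather than executed.

```python
import re
# Snort's one-line "fast" alert format as written to /var/log/snort/alert (layout assumed):
# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Alert fields as a dict, or None for lines that are not fast-format alerts."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def iptables_cmd(action, src, dst):
    # Narrow rule on the offending src -> dst pair only, so the user's other traffic keeps working.
    return f"iptables {action} FORWARD -s {src} -d {dst} -j DROP"

class FlowBlocker:
    """Turns matching alerts into DROP rules and removes them again after `ttl` seconds."""
    def __init__(self, ttl, sid_filter=None):
        self.ttl = ttl
        self.sid_filter = sid_filter  # set of SIDs to act on; None means every alert
        self.active = {}              # (src, dst) -> expiry time in epoch seconds

    def on_alert(self, line, now):
        """Commands to run for one alert line; empty if ignored or already blocked."""
        a = parse_alert(line)
        if a is None or (self.sid_filter and a["sid"] not in self.sid_filter):
            return []
        key = (a["src"], a["dst"])
        already = key in self.active
        self.active[key] = now + self.ttl  # every hit restarts the clock; no duplicate rule
        return [] if already else [iptables_cmd("-I", *key)]

    def expire(self, now):
        """Cleanup pass: -D commands for every block whose TTL has run out."""
        expired = [k for k, exp in self.active.items() if exp <= now]
        for k in expired:
            del self.active[k]
        return [iptables_cmd("-D", *k) for k in expired]

# Constructed sample alerts (not real captures); SIDs 1000001/1000002 are local-rule placeholders.
SAMPLE_ALERTS = [
    "03/31-16:05:12.123456  [**] [1:1000001:1] P2P test rule [**] [Classification: test] [Priority: 1] {TCP} 10.0.5.23:51413 -> 203.0.113.10:6881",
    "03/31-16:05:13.000001  [**] [1:1000001:1] P2P test rule [**] [Classification: test] [Priority: 1] {TCP} 10.0.5.23:51414 -> 203.0.113.10:6881",
    "03/31-16:05:14.000001  [**] [1:1000002:1] ICMP test rule [**] [Classification: test] [Priority: 3] {ICMP} 10.0.5.99 -> 203.0.113.20",
    "this line is not an alert",
]

def demo(ttl=600):
    """Feed the samples one second apart, then run cleanup ttl seconds after the last P2P hit."""
    blocker, cmds = FlowBlocker(ttl, sid_filter={"1000001"}), []
    for i, line in enumerate(SAMPLE_ALERTS):
        cmds += blocker.on_alert(line, now=1000 + i)
    return cmds + blocker.expire(now=1001 + ttl)
```

In a real deployment the returned commands would be run from the swatch action (or a tail loop on the alert file) and `expire()` from a periodic job, so the blocks disappear on their own instead of piling up.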