Snort mailing list archives

Re: Stopping outbound Kazaa


From: Erek Adams <erek () snort org>
Date: Thu, 13 Feb 2003 20:47:52 -0500 (EST)

On Thu, 13 Feb 2003, Travis S. wrote:

> Concerning the comment about monitoring a specific port... the new
> version of Kazaa (which is what composes the majority of our traffic)
> will go straight to port 80 if its default port is blocked.

Yep...  Just like the AOL IM Client.  God, that thing is evil.  Just fire
it up in a testlab off of the net and sniff the traffic.  It uses damned
near every "well known" port to get out.  :-(

> For a while I was looking at using the logs to generate a static route
> table, routing all traffic to a null interface that dealt with a Kazaa
> remote computer.  This was too forceful of a rule, however, as it would
> blacklist all traffic from those computers.  I am in the process of
> getting a machine up to use flexresp and see if we can kill outbound
> connections of file transfers from our network - we'll see how well that
> works.

Honestly, I think you were on the right track with the null route.  If you
did something like "ip route <kazaa_server_IP> <netmask> null0" that would
stop anyone from connecting to it...

If that's not useable, then consider using something like SnortSam to add
an outbound ACL to your router.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
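The two router-side options discussed in this exchange (per-peer null routes generated from the Snort logs, and an outbound ACL of the kind SnortSam would push) can be produced from the same alert data. The script below is an added example for this thread, not code from Snort, SnortSam, or either poster. It assumes Snort's "fast" alert format, Cisco IOS syntax for `ip route ... Null0` and `access-list`, and a placeholder rule message `P2P Kazaa outbound` with a made-up sid; the alert lines are constructed, with peer addresses from documentation ranges and one hit on port 80 to mirror the port-hopping described above.

```sh
#!/bin/sh
# Turn Snort alerts for a P2P application into (a) Cisco-style null routes
# and (b) an outbound ACL, one entry per remote peer. Hypothetical helper
# written for this thread; not part of Snort, SnortSam or any real deployment.

# Constructed sample of Snort "fast" alert lines. The sid (1000001) and the
# message text are placeholders, not a real rule; peer addresses are RFC 5737
# documentation ranges. One Kazaa hit goes to port 80 (the fallback described
# in the thread) and one goes to an internal host, which must not be routed away.
ALERTS='02/13-20:01:02.000001  [**] [1:1000001:1] P2P Kazaa outbound (placeholder) [**] [Priority: 2] {TCP} 10.0.0.15:1214 -> 198.51.100.20:1214
02/13-20:01:05.000002  [**] [1:1000002:1] ICMP PING (placeholder) [**] [Priority: 3] {ICMP} 10.0.0.15 -> 203.0.113.9
02/13-20:02:10.000003  [**] [1:1000001:1] P2P Kazaa outbound (placeholder) [**] [Priority: 2] {TCP} 10.0.0.22:3310 -> 198.51.100.20:80
02/13-20:03:44.000004  [**] [1:1000001:1] P2P Kazaa outbound (placeholder) [**] [Priority: 2] {TCP} 10.0.0.7:2048 -> 198.51.100.77:1214
02/13-20:04:00.000005  [**] [1:1000001:1] P2P Kazaa outbound (placeholder) [**] [Priority: 2] {TCP} 10.0.0.7:2049 -> 10.0.0.40:1214'

PATTERN='P2P Kazaa'       # substring of the alert message we act on (assumed)
INTERNAL_PREFIX='10.'     # our own address space; never null-route it
ACL_NUMBER=110            # extended ACL number used in the generated lines

# Unique remote peer IPs seen in matching alerts, in first-seen order.
kazaa_peers() {
    printf '%s\n' "$ALERTS" |
    awk -v pat="$PATTERN" -v internal="$INTERNAL_PREFIX" '
        index($0, pat) {
            dst = ""
            for (i = 1; i < NF; i++) if ($i == "->") dst = $(i + 1)
            if (dst == "") next
            sub(/:[0-9]+$/, "", dst)              # strip :port, keep the host
            if (index(dst, internal) == 1) next   # skip peers inside our own net
            if (!(dst in seen)) { seen[dst] = 1; print dst }
        }'
}

# Option 1 from the reply: a /32 static route to Null0 per peer.
# This drops ALL traffic to that peer, not just Kazaa, so review the list
# before pasting it into a router.
null_routes() {
    kazaa_peers | while read -r ip; do
        printf 'ip route %s 255.255.255.255 Null0\n' "$ip"
    done
}

# Option 2: an outbound extended ACL denying each peer, with the explicit
# permit at the end so nothing else is cut off by the implicit deny.
acl_lines() {
    kazaa_peers | while read -r ip; do
        printf 'access-list %s deny ip any host %s\n' "$ACL_NUMBER" "$ip"
    done
    printf 'access-list %s permit ip any any\n' "$ACL_NUMBER"
}

echo '! null routes'
null_routes
echo '! outbound ACL'
acl_lines
```

Both outputs block by peer host rather than by port, since the thread's point is that the client simply moves to port 80 when 1214 is closed. The ACL still has to be bound to an interface (on IOS, `ip access-group 110 out` under the interface, an assumed step not shown above), and with either option a peer that also hosts something legitimate is cut off completely, which is the "too forceful" effect mentioned earlier; the internal-prefix filter only protects your own hosts from the same mistake.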


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users