Snort mailing list archives
Re: Stopping outbound Kazaa
From: Gustavo Beltrami Rossi <rossi () rec homeip net>
Date: 14 Feb 2003 01:07:33 -0200
Travis, I'm testing the software at a 512k cable pipe. I have disabled all default snort rules and I'm just using the kazaa and gnutella sigs. No problem until now. I'm planning to try snort inline for this configuration, what do you think?

And for the sigs specialists, I've two doubts:

- Are there any other p2p sigs besides kazaa and gnutella? Like edonkey, winmx, icq file transfer, aim file transfer, others?
- Is it possible to catch a sig on multiple packets of a stream? Like I said before, something like:

  pkt1 -> get /get
  pkt2 -> server ok

  to trigger an alert.

-- Rossi

On Thu, 2003-02-13 at 21:54, Travis S. wrote:
> Concerning the comment about monitoring a specific port... the new version of Kazaa (which is what composes the majority of our traffic) will go straight to port 80 if its default port is blocked.
>
> On the idea to generate filters based on snort logs... that's a good idea, but the most difficult part is classifying traffic in my opinion - especially if you're dealing with a very large pipe where it's possible that you won't catch 100% of the packets in a given flow. When you get this software into production, I would be interested to know how it works for you.
>
> For a while I was looking at using the logs to generate a static route table, routing all traffic to a null interface that dealt with a Kazaa remote computer. This was too forceful of a rule, however, as it would blacklist all traffic from those computers.
>
> I am in the process of getting a machine up to use flexresp and see if we can kill outbound connections of file transfers from our network - we'll see how well that works.
>
> --Travis
>
> ---------- Original Message ----------------------------------
> From: Gustavo Beltrami Rossi <rossi () rec homeip net>
> Date: Mon, 10 Feb 2003 11:52:53 -0200
>
> | On Thu, Feb 06, 2003 at 12:40:35PM -0500, Travis S. wrote:
> | > On a large 1 gbps full-duplex internet pipe, I want to prevent outside users from downloading files on Kazaa, gnutella, etc from our network. On the other hand, I don't want to stop our users from downloading these files from the outside.
> | >
> | > Basically the idea is to manage the uncontrolled outbound stream so we have spare - right now it's pegged 100% usage.
> | >
> | > Has anybody figured out clever ways to accomplish this using snort or any other package? Obviously I would prefer a free solution, so it would be great if Snort could do this.
> |
> | I'm working on a project to limit the bandwidth of p2p applications using snort sigs and altq (OpenBSD). The idea is to monitor the snort alerts of p2p traffic sigs and then generate on the fly filters of altq.
> |
> | I'm now finishing the development of that interconnection software (snort->altq), and then I'll start collecting sigs of p2p softwares. In that phase, does anybody know if it is possible to catch a sig across multiple packets on the same stream? If it is, please let me know how. Something like that:
> |
> | host1 -> host2 : GET /GET/ (pkt 1)
> | host2 -> host1 : SERVER OK (pkt 2)
> |
> | I'm using snort 1.9 with stream4 enabled.
> |
> | Thanks in advance,
> | Rossi.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
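The snort->altq interconnection Rossi describes in the quoted message, as an added example that is not from the thread or from Rossi's software: it reads Snort fast-alert style lines, keeps the local hosts named in kazaa/gnutella alerts, and emits pf rules that steer those hosts' outbound traffic into an ALTQ queue. The alert lines, SIDs, addresses, the interface name fxp0, the P2P message markers and the queue split are constructed assumptions; only the 512Kb pipe comes from Rossi's own message.

```python
import ipaddress
import re

# Snort "fast" alert style lines.  The line shape is Snort's; the SIDs (local
# 1000000+ range), timestamps and addresses are constructed for this example.
SAMPLE_ALERTS = """\
02/14-01:07:33.123456  [**] [1:1000001:1] P2P Fast Track kazaa traffic [**] [Priority: 1] {TCP} 192.168.1.10:1214 -> 64.12.13.14:1214
02/14-01:07:35.654321  [**] [1:1000002:1] P2P Gnutella client request [**] [Priority: 1] {TCP} 10.1.1.20:6346 -> 192.168.1.11:6346
02/14-01:07:36.000001  [**] [1:1000003:1] WEB-MISC unrelated rule [**] [Priority: 2] {TCP} 192.168.1.12:3344 -> 64.12.13.15:80
02/14-01:07:37.000002  [**] [1:1000001:1] P2P Fast Track kazaa traffic [**] [Priority: 1] {TCP} 192.168.1.10:1214 -> 64.12.13.16:1214
"""

ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)
# Rule-message substrings treated as P2P (assumption; only these two sigs are in the thread).
P2P_MARKERS = ("kazaa", "gnutella")

# Assumed pf.conf queue layout: 512Kb is Rossi's test pipe; split and fxp0 are made up.
PF_QUEUE_SETUP = """\
altq on fxp0 cbq bandwidth 512Kb queue { std, p2p }
queue std bandwidth 448Kb cbq(default)
queue p2p bandwidth 64Kb cbq
"""

def p2p_hosts(alert_text, local_net):
    """Local addresses on either side of a P2P alert, in first-seen order.
    Taking the local end also covers a remote peer pulling from an inside
    host, which is Travis's outbound case."""
    net = ipaddress.ip_network(local_net)
    hosts = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or not any(k in m["msg"].lower() for k in P2P_MARKERS):
            continue
        for addr in (m["src"], m["dst"]):
            if ipaddress.ip_address(addr) in net and addr not in hosts:
                hosts.append(addr)
    return hosts

def altq_rules(hosts, ext_if="fxp0", queue="p2p"):
    """One pf pass rule per host, steering its outbound packets into queue."""
    return [f"pass out on {ext_if} from {h} to any queue {queue}" for h in hosts]

if __name__ == "__main__":
    print(PF_QUEUE_SETUP, end="")
    for rule in altq_rules(p2p_hosts(SAMPLE_ALERTS, "192.168.1.0/24")):
        print(rule)
```

Note that this only ever tags traffic per host, not per connection, so a host that is also doing legitimate work gets throttled along with its P2P transfers; that is the same trade-off Travis ran into with his null-route table.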