Re: how to block P2P with snort

[Charles Lacroix <chuck () linuxquebec com>]

On Wednesday 31 March 2004 12:50, Sylvain BERTRAND wrote:
> Hi everyone,
>
> I'm new on this ML (first day), and i already use Snort to monitor
> stuff. I assume this question has already been asked but I can't find
> any good answer: how to block P2P with snort? I'm currently using
> rules/p2p.rules but it's not enough (250 broadband users behind my fw...
> all of them students who want to leech a lot). What do you suggest?
> Sincerely,
>
> Sylvain BERTRAND

Hi there, i am also working on a similar project.

Use swatch to monitor your alert log file, then parse
the alert with some perl script that will generate you
iptables rules to block what ever you want.

On my side, i decided to completely block the user from
accessing web, and at the same time, send an email to
the admin so that he can manually unblock the user later
on after they had a talk with the boss.

But from what i can see, generating more complexe iptables rules
could be better. You could block only src_addr going to dest_addr
taken from your alert file. This way it would block current connections
and not affect the rest of the connection. unfortunatly, you will have
to build some sort of mecanisme to clean up your iptables rules after
a while. 


Later
Charles












-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users