Snort mailing list archives
Re: how to block P2P with snort
From: Sylvain BERTRAND <sbertran () metz supelec fr>
Date: Thu, 01 Apr 2004 13:22:56 +0200
http://sourceforge.net/projects/iptables-p2p/ is excellent, no need to look further... even if l7-filter looks amazing.

The P2P match for iptables can detect most of the P2P protos around, except a few (Soulseek, maybe others...). This and the classic port-blocking rules should be enough.

Sylvain

PS: I know this was not "snort related", but I thought it might help some of us.

Ravi wrote:
Sylvain,

Blocking P2P traffic is a difficult job for snort.
- Some P2P applications use TCP and, if not, switch to UDP.
- Some applications have even started using encryption to communicate, and snort can't interpret encrypted packets.

But signatures can be written to block the traffic before encryption takes place. Hmm, giving a chance to a lot of false positives. I think anomaly detection can help to block p2p.

There are some open source tools, some working with iptables, to block p2p. You may like to look into these tools:
- http://l7-filter.sourceforge.net/
- http://sourceforge.net/projects/iptables-p2p/

You can also block using squid as a transparent proxy. Configure the ACL and it will work fine if the p2p uses the http protocol. I have not used them yet, so let me know which is best in action.

Cheers,
-Ravi
ROCSYS Technologies Ltd., http://www.rocsys.com
Current thread:
- Re: how to block P2P with snort Ravi (Mar 31)
- Re: how to block P2P with snort Sylvain BERTRAND (Apr 01)
- snort tables (mysql) Cesar (May 19)