Snort mailing list archives

Re: how to block P2P with snort


From: Sylvain BERTRAND <sbertran () metz supelec fr>
Date: Thu, 01 Apr 2004 13:22:56 +0200

http://sourceforge.net/projects/iptables-p2p/ is excellent, no need to look further... even if l7-filter looks amazing. The P2P match for iptables can detect most of the P2P protos around, except a few (Soulseek, maybe others...).
This and the classic port-blocking rules should be enough.

Sylvain

PS: I know this was not "snort related", but I thought it might help some of us.


Ravi wrote:

Sylvain,
Blocking P2P traffic is a difficult job for snort.
   - Some P2P applications use TCP, and if not, switch to UDP.
   - Even some applications have started using encryption to communicate, and snort can't interpret encrypted packets. But signatures can be written to block the traffic before encryption takes place. Hmm, giving a chance for a lot of false positives.
I think anomaly detection can help to block p2p.

There are some open source tools, some working with iptables, to block p2p.
You may want to look into these tools:
   - http://l7-filter.sourceforge.net/
   - http://sourceforge.net/projects/iptables-p2p/
You can also block using squid as a transparent proxy. Configure the ACL and it will work fine if the p2p uses the http protocol. I have not used them yet, so let me know which is best in action.

Cheers,
-Ravi
ROCSYS Technologies Ltd.,
http://www.rocsys.com
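The combination the thread recommends, classic port-blocking rules plus a protocol matcher, as an added example that is not part of the original mail or of either project. It uses the l7-filter match syntax (`-m layer7 --l7proto`) because that is the one documented by that project; the iptables-p2p match has its own options and is not shown. The port numbers are the well-known client defaults of the time (assumption: the clients were not reconfigured), and `IPT` defaults to `echo iptables` so the script only prints the rules unless you set `IPT=iptables` on a gateway with the l7-filter kernel patch.

```shell
#!/bin/sh
# Added example, not from the thread: block P2P on a Linux gateway by
# combining default-port DROPs with l7-filter protocol matching.
# Dry run by default; set IPT=iptables to apply on a patched kernel.
IPT="${IPT:-echo iptables}"

# Assumed default ports: eDonkey 4662/tcp 4672/udp, Gnutella 6346-6347,
# BitTorrent 6881-6889. Clients can change these, so ports alone are weak.
P2P_TCP_PORTS="4662 6346:6347 6881:6889"
P2P_UDP_PORTS="4672 6346:6347"

# Pattern names as shipped in l7-filter's protocol pattern set.
L7_PROTOS="bittorrent edonkey gnutella"

p2p_rules() {
    # Dedicated chain so the P2P policy can be flushed without touching FORWARD.
    $IPT -N P2P_BLOCK 2>/dev/null || true
    $IPT -F P2P_BLOCK

    # Cheap port-based rules first.
    for p in $P2P_TCP_PORTS; do
        $IPT -A P2P_BLOCK -p tcp --dport "$p" -j DROP
    done
    for p in $P2P_UDP_PORTS; do
        $IPT -A P2P_BLOCK -p udp --dport "$p" -j DROP
    done

    # Protocol matching catches clients moved off their default ports.
    # Log before dropping so false positives (see Ravi's point) can be tuned.
    for proto in $L7_PROTOS; do
        $IPT -A P2P_BLOCK -m layer7 --l7proto "$proto" -m limit --limit 5/min \
            -j LOG --log-prefix "P2P_L7_$proto "
        $IPT -A P2P_BLOCK -m layer7 --l7proto "$proto" -j DROP
    done

    # Hook the chain into FORWARD so it applies to traffic crossing the gateway.
    $IPT -I FORWARD -j P2P_BLOCK
}

p2p_rules
```

The LOG rule is rate-limited with `-m limit` so a busy P2P client cannot flood syslog; watch those lines for a while before trusting the l7 patterns enough to drop silently.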
