Snort mailing list archives
Re: how to block P2P with snort
From: Ravi <ravivsn () roc co in>
Date: Thu, 01 Apr 2004 10:52:00 +0530
Sylvain, Blocking P2P traffic is difficult job for snort. - Some P2P applications uses TCP, if not switches to UDP- Even some applications started using encryption to communicate,and snort cant intrepret encrytped packets. But signatures can be written to block the traffic before encryption takes place. Hmm, giving a chance to lot of false positives. I think anamoly detection can help to block p2p.
There are some open source tools some working with iptables to block p2p. YOu may would like to look into this tools: - http://l7-filter.sourceforge.net/ - http://sourceforge.net/projects/iptables-p2p/You can also block using squid as transparent proxy. Configure the ACL and it will work fine if the p2p uses http protocol.
I have not used them yet, so let me know which is best in action. Cheers, -Ravi ROCSYS Technologies Ltd., http://www.rocsys.com Charles Lacroix wrote:
On Wednesday 31 March 2004 16:05, you wrote:Charles Lacroix wrote:On Wednesday 31 March 2004 12:50, Sylvain BERTRAND wrote:Hi everyone, I'm new on this ML (first day), and i already use Snort to monitor stuff. I assume this question has already been asked but I can't find any good answer: how to block P2P with snort? I'm currently using rules/p2p.rules but it's not enough (250 broadband users behind my fw... all of them students who want to leech a lot). What do you suggest? Sincerely, Sylvain BERTRANDHi there, i am also working on a similar project. Use swatch to monitor your alert log file, then parse the alert with some perl script that will generate you iptables rules to block what ever you want. On my side, i decided to completely block the user from accessing web, and at the same time, send an email to the admin so that he can manually unblock the user later on after they had a talk with the boss. But from what i can see, generating more complexe iptables rules could be better. You could block only src_addr going to dest_addr taken from your alert file. This way it would block current connections and not affect the rest of the connection. unfortunatly, you will have to build some sort of mecanisme to clean up your iptables rules after a while. Later CharlesMy problem is not really to decide what I should block on the user's side when I detect P2P trafic. I already use a home made perl script that parses the /var/log/snort/alert file and automatically inserts a rule to disconnect the user. So I can afford to cut the user off the Internet, and even come to his place and check out his computer. The real problem for me is that most of the P2P trafic isn't detected by snort default P2P rules. And I wan wondering if there were an unofficial set of rules that would block most of the P2P trafic (false positives are ok!). SylvainOh sorry, well for exp rules, i know i saw a few about eDonkey/eMule in the sigs mailling list, and i made some for Direct Connect butif you find a site with lots of these rules, i would be really interested in trying them out too. Charles ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: how to block P2P with snort Ravi (Mar 31)
- Re: how to block P2P with snort Sylvain BERTRAND (Apr 01)
- snort tables (mysql) Cesar (May 19)