Snort mailing list archives

Re: how to block P2P with snort


From: Ravi <ravivsn () roc co in>
Date: Thu, 01 Apr 2004 10:52:00 +0530

Sylvain,
Blocking P2P traffic is a difficult job for snort.
   - Some P2P applications use TCP, and if not, switch to UDP.
   - Even some applications have started using encryption to communicate, and snort can't interpret encrypted packets. But signatures can be written to block the traffic before encryption takes place. Hmm, giving a chance to a lot of false positives. I think anomaly detection can help to block p2p.

There are some open source tools, some working with iptables, to block p2p.
You may want to look into these tools:
   - http://l7-filter.sourceforge.net/
   - http://sourceforge.net/projects/iptables-p2p/
You can also block using squid as a transparent proxy. Configure the ACL and it will work fine if the p2p uses the http protocol.
I have not used them yet, so let me know which is best in action.

Cheers,
-Ravi
ROCSYS Technologies Ltd.,
http://www.rocsys.com

Charles Lacroix wrote:

On Wednesday 31 March 2004 16:05, you wrote:
Charles Lacroix wrote:
On Wednesday 31 March 2004 12:50, Sylvain BERTRAND wrote:
Hi everyone,

I'm new on this ML (first day), and I already use Snort to monitor
stuff. I assume this question has already been asked but I can't find
any good answer: how to block P2P with snort? I'm currently using
rules/p2p.rules but it's not enough (250 broadband users behind my fw...
all of them students who want to leech a lot). What do you suggest?
Sincerely,

Sylvain BERTRAND
Hi there, I am also working on a similar project.

Use swatch to monitor your alert log file, then parse
the alert with some perl script that will generate you
iptables rules to block whatever you want.

On my side, I decided to completely block the user from
accessing web, and at the same time, send an email to
the admin so that he can manually unblock the user later
on after they had a talk with the boss.

But from what I can see, generating more complex iptables rules
could be better. You could block only src_addr going to dest_addr
taken from your alert file. This way it would block current connections
and not affect the rest of the connection. Unfortunately, you will have
to build some sort of mechanism to clean up your iptables rules after
a while.


Later
Charles
My problem is not really to decide what I should block on the user's
side when I detect P2P traffic. I already use a home made perl script
that parses the /var/log/snort/alert file and automatically inserts a
rule to disconnect the user. So I can afford to cut the user off the
Internet, and even come to his place and check out his computer. The
real problem for me is that most of the P2P traffic isn't detected by
snort default P2P rules. And I was wondering if there were an
unofficial set of rules that would block most of the P2P traffic (false
positives are ok!).

Sylvain

Oh sorry, well for exp rules, I know I saw a few about eDonkey/eMule in the sigs mailing list, and I made some for Direct Connect but
if you find a site with lots of these rules, I would be really interested
in trying them out too.


Charles



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

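The alert-parsing and rule-generating script the thread describes (Charles's swatch/perl approach, with the src->dst blocking and the cleanup step he asks for), written out as an added example in Python rather than perl. It is not code from any poster; it assumes Snort's single-line "fast" alert format, uses constructed sample alerts with placeholder SIDs, and only builds the iptables command strings instead of running them.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in Snort's "fast" format; SIDs 90000xx are placeholders.
SAMPLE_ALERTS = [
    "04/01-10:52:01.123456  [**] [1:9000001:1] P2P BitTorrent announce [**] [Priority: 3] {TCP} 10.0.0.15:51413 -> 203.0.113.9:6881",
    "04/01-10:53:30.000000  [**] [1:9000002:1] P2P eDonkey server login [**] [Priority: 3] {TCP} 10.0.0.42:4662 -> 198.51.100.7:4661",
    "04/01-10:55:00.000000  [**] [1:9000003:1] ICMP ping [**] [Priority: 3] {ICMP} 10.0.0.15 -> 10.0.0.1",
]

# timestamp, [gid:sid:rev], message, ..., {PROTO}, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alert(line, year=2004):
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return {"time": when, "msg": m["msg"], "proto": m["proto"].lower(),
            "src": m["src"], "dst": m["dst"]}


def block_rules(lines, prefix="P2P"):
    """Return (alert time, iptables command) for alerts whose message starts with `prefix`.

    Only the offending src->dst pair is dropped (Charles's suggestion), not the whole host,
    and a pair already seen is not inserted twice.
    """
    rules, seen = [], set()
    for line in lines:
        a = parse_alert(line)
        if not a or not a["msg"].startswith(prefix):
            continue
        cmd = f"iptables -I FORWARD -s {a['src']} -d {a['dst']} -p {a['proto']} -j DROP"
        if cmd not in seen:
            seen.add(cmd)
            rules.append((a["time"], cmd))
    return rules


def expired_rules(rules, now, ttl=timedelta(hours=1)):
    """Cleanup step: the matching -D command for every rule older than `ttl`."""
    return [cmd.replace("-I FORWARD", "-D FORWARD", 1) for t, cmd in rules if now - t >= ttl]
```

A swatch-style loop would feed new alert lines to block_rules as they arrive and run expired_rules periodically; the ICMP line in the sample is deliberately ignored because its message does not carry the P2P prefix.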