[Snort-sigs] Re: [Snort-users] Stopping outbound Kazaa

Gustavo Beltrami Rossi rossi at ...1271...
Mon Feb 10 05:53:06 EST 2003

| On Thu, Feb 06, 2003 at 12:40:35PM -0500, Travis S. wrote:
| > On a large 1 gbps full-duplex internet pipe, I want to prevent
| outside users from downloading files on Kazaa, gnutella, etc from our
| network.  On the other hand, I don't want to stop our users from
| downloading these files from the outside.
| > 
| > Basically the idea is to manage the uncontrolled outbound stream so
| we have spare - right now it's pegged 100% usage.
| > 
| > Has anybody figured out clever ways to accomplish this using snort
| or any other package?  Obviously I would prefer a free solution, so
| it would be great if Snort could do this.

I'm working on a project to limit the bandwidth of p2p applications
using Snort sigs and altq (OpenBSD). The idea is to monitor Snort's
alerts from p2p traffic sigs and then generate altq filters on the fly.

I'm now finishing the development of that interconnection software
(snort->altq), and then I'll start collecting sigs for p2p software. In
that phase, does anybody know if it is possible to catch a sig across
multiple packets on the same stream? If it is, please let me know how.

Something like this:

host1 -> host2 : GET /GET/ (pkt 1)
host2 -> host1 : SERVER OK (pkt 2)

I'm using Snort 1.9 with stream4 enabled.

Thanks in advance,
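
The snort->altq idea and the two-packet exchange above, as an added example that is not part of the original post or the poster's software: it reads Snort fast-format alert lines and emits a shaping rule only after a request alert and a reply alert are seen on the same stream in opposite directions. The SIDs, the queue name `p2p`, the pf-style rule text and the sample alert lines are all assumptions constructed for illustration.

```python
import re

# Snort "fast" alert line: ... [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Hypothetical local SIDs: one sig for the request (pkt 1), one for the reply (pkt 2).
SID_REQUEST, SID_REPLY = 1000001, 1000002

# Constructed sample alerts (not real traffic).
SAMPLE = [
    "02/10-05:53:06.100000  [**] [1:1000001:1] P2P request [**] [Priority: 2] {TCP} 198.51.100.9:3456 -> 10.0.0.5:1214",
    "02/10-05:53:06.200000  [**] [1:1000002:1] P2P reply [**] [Priority: 2] {TCP} 10.0.0.5:1214 -> 198.51.100.9:3456",
    "02/10-05:53:07.000000  [**] [1:1000002:1] P2P reply [**] [Priority: 2] {TCP} 10.0.0.6:1214 -> 198.51.100.20:4000",
    "02/10-05:53:08.000000  [**] [1:1000001:1] P2P request [**] [Priority: 2] {TCP} 203.0.113.4:5000 -> 10.0.0.7:1214",
]

def parse_alert(line):
    """Return (sid, proto, (src_ip, src_port), (dst_ip, dst_port)) or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return (int(m["sid"]), m["proto"].lower(),
            (m["src"], int(m["sport"])), (m["dst"], int(m["dport"])))

def shaping_rules(lines, queue="p2p"):
    """Emit one rule per stream on which both halves of the exchange fired."""
    pending = set()   # (proto, requester, responder) with the request seen so far
    rules = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue                      # not an alert line, skip it
        sid, proto, src, dst = parsed
        if sid == SID_REQUEST:
            pending.add((proto, src, dst))
        elif sid == SID_REPLY and (proto, dst, src) in pending:
            pending.discard((proto, dst, src))
            # The reply flows responder -> requester; that direction gets queued.
            rule = (f"pass out quick proto {proto} from {src[0]} port {src[1]} "
                    f"to {dst[0]} port {dst[1]} queue {queue}")
            if rule not in rules:
                rules.append(rule)
    return rules

if __name__ == "__main__":
    print("\n".join(shaping_rules(SAMPLE)))
```

A reply alert with no matching request, and a request with no reply, produce no rule, so a single-packet false positive does not throttle a stream.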

