[Snort-sigs] Re: [Snort-users] Stopping outbound Kazaa [snort-users-admin at lists.sourceforge.net in Pass-Through List] ['snort' in Pass-Through List] ['snort-users' in Pass-Through List]
steve.wray at ...1294...
Thu Feb 13 16:36:02 EST 2003
Ok, so the next generation of p2p filesharing apps
will have to use, say, ssl to encrypt (or at least
scramble) their packets so that network admins
(or ISPs under orders from the RIAA) can't filter
the traffic out based on port nor on the content
of the traffic.
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Travis S.
> Sent: Friday, 14 February 2003 12:55 p.m.
> To: Travis S.; Gustavo Beltrami Rossi
> Cc: snort-users at lists.sourceforge.net;
> snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Re: [Snort-users] Stopping outbound
> Kazaa [snort-users-admin at lists.sourceforge.net in
> Pass-Through List] ['snort' in Pass-Through List]
> ['snort-users' in Pass-Through List]
> Concerning the comment about monitoring a specific port...
> the new version of Kazaa (which is what composes the majority
> of our traffic) will go straight to port 80 if its default
> port is blocked.
> On the idea to generate filters based on snort logs... that's
> a good idea, but the most difficult part is classifying
> traffic in my opinion - especially if you're dealing with a
> very large pipe where it's possible that you won't catch 100%
> of the packets in a given flow.
> When you get this software into production, I would be
> interested to know how it works for you.
> For a while I was looking at using the logs to generate a
> static route table, routing all traffic to a null interface
> that dealt with a Kazaa remote computer. This was too
> forceful of a rule, however, as it would blacklist all
> traffic from those computers. I am in the process of getting
> a machine up to use flexresp and see if we can kill outbound
> connections of file transfers from our network - we'll see
> how well that works.
[big snip of quotes & sigs; look it up in the archive if it's important]
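
Added example, not part of the original thread or of Snort itself: a sketch of the "generate filters from Snort logs" idea quoted above, contrasting a host-wide null-route list with narrower per-(remote IP, port) entries. It assumes Snort's "fast" alert log format; the SID, alert text, addresses and the 10. internal prefix are constructed for illustration.

```python
import re
from collections import defaultdict

KAZAA_SID = "1000001"  # constructed local SID, not a real rule id

# Constructed sample alerts in Snort "fast" format (all values made up).
SAMPLE_ALERTS = """\
02/13-16:30:01.100000  [**] [1:1000001:1] P2P Kazaa traffic [**] [Priority: 1] {TCP} 10.0.0.5:3011 -> 203.0.113.7:1214
02/13-16:30:02.200000  [**] [1:1000001:1] P2P Kazaa traffic [**] [Priority: 1] {TCP} 10.0.0.9:3050 -> 203.0.113.7:80
02/13-16:30:03.300000  [**] [1:1000002:1] ICMP test alert [**] [Priority: 2] {ICMP} 198.51.100.4 -> 10.0.0.5
02/13-16:30:04.400000  [**] [1:1000001:1] P2P Kazaa traffic [**] [Priority: 1] {TCP} 198.51.100.20:1214 -> 10.0.0.5:3012
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] .*? \[\*\*\].*"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def kazaa_flows(log_text, sid=KAZAA_SID, internal_prefix="10."):
    """Map (remote_ip, remote_port) -> set of internal hosts seen talking to it."""
    flows = defaultdict(set)
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m["sid"] != sid:
            continue  # other rules, or alerts without ports (e.g. ICMP)
        # The remote end is whichever side is not on the internal prefix.
        if m["src"].startswith(internal_prefix):
            remote, local = (m["dst"], int(m["dport"])), m["src"]
        else:
            remote, local = (m["src"], int(m["sport"])), m["dst"]
        flows[remote].add(local)
    return flows

def host_blackhole(flows):
    """Host-wide list: every remote IP, regardless of port (the 'too forceful' option)."""
    return sorted({ip for ip, _port in flows})

def per_flow_filters(flows):
    """Narrower list: one entry per remote IP and port actually seen in an alert."""
    return sorted(flows)

if __name__ == "__main__":
    flows = kazaa_flows(SAMPLE_ALERTS)
    print("null-route hosts:", host_blackhole(flows))
    print("per-flow entries:", per_flow_filters(flows))
```

The port-80 entry shows the classification problem from the thread: even a per-port filter on that remote host would also catch ordinary web traffic to it.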