[Snort-sigs] Re: [Snort-users] Stopping outbound Kazaa

Erek Adams erek at ...95...
Thu Feb 13 17:55:06 EST 2003


On Thu, 13 Feb 2003, Travis S. wrote:

> Concerning the comment about monitoring a specific port... the new
> version of Kazaa (which is what composes the majority of our traffic)
> will go straight to port 80 if its default port is blocked.

Yep...  Just like the AOL IM Client.  God, that thing is evil.  Just fire
it up in a testlab off of the net and sniff the traffic.  It uses damned
near every "well known" port to get out.  :-(

> For a while I was looking at using the logs to generate a static route
> table, routing all traffic to a null interface that dealt with a Kazaa
> remote computer.  This was too forceful of a rule, however, as it would
> blacklist all traffic from those computers.  I am in the process of
> getting a machine up to use flexresp and see if we can kill outbound
> connections of file transfers from our network - we'll see how well that
> works.

Honestly, I think you were on the right track with the null route.  If you
did something like "ip route <kaza_server_IP> <netmask> null0" that would
stop anyone from connecting to it...

If that's not useable, then consider using something like SnortSam to add
an outbound ACL to your router.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




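Added example (not part of the original message, and not Snort or SnortSam code): one way to turn alert logs into the host null routes discussed in the thread, with guards against the over-blocking Travis describes. The alert lines, the SIDs, the 10.0.0.0/8 internal range and the `min_hits` threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed alerts in Snort "fast" layout. The SIDs, message text and
# addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_ALERTS = """\
02/13-17:40:01.100000  [**] [1:1000001:1] LOCAL P2P Kazaa outbound (constructed) [**] [Priority: 1] {TCP} 10.1.4.20:3312 -> 198.51.100.7:1214
02/13-17:40:09.200000  [**] [1:1000001:1] LOCAL P2P Kazaa outbound (constructed) [**] [Priority: 1] {TCP} 10.1.4.21:3400 -> 198.51.100.7:80
02/13-17:41:15.300000  [**] [1:1000001:1] LOCAL P2P Kazaa outbound (constructed) [**] [Priority: 1] {TCP} 10.1.9.5:4021 -> 203.0.113.44:1214
02/13-17:42:30.400000  [**] [1:1000001:1] LOCAL P2P Kazaa outbound (constructed) [**] [Priority: 1] {TCP} 10.1.4.20:3390 -> 10.1.0.53:80
02/13-17:43:02.500000  [**] [1:1000002:1] LOCAL unrelated rule (constructed) [**] [Priority: 3] {TCP} 10.1.4.20:3391 -> 192.0.2.10:80
"""

KAZAA_SID = 1000001  # assumed local rule SID
# Assumed internal address space: never null-route anything inside it.
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

ALERT_RE = re.compile(
    r"\[\d+:(\d+):\d+\].*\{TCP\} [\d.]+:\d+ -> ([\d.]+):\d+\s*$")


def null_routes(alert_text, sid=KAZAA_SID, min_hits=2):
    """Return IOS-style host null routes for external alert destinations."""
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m.group(1)) != sid:
            continue  # unparsable line or a different rule
        dst = ipaddress.ip_address(m.group(2))
        if any(dst in net for net in PROTECTED_NETS):
            continue  # a bad log entry must not black-hole our own hosts
        hits[dst] += 1
    # /32 host routes only, and only for peers seen at least min_hits times.
    # Each route drops ALL traffic to that address, not just Kazaa, which
    # also covers the port 80 fallback connection in the sample.
    return [f"ip route {ip} 255.255.255.255 Null0"
            for ip in sorted(hits) if hits[ip] >= min_hits]


if __name__ == "__main__":
    for cmd in null_routes(SAMPLE_ALERTS):
        print(cmd)
```

Review the generated routes before applying them, and age them out on a schedule so a reassigned address is not blocked indefinitely.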