[Snort-sigs] Re: [Snort-users] Stopping outbound Kazaa

Erek Adams erek at ...95...
Thu Feb 13 17:55:06 EST 2003

On Thu, 13 Feb 2003, Travis S. wrote:

> Concerning the comment about monitoring a specific port... the new
> version of Kazaa (which is what composes the majority of our traffic)
> will go straight to port 80 if its default port is blocked.

Yep...  Just like the AOL IM Client.  God, that thing is evil.  Just fire
it up in a testlab off of the net and sniff the traffic.  It uses damned
near every "well known" port to get out.  :-(

> For a while I was looking at using the logs to generate a static route
> table, routing all traffic to a null interface that dealt with a Kazaa
> remote computer.  This was too forceful of a rule, however, as it would
> blacklist all traffic from those computers.  I am in the process of
> getting a machine up to use flexresp and see if we can kill outbound
> connections of file transfers from our network - we'll see how well that
> works.

Honestly, I think you were on the right track with the null route.  If you
did something like "ip route <kaza_server_IP> <netmask> null0" that would
stop anyone from connecting to it...

If that's not usable, then consider using something like SnortSam to add
an outbound ACL to your router.

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
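Worked example added after the message (not code from the list or from either poster): a small parser for Snort "fast" alert lines that does what Travis describes, pulling the remote hosts that internal clients reached on Kazaa-flagged alerts out of the log and emitting the `ip route <host> <netmask> null0` lines Erek suggests. The alert lines, the local SID numbers and the addresses are constructed for this example; the internal prefix (`10.0.0.0/8`) is an assumption. The output is grouped per remote host with the internal clients that hit it, so an operator can review the list before applying it, since a null route drops all traffic to that host, not only the file-transfer traffic.

```python
import ipaddress
import re

# Constructed sample of Snort fast-alert lines (made up for this example; the
# LOCAL rule names, SIDs and addresses are not from any real ruleset).
SAMPLE_ALERTS = """\
02/13-17:40:01.000123  [**] [1:1000001:1] LOCAL P2P Kazaa client login [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.2.3:3321 -> 203.0.113.10:1214
02/13-17:40:02.000456  [**] [1:1000002:1] LOCAL P2P Kazaa traffic on port 80 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.2.3:3322 -> 203.0.113.10:80
02/13-17:40:05.000789  [**] [1:1000002:1] LOCAL P2P Kazaa traffic on port 80 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.2.7:1050 -> 198.51.100.25:80
02/13-17:41:00.000000  [**] [1:2000001:1] LOCAL WEB-MISC something else [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.9:2000 -> 198.51.100.80:80
02/13-17:41:03.000000  [**] [1:1000002:1] LOCAL P2P Kazaa traffic on port 80 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.2.3:3330 -> 10.1.5.5:80
"""

# One Snort fast-alert line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {proto}, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Parse one fast-alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def kazaa_destinations(lines, internal_nets, msg_pattern="Kazaa"):
    """Map each external host contacted on a Kazaa-flagged alert to the
    sorted list of internal clients that reached it.

    Only outbound alerts count: the source must be inside internal_nets and
    the destination outside them, so internal-to-internal hits are ignored.
    """
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    hits = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None or msg_pattern not in alert["msg"]:
            continue
        src = ipaddress.ip_address(alert["src"])
        dst = ipaddress.ip_address(alert["dst"])
        if any(src in n for n in internal) and not any(dst in n for n in internal):
            hits.setdefault(dst, set()).add(str(src))
    # Return plain strings, ordered by address, so the output is stable.
    return {str(h): sorted(hits[h]) for h in sorted(hits)}


def null_route_commands(hits, netmask="255.255.255.255"):
    """Emit one host (/32) null route per remote host, in the router syntax
    quoted in the thread. Every packet to that host is dropped, not only the
    Kazaa sessions, which is the "too forceful" trade-off Travis mentions."""
    return [f"ip route {host} {netmask} null0" for host in hits]


if __name__ == "__main__":
    found = kazaa_destinations(SAMPLE_ALERTS.splitlines(), ["10.0.0.0/8"])
    for host, clients in found.items():
        print(f"{host}: contacted by {', '.join(clients)}")
    print()
    print("\n".join(null_route_commands(found)))
```

Run it as-is to see the review list followed by the route lines; to use it against a real sensor, feed it the lines of Snort's alert file and your own internal prefixes instead of the constructed sample. Filtering on the rule message is deliberately loose so it also catches the port-80 variants Travis describes, as long as the local rules keep "Kazaa" in their message text.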

