[Snort-sigs] Re: [Snort-users] Stopping outbound Kazaa

twig les twigles at ...144...
Fri Feb 14 05:46:02 EST 2003


In the meantime, while we get the technical solution working,
try simply putting out a hardcopy memo to everyone threatening
dire consequences to anyone using Kazaa on the work network (the
multitude of threats justifies this, I believe) and reminding them
that you, as net/sysadmin, know everything that happens on your
net.  In other words, lie to them and let their ignorance scare
them into doing what you want, like those marijuana = terrorism
commercials.


--- Erek Adams <erek at ...95...> wrote:
> On Thu, 13 Feb 2003, Travis S. wrote:
> 
> > Concerning the comment about monitoring a specific port... the new
> > version of Kazaa (which is what composes the majority of our traffic)
> > will go straight to port 80 if its default port is blocked.
> 
> Yep...  Just like the AOL IM Client.  God, that thing is evil.  Just fire
> it up in a testlab off of the net and sniff the traffic.  It uses damned
> near every "well known" port to get out.  :-(
> 
> > For a while I was looking at using the logs to generate a static route
> > table, routing all traffic to a null interface that dealt with a Kazaa
> > remote computer.  This was too forceful of a rule, however, as it would
> > blacklist all traffic from those computers.  I am in the process of
> > getting a machine up to use flexresp and see if we can kill outbound
> > connections of file transfers from our network - we'll see how well that
> > works.
> 
> Honestly, I think you were on the right track with the null route.  If you
> did something like "ip route <kaza_server_IP> <netmask> null0" that would
> stop anyone from connecting to it...
> 
> If that's not useable, then consider using something like SnortSam to add
> an outbound ACL to your router.
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------
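
Added example, not part of the original messages or of Snort itself: a sketch of the log-driven null-route idea from the quoted text, narrowed so that a /32 route is emitted only for a remote address that several internal hosts alerted on, and never for an allowlisted network. The fast-alert sample lines, rule message, addresses, internal range and the function name null_routes are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Snort "fast" alert format (not from the thread).
SAMPLE_ALERTS = """\
02/13-14:02:11.120001  [**] [1:1000001:1] LOCAL P2P Kazaa outbound [**] [Priority: 1] {TCP} 10.1.4.20:3312 -> 198.51.100.7:1214
02/13-14:02:15.431200  [**] [1:1000001:1] LOCAL P2P Kazaa outbound [**] [Priority: 1] {TCP} 10.1.4.33:4410 -> 198.51.100.7:80
02/13-14:03:02.000113  [**] [1:1000001:1] LOCAL P2P Kazaa outbound [**] [Priority: 1] {TCP} 10.1.4.20:3320 -> 203.0.113.50:80
02/13-14:03:40.771000  [**] [1:1000001:1] LOCAL P2P Kazaa outbound [**] [Priority: 1] {TCP} 10.1.4.41:2201 -> 192.0.2.10:1214
02/13-14:03:44.100900  [**] [1:1000001:1] LOCAL P2P Kazaa outbound [**] [Priority: 1] {TCP} 10.1.4.20:3330 -> 192.0.2.10:1214
02/13-14:04:00.500000  [**] [1:1000002:1] LOCAL WEB other rule [**] [Priority: 3] {TCP} 10.1.4.20:3340 -> 198.51.100.99:80
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{TCP\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")


def null_routes(log_text, internal="10.0.0.0/8", keyword="Kazaa",
                min_hosts=2, allowlist=()):
    """Return 'ip route <ip> 255.255.255.255 null0' lines for remote peers.

    A peer is listed only if at least min_hosts distinct internal hosts
    triggered a matching alert towards it and it is not in the allowlist.
    """
    internal_net = ipaddress.ip_network(internal)
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    seen = defaultdict(set)  # remote IP -> internal hosts that contacted it
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or keyword not in m["msg"]:
            continue  # unparseable line or an unrelated rule
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in internal_net and dst not in internal_net:
            seen[dst].add(src)
    routes = []
    for remote in sorted(seen):
        if len(seen[remote]) < min_hosts:
            continue  # a single alert is too weak to blackhole a host
        if any(remote in net for net in allowed):
            continue  # never blackhole addresses the site depends on
        routes.append(f"ip route {remote} 255.255.255.255 null0")
    return routes


if __name__ == "__main__":
    print("\n".join(null_routes(SAMPLE_ALERTS, allowlist=["192.0.2.0/24"])))
```

The output is meant for review before it goes anywhere near a router; a host route still drops all traffic to that address, which is the drawback raised in the quoted message.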
