[Snort-sigs] Re: [Snort-users] Stopping outbound Kazaa [snort-users-admin at lists.sourceforge.net in Pass-Through List] ['snort' in Pass-Through List] ['snort-users' in Pass-Through List]

daniel.clemens daniel_clemens at ...842...
Fri Feb 14 05:46:06 EST 2003


As an admin you could always proxy all your outgoing SSL connections to a
termination point and sniff the traffic on the other side (after you have
proxied the connection).

I think the thing to worry about would be SSH-style tunneling encryption
instead of SSL.

-Dan

On Fri, 14 Feb 2003, Steve Wray wrote:

> Ok, so the next generation of p2p filesharing apps
> will have to use, say, ssl to encrypt (or at least
> scramble) their packets so that network admins
> (or ISPs under orders from the RIAA) can't filter
> the traffic out based on port nor on the content
> of the traffic.
>
>
> > -----Original Message-----
> > From: snort-sigs-admin at lists.sourceforge.net
> > [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Travis S.
> > Sent: Friday, 14 February 2003 12:55 p.m.
> > To: Travis S.; Gustavo Beltrami Rossi
> > Cc: snort-users at lists.sourceforge.net;
> > snort-sigs at lists.sourceforge.net
> > Subject: [Snort-sigs] Re: [Snort-users] Stopping outbound
> > Kazaa [snort-users-admin at lists.sourceforge.net in
> > Pass-Through List] ['snort' in Pass-Through List]
> > ['snort-users' in Pass-Through List]
> >
> >
> > Concerning the comment about monitoring a specific port...
> > the new version of Kazaa (which is what composes the majority
> > of our traffic) will go straight to port 80 if its default
> > port is blocked.
> >
> > On the idea to generate filters based on snort logs... that's
> > a good idea, but the most difficult part is classifying
> > traffic in my opinion - especially if you're dealing with a
> > very large pipe where it's possible that you won't catch 100%
> > of the packets in a given flow.
> >
> > When you get this software into production, I would be
> > interested to know how it works for you.
> >
> > For a while I was looking at using the logs to generate a
> > static route table, routing all traffic to a null interface
> > that dealt with a Kazaa remote computer.  This was too
> > forceful of a rule, however, as it would blacklist all
> > traffic from those computers.  I am in the process of getting
> > a machine up to use flexresp and see if we can kill outbound
> > connections of file transfers from our network - we'll see
> > how well that works.
> >
> > --Travis
> [big snip of quotes & sigs; look it up in the archive if it's important]

-Daniel Uriah Clemens
-------------------------------------------------------------------------------------------------------------
Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200 | 877.806.8928
--------------------------------------------------------------------------------------------------------------




