[Snort-sigs] RE: [Snort-users] Stopping outbound Kazaa

Bob McDowell bmcdowell at ...1304...
Sat Feb 15 05:55:13 EST 2003


Really, you HAVE to do this anyway.  Consider what happens if you miss one
of the flavors of P2P and an employee exposes the company to risk.  Is it
the employee's fault because there's a policy against it?  Or is it your
fault because the 'firewall' didn't stop them?



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of twig les
Sent: Thursday, February 13, 2003 8:34 PM
To: Erek Adams; Travis S.
Cc: Gustavo Beltrami Rossi; snort-users at lists.sourceforge.net;
snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-users] Stopping outbound Kazaa


In the meanwhile, while we get the technical solution working,
try simply putting out a hardcopy memo to everyone threatening
dire consequences to anyone using Kazaa in the work network (the
multitude of threats justify this, I believe) and reminding them
that you, as net/sysadmin, know everything that happens on your
net.  In other words, lie to them and let their ignorance scare
them into doing what you want, like those marijuana = terrorism
commercials.


--- Erek Adams <erek at ...95...> wrote:
> On Thu, 13 Feb 2003, Travis S. wrote:
>
> > Concerning the comment about monitoring a specific port... the new
> > version of Kazaa (which is what composes the majority of our traffic)
> > will go straight to port 80 if its default port is blocked.
>
> Yep...  Just like the AOL IM Client.  God, that thing is evil.  Just fire
> it up in a testlab off of the net and sniff the traffic.  It uses damned
> near every "well known" port to get out.  :-(
>
> > For a while I was looking at using the logs to generate a static route
> > table, routing all traffic to a null interface that dealt with a Kazaa
> > remote computer.  This was too forceful of a rule, however, as it would
> > blacklist all traffic from those computers.  I am in the process of
> > getting a machine up to use flexresp and see if we can kill outbound
> > connections of file transfers from our network - we'll see how well that
> > works.
>
> Honestly, I think you were on the right track with the null route.  If you
> did something like "ip route <kaza_server_IP> <netmask> null0" that would
> stop anyone from connecting to it...
>
> If that's not useable, then consider using something like SnortSam to add
> an outbound ACL to your router.
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------



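An added example, not code from any poster in this thread: one way to turn Snort alert logs into the null-route lines discussed above while limiting the "too forceful" blacklisting that was raised. The sample alerts, the sid 1000001, the 10.1.0.0/16 internal range, the host (/32) netmask, and the `allowlist` and `min_hosts` guardrails are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Snort "fast" alert format; sids and messages are made up.
SAMPLE_ALERTS = """\
02/13-20:31:02.114201  [**] [1:1000001:1] LOCAL P2P Kazaa outbound (constructed) [**] [Priority: 1] {TCP} 10.1.4.22:3391 -> 198.51.100.7:1214
02/13-20:31:09.530118  [**] [1:1000001:1] LOCAL P2P Kazaa outbound (constructed) [**] [Priority: 1] {TCP} 10.1.4.57:4120 -> 198.51.100.7:80
02/13-20:32:40.900312  [**] [1:1000001:1] LOCAL P2P Kazaa outbound (constructed) [**] [Priority: 1] {TCP} 10.1.9.3:2044 -> 203.0.113.80:80
02/13-20:33:15.004977  [**] [1:1000001:1] LOCAL P2P Kazaa outbound (constructed) [**] [Priority: 1] {TCP} 10.1.4.22:3395 -> 192.0.2.10:80
02/13-20:33:18.220045  [**] [1:1000001:1] LOCAL P2P Kazaa outbound (constructed) [**] [Priority: 1] {TCP} 10.1.7.8:1999 -> 192.0.2.10:80
02/13-20:34:01.771230  [**] [1:1000002:1] LOCAL unrelated alert (constructed) [**] [Priority: 3] {TCP} 10.1.4.22:3400 -> 203.0.113.80:25
"""

# Pull the sid and both endpoints out of one fast-alert line (TCP only).
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] .*? \[\*\*\].*?"
    r"\{TCP\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

def null_route_candidates(log_text, sid, internal_net, allowlist=(), min_hosts=2):
    """Return remote peers hit by the given sid from >= min_hosts internal hosts.

    allowlist holds addresses that must never be null-routed (for example a
    business web server that a port-80 P2P signature also matched).
    """
    internal = ipaddress.ip_network(internal_net)
    keep = {ipaddress.ip_address(a) for a in allowlist}
    seen = defaultdict(set)  # remote peer -> internal hosts that reached it
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m.group("sid") != str(sid):
            continue
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        # Only outbound flows: internal source, external non-allowlisted peer.
        if src in internal and dst not in internal and dst not in keep:
            seen[dst].add(src)
    return sorted(d for d, hosts in seen.items() if len(hosts) >= min_hosts)

def route_lines(peers):
    # Host routes in the form quoted in the thread, one per remote peer.
    return [f"ip route {p} 255.255.255.255 null0" for p in peers]

if __name__ == "__main__":
    peers = null_route_candidates(SAMPLE_ALERTS, 1000001, "10.1.0.0/16",
                                  allowlist=["192.0.2.10"])
    print("\n".join(route_lines(peers)))
```

Review the generated lines before applying them: a null route drops all traffic to that address, not only the P2P sessions.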