[Snort-users] Snort and Kazaa 2.0

Sam Evans sam at ...5202...
Tue Oct 22 18:04:03 EDT 2002


Based on what we have seen, it no longer uses the 1214 port for it's
traffic.  (Although, it does use it sometimes.. )  Wierd.

Anyway, we have come up with a rule that seems to work very well for the new
Kazaa.   YMMV though..

This is for snort 1.8.7 (but should work for 1.9.0).

alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; content:
"X-Kazaa"; rev: 1;)

What we have seen, is that even though the new Kazaa doesn't use the
standard 1214, the protocol still utilizes the X-Kazaa tag for it's
transfers.  While this rule will not alert you as to when someone is
searching for a file, it will alert when someone initiates a transfer
session.  (Multiple times quite possibly, depending on the packet).

Through a resp: rst_snd in there, and you've blocked Kazaa 2.0 (at least in
our experience).

-Sam

----- Original Message -----
From: "Vicente" <vi_joel at ...131...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, October 21, 2002 1:57 PM
Subject: [Snort-users] Snort and Kazaa 2.0


> Hi,
>
> Sorry about the last, empty mesg.
> I want to know if someone could help me to block kazaa
> 2.0 traffic, using snort or iptables. This new version
> seems to use a lot os different port numbers and I
> can't block it.
>
> Thank's
>
> --
> Vicente
>
> _______________________________________________________________________
> Yahoo! GeoCities
> Tudo para criar o seu site: ferramentas fáceis de usar, espaço de sobra e
acessórios.
> http://br.geocities.yahoo.com/
>
>
> -------------------------------------------------------
> This sf.net emial is sponsored by: Influence the future
> of Java(TM) technology. Join the Java Community
> Process(SM) (JCP(SM)) program now.
>
http://ad.doubleclick.net/clk;4699841;7576301;v?http://www.sun.com/javavote
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>






More information about the Snort-users mailing list