[Snort-users] Snort and Kazaa 2.0
sam at ...5202...
Tue Oct 22 18:04:03 EDT 2002
Based on what we have seen, it no longer uses the 1214 port for its
traffic. (Although, it does use it sometimes.. ) Weird.
Anyway, we have come up with a rule that seems to work very well for the new
Kazaa. YMMV though..
This is for snort 1.8.7 (but should work for 1.9.0).
alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; content: "X-Kazaa"; rev: 1;)
What we have seen, is that even though the new Kazaa doesn't use the
standard 1214, the protocol still utilizes the X-Kazaa tag for its
transfers. While this rule will not alert you as to when someone is
searching for a file, it will alert when someone initiates a transfer
session. (Multiple times quite possibly, depending on the packet).
Throw a resp: rst_snd in there, and you've blocked Kazaa 2.0 (at least in
----- Original Message -----
From: "Vicente" <vi_joel at ...131...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, October 21, 2002 1:57 PM
Subject: [Snort-users] Snort and Kazaa 2.0
> Sorry about the last, empty mesg.
> I want to know if someone could help me to block kazaa
> 2.0 traffic, using snort or iptables. This new version
> seems to use a lot of different port numbers and I
> can't block it.
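Added example, not part of the original message and not Snort code: a Python model of what the rule in the reply matches, run over constructed packets, showing that the match is independent of port, that traffic without the X-Kazaa tag is not flagged even on port 1214, and that one transfer session can alert more than once. The addresses, ports, header name "X-Kazaa-Username" and payloads are constructed sample values.

```python
from collections import Counter

# The rule's content: string. Snort's content match is case-sensitive by default.
CONTENT = b"X-Kazaa"

# Constructed sample packets: (src, sport, dst, dport, TCP payload).
PACKETS = [
    # Transfer request on a non-1214 port, carrying the tag.
    ("10.0.0.5", 3321, "192.0.2.10", 2745,
     b"GET /file HTTP/1.1\r\nHost: 192.0.2.10:2745\r\nX-Kazaa-Username: user1\r\n\r\n"),
    # Response in the same session, also carrying the tag.
    ("192.0.2.10", 2745, "10.0.0.5", 3321,
     b"HTTP/1.1 200 OK\r\nX-Kazaa-Username: user2\r\nContent-Length: 4\r\n\r\nDATA"),
    # Later data packet in the same session, no tag.
    ("10.0.0.5", 3321, "192.0.2.10", 2745, b"\x00\x01binary-chunk"),
    # Traffic on port 1214 without the tag (stands in for search traffic).
    ("10.0.0.7", 4000, "198.51.100.3", 1214, b"\x27\x00\x00\x00opaque search traffic"),
    # Ordinary web request.
    ("10.0.0.8", 5000, "203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a session group together."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def match_packets(packets, content=CONTENT):
    """Indexes of packets the rule alerts on: any port, payload contains content."""
    return [i for i, pkt in enumerate(packets) if content in pkt[4]]

def alerts_per_flow(packets, content=CONTENT):
    """Count alerts per session; one transfer can fire the rule several times."""
    counts = Counter()
    for i in match_packets(packets, content):
        src, sport, dst, dport, _ = packets[i]
        counts[flow_key(src, sport, dst, dport)] += 1
    return counts

if __name__ == "__main__":
    for flow, n in alerts_per_flow(PACKETS).items():
        print(flow, "alerts:", n)
```

Counting alerts per flow rather than per packet is one way to keep the repeated alerts from a single transfer from flooding the alert log.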