[Snort-users] Is anyone using 'react' to block the use of Gnu tella?

Vieth, Scott svieth at ...6966...
Wed Sep 25 08:25:06 EDT 2002


Thanks for the tip.  I'll look inside the packets before I go any further to
make sure it's really P2P traffic.  However, one of the Snort signatures
that is firing is looking for "GNUTELLA CONNECT" in the traffic.  That's a
pretty clear sign that someone is running a P2P application....

Thanks,

-Scott :^)

-----Original Message-----
From: Frederick Garbrecht [mailto:fgarbrecht at ...4638...]
Sent: Tuesday, September 24, 2002 6:58 PM
To: Vieth, Scott; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Is anyone using 'react' to block the use of
Gnutella?


Hi Scott
Perhaps this doesn't apply, but have you checked the actual packet content
to be sure that the triggering traffic is really Gnutella?  I was seeing
alot of these alerts also, but upon looking at the packets it turned out
that one of our users was connecting to some web-based external mail server
which was triggering alerts.
Fred
----- Original Message -----
From: "Vieth, Scott" <svieth at ...6966...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, September 23, 2002 3:38 PM
Subject: [Snort-users] Is anyone using 'react' to block the use of Gnutella?


> Hi:
>
> Snort is telling me that we have folks using Gnutella to send/receive
files
> from other Gnutella users on the Internet.  I've blocked all the 'easy'
TCP
> ports on the firewall to stop P2P file sharing.  But the P2P protocols are
> still getting through. I think they are getting more "firewall-smart".
>
> Since Snort can 'see' the folks who are running Gnutella, could I use
> 'react' to block/disrupt/close those connections?
>
> Just wondering....
>
> Thanks,
>
> -Scott Vieth
> Medical College of Wisconsin
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list