[Snort-users] how to block P2P with snort

Sylvain BERTRAND sbertran at ...11537...
Thu Apr 1 03:21:03 EST 2004


http://sourceforge.net/projects/iptables-p2p/ is excellent, no need to 
look further... even if l7-filter looks amazing
The P2P match for iptables can detect most of the P2P protos around, 
except a few (Soulseek, maybe others...).
This and the classic portblocking rules should be enough.

Sylvain

PS: I know this was not "snort related", but I thought it might help some of us


Ravi wrote:

> Sylvain,
> Blocking P2P traffic is a difficult job for snort.
>   - Some P2P applications use TCP, if not, they switch to UDP
>   - Even some applications started using encryption to 
> communicate, and snort can't interpret encrypted packets. But signatures 
> can be written to block the traffic before encryption takes place. 
> Hmm, giving a chance to a lot of false positives.
>   I think anomaly detection can help to block p2p.
>
> There are some open source tools, some working with iptables, to block p2p.
> You may want to look into these tools:
>   - http://l7-filter.sourceforge.net/
>   - http://sourceforge.net/projects/iptables-p2p/
> You can also block using squid as a transparent proxy. Configure the ACL 
> and it will work fine if the p2p uses the http protocol.
> I have not used them yet, so let me know which is best in action.
>
> Cheers,
> -Ravi
> ROCSYS Technologies Ltd.,
> http://www.rocsys.com
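The combination Sylvain recommends above, the ipp2p match from iptables-p2p plus classic port-blocking rules, as an added example that is not part of either post and is not code from the iptables-p2p or l7-filter projects. It assumes a Linux gateway with the `ipp2p` match module installed; the chain name `P2P_BLOCK` and the port list are constructed for illustration (well-known default ports of eDonkey, Kazaa, BitTorrent and Gnutella at the time) and should be adjusted to the local environment. Setting `IPT=echo` prints the rules instead of applying them, which is also how the ruleset can be reviewed before deployment.

```shell
#!/bin/sh
# Added example: block P2P on a Linux gateway with the ipp2p match (from the
# iptables-p2p project) together with classic port-blocking rules. Set IPT=echo
# for a dry run that only prints the iptables commands.
IPT="${IPT:-iptables}"

# Constructed port list: well-known defaults of eDonkey (4661/4662 TCP,
# 4665/4672 UDP), Kazaa (1214 TCP), BitTorrent (6881-6889 TCP) and
# Gnutella (6346/6347). Assumption: adjust to what your clients actually use.
P2P_TCP_PORTS="4661:4662 1214 6881:6889 6346:6347"
P2P_UDP_PORTS="4665 4672 6346:6347"

apply_p2p_rules() {
    # Hypothetical dedicated chain so the P2P rules can be flushed, listed and
    # counted independently of the rest of the FORWARD policy.
    $IPT -N P2P_BLOCK 2>/dev/null || $IPT -F P2P_BLOCK

    # Content-based match first: --ipp2p selects every protocol the module
    # knows. Log (rate limited) before dropping so blocked hosts show up in
    # syslog for follow-up, then drop.
    $IPT -A P2P_BLOCK -m ipp2p --ipp2p -m limit --limit 5/min \
        -j LOG --log-prefix "P2P-ipp2p: "
    $IPT -A P2P_BLOCK -m ipp2p --ipp2p -j DROP

    # Classic port blocking catches clients on default ports, including the
    # protocols ipp2p does not recognise (e.g. Soulseek, per the post above,
    # if you add its ports to the lists).
    for p in $P2P_TCP_PORTS; do
        $IPT -A P2P_BLOCK -p tcp --dport "$p" -j DROP
    done
    for p in $P2P_UDP_PORTS; do
        $IPT -A P2P_BLOCK -p udp --dport "$p" -j DROP
    done

    # Hook the chain into forwarded traffic (the gateway's transit path).
    $IPT -A FORWARD -j P2P_BLOCK
}

# Apply only when explicitly asked, so sourcing the file for review is safe.
if [ "${1:-}" = "apply" ]; then
    apply_p2p_rules
fi
```

Usage: `IPT=echo sh p2p_block.sh apply` to review the generated rules, `sh p2p_block.sh apply` as root to install them. Port-based rules on their own are easy for a client to sidestep by changing its listening port, which is why the content match comes first and the LOG rule exists: the counters and log lines tell you whether the blocking is actually catching anything.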
