[Snort-users] how to block P2P with snort
sbertran at ...11537...
Thu Apr 1 03:21:03 EST 2004
http://sourceforge.net/projects/iptables-p2p/ is excellent, no need to
look further... even if l7-filter looks amazing
The P2P match for iptables can detect most of the P2P protos around,
except a few (Soulseek, maybe others...).
This and the classic port-blocking rules should be enough.
PS: I know this was not "snort related", but I thought it may help some of us.
> Blocking P2P traffic is a difficult job for snort.
> - Some P2P applications use TCP; if not, they switch to UDP.
> - Even some applications started using encryption to
> communicate, and snort can't interpret encrypted packets. But signatures
> can be written to block the traffic before encryption takes place.
> Hmm, giving a chance to a lot of false positives.
> I think anomaly detection can help to block p2p.
> There are some open source tools, some working with iptables, to block p2p.
> You may like to look into these tools:
> - http://l7-filter.sourceforge.net/
> - http://sourceforge.net/projects/iptables-p2p/
> You can also block using squid as transparent proxy. Configure the ACL
> and it will work fine if the p2p uses http protocol.
> I have not used them yet, so let me know which is best in action.
> ROCSYS Technologies Ltd.,
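The "P2P match plus classic port-blocking rules" combination discussed above, as an added example written for this archive page; it is not code from the thread, from iptables-p2p, or from l7-filter. The script only generates iptables commands (log then drop, on the FORWARD chain of a gateway) so it can be reviewed before being applied. The port list, the interface name `eth1` and the `P2P-PORT` log prefix are constructed assumptions; the `-m layer7 --l7proto` syntax is l7-filter's, while the option name of the iptables-p2p match is not given in the thread and is therefore left as a placeholder comment rather than guessed.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an iptables ruleset that
# combines port blocking with a protocol match. Nothing is applied; review the
# output and run it on the gateway as root when satisfied.

# Constructed list of default ports used by older P2P clients (assumption;
# check the defaults of the clients actually present on your network).
P2P_TCP_PORTS="4662 6346 6347 6881:6889"
P2P_UDP_PORTS="4672 6346 6881:6889"

# LAN-facing interface of the gateway (assumption, override via environment).
LAN_IF="${LAN_IF:-eth1}"

# Number of multiport slots a space-separated port list consumes.
# multiport allows at most 15 ports per rule and a range a:b counts as two.
port_slots() {
  n=0
  for p in $1; do
    case "$p" in
      *:*) n=$((n + 2)) ;;
      *)   n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Print a LOG rule followed by a DROP rule for one protocol and port list.
# Returns 1 (prints nothing) when the list would not fit a single multiport match.
port_rules() {
  proto="$1"
  ports="$2"
  [ "$(port_slots "$ports")" -le 15 ] || return 1
  list=$(printf '%s' "$ports" | tr ' ' ',')
  printf 'iptables -A FORWARD -i %s -p %s -m multiport --dports %s -j LOG --log-prefix "P2P-PORT "\n' \
    "$LAN_IF" "$proto" "$list"
  printf 'iptables -A FORWARD -i %s -p %s -m multiport --dports %s -j DROP\n' \
    "$LAN_IF" "$proto" "$list"
}

# Protocol-level match for clients that moved off their default ports.
# Uses l7-filter's layer7 match; the iptables-p2p match would be a second
# rule of the same shape, with that module's own option name (not shown here).
proto_rules() {
  for l7 in bittorrent edonkey gnutella; do
    printf 'iptables -A FORWARD -i %s -m layer7 --l7proto %s -j DROP\n' "$LAN_IF" "$l7"
  done
}

# Full ruleset: ports first (cheap), then the pattern match.
p2p_ruleset() {
  port_rules tcp "$P2P_TCP_PORTS" || return 1
  port_rules udp "$P2P_UDP_PORTS" || return 1
  proto_rules
}

p2p_ruleset
```

Ordering matters for cost: the multiport rules are evaluated before the layer7 match, which inspects payload and is far more expensive per packet, and every block is preceded by a LOG rule so the log volume itself shows how much of the traffic the port rules alone already catch.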