[Snort-users] block p2p traffic

khaled fawzy khismaeel at ...7693...
Wed Apr 14 01:04:06 EDT 2004


Dear group,

    I use Snort flex response to block P2P protocols. It works fine with the
old versions of Kazaa and iMesh. The rule that catches this traffic is:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET "; depth:4; reference: url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; resp: rst_all; classtype:policy-violation; sid:1383; rev:4;)

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack (kazaa/morpheus) traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent\: KazaaClient"; reference:url,www.kazaa.com; resp:rst_all; classtype:policy-violation; sid:1699; rev:4;)

But this rule cannot see the newer versions of Kazaa (2.6) and iMesh (4.5).
Does anyone have a modified rule to catch P2P traffic, please? Or does anyone
know of any other open source software that I can use to block P2P? Thanks in
advance and goodbye.





