[Snort-users] P2P Rules and Sending TCP Resets.

Chas Tomlin cet at ...11331...
Fri Feb 27 06:40:09 EST 2004


Hi,

We are doing exactly that at the University of Southampton.

When you build Snort, enable flexresp using:

configure --enable-flexresp

You can use a rule like the one below to block those P2P sessions:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack
(kazaa/morpheus) traffic"; flow:to_server,established; content:"GET";
depth:3; content:"User-Agent\: KazaaClient"; reference:url,www.kazaa.com;
classtype:policy-violation; sid:1699; rev:4; react: block;)

Note the 'react: block'.

Hope this helps


Chas Tomlin
Systems Administrator/Programmer
University of Southampton
Electronics and Computer Science
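To see what a rule like the one above will actually do once flexresp is compiled in, it helps to pull the rule apart option by option. The script below is an added example written for this thread; it is not Chas's code and not part of Snort. It parses a Snort 2.x rule header and option list, reports which active-response keyword (react, or the TCP-reset keyword resp) the rule carries and what its modifiers mean, and warns when a response rule lacks flow:established, since a reset fired on an unsolicited packet is easy to trigger from outside. The Kazaa rule is the one from the post; the Gnutella rule, its sid and its "GNUTELLA CONNECT" content are constructed for the example.

```python
"""Parse Snort 2.x rules and summarise their flexresp (resp/react) options.
Added example for the Snort-users thread; not the poster's code, not Snort's."""
import re
from dataclasses import dataclass, field

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S,
)

# Modifiers of the two flexresp keywords, per the Snort 2.x manual.
RESP_MODIFIERS = {
    "rst_snd": "TCP RST to the sending host",
    "rst_rcv": "TCP RST to the receiving host",
    "rst_all": "TCP RST to both hosts",
    "icmp_net": "ICMP network unreachable to sender",
    "icmp_host": "ICMP host unreachable to sender",
    "icmp_port": "ICMP port unreachable to sender",
    "icmp_all": "all three ICMP unreachables to sender",
}
REACT_MODIFIERS = {
    "block": "close the connection and send the HTML notice",
    "warn": "send the HTML notice only",
    "msg": "include the rule msg in the notice",
}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # ordered (key, value) pairs

    def get(self, key):
        """First value for an option key; '' for bare keys, None if absent."""
        for k, v in self.options:
            if k == key:
                return v
        return None

    def get_all(self, key):
        """All values for a repeatable key such as content."""
        return [v for k, v in self.options if k == key]


def split_options(opts):
    """Split the option body on ';' that is neither quoted nor backslash-escaped."""
    items, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            items.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        items.append(tail)
    return [i for i in items if i]


def parse_rule(text):
    """Parse one rule; mail-client line breaks are folded to single spaces."""
    flat = ' '.join(text.split())
    m = HEADER_RE.match(flat)
    if not m:
        raise ValueError("not a Snort rule header: %r" % flat[:40])
    rule = Rule(**{k: v for k, v in m.groupdict().items() if k != 'opts'})
    for item in split_options(m.group('opts')):
        key, sep, value = item.partition(':')   # first ':' separates key/value
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                   # drop quotes around msg/content
        rule.options.append((key.strip(), value if sep else ''))
    return rule


def active_response(rule):
    """(keyword, [modifier descriptions]) for a resp/react rule, else None."""
    for key, table in (("resp", RESP_MODIFIERS), ("react", REACT_MODIFIERS)):
        value = rule.get(key)
        if value is not None:
            mods = [m.strip() for m in value.split(',') if m.strip()]
            return key, [table.get(m, "unknown modifier %s" % m) for m in mods]
    return None


def lint(rule):
    """Warnings for active-response rules that are easy to get wrong."""
    warnings = []
    resp = active_response(rule)
    if resp is None:
        return warnings
    if rule.get('sid') is None:
        warnings.append("no sid: alerts cannot be tracked")
    if 'established' not in (rule.get('flow') or ''):
        warnings.append("%s without flow:established: may respond to "
                        "unsolicited or spoofed packets" % resp[0])
    return warnings


# The rule from the post (react: block closes the HTTP session).
KAZAA_RULE = '''alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack
(kazaa/morpheus) traffic"; flow:to_server,established; content:"GET";
depth:3; content:"User-Agent\\: KazaaClient"; reference:url,www.kazaa.com;
classtype:policy-violation; sid:1699; rev:4; react: block;)'''

# Constructed variant using resp to send TCP resets to both ends (sid is a placeholder).
RESET_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Gnutella handshake '
              '(constructed)"; flow:to_server,established; content:"GNUTELLA CONNECT"; '
              'depth:16; sid:1000001; rev:1; resp:rst_all;)')

if __name__ == "__main__":
    for text in (KAZAA_RULE, RESET_RULE):
        r = parse_rule(text)
        print(r.get('sid'), r.get('msg'), active_response(r), lint(r))
```

The parser folds the line breaks that a mail client inserts, so the rule can be pasted as quoted above; the same folding also collapses runs of spaces inside content strings, so paste rules one per block rather than relying on it for byte-exact content.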

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rob Ward
Sent: 27 February 2004 11:12
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] P2P Rules and Sending TCP Resets.

Hi, We're receiving a lot of complaints regarding copyright infringements
from users within our Network using P2P software. Dealing with the
complaints about P2P use is almost a full time job in itself at the
moment.

We've successfully managed to block some applications using Cisco NBAR but
the more clued up students are configuring their P2P clients to use high
port numbers which is giving us problems with Gnutella, Fasttrack and Bit
Torrent in particular. We have managed to identify these users with Snort
running on NetBSD. I've read about TCP resets in the archives but can't
find any examples of how to implement this, can anyone help please?

Regards

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

Tel: 0151 794 4449
Fax: 0151 794 4442
Mob: 07970 247 326


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users