[Snort-users] streaming media detection

Joel Esler eslerj at ...9426...
Fri Feb 4 07:51:53 EST 2005


You know, I've noticed that the frag processor picks that up sometimes.

Since it is streaming, packets tend to get fragmented somewhere...

J


On Thu, 2005-02-03 at 15:34 -0500, Seth Art wrote:

> I am also interested in detecting streaming audio into our network.
> It's been eating up a ton of our bandwidth.  I searched the bleeding
> signatures and it doesn't look like there are any rules yet that look
> for streaming http traffic.  Has anyone played with this yet?   Is
> there any other way to flag this stuff besides by retroactively
> finding IP address subnets?
> 
> -Seth
> 
> On Wed, 26 Jan 2005 05:27:12 -0800 (PST), Jose Maria Lopez
> <jkerouac at ...12346...> wrote:
> > On Wed, 26 Jan 2005 at 05:22, Paul Aviles wrote:
> > > Is there a way to detect people streaming media or listening to music? With most of them using port 80 I am curious as to what approach to use.
> > >
> > > Also, is there a way to send an email upon certain alerts?
> > >
> > > Thanks
> > 
> > You can look in the bleeding-edge rules to see if there are some
> > rules to detect this kind of traffic. If you want just to stop
> > this kind of traffic, people usually do it using ACLs with Squid
> > or blocking the IPs these programs connect to.
> > 
> > About sending emails with certain alerts, I think OpenAanval
> > can do that.
> > 
> > Regards.
> > 
> > --
> > Jose Maria Lopez Hernandez
> > Technical Director, bgSEC
> > jkerouac at ...12346...
> > bgSEC Seguridad y Consultoria de Sistemas Informaticos
> > http://www.bgsec.com
> > SPAIN
> > 
> > The only people for me are the mad ones -- the ones who are mad to live,
> > mad to talk, mad to be saved, desirous of everything at the same time,
> > the ones who never yawn or say a commonplace thing, but burn, burn, burn
> > like fabulous yellow Roman candles.
> >                 -- Jack Kerouac, "On the Road"
> > 
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
> > Tool for open source databases. Create drag-&-drop reports. Save time
> > by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
> > Download a FREE copy at http://www.intelliview.com/go/osdn_nl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?listsnort-users
> >
> 
> 

-- 
Joel Esler <eslerj at ...9426...>