[LUGOS] P2P Scanner

Primož Gabrijelčič primoz at gabrijelcic.org
Mon Jan 12 21:07:22 CET 2004


> > snort won't help you
> 
> According to the chatter on OBSD misc@, it should.

So that I'm not talking into thin air:

	Every Kazaa connection uses some text in the packets containing
	'X-Kazaa-Username: username' to identify the users. I use snort
	(flexresp flavor) to filter on this with a rule like this one:

	alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; \
	content: "X-Kazaa-Username"; rev: 1; react: block;)

	Of course this is not ideal, but I don't see any Kazaa traffic on my
	network anymore. Also, I haven't heard of any 'new kazaa' (is it
	implemented differently?)... I've been using this solution for a while
	now (about 6 months)...

	Also, don't forget to run snort chroot'ed, and/or as non-root.

	jk

and

	Because Kazaa and this type of share-programs now can also switch
	automatically when they detect that a specific port is closed. I no
	longer block the default port on my firewall, but found that by using
	the bandwidth-management/traffic-shaping tools of PF (check man page)
	you can lower its throughput so much (to a 14.4k modem) that the user
	will get discouraged ("why does this go so slow?") and Kazaa will not
	switch ports.

	They will feel good that they are allowed to use Kazaa, they feel
	empowered, but you simply shape the traffic in a way that it becomes
	pretty much useless.

	diego

an alternative

	(I am presuming that this is in a corporate or business setting...)
	Why not just block all outgoing traffic from your LAN and use a web
	proxy/cache for surfing? Should your users *really* do anything other
	than surfing? I've given up on trying to figure out what ports and
	what networks the current p2p-filesharing-application-of-the-week is
	using and settled on blocking everything. If a user complains that
	they can't use application X we have a policy that states that, well,
	tough luck, you're not supposed to do that. Employees are expected to
	work while at work, not screw around with kazaa, gnutella, or whatnot.
	A nice side-effect is that this also blocks many spyware apps, like
	Gator, from reporting home.
	For those annoying exception cases, and there always are, when, say,
	the CEO wants to use some oddball application, authpf works wonders.

	Lars Hansson

and (but you'll have to dig further for this one yourself)

	Hmm, search the mailinglist archives, I remember a post of Nick
	Holland about a poisoned DNS system.

	Works very very well for me.

	Wijnand

And let me stress once more: I haven't dealt with this in practice myself.

Regards,
    Gp

    WinGpT: I link, therefore I am.
OpenBSD SI: http://obsd.17slon.org, http://obsd.17slon.org/list
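Added example (not part of the post above, and not Snort or PF code): a small Python emulation of what the quoted flexresp rule actually tests. It parses the rule's option list, applies the `content` match to a handful of constructed TCP payloads (fabricated for this example, not captured Kazaa traffic), and reports the verdict. The point a practitioner would want checked is that Snort's `content` match is a case-sensitive raw substring test unless the rule adds `nocase`; the lower-cased header in the third sample is constructed to show that difference, not a claim about how Kazaa itself emits the header. The flow labels and addresses are placeholders.

```python
"""Emulate the content / nocase / react parts of a Snort rule over sample payloads.

Added illustration only: not code from the original post, from Snort or from PF.
Only the rule features used below are modelled; everything else in Snort's rule
language is ignored.
"""
from dataclasses import dataclass, field

# The rule quoted in the post, written on one line (the original used a '\' continuation).
ORIGINAL_RULE = ('alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; '
                 'content: "X-Kazaa-Username"; rev: 1; react: block;)')

# Same rule with the 'nocase' modifier added (assumption: this is the fix a reviewer
# would suggest, since HTTP-style header names are case-insensitive).
NOCASE_RULE = ('alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; '
               'content: "X-Kazaa-Username"; nocase; rev: 1; react: block;)')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)


@dataclass
class Packet:
    flow: str        # placeholder label "src:port->dst:port", constructed
    payload: bytes   # constructed payload, not a real capture


# Constructed sample payloads (placeholder addresses from 10.0.0.0/8 and 203.0.113.0/24).
SAMPLE_PACKETS = [
    Packet("10.0.0.5:1214->203.0.113.9:1214",
           b"GET /.files HTTP/1.1\r\nHost: 203.0.113.9\r\nX-Kazaa-Username: alice\r\n\r\n"),
    Packet("10.0.0.7:3456->203.0.113.10:80",
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla\r\n\r\n"),
    Packet("10.0.0.8:4000->203.0.113.11:1214",
           b"GET /.files HTTP/1.1\r\nx-kazaa-username: bob\r\n\r\n"),   # lower-cased header, constructed
    Packet("10.0.0.9:5000->203.0.113.12:443",
           b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x01"),           # opaque TLS-like bytes
]


def parse_rule(text: str) -> Rule:
    """Split a one-line rule into its header fields and a dict of options.

    Options are ';'-separated; 'key: value' pairs become key -> value (quotes
    stripped) and bare keywords such as 'nocase' become key -> True.
    """
    head, _, body = text.partition("(")
    body = body.strip().rstrip(")")
    action, proto, src, src_port, direction, dst, dst_port = head.split()
    options = {}
    for raw in filter(None, (o.strip() for o in body.split(";"))):
        key, sep, val = raw.partition(":")
        options[key.strip()] = val.strip().strip('"') if sep else True
    return Rule(action, proto, src, src_port, direction, dst, dst_port, options)


def content_matches(rule: Rule, payload: bytes) -> bool:
    """Snort-style 'content' test: raw substring search, case-sensitive unless 'nocase'."""
    pattern = rule.options["content"].encode()
    if "nocase" in rule.options:
        return pattern.lower() in payload.lower()
    return pattern in payload


def verdicts(rule_text: str, packets) -> dict:
    """Map each flow label to the verdict the rule produces.

    A matching packet yields the 'react' action when present (flexresp 'block'),
    otherwise the rule's header action ('alert'); non-matching packets 'pass'.
    """
    rule = parse_rule(rule_text)
    on_match = rule.options.get("react", rule.action)
    return {p.flow: (on_match if content_matches(rule, p.payload) else "pass")
            for p in packets}


if __name__ == "__main__":
    for label, rule_text in (("original", ORIGINAL_RULE), ("with nocase", NOCASE_RULE)):
        print(label)
        for flow, verdict in verdicts(rule_text, SAMPLE_PACKETS).items():
            print(f"  {flow:38s} {verdict}")
```

Under the original rule only the first sample is blocked; the lower-cased variant passes untouched, while the `nocase` rule catches both. The `any any -> any any` header means port-hopping, which the second quoted reply describes, does not help the client, because the match is on payload rather than on port; what does defeat it is any change in the header text or encryption of the stream.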



