Educause Security Discussion mailing list archives

Re: classifying P2P traffic


From: Alex <alex.everett () UNC EDU>
Date: Tue, 29 Jan 2008 12:18:41 -0500

Mike:

You do bring up a very good point.
From a network perspective, we are running into some very difficult issues.
Applications no longer use static ports which we could block.
Good and bad can look similar from patterns (edonkey, storm worm).
Applications will try hard to get around deterrents (port hopping,
encryption, web).
We are all running into some issues; at some point they may not be
addressable by a network device.

Alex Everett, CISSP
University of North Carolina

-----Original Message-----
From: Michael Hornung [mailto:hornung () WASHINGTON EDU]
Sent: Tuesday, January 29, 2008 12:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] classifying P2P traffic

I've looked at L7-Filter (http://l7-filter.sourceforge.net/) and it is an
interesting approach.  I have not found a really satisfactory way to build
reporting around it, but my current thinking is that something pretty good
could be born out of an Argus and L7-Filter hybrid with some burly
post-processing to link, for example, top talkers with the applications
their flows have matched.

___________________________________________________
 Michael Hornung          UW Technology
 hornung () washington edu   University of Washington

On Tue, 29 Jan 2008 at 10:50, Harris, Michael C. wrote:

|Any suggestions other than Snort or IPAudit for open source or freeware
|for monitoring and reporting (not in-line blocking) of how bad the P2P
|problem is? Have any ideas on how best to collect the data to make the
|justification for purchasing Tipping point or Packeteer? Snort and
|IPAudit are fine for playing Whack-A-Mole with P2P by signature or by
|port; encryption forces this to a volumetric review, but neither is any
|good for management reporting to quantify the severity of the problem.
|
|Mike
|
|-----Original Message-----
|From: Youngquist, Jason R. [mailto:jryoungquist () CCIS EDU]
|Sent: Tuesday, January 29, 2008 8:50 AM
|To: SECURITY () LISTSERV EDUCAUSE EDU
|Subject: [SECURITY] classifying P2P traffic
|
|What devices are you using to monitor P2P traffic and how well are they
|working for you?  Is there some P2P traffic that you believe your
|monitoring software isn't catching?  I.e., encrypted traffic, outdated
|P2P definitions from the vendor, etc.
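The Argus plus L7-Filter hybrid Michael sketches above, written out as an added example (it is not code from any poster, nor from the Argus or L7-Filter projects): flow records are joined to per-flow L7-Filter match labels on the 5-tuple, then rolled up into top talkers per application. It goes one step past the message by giving the unmatched flows the volumetric fallback Mike alludes to for encrypted P2P: an internal host with many distinct high-port peers and roughly symmetric byte counts is flagged "p2p-suspect" rather than left "unclassified". The flow layout, the match-table format, the 10.1.1.0/24 local prefix, the thresholds and every sample record are constructed assumptions.

```python
"""Join flow records with L7-Filter application labels and rank top talkers per application.

Constructed example: the flow layout, match-table format and all sample data are assumptions,
not Argus or L7-Filter output.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """One bidirectional flow, loosely modelled on Argus 'ra' output (assumed layout)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    sbytes: int  # bytes sent by src
    dbytes: int  # bytes sent by dst


FiveTuple = Tuple[str, str, int, str, int]


def five_tuple(f: Flow) -> FiveTuple:
    """Join key shared by the flow table and the L7 match table."""
    return (f.proto, f.src, f.sport, f.dst, f.dport)


def classify_flows(
    flows: Iterable[Flow],
    l7_matches: Dict[FiveTuple, str],
    internal_prefix: str = "10.1.1.",  # assumed local address range
    peer_threshold: int = 20,          # distinct peers before a host is flagged
    symmetry: float = 0.2,             # min(up, down) / max(up, down) to count as P2P-like
    ephemeral: int = 1024,
) -> Dict[str, Dict[str, Dict[str, int]]]:
    """Return {host: {label: {"bytes": total, "peers": distinct_remote_hosts}}}.

    Flows with an L7-Filter match take its label. Unmatched flows get a volumetric
    fallback: P2P-like flows (both ends on high ports, traffic in both directions,
    near-symmetric volume) from a host with at least peer_threshold distinct peers
    are labelled "p2p-suspect"; everything else "unclassified".
    """
    totals = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "peers": set()}))
    unmatched: Dict[str, List[Flow]] = defaultdict(list)

    def add(host: str, label: str, f: Flow) -> None:
        bucket = totals[host][label]
        bucket["bytes"] += f.sbytes + f.dbytes
        bucket["peers"].add(f.dst)

    for f in flows:
        if not f.src.startswith(internal_prefix):
            continue  # assumption: src is always the local side of the flow
        label = l7_matches.get(five_tuple(f))
        if label is None:
            unmatched[f.src].append(f)
        else:
            add(f.src, label, f)

    for host, hflows in unmatched.items():
        p2p_like = {
            f for f in hflows
            if f.sport >= ephemeral and f.dport >= ephemeral
            and f.sbytes > 0 and f.dbytes > 0
            and min(f.sbytes, f.dbytes) / max(f.sbytes, f.dbytes) >= symmetry
        }
        flagged = len({f.dst for f in p2p_like}) >= peer_threshold
        for f in hflows:
            add(host, "p2p-suspect" if flagged and f in p2p_like else "unclassified", f)

    return {
        host: {label: {"bytes": b["bytes"], "peers": len(b["peers"])} for label, b in labels.items()}
        for host, labels in totals.items()
    }


def top_talkers(summary: Dict[str, Dict[str, Dict[str, int]]], n: int = 5) -> List[Tuple[str, str, int, int]]:
    """Rows of (host, label, bytes, peers), largest byte count first."""
    rows = [(host, label, d["bytes"], d["peers"])
            for host, labels in summary.items() for label, d in labels.items()]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows[:n]


# Constructed sample data for one campus /24. None of it is real traffic.
FLOWS: List[Flow] = [
    Flow("tcp", "10.1.1.5", 50001, "93.184.216.34", 80, 1200, 48000),       # plain web
    Flow("tcp", "10.1.1.5", 50002, "93.184.216.34", 443, 900, 120000),      # TLS web
    Flow("tcp", "10.1.1.9", 4662, "198.51.100.7", 4662, 30000, 80000),      # eDonkey, L7 recognises it
    Flow("tcp", "10.1.1.30", 41000, "198.51.100.9", 8080, 2000, 500_000_000),  # one big one-way download
] + [  # 25 distinct high-port peers, near-symmetric bytes, nothing L7 recognises
    Flow("tcp", "10.1.1.20", 40000 + i, f"203.0.113.{i}", 20000 + i, 50000, 52000)
    for i in range(1, 26)
]

# Constructed L7-Filter results keyed by 5-tuple (assumed format of the match log).
L7_MATCHES: Dict[FiveTuple, str] = {
    ("tcp", "10.1.1.5", 50001, "93.184.216.34", 80): "http",
    ("tcp", "10.1.1.5", 50002, "93.184.216.34", 443): "ssl",
    ("tcp", "10.1.1.9", 4662, "198.51.100.7", 4662): "edonkey",
}

if __name__ == "__main__":
    for host, label, nbytes, peers in top_talkers(classify_flows(FLOWS, L7_MATCHES)):
        print(f"{host:<12} {label:<14} {nbytes:>12} bytes  {peers:>3} peers")
```

The single large unmatched download stays "unclassified" because its byte ratio is far from symmetric and it has one peer; tune peer_threshold and symmetry against your own baseline, since a busy mirror or a CDN-heavy host can trip a peer count alone.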
