Re: Bittorrent - utorrent

[Michał Melewski <mike () carstein kill-9 pl>]

Ove Dalgård Hansen napisał(a):
> Hello Everyone,
Hello

> I am in a bit of trouble,
>
> On a network where i am configuring IDS - using ASA5510 + SSM module, we try to deny access to Bittorrent downloads - it 
> consumes quite a bit of bandwith and is not allowed by the company's policy.
> We try to filter bittorrent which succedes - but the utorrent changes protocol and goes by the SSL port 443 and thereby circumvent the IDS, since its not possible to see the encrypted traffic. 
>
> Does anyone out there have a good idea of how i am to solve the issue?

I can't give you a direct solution, but few months (weeks?) ago lcamtuf 
wrote a tool called fl0p - http://lcamtuf.coredump.cx/soft/fl0p-devel.tgz.
The purpose of this tool is to examine an encrypted traffic, but instead 
of checking the packet payload it looks at relative times between 
packets, packet size and the packet sequence - it can tell users from 
any automated encrypted traffic.
The whole effort would be to teach fl0p how does utorrent traffic looks 
like. I don't know if it's possible to integrate this tool with your IDS 
- but this is worth checking.

Besides, from my point of view (I'm bit ISMS-centric), if you want to 
get rid p2p from your network start from dissalowing users to install 
custom software on their computers.

> Best Regards
BR

ps. I think it would be a good idea to integrate fl0p with Snort (as a 
module. Any volunteers?

--
Michael Melewski
PSNC Security Team

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------