Re: Bittorrent - utorrent

[Tremaine Lea <focus-ids () ddiction com>]

On 7-Mar-07, at 12:38 PM, Ove Dalgård Hansen wrote:

> Hello Everyone,
>
> I am in a bit of trouble,
>
> On a network where i am configuring IDS - using ASA5510 + SSM  
> module, we try to deny access to Bittorrent downloads - it consumes  
> quite a bit of bandwith and is not allowed by the company's policy.
> We try to filter bittorrent which succedes - but the utorrent  
> changes protocol and goes by the SSL port 443 and thereby  
> circumvent the IDS, since its not possible to see the encrypted  
> traffic.
>
> Does anyone out there have a good idea of how i am to solve the issue?
>
>
> Best Regards
>
> Ove Hansen
> IT-Quality A/S
> Banemarksvej 50F
> Denmark - 2605


I'd recommend looking at something like Bluecoat which allows you to  
examine the SSL traffic.  The caveat being you'll want to exclude  
banking and financial institutions from inspection to avoid capturing/ 
compromising private user data.

Alternately, block all outbound 443 traffic after examining a months  
worth of logs to determine which is legit and which is questionable.,  
then explicitly allow 443 to those sites.  The better a job you do at  
identifying which are legit, the fewer follow up tickets you get to  
create further access.

Create a list of all destination IP's on 443 for $now -30days.  At  
this point you can then use the linux sort utility to both organize  
the list and eliminate duplicates.  From there you should be able to  
identify which are legitimate destinations.

Cheers,

Tremaine Lea
Network Security Consultant



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------