Snort mailing list archives
Re: Stopping outbound Kazaa
From: twig les <twigles () yahoo com>
Date: Thu, 13 Feb 2003 18:33:48 -0800 (PST)
In the meanwhile while we get the technical solution working, try simply putting out a hardcopy memo to everyone threatening dire consequences to anyone using kazaa in the work network (the multitude of threats justify this I believe) and reminding them that you, as net/sysadmin, know everything that happens on your net. In other words lie to them and let their ignorance scare them into doing what you want, like those marijuana = terrorism commercials. --- Erek Adams <erek () snort org> wrote:
On Thu, 13 Feb 2003, Travis S. wrote:Concerning the comment about monitoring a specific port...the newversion of Kazaa (which is what composes the majority of ourtraffic)will go straight to port 80 if it's default port is blocked.Yep... Just like the AOL IM Client. God, that thing is evil. Just fire it up in a testlab off of the net and sniff the traffic. It uses damned near every "well known" port to get out. :-(For a while I was looking at using the logs to generate astatic routetable, routing all traffic to a null interface that dealtwith a Kazaaremote computer. This was too forceful of a rule, however,as it wouldblacklist all traffic from those computers. I am in theprocess ofgetting a machine up to use flexresp and see if we can killoutboundconnections of file transfers from our network - we'll seehow well thatworks.Honestly, I think you were on the right track with the null route. If you did something like "ip route <kaza_server_IP> <netmask> null0" that would stop anyone from connecting to it... If that's not useable, then consider using something like SnortSam to add an outbound ACL to your router. ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson ------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
===== ----------------------------------------------------------- Know yourself and know your enemy and you will never fear defeat. ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? Yahoo! Shopping - Send Flowers for Valentine's Day http://shopping.yahoo.com ------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Stopping outbound Kazaa Travis S. (Feb 06)
- Re: Stopping outbound Kazaa twig les (Feb 06)
- Re: Stopping outbound Kazaa Brian (Feb 07)
- Re: Stopping outbound Kazaa Gustavo Beltrami Rossi (Feb 10)
- <Possible follow-ups>
- Re: Stopping outbound Kazaa Travis S. (Feb 06)
- Re: Stopping outbound Kazaa Travis S. (Feb 13)
- Re: Stopping outbound Kazaa Erek Adams (Feb 13)
- Re: Stopping outbound Kazaa twig les (Feb 13)
- Re: Stopping outbound Kazaa Gustavo Beltrami Rossi (Feb 14)
- Re: Stopping outbound Kazaa Erek Adams (Feb 13)
- RE: Stopping outbound Kazaa Bob McDowell (Feb 14)