Snort mailing list archives
RE: Stopping outbound Kazaa
From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Fri, 14 Feb 2003 09:46:03 -0600
Really, you HAVE to do this anyway. Consider what happens if you miss one of the flavors of P2P and an employee exposes the company to risk. Is it the employee's fault because there's a policy against it? Or is it your fault because the 'firewall' didn't stop them?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of twig les
Sent: Thursday, February 13, 2003 8:34 PM
To: Erek Adams; Travis S.
Cc: Gustavo Beltrami Rossi; snort-users () lists sourceforge net; snort-sigs () lists sourceforge net
Subject: Re: [Snort-users] Stopping outbound Kazaa

In the meanwhile while we get the technical solution working, try simply putting out a hardcopy memo to everyone threatening dire consequences to anyone using kazaa in the work network (the multitude of threats justify this I believe) and reminding them that you, as net/sysadmin, know everything that happens on your net. In other words lie to them and let their ignorance scare them into doing what you want, like those marijuana = terrorism commercials.

--- Erek Adams <erek () snort org> wrote:
> On Thu, 13 Feb 2003, Travis S. wrote:
>
> > Concerning the comment about monitoring a specific port...the new
> > version of Kazaa (which is what composes the majority of our traffic)
> > will go straight to port 80 if its default port is blocked.
>
> Yep... Just like the AOL IM Client. God, that thing is evil. Just fire it up in a testlab off of the net and sniff the traffic. It uses damned near every "well known" port to get out. :-(
>
> > For a while I was looking at using the logs to generate a static route
> > table, routing all traffic to a null interface that dealt with a Kazaa
> > remote computer. This was too forceful of a rule, however, as it would
> > blacklist all traffic from those computers. I am in the process of
> > getting a machine up to use flexresp and see if we can kill outbound
> > connections of file transfers from our network - we'll see how well that
> > works.
>
> Honestly, I think you were on the right track with the null route. If you did something like "ip route <kaza_server_IP> <netmask> null0" that would stop anyone from connecting to it... If that's not useable, then consider using something like SnortSam to add an outbound ACL to your router.
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro."
> H.S. Thompson
>
> -------------------------------------------------------
> This SF.NET email is sponsored by: FREE SSL Guide from Thawte
> are you planning your Web Server Security? Click here to get a FREE
> Thawte SSL guide and find the answers to all your SSL security issues.
> http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------

Current thread:
- Stopping outbound Kazaa Travis S. (Feb 06)
- Re: Stopping outbound Kazaa twig les (Feb 06)
- Re: Stopping outbound Kazaa Brian (Feb 07)
- Re: Stopping outbound Kazaa Gustavo Beltrami Rossi (Feb 10)
- <Possible follow-ups>
- Re: Stopping outbound Kazaa Travis S. (Feb 06)
- Re: Stopping outbound Kazaa Travis S. (Feb 13)
- Re: Stopping outbound Kazaa Erek Adams (Feb 13)
- Re: Stopping outbound Kazaa twig les (Feb 13)
- Re: Stopping outbound Kazaa Gustavo Beltrami Rossi (Feb 14)
- Re: Stopping outbound Kazaa Erek Adams (Feb 13)
- RE: Stopping outbound Kazaa Bob McDowell (Feb 14)