Re: Stopping outbound Kazaa

["Travis S." <security () starfieldsw com>]

Yes, I've looked at both of the rules mentioned.  The problem is that while the old version of Kazaa uses port 1214, 
the newer versions use dynamic port allocations for transfers, even port 80.  Thanks for the suggestion though.

--Travis

---------- Original Message ----------------------------------
From: twig les <twigles () yahoo com>
Date: Thu, 6 Feb 2003 11:37:07 -0800 (PST)

> There are 2 kazaa rules that I know of offhand, sid:1383 and
> sid:1699.  Unfortunately these require dst port 1214 so they can
> be avoided.  Without knowing anything about your infrastructure
> or corporate environment it's hard to find a solution, although
> to be honest if this is a work environment and you're out of
> bandwidth I'd simply kill all Kazaa, up or down.  Especially
> since it's normally the "You've Got Mail" crowd downloading
> things and not virus-scanning them before execution.  Not to
> mention the heinous MPAA/RIAA(TM ... probably) plot to punish
> copyright thieves :).
>
> The only way I can think of to stop Kazaa is thru bandwidth
> monitoring and policy.  Send out a new policy based on
> filesharing being a no-no and then watch the bandwidth
> consumption and figure who has got a suspicious stream of
> traffic (30-60kps for 16 hours straight coming from a desktop in
> finance to the internet).  QoS on the router(s) may help but I
> don't know your environment.  You could simply kick the end-user
> traffic to a lower priority.
>
> So in essence, no, I haven't figured out a clever way to do this
> with free stuff.  But I'm feeling quite chatty today so I hope
> this helps.
>
>
> --- "Travis S." <security () starfieldsw com> wrote:
> > On a large 1 gbps full-duplex internet pipe, I want to prevent
> > outside users from downloading files on Kazaa, gnutella, etc
> > from our network.  On the other hand, I don't want to stop our
> > users from downloading these files from the outside.
> >
> > Basically the idea is to manage the uncontrolled outbound
> > stream so we have spare - right now it's pegged 100% usage.
> >
> > Has anybody figured out clever ways to accomplish this using
> > snort or any other package?  Obviously I would prefer a free
> > solution, so it would be great if Snort could do this.
> >
> > --Travis
> >
> >
> > -------------------------------------------------------
> > This SF.NET email is sponsored by:
> > SourceForge Enterprise Edition + IBM + LinuxWorld = Something
> > 2 See!
> > http://www.vasoftware.com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> =====
> -----------------------------------------------------------
> Know yourself and know your enemy and you will never fear defeat.         
> -----------------------------------------------------------
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users