Block KaZaA using Snort

savagecat asked on

I need a rule to block KaZaA using Snort.
jasef

Hi savagecat,
Snort is an Intrusion Detection System.  What you are looking for is a firewall, or packet filtering.  This is usually along the lines of IPFW for xBSD, IP Chains or IP Tables for Linux, or a function performed by a router or hardware firewall. Same for telnet.

Cheers!
savagecat (ASKER)
I know it can be done with a firewall or packet filtering.  There's got to be a way to do it with Snort.
I'd like to edit that post.

I need the rule to identify KaZaA traffic using Snort.
ASKER CERTIFIED SOLUTION
jasef
Just caught your other post on the previous question, so I see where you're coming from now.  This is much trickier.  You need something that can inspect the data packet at layer 7 (both for telnet and KazaA).  Yes, I suspect this is possible through Snort, but I don't know how off the top of my head.  I'll see if I can find anything.
I did forget to mention that monitoring traffic at this level will be quite resource hungry...  Still looking for a telnet filter; as for KazaA, you may need to make it up yourself.
I gave points on the telnet question via the other thread.

I *think* I have the Kazaa thing...

    alert tcp 192.168.1.0/24 any -> any any ( \
                                  content: "X-Kazaa-Username"; \
                                  resp: rst_all; \
                                  msg: "P2P Kazaa File Transfer";)
Hey Savage, I was writing that post before I realised you actually wanted to filter telnet as an app, not just requests to the port (note the port 23 in the rule), so what I wrote won't work for what you're after.  Don't know if you can revert the point allocation, but give me a min, I'm still trying to find the telnet identifier... I should be able to earn those points.
Your Kaz rule looks about right, but I haven't traced it recently (like within the last year!!) to be sure.
Sorry. I recommend blocking it by ridding employees or users who continue to use it when told to not use it.

There comes a time when obedience to institutional policy has a value, and this is it.  At least seize the affected PC and quarantine it for offline repairs indefinitely.
>  rule to identify KaZaA

Oh, btw, the general case for that product is that it is in a category where its rules of behavior can change from time to time.  What that means is that a designated block will only function on some versions of the product, and not for other versions.  This is part of why a better solution is to better manage the people using it.

You can also try to block IP addresses of remote sites it can access.  That is probably a losing battle, or at least it is wasteful, unless you have limited needs and a small group.  For example, with a small group, block everything, every single site, address, and port, and then only enable the ones that are useful for the users, one server, one product, at a time.

Better, I think, to say no one is allowed to remain who uses the product; follow up and enforce the rule, like any other. Would you let them perform other abuses too? Where will that end? Stop now. Nip it in the bud.
Just tried a trace in a few different scenarios, but haven't found the distinction for Telnet yet.  I'll probably post again in a few days on the Telnet thread.
Tim Holman
Get hold of a Kazaa client, install Ethereal, get a packet capture, identify something common in all the initial Kazaa packets, then block them.
The trouble is, Kazaa packets look like HTTP packets, so you would typically need something at L7 (eg Proxy server) to dissect these and block.  BlueCoat do it, as does Microsoft ISA server (I think?).

Another way to detect would be just to look for TCP port 1214, but make sure it's not blocked, so Kazaa doesn't try and tunnel via port 80, as this would make it a nightmare to find!!

Plus there are two rules in Snort that could help - SID 1383 and 1699:

http://www.snort.org/cgi-bin/sigs-search.cgi?sid=kazaa
I got this from: http://jk.yazzy.org/openbsd/kazaa.php

First, build and install the flexresp (dynamic connection killing support) flavor of the snort port:

    # cd /usr/ports/net/snort
    # env FLAVOR="flexresp" make install clean

Second, add a snort user and group:

    # groupadd -g 700 _snort
    # useradd -g _snort -d /nonexistant \
          -L daemon -c 'Snort Account' \
          -s /sbin/nologin -u 700 _snort

Check the useradd manual page for a description of the options used.

Third, make a snort directory, and its log directory. The log directory is where alerts will be put, and the user under which snort runs needs write access to this directory.

    # mkdir -p /var/snort/log
    # chown _snort:_snort /var/snort/log

Fourth, create a Snort rule to block Kazaa. The example is for a 192.168.1.0/24 network. If you run a different internal network, change the network mask accordingly. The rule presented will send RST TCP commands in both ways of the Kazaa connection (Kazaa user and Kazaa network), effectively killing the connection as soon as snort detects a packet containing the X-Kazaa-Username string.

    # cat >/var/snort/rules
    alert tcp 192.168.1.0/24 any -> any any ( \
                                  content: "X-Kazaa-Username"; \
                                  resp: rst_all; \
                                  msg: "P2P Kazaa File Transfer";)

At last, start snort:

    # /usr/local/bin/snort -D -h 192.168.1.0/24 \
         -t /var/snort -u _snort -i xl0 \
         -A fast -c /var/snort/rules \
         -l /var/snort/log
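The following is an added example, not code from this thread or from the jk.yazzy.org page quoted above. It models, offline, the decision the posted Snort rule makes: a `content:` match in Snort is a plain byte-substring search over the packet payload, case-sensitive unless the rule carries `nocase`, and it is only consulted for packets whose header matches the rule's `192.168.1.0/24 any -> any any`. Alongside it runs the cheaper TCP/1214 port check from Tim Holman's post, so the two signals can be compared on the same traffic. The `Packet` record, the sample payloads and usernames are constructed for this example; the rule's own content string and network are taken from the thread.

```python
"""Offline model of the posted Snort rule and the TCP/1214 heuristic.

Added example: not the thread's code, not Snort itself. Field names,
payloads and usernames below are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # source network in the posted rule
KAZAA_SIGNATURE = b"X-Kazaa-Username"               # content: string from the posted rule
KAZAA_PORT = 1214                                   # default KaZaA port named in the thread


@dataclass
class Packet:
    """One TCP segment reduced to the fields the rule and the heuristic look at."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def content_match(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Snort-style content match: unanchored byte-substring search."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def kazaa_rule(pkt: Packet, nocase: bool = False) -> Optional[str]:
    """Model of: alert tcp 192.168.1.0/24 any -> any any (content:"X-Kazaa-Username"; resp:rst_all; ...)

    Returns "alert+rst_all" when the rule fires (with the flexresp build Snort
    then sends TCP RSTs to both ends of the connection), otherwise None.
    """
    if ipaddress.ip_address(pkt.src) not in HOME_NET:
        return None                       # rule header: source must be inside 192.168.1.0/24
    if content_match(pkt.payload, KAZAA_SIGNATURE, nocase=nocase):
        return "alert+rst_all"
    return None


def port_heuristic(pkt: Packet) -> bool:
    """Tim Holman's cheaper check: is either end of the segment on TCP/1214?"""
    return KAZAA_PORT in (pkt.sport, pkt.dport)


def analyze(packets: List[Packet], nocase: bool = False) -> List[Tuple[int, Optional[str], bool]]:
    """Run both checks over a packet list; returns (index, rule_result, port_hit) per packet."""
    return [(i, kazaa_rule(p, nocase=nocase), port_heuristic(p)) for i, p in enumerate(packets)]


# Constructed sample traffic (not captured data).
SAMPLES = [
    # 0: KaZaA-style HTTP request on the default port: both signals fire
    Packet("192.168.1.10", 40001, "203.0.113.5", 1214,
           b"GET /.hash=abc HTTP/1.1\r\nHost: 203.0.113.5:1214\r\n"
           b"X-Kazaa-Username: demo_user\r\nX-Kazaa-Network: KaZaA\r\n\r\n"),
    # 1: same client on port 80: the content rule still fires, the port check does not
    Packet("192.168.1.10", 40002, "203.0.113.6", 80,
           b"GET /.hash=def HTTP/1.1\r\nHost: 203.0.113.6\r\n"
           b"X-Kazaa-Username: demo_user\r\n\r\n"),
    # 2: ordinary web request: neither signal fires
    Packet("192.168.1.11", 40003, "198.51.100.7", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # 3: header present in lower case: only matched when the rule carries `nocase`
    Packet("192.168.1.12", 40004, "203.0.113.8", 1214,
           b"GET /.hash=ghi HTTP/1.1\r\nx-kazaa-username: demo_user\r\n\r\n"),
    # 4: the signature arriving from outside HOME_NET: the rule header does not match
    Packet("203.0.113.9", 1214, "192.168.1.10", 40005,
           b"HTTP/1.1 200 OK\r\nX-Kazaa-Username: remote_peer\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, rule_result, port_hit in analyze(SAMPLES):
        print(f"packet {idx}: rule={rule_result!r:16} port1214={port_hit}")
    print("with nocase:", [r for _, r, _ in analyze(SAMPLES, nocase=True)])
```

Run as-is it prints one line per sample. Packets 1 and 3 are the ones worth noting for a rule writer: packet 1 shows why Tim's advice not to block port 1214 matters (the content rule keeps working on port 80, the port check does not), and packet 3 shows that the posted rule, having no `nocase` modifier, matches the header only in the exact case shown; passing `nocase=True` models adding that modifier. Packet 4 shows the rule's `->` direction and source network doing their job: the same string from outside 192.168.1.0/24 never reaches the content check.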
Hi SC,
Back on the ol' Telnet wagon: it appears from my research that there is nothing distinctive in a telnet initiated packet, therefore no way to filter it as a protocol :(  Anyone that knows differently, please post.