
Block KaZaA using Snort

I need a rule to block KaZaA using Snort.
Asked: savagecat

jasef Commented:
Hi savagecat,
Snort is an Intrusion Detection System.  What you are looking for is a firewall, or packet filtering.  This is usually along the lines of IPFW for xBSD, IP Chains or IP Tables for Linux, or a function performed by a router or hardware firewall. Same for telnet.

Cheers!

savagecat (Author) Commented:
I know it can be done with a firewall or packet filtering.  There's got to be a way to do it with Snort.

savagecat (Author) Commented:
I'd like to edit that post.

I need the rule to identify KaZaA traffic using Snort.

jasef Commented:
For the sake of brevity, I'll stop posting on the other thread as it will be the same. Intrusion Detection systems are designed to detect attacks or reconnaissance attempts on your network.  Some will drop or alter traffic (which Snort can do), others will only report it.  Whilst you can use Snort in this capacity, I recommend implementation of a firewall. If you don't care, you can block it as follows:

Telnet...

    alert tcp $YOUR_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Login Denied"; flags: A+; content: "Login failed"; nocase; classtype:bad-unknown; sid:492; rev:2; fwsam: dst)

jasef Commented:
Just caught your other post on the previous question, so I see where you're coming from now.  This is much trickier.  You need something that can inspect the data packet at layer 7 (both for telnet and KazaA).  Yes, I suspect this is possible through Snort, but I don't know how off the top of my head.  I'll see if I can find anything.

jasef Commented:
I did forget to mention that monitoring traffic at this level will be quite resource hungry...  Still looking for the telnet filter; as for KazaA, you may need to make it up yourself.

savagecat (Author) Commented:
I gave points on the telnet question via the other thread.

I *think* I have the Kazaa thing...

    alert tcp 192.168.1.0/24 any -> any any ( \
                                  content: "X-Kazaa-Username"; \
                                  resp: rst_all; \
                                  msg: "P2P Kazaa File Transfer";)

jasef Commented:
Hey Savage, I was writing that post before I realised you actually wanted to filter telnet as an app, not just requests to the port (note the port 23 in the rule), so what I wrote won't work for what you're after.  Don't know if you can revert the point allocation, but give me a min, I'm still trying to find the telnet identifier... I should be able to earn those points.
Your Kaz rule looks about right, but I haven't traced it recently (like within the last year!!) to be sure.

SunBow Commented:
Sorry. I recommend blocking it by ridding yourself of employees or users who continue to use it when told not to use it.

There comes a time when obedience to institutional policy has a value, and this is it.  At least seize the affected PC and quarantine it for offline repairs indefinitely.

SunBow Commented:
>  rule to identify KaZaA

Oh, btw, the general case for that product is that it is in a category where its rules of behavior can change from time to time.  What that means is that a designated block will only function on some versions of the product, and not for other versions.  This is part of why a better solution is to better manage the people using it.

You can also try to block the IP addresses of remote sites it can access.  That is probably a losing battle, or at least wasteful, unless you have limited needs or a small group.  For example, with a small group, block everything (every single site, address, and port) and then only enable the ones that are useful for the users, one server, one product, at a time.

Better, I think, to say that no one who uses the product is allowed to remain, then follow up and enforce the rule, like any other. Would you let them perform other abuses too? Where will that end? Stop now. Nip it in the bud.

jasef Commented:
Just tried a trace in a few different scenarios, but haven't found the distinction for Telnet yet.  I'll probably post again in a few days on the Telnet thread.

Tim Holman Commented:
Get hold of a Kazaa client, install Ethereal, get a packet capture, identify something common in all the initial Kazaa packets, then block them.
The trouble is, Kazaa packets look like HTTP packets, so you would typically need something at L7 (e.g. a proxy server) to dissect these and block.  BlueCoat do it, as does Microsoft ISA Server (I think?).


Tim Holman Commented:
Another way to detect would be just to look for TCP port 1214, but make sure it's not blocked so Kazaa doesn't try to tunnel via port 80, as this would make it a nightmare to find!!

Plus there are two rules in Snort that could help - SID 1383 and 1699:

http://www.snort.org/cgi-bin/sigs-search.cgi?sid=kazaa

CharlyPhilly Commented:
I got this from: http://jk.yazzy.org/openbsd/kazaa.php

First, build and install the flexresp (dynamic connection killing support) flavor of the snort port:

    # cd /usr/ports/net/snort
    # env FLAVOR="flexresp" make install clean

Second, add a snort user and group:

    # groupadd -g 700 _snort
    # useradd -g _snort -d /nonexistent \
          -L daemon -c 'Snort Account' \
          -s /sbin/nologin -u 700 _snort

Check the useradd manual page for a description of the options used.

Third, make a snort directory and its log directory. The log directory is where alerts will be put, and the user under which snort runs needs write access to this directory.

    # mkdir -p /var/snort/log
    # chown _snort:_snort /var/snort/log

Fourth, create a Snort rule to block Kazaa. The example is for a 192.168.1.0/24 network. If you run a different internal network, change the network mask accordingly. The rule presented will send TCP RST packets in both directions of the Kazaa connection (to the Kazaa user and to the Kazaa network), effectively killing the connection as soon as snort detects a packet containing the X-Kazaa-Username string.

    # cat >/var/snort/rules
    alert tcp 192.168.1.0/24 any -> any any ( \
                                  content: "X-Kazaa-Username"; \
                                  resp: rst_all; \
                                  msg: "P2P Kazaa File Transfer";)

At last, start snort:

    # /usr/local/bin/snort -D -h 192.168.1.0/24 \
         -t /var/snort -u _snort -i xl0 \
         -A fast -c /var/snort/rules \
         -l /var/snort/log



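The rule above (and savagecat's identical one earlier in the thread) matches on the `X-Kazaa-Username` string from any host in 192.168.1.0/24, regardless of port, which is why it catches Kazaa traffic tunnelled over port 80 that Tim Holman's port-1214 check would miss, while ignoring the same string from hosts outside the monitored network. The script below is an added illustration, not code from the thread and not Snort itself: it parses the rule's header and its `content`/`msg` options the way Snort reads them and applies the rule to a few constructed packets (the `Packet` class and the sample traffic are made up here). Stream reassembly and the `resp: rst_all` active response are not modelled; a match only reports what Snort would alert on.

```python
"""Evaluate the thread's KaZaA Snort rule against hand-built packets.

Added illustration, not code from the thread and not Snort itself: it parses
the rule header and the content/msg options, then applies the rule to
constructed packets.  Reassembly and resp:rst_all are not modelled.
"""
import ipaddress
import re
from dataclasses import dataclass

# The rule from the thread (backslash continuations joined onto one line).
KAZAA_RULE = (
    'alert tcp 192.168.1.0/24 any -> any any ( '
    'content: "X-Kazaa-Username"; resp: rst_all; msg: "P2P Kazaa File Transfer";)'
)

# action proto src sport dir dst dport ( options )
_HEADER_RE = re.compile(
    r'\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S
)


@dataclass
class Packet:            # assumed minimal packet model, not a Snort type
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rule(text):
    """Split a Snort rule into header fields and an option dict."""
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    m = _HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):                 # options are ';'-terminated
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")    # modifiers like nocase have no value
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def _addr_matches(spec, ip):
    """'any', a CIDR/host, or a '!'-negated one."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negated


def _port_matches(spec, port):
    """'any', a single port, or a lo:hi range with either bound optional."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Header check (with <> bidirectional support), then the content option."""
    def fwd(s, sp, d, dp):
        return (_addr_matches(rule["src"], s) and _port_matches(rule["sport"], sp)
                and _addr_matches(rule["dst"], d) and _port_matches(rule["dport"], dp))
    ok = fwd(pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if rule["direction"] == "<>":
        ok = ok or fwd(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if not ok:
        return False
    needle = rule["options"].get("content")
    if needle is not None:
        hay, needle = pkt.payload, needle.encode()
        if "nocase" in rule["options"]:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def scan(rule_text, packets):
    """Indices of packets the rule alerts on, paired with the rule's msg."""
    rule = parse_rule(rule_text)
    msg = rule["options"].get("msg", "")
    return [(i, msg) for i, p in enumerate(packets) if rule_matches(rule, p)]


def port_1214_only(pkt):
    """The port-based heuristic from the thread, for comparison."""
    return 1214 in (pkt.sport, pkt.dport)


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    # 0: KaZaA on its usual port 1214, from inside the monitored /24
    Packet("192.168.1.10", 3456, "203.0.113.5", 1214,
           b"GET /.files HTTP/1.1\r\nX-Kazaa-Username: alice\r\n\r\n"),
    # 1: the same client, KaZaA tunnelled over port 80 (looks like HTTP)
    Packet("192.168.1.10", 3457, "203.0.113.6", 80,
           b"GET /x HTTP/1.1\r\nHost: 203.0.113.6\r\nX-Kazaa-Username: alice\r\n\r\n"),
    # 2: ordinary web browsing from the same client
    Packet("192.168.1.10", 3458, "203.0.113.7", 80,
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # 3: KaZaA header, but from a host outside 192.168.1.0/24
    Packet("10.0.0.5", 4000, "203.0.113.5", 1214,
           b"GET /.files HTTP/1.1\r\nX-Kazaa-Username: bob\r\n\r\n"),
]

if __name__ == "__main__":
    for i, msg in scan(KAZAA_RULE, SAMPLE_PACKETS):
        print("alert on packet %d: %s" % (i, msg))
```

Running it alerts on packets 0 and 1 only: the content match sees the tunnelled port-80 session, and the 192.168.1.0/24 source restriction keeps the outside host out of scope; `port_1214_only` flags packets 0 and 3 instead, missing the tunnel and ignoring the source network. Snort's real `content` match has the same semantics but runs on reassembled streams, so a header split across segments is still found there and not here.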
 
jasef Commented:
Hi SC,
Back on the ol' Telnet wagon, it appears from my research that there is nothing distinctive in a telnet-initiated packet, therefore no way to filter it as a protocol :(  Anyone who knows differently, please post.