Block KaZaA using Snort

I need a rule to block KaZaA using Snort.
savagecatAsked:

jasefCommented:
Hi savagecat,
Snort is an Intrusion Detection System.  What you are looking for is a firewall, or packet filtering.  This is usually along the lines of IPFW for xBSD, IP Chains or IP Tables for Linux, or a function performed by a router or hardware firewall. Same for telnet.

Cheers!
0
savagecatAuthor Commented:
I know it can be done with a firewall or packet filtering.  There's got to be a way to do it with Snort.
0
savagecatAuthor Commented:
I'd like to edit that post.

I need the rule to identify KaZaA traffic using Snort.
0
jasefCommented:
For the sake of brevity, I'll stop posting on the other thread as it will be the same. Intrusion Detection systems are designed to detect attacks or reconnaissance attempts on your network.  Some will drop or alter traffic (which Snort can do), others will only report it.  Whilst you can use Snort in this capacity, I recommend implementation of a firewall. If you don't care, you can block it as follows:

Telnet...
alert tcp $YOUR_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Login Denied"; flags: A+; content: "Login failed"; nocase; classtype:bad-unknown; sid:492; rev:2; fwsam: dst)
0

jasefCommented:
Just caught your other post on the previous question, so I see where you're coming from now.  This is much trickier.  You need something that can inspect the data packet at layer 7 (both for telnet and KazaA).  Yes, I suspect this is possible through Snort, but I don't know how off the top of my head.  I'll see if I can find anything.
0
jasefCommented:
Did forget to mention that monitoring traffic at this level will be quite resource hungry...  Still looking for telnet filter as for KazaA, you may need to make it up yourself
0
savagecatAuthor Commented:
I gave points on the telnet question via the other thread.

I *think* I have the Kazaa thing...

    alert tcp 192.168.1.0/24 any -> any any ( \
                                  content: "X-Kazaa-Username"; \
                                  resp: rst_all; \
                                  msg: "P2P Kazaa File Transfer";)
0
jasefCommented:
Hey Savage, I was writing that post before I realised you actually wanted to filter telnet as an app, not just requests to the port (note the port 23 in the rule), so what I wrote won't work for what you're after.  Don't know if you can revert the point allocation, but give me a min, I'm still trying to find the telnet identifier... I should be able to earn those points.
Your Kaz rule looks about right, but I haven't traced it recently (like within the last year!!) to be sure
0
SunBowCommented:
Sorry. I recommend blocking it by ridding yourself of employees or users who continue to use it when told not to use it.

There comes a time when obedience to institutional policy has a value, and this is it.  At least seize the affected PC and quarantine for offline repairs indefinitely
0
SunBowCommented:
>  rule to identify KaZaA

Oh, btw, the general case for that product is that it is in a category where its rules of behavior can change from time to time.  What that means is that a designated block will only function on some versions of the product, and not for other versions.  This is part of why a better solution is to better manage the people using it.

You can try also to block IP addresses of remote sites it can access.  That is probably a losing battle, at least is wasteful.  Unless you have limited needs, small group.  For example, with small group block everything, every single site, address, and port, and then only enable the ones that are useful for the users one server, one product, at a time.

Better, I think, say no one is allowed to remain who uses the product, follow up and enforce the rule, like any other. Would you let them perform other abuses too? Where will that end? Stop now. Nip it in the bud.
0
jasefCommented:
Just tried a trace in a few different scenarios, but haven't found the distinction for Telnet yet.  I'll probably post again in a few days on the Telnet thread.
0
Tim HolmanCommented:
Get hold of a Kazaa client, install Ethereal, get a packet capture, identify something common in all the initial Kazaa packets, then block them.
The trouble is, Kazaa packets look like HTTP packets, so you would typically need something at L7 (eg Proxy server) to dissect these and block.  BlueCoat do it, as does Microsoft ISA server (I think?).

0
Tim HolmanCommented:
Another way to detect would be just to look for TCP port 1214, but make sure it's not blocked so Kazaa doesn't try and tunnel via port 80, as this would make it a nightmare to find !!

Plus there are two rules in Snort that could help - SID 1383 and 1699:

http://www.snort.org/cgi-bin/sigs-search.cgi?sid=kazaa
0
CharlyPhillyCommented:
I got this from: http://jk.yazzy.org/openbsd/kazaa.php

First, build and install the flexresp (dynamic connection killing support) flavor of the snort port:

    # cd /usr/ports/net/snort
    # env FLAVOR="flexresp" make install clean

Second, add a snort user and group:

    # groupadd -g 700 _snort
    # useradd -g _snort -d /nonexistant \
          -L daemon -c 'Snort Account' \
          -s /sbin/nologin -u 700 _snort

Check the useradd manual page for a description of the options used.

Third, make a snort directory, and its log directory. The log directory is where alerts will be put, and the user under which snort runs needs write access to this directory.

    # mkdir -p /var/snort/log
    # chown _snort:_snort /var/snort/log

Fourth, create a Snort rule to block Kazaa. The example is for a 192.168.1.0/24 network. If you run a different internal network, change the network mask accordingly. The rule presented will send TCP RST segments in both directions of the Kazaa connection (Kazaa user and Kazaa network), effectively killing the connection as soon as snort detects a packet containing the X-Kazaa-Username string.

    # cat >/var/snort/rules
    alert tcp 192.168.1.0/24 any -> any any ( \
                                  content: "X-Kazaa-Username"; \
                                  resp: rst_all; \
                                  msg: "P2P Kazaa File Transfer";)

At last, start snort:

    # /usr/local/bin/snort -D -h 192.168.1.0/24 \
         -t /var/snort -u _snort -i xl0 \
         -A fast -c /var/snort/rules \
         -l /var/snort/log
0
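A Python sketch of what the rule above actually matches, added here for illustration (it is not from the thread, nor Snort's own code): it applies the same source-network restriction and case-sensitive content check to constructed sample segments, and adds the port-1214 check from Tim Holman's post as a separate, lower-confidence signal. The `Packet` type, `check_packet`, `run_samples` and the sample payloads are assumptions made for this example.

```python
import ipaddress
from typing import List, NamedTuple

# Values taken from the rule and posts in this thread.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
KAZAA_CONTENT = b"X-Kazaa-Username"  # the rule's content: option (no nocase)
KAZAA_PORT = 1214                     # default Kazaa port from Tim Holman's post
class Packet(NamedTuple):
    """Constructed stand-in for a TCP segment; not a real capture."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
def check_packet(pkt: Packet) -> List[str]:
    """Alerts the thread's rule logic would raise for one segment.
    Mirrors 'alert tcp 192.168.1.0/24 any -> any any (content:"X-Kazaa-Username"; ...)'.
    The match is case-sensitive because the rule has no 'nocase'. A second,
    lower-confidence check flags the default port 1214 (detect only, no RST).
    """
    alerts: List[str] = []
    if ipaddress.ip_address(pkt.src) not in HOME_NET:
        return alerts  # rule covers only traffic sourced from the home net
    if KAZAA_CONTENT in pkt.payload:
        alerts.append("P2P Kazaa File Transfer")
    if KAZAA_PORT in (pkt.sport, pkt.dport):
        alerts.append("P2P Kazaa default port 1214")
    return alerts
# Constructed sample traffic, not captured packets.
SAMPLE_PACKETS = [
    # 0: Kazaa-style request tunnelled over port 80; by port alone it looks like HTTP
    Packet("192.168.1.10", 40001, "203.0.113.5", 80,
           b"GET /.files HTTP/1.1\r\nX-Kazaa-Username: alice\r\n\r\n"),
    # 1: same header on the default port; both checks fire
    Packet("192.168.1.11", 40002, "203.0.113.6", 1214,
           b"GET / HTTP/1.1\r\nX-Kazaa-Username: bob\r\n\r\n"),
    # 2: ordinary web request, no alert
    Packet("192.168.1.12", 40003, "203.0.113.7", 80,
           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # 3: header present but source is outside 192.168.1.0/24, so the rule does not apply
    Packet("10.0.0.5", 40004, "203.0.113.8", 80,
           b"GET / HTTP/1.1\r\nX-Kazaa-Username: eve\r\n\r\n"),
    # 4: lower-case header is missed because the rule lacks 'nocase'
    Packet("192.168.1.13", 40005, "203.0.113.9", 80,
           b"GET / HTTP/1.1\r\nx-kazaa-username: carol\r\n\r\n"),
]
def run_samples(packets=SAMPLE_PACKETS) -> List[List[str]]:
    """Evaluate every sample packet and return its alert list, in order."""
    return [check_packet(p) for p in packets]
```

Sample 4 is the practical caveat: a client that changes the header's case, as SunBow warns newer versions may, slips past the rule as written unless `nocase` is added.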
jasefCommented:
Hi SC,
Back on the ol' Telnet wagon, it appears from my research, there is nothing distinctive in a telnet initiated packet, therefore no way to filter it as a protocol :(  Anyone that knows differently please post.
0