Really, you HAVE to do this anyway.  Consider what happens if you miss one of the flavors of P2P and an employee exposes the company to risk.  Is it the employee's fault because there's a policy against it?  Or is it your fault because the 'firewall' didn't stop them?



-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of twig les
Sent: Thursday, February 13, 2003 8:34 PM
To: Erek Adams; Travis S.
Cc: Gustavo Beltrami Rossi; snort-users@lists.sourceforge.net;
snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-users] Stopping outbound Kazaa


In the meanwhile while we get the technical solution working,
try simply putting out a hardcopy memo to everyone threatening
dire consequences to anyone using kazaa in the work network (the
multitude of threats justify this I believe) and reminding them
that you, as net/sysadmin, know everything that happens on your
net.  In other words lie to them and let their ignorance scare
them into doing what you want, like those marijuana = terrorism
commercials.


--- Erek Adams <erek@snort.org> wrote:
> On Thu, 13 Feb 2003, Travis S. wrote:
>
> > Concerning the comment about monitoring a specific port...
> the new
> > version of Kazaa (which is what composes the majority of our
> traffic)
> > will go straight to port 80 if it's default port is blocked.
>
> Yep...  Just like the AOL IM Client.  God, that thing is evil.
>  Just fire
> it up in a testlab off of the net and sniff the traffic.  It
> uses damned
> near every "well known" port to get out.  :-(
>
> > For a while I was looking at using the logs to generate a
> static route
> > table, routing all traffic to a null interface that dealt
> with a Kazaa
> > remote computer.  This was too forceful of a rule, however,
> as it would
> > blacklist all traffic from those computers.  I am in the
> process of
> > getting a machine up to use flexresp and see if we can kill
> outbound
> > connections of file transfers from our network - we'll see
> how well that
> > works.
>
> Honestly, I think you were on the right track with the null
> route.  If you
> did something like "ip route <kaza_server_IP> <netmask> null0"
> that would
> stop anyone from connecting to it...
>
> If that's not useable, then consider using something like
> SnortSam to add
> an outbound ACL to your router.
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S.
> Thompson
>
>
> -------------------------------------------------------
> This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
> are you planning your Web Server Security? Click here to get a
> FREE
> Thawte SSL guide and find the answers to all your  SSL
> security issues.
> http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.        
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day
http://shopping.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your  SSL security issues.
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users