I would like to know how you are using Snort to close or deny ports? The last I checked, Snort was an IDS used for logging and alerting?
At 12:36 PM 4/10/2002 +0200, Georges J. JAHCHAN, P. Eng. wrote:

> Watching traffic and blocking ports on firewalls is not the right solution. Peer-to-peer apps tend to use an ever-changing variation of hosts and ports. Keeping track of the connections is a time-consuming manual process.
>
> If you want to manage how applications use your WAN bandwidth, you need a PacketShaper. It auto-identifies the applications making it to your WAN and allows you to set policies to guarantee, limit or block the WAN bandwidth used by any class of traffic (sort of an application QoS). It acts on both inbound and outbound traffic, and adds less than 2-msec of latency. It has substantial layer-7 "smarts" to identify (and block or tame) Napster, Gnutella and KaZaa amongst others. Check it out at: http://www.packeteer.com
>
> ----- Original Message -----
> From: "Daniel Crichton" <[EMAIL PROTECTED]>
> To: "Julian Gomez" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, April 10, 2002 11:25 am
> Subject: Re: PIX 515
>
> On 10 Apr 2002 at 17:06, Julian Gomez wrote:
>
> > until I'm done doing my thing ;) Question - how do you bolt down Napster and its ilk? I thought it uses a range of dynamic ports, even tunneling through HTTP if it has to.
>
> For the older versions I don't think it would do HTTP tunneling, so I just blocked the ports and server IPs it used. Here's the list of IPs and ports I had blocked back then (in fact still do, although I also run nmap from time to time across the network looking for anything out of the ordinary, although my LAN is now much smaller and everyone knows I keep tabs on what software they have installed!).
>
> 208.184.216.0/24:8875
> 208.178.163.61/32:4444
> 208.178.163.61/32:5555
> 208.178.163.61/32:6666
> 208.178.163.61/32:7777
> 208.178.163.61/32:8888
> 208.178.175.0/24:4444
> 208.178.175.0/24:5555
> 208.178.175.0/24:6666
> 208.178.175.0/24:7777
> 208.178.175.0/24:8888
> 208.184.216.0/24:4444
> 208.184.216.0/24:5555
> 208.184.216.0/24:6666
> 208.184.216.0/24:7777
> 208.184.216.0/24:8888
> 208.49.239.0/24:4444
> 208.49.239.0/24:5555
> 208.49.239.0/24:6666
> 208.49.239.0/24:7777
> 208.49.239.0/24:8888
> 0.0.0.0:6699
>
> the last one being all outgoing connections on 6699.
>
> > Is this PIX specific? Having never touched a PIX - I'm blurry at best.
>
> Nope, I just blocked the above, which I found on a site somewhere when digging around for ways to block Napster. If I had to do it again I'd probably run something like Snort, which allows you to look for specific data in the packets to identify Napster (and other apps) no matter what the destination IP or port, and return the packets to close or deny the connection to the local machine; then the responses from the real destination would be ignored as the connection would already be closed. Obviously to do this you would need Snort running on a machine that could see all packets being passed from the inside to the internet, so placing it is fun in a switched network.
>
> Dan
> ---
> D.C. Crichton              email: [EMAIL PROTECTED]
> Senior Systems Analyst     tel: +44 (0)121 706 6000
> Computer Manuals Ltd.      fax: +44 (0)121 606 0477
>
> Computer book info on the web:
>  http://computer-manuals.co.uk/
> Want to earn money? Join our affiliate network!
>  http://computer-manuals.co.uk/affiliate/
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
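As an added illustration, not code from any message in this thread: a small Python checker for the cidr:port blocklist format Dan posted, reading his 0.0.0.0 entry as "any destination" so that 0.0.0.0:6699 blocks all outgoing connections on 6699. The sample rules are a subset copied from his list; the function names are assumptions of this example.

```python
# Added example (not from the thread): evaluate an outbound flow against a
# "network:port" blocklist of the kind posted above. 0.0.0.0 is read as
# "any destination" (0.0.0.0/0), matching the note about the 6699 entry.
import ipaddress
from typing import List, Tuple

BlockRule = Tuple[ipaddress.IPv4Network, int]

# Constructed subset of the posted list, with the ">" quote marks left in to
# show that the parser tolerates text copied straight out of the mail.
SAMPLE_BLOCKLIST = """
>208.184.216.0/24:8875
>208.178.163.61/32:4444
>208.178.175.0/24:5555
>208.49.239.0/24:8888
>0.0.0.0:6699
"""


def parse_blocklist(text: str) -> List[BlockRule]:
    """Parse one 'network:port' rule per line.

    A bare address is treated as a /32; '0.0.0.0' becomes 0.0.0.0/0.
    An out-of-range port raises ValueError instead of silently producing a
    rule that can never match.
    """
    rules: List[BlockRule] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()
        if not line:
            continue
        net_part, port_part = line.rsplit(":", 1)
        port = int(port_part)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in rule {line!r}")
        if net_part == "0.0.0.0":
            net_part = "0.0.0.0/0"
        rules.append((ipaddress.ip_network(net_part, strict=False), port))
    return rules


def is_blocked(dst_ip: str, dst_port: int, rules: List[BlockRule]) -> bool:
    """True if an outbound flow to dst_ip:dst_port hits any rule."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and dst_port == port for net, port in rules)


RULES = parse_blocklist(SAMPLE_BLOCKLIST)
```

The last assertion in the accompanying check (a listed server on a port not in the list) is exactly the gap Georges raises: a fixed IP/port list only catches the combinations it was written for.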
