Re: blocking new version of kazaa

[Jochem Kossen <j.kossen@home.nl>]

On Sun, Aug 31, 2003 at 10:31:12AM +1000, Oliver Bode wrote:
[snip blocking kazaa traffic]
> 
> At the end of the experiment I came to the conclusion that it is virtually
> impossible to prevent this type of activity altogether. The closest I think
> you can come is by enforcing a strict firewall that only allows certain
> services and blocks everything else and strict organisational policies which
> support it.

Here's what i posted in a previous Kazaa thread.

    Every Kazaa connection uses some text in the packets containing
    'X-Kazaa-Username: username' to identify the users. I use snort
    (flexresp flavor) to filter on this with a rule like this one:

    alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; content: \
    "X-Kazaa-Username"; rev: 1; react: block;)

    Of course this is not ideal, but i don't see any Kazaa traffic on my
    network anymore. Also, i haven't heard of any 'new kazaa' (is it
    implemented differently?)...i've been using this solution for a while
    now (about 6 months)...

    Also, don't forget to run snort chroot'ed, and/or as non-root.

    jk

Should still be relevant. Good luck.

jk

-- 
j . k o s s e n  at  h o m e . n l
      http://jk.yazzy.org
         GNU BSD OSS FS