Blocking P2P Torrent Traffic - FAQ?
-
1 - block ports above 1024
2 - install and enable rule p2p for snort
3 - enable openappID for snort (rule p2p) -
I think snort and the rules are loaded, however looking at the services>snort>interface
blocking is disabled and barnyard2 is disabled and I am still able to torrent ububtux64I am getting snort alerts on status dashboard page but no blocking?
-
Don't block ports above 1024. That's stupid.
You won't stop torrents but you will break other things.Just stick with snort or suricata and get the P2P rules blocking for you. Use the snort vrt and openet free sets. I recommend you only use the P2P rules and you might need to.disable some of those.
Check out the IDS/IPS subforum for specific help getting your rules working.
-
With snort running and p2p libraries linked rebooted machine, still p2p traffic passes, went to pirate bay and transferred ubuntu just fine, logs showed some 2p2 blocking but still transferred the whole 1.6 gig file.
that could have just as easily been a copyrighted program… I need to STOP it all and I cant control the users... I have to limit them.
I do have open DNS locked and have p2p blocking there and that partially works but only by dns, not by protocols.
What do hospitality, hotel, motel, cafe, etc. do to prohibit their customers form doing p2p and torrent stuff...
I know someone there has a solution...
Thank you, please help...
-
Your snort is probably simply alerting instead of of blocking. Orisconfigured in some other way.
-
For WAN the snort libraries selected are as follows
emerging-p2p.rules
snort_p2p.rules
snort_pua-p2p.rules
snort_pua-p2p.so.rules
openappid-p2p_file_sharing.rulesI am getting p2p alerts
"1:2007727
ET P2P possible torrent download"then I will see the ip address come up in the blocked section but transfers continue.
I was downloading a legal torrent from the pirate bay site of ubuntu to test. I did not even notice a slow down, 10-15 mbit d/l speed.
Any ideas, surely someone has active p2p blocking working…
-
You are alerting not blocking.
You need to check out the IDS/IPS subforum. It is not just set it and forget it.
-
It is not just set it and forget it.
This could be the IPS slogan ;)
Love it when users think I just click this IPS button and all set ;) heheheheeh
-
For WAN the snort libraries selected are as follows
emerging-p2p.rules
snort_p2p.rules
snort_pua-p2p.rules
snort_pua-p2p.so.rules
openappid-p2p_file_sharing.rulesI am getting p2p alerts
"1:2007727
ET P2P possible torrent download"then I will see the ip address come up in the blocked section but transfers continue.
I was downloading a legal torrent from the pirate bay site of ubuntu to test. I did not even notice a slow down, 10-15 mbit d/l speed.
Any ideas, surely someone has active p2p blocking working…
It's definitely working but everything is not stopped so the torrent will still work. I can verify I see the alerts and blocks from those alerts but a test of a pirate bay torrent still worked. It's a little more complex than simply checking "Checking this option will automatically block hosts that generate a Snort alert"
-
Are you sure it's not just blocking some of the connections that it can detect and not blocking the connections it can't detect?
