Netgate Discussion Forum
    blocking p2p traffic

    IDS/IPS
    22 Posts 2 Posters 3.5k Views
    Crunch 0 @bmeeks

      @bmeeks

      Hi, thanks for the Snort rule. Yeah, my test machine can catch it. So it proves that Snort works and I have no alternate path to the internet. I see drop alerts in the Alerts tab and I cannot ping (Request timeout).

    bmeeks @Crunch 0

        @crunch-0 said in blocking p2p traffic:

        @bmeeks

        Hi, thanks for the Snort rule. Yeah, my test machine can catch it. So it proves that Snort works and I have no alternate path to the internet. I see drop alerts in the Alerts tab and I cannot ping (Request timeout).

        Then that indicates the p2p rules you are using are insufficient to stop all of the BitTorrent stuff. It is catching part of the conversation between client and peer, but not everything, so the client is still able to make the connection and download. It's not a problem with Snort itself. Instead, it is a problem with the rule or rules attempting to detect the traffic. The rules are apparently not picking up everything.

        The PUA rules are really designed to detect the presence of the target application and not necessarily to block it totally. You may need other rules to completely block the traffic. Try a Google search for "blocking p2p with snort" to get some links. I found a few. Several are old, but some are newer. Here is a newer one: https://www.researchgate.net/publication/334213518_Interception_of_P2P_Traffic_in_a_Campus_Network.

        Here is a SANS Institute paper from 2009 about detecting BitTorrent with Snort: https://www.sans.edu/student-files/presentations/Pres_R_Wanner_Torrents_Snort_V2.pdf.

        Blocking stuff like this is a whack-a-mole game. The developers of the torrent clients strive to make their traffic indistinguishable from regular network traffic (and thus unblockable), and the IDS/IPS rule creators strive to create new detection rules that trigger on the latest evasion techniques, and around and around it goes.... 🙂

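The point bmeeks makes above, that a rule set can fire on part of a BitTorrent conversation while the rest of it passes, can be illustrated with a small classifier. This is an added example, not code from the thread or from Snort; the flow payloads are constructed samples built from the public peer-wire handshake and DHT (BEP 5) message layouts, and the peer_id value and host name are placeholders.

```python
# Added example: a handshake-only signature versus handshake + DHT signatures
# run over constructed sample flows. Not code from the forum thread or Snort.
import re

# Peer-wire handshake layout (68 bytes):
# <pstrlen=0x13><"BitTorrent protocol"><8 reserved><20-byte info_hash><20-byte peer_id>
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"

def is_bt_handshake(payload: bytes) -> bool:
    """Content match anchored at offset 0, the analogue of a Snort rule body like
    content:"|13|BitTorrent protocol"; depth:20;  Only sees the TCP peer handshake."""
    return len(payload) >= 68 and payload.startswith(BT_HANDSHAKE_PREFIX)

# DHT messages are bencoded dicts carrying a transaction id key "t" and a
# message-type key "y" whose value is q (query), r (response) or e (error).
DHT_RE = re.compile(rb"^d.*1:t\d+:.*1:y1:[qre]e$", re.DOTALL)

def is_bt_dht(payload: bytes) -> bool:
    """Matches the UDP DHT traffic that a handshake-only rule never inspects."""
    return bool(DHT_RE.match(payload))

def classify(flows, rules):
    """Return the names of the flows that at least one rule fires on."""
    return {name for name, payload in flows if any(rule(payload) for rule in rules)}

# Constructed sample flows (not captured traffic). "-XX0001-" is a placeholder peer_id.
SAMPLE_FLOWS = [
    ("tcp_peer_handshake",
     BT_HANDSHAKE_PREFIX + b"\x00" * 8 + b"\xaa" * 20 + b"-XX0001-" + b"\x11" * 12),
    ("udp_dht_ping",
     b"d1:ad2:id20:" + b"\x22" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("tcp_http_get",
     b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    # A handshake-only rule set alerts on one flow; the DHT lookups that let the
    # client find peers are still missed, which is the partial coverage described above.
    print("handshake rule only :", sorted(classify(SAMPLE_FLOWS, [is_bt_handshake])))
    print("handshake + DHT     :", sorted(classify(SAMPLE_FLOWS, [is_bt_handshake, is_bt_dht])))
```

Even the combined pair leaves encrypted peer-wire traffic and uTP untouched, which is why the thread calls this a whack-a-mole game.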
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.