Snort doesn't answer to such needs. It is not able to analyze application protocols such as BEEP or Edonkey. See: http://www.snort.org/docs/writing_rules/
filter application protocol based on ip/ports is not efficient. Some application are able to work on almost any port. cheers -----Message d'origine----- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] la part de Chuck Swiger Envoye : dimanche 27 novembre 2005 04:16 A : Alexandre DELAY Cc : [email protected] Objet : Re: Protocol filter capabilities Alexandre DELAY wrote: > I am looking for an efficient way to filter different protocols, such as > edonkey or BEEP. For the moment, I think that ipfw doesn't support it. Sure it does. Start with "deny all" [1] and then add the minimum required open ports, preferably only for a proxy server that the clients are required to use for all outside access. Specificly, look at and combine the closed and simple firewall types in /etc/rc.firewall. You might also try to use bandwidth shaping to prioritize P2P behind more useful traffic like VOIP. > Don't you think that it would be a nice thing to be able to include such > "filters" from, for example, ethereal? > Ethereal support more than 34k different protocols. It woul be nice to be > able to choose from those filters and to apply some rules according to those > filters. You're talking about a reactive IDS. You can rig them up using scripts which monitor logfiles, or something like /usr/ports/security/snort. However, I prefer to use IDS for traffic I permit but want to monitor, not traffic I already know I want to block. -- -Chuck _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "[EMAIL PROTECTED]" _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "[EMAIL PROTECTED]"
