It's homegrown. We are just running a default snort compile with just the p2p rule enabled. The following are the only parameters I used for the snort.conf (aside from disabling all the rules):

var HOME_NET [192.168.0.0/16]
var EXTERNAL_NET !$HOME_NET
include $RULE_PATH/p2p.rules

Running snort with the following parameters:

/usr/local/bin/snort -A fast -D -N -c /usr/local/snort/snort.conf

and blocking the src or dest IP, whichever you prefer, listed in the /var/log/snort/alert file via a perl script. I also disabled the following line in the p2p ruleset due to a lot of false positives:

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

I could email you the script if you like.

On Tue, 2003-09-16 at 16:55, Jun Tanamal wrote:
> Michael Blancas wrote:
>
> >I'm using snort with just the p2p rules and have a perl script that reads the
> >snort alert log and blocks the destination or source (depending on your
> >preference) using iptables. Works perfectly for us, and had a reduction
> >of traffic by almost 50%.
> >
> Voilà! Is there a HOW-TO link on this?

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
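The alert-log-to-iptables step the thread describes, written here as an added Python example rather than the poster's perl script: it parses snort's "-A fast" alert format, uses the HOME_NET from the posted snort.conf to decide which end of the connection is the outside peer, and emits one pair of iptables DROP commands per distinct address. The sample alert lines, the FORWARD-chain commands and the "external"/"internal" switch are assumptions of this example, not details from the post.

```python
import ipaddress
import re

# Constructed sample lines in snort's "-A fast" alert format (not from the post);
# sid 1432 is the Gnutella rule quoted in the thread, peers use documentation IPs.
SAMPLE_ALERTS = """\
09/16-16:55:01.123456  [**] [1:1432:4] P2P GNUTella GET [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:3456 -> 203.0.113.5:6346
09/16-16:55:02.223456  [**] [1:1432:4] P2P GNUTella GET [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.22:1025 -> 203.0.113.9:6346
09/16-16:55:03.323456  [**] [1:1432:4] P2P GNUTella GET [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:3457 -> 203.0.113.5:6346
09/16-16:55:04.423456  [**] [1:1432:4] P2P GNUTella GET [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:5000 -> 192.168.2.3:6346
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Yield one dict per well-formed fast-format alert line; skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def pick_ip(alert, home_net, side="external"):
    """Address to block: the peer outside HOME_NET ("external") or the local host
    ("internal"). None when the alert does not straddle HOME_NET, so it is ignored."""
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    inside = [ip for ip in (src, dst) if ip in home_net]
    outside = [ip for ip in (src, dst) if ip not in home_net]
    if len(inside) != 1 or len(outside) != 1:
        return None
    return str(outside[0] if side == "external" else inside[0])

def iptables_commands(alert_text, home_net="192.168.0.0/16", side="external"):
    """iptables commands, once per distinct address in first-seen order. Deduping
    matters: a naive tail-and-block loop re-adds the same DROP rule per repeat."""
    net = ipaddress.ip_network(home_net)
    seen, cmds = set(), []
    for alert in parse_alerts(alert_text):
        ip = pick_ip(alert, net, side)
        if ip is None or ip in seen:
            continue
        seen.add(ip)
        # Drop both directions through the gateway for this address.
        cmds.append(f"iptables -I FORWARD -s {ip} -j DROP")
        cmds.append(f"iptables -I FORWARD -d {ip} -j DROP")
    return cmds
```

Calling iptables_commands(SAMPLE_ALERTS) yields four commands covering the two outside peers; the purely internal hit and the repeated alert produce nothing extra.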
