This is a discussion on Re: [Snort-users] streaming media detection within the Snort forums, part of the System Security and Security Related category.
You know, I've noticed that the frag processor picks that up sometimes.

Since it is streaming, packets tend to get fragmented somewhere...

J

On Thu, 2005-02-03 at 15:34 -0500, Seth Art wrote:
> I am also interested in detecting streaming audio into our network.
> It's been eating up a ton of our bandwidth. I searched the bleeding
> signatures and it doesn't look like there are any rules yet that look
> for streaming HTTP traffic. Has anyone played with this yet? Is
> there any other way to flag this stuff besides by retroactively
> finding IP address subnets?
>
> -Seth
>
> On Wed, 26 Jan 2005 05:27:12 -0800 (PST), Jose Maria Lopez
> <jkerouac@bgsec.com> wrote:
> > On Wed, 26 Jan 2005 at 05:22, Paul Aviles wrote:
> > > Is there a way to detect people streaming media or listening to music? With most of them using port 80 I am curious as to what approach to use.
> > >
> > > Also, is there a way to send an email upon certain alerts?
> > >
> > > Thanks
> >
> > You can look in the bleeding-edge rules to see if there are some
> > rules to detect this kind of traffic. If you want just to stop
> > this kind of traffic, people usually do it using ACLs with Squid
> > or blocking the IPs these programs connect to.
> >
> > About sending emails with certain alerts, I think OpenAanval
> > can do that.
> >
> > Regards.
> >
> > --
> > Jose Maria Lopez Hernandez
> > Technical Director, bgSEC
> > jkerouac@bgsec.com
> > bgSEC Seguridad y Consultoria de Sistemas Informaticos
> > http://www.bgsec.com
> > SPAIN
> >
> > The only people for me are the mad ones -- the ones who are mad to live,
> > mad to talk, mad to be saved, desirous of everything at the same time,
> > the ones who never yawn or say a commonplace thing, but burn, burn, burn
> > like fabulous yellow Roman candles.
> > -- Jack Kerouac, "On the Road"
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
> > Tool for open source databases. Create drag-&-drop reports. Save time
> > by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
> > Download a FREE copy at http://www.intelliview.com/go/osdn_nl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/...fo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?listsnort-users

--
Joel Esler <eslerj@rcert-s.army.mil>
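The thread asks how to spot streaming media that rides on port 80. The indicators a detector (or a Snort `content:` rule) would key on are in the server's response head: a SHOUTcast-style `ICY 200 OK` status line, `icy-*` metadata headers, or a media `Content-Type`. The classifier below is an added example, not code from anyone in the thread; the list of media MIME types and the sample responses are constructed for illustration.

```python
"""Classify an HTTP(-like) server response head as streaming media or not.

Added example for the Snort-users thread above. The MIME-type list and the
sample responses are assumptions chosen for illustration, not from the thread.
"""
from __future__ import annotations

import re

# Content-Type values that indicate a media stream (assumed indicator list).
STREAMING_TYPE_RE = re.compile(
    r"^(audio/|video/|application/(x-mms-framed|x-mpegurl|"
    r"vnd\.apple\.mpegurl|ogg))",
    re.IGNORECASE,
)


def parse_response_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a response head into (status line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_stream(raw: bytes) -> str | None:
    """Return a short reason if the response looks like a media stream, else None."""
    status, headers = parse_response_head(raw)
    # SHOUTcast/Icecast servers answer "ICY 200 OK" instead of HTTP/1.x ...
    if status.upper().startswith("ICY "):
        return "icy-status-line"
    # ... and tag the stream with icy-* metadata headers.
    if any(name.startswith("icy-") for name in headers):
        return "icy-header"
    ctype = headers.get("content-type", "")
    if STREAMING_TYPE_RE.match(ctype):
        return "content-type:" + ctype.split(";")[0].strip().lower()
    return None


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = {
    "shoutcast": b"ICY 200 OK\r\nicy-name: Demo Radio\r\ncontent-type: audio/mpeg\r\n\r\n",
    "html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>",
    "mp3": b"HTTP/1.0 200 OK\r\nContent-Type: audio/mpeg\r\nContent-Length: 99999999\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name}: {classify_stream(raw)}")
```

A Snort rule built on the same indicators would match on the server-to-client side of port 80 flows; the status-line check matters because a rule that only looks for `HTTP/1.` responses misses SHOUTcast entirely.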