Here's the nbar configuration I use on our routers.

<snip>
ip cef
!
class-map match-any p2p
 match protocol fasttrack
 match protocol gnutella
 match protocol napster
 ! NBAR treats the url string as a regular expression, so "\." is a literal period
 match protocol http url "\.hash=*"
 match protocol http url "/.hash=*"
 match protocol kazaa2
!
policy-map p2p
 class p2p
  ! drop everything classified as p2p, whether it conforms to the 8 kbps CIR or exceeds it
  police cir 8000 bc 1500 be 1500 conform-action drop exceed-action drop
!
! apply on the internal interface, or the external one
interface FastEthernet0/0
 ip nbar protocol-discovery
 service-policy input p2p
 service-policy output p2p
<snip>

I would also recommend the Allot Communications NetEnforcer. I've tested 2 different versions, the AC202/10 and the AC302, on two different networks and it works great for all known p2p traffic. I'm hoping that our administration lets us buy one before too long. I was testing the AC302 on our dorm network and it cut 10 Megabits of traffic down below a Megabit, just by cutting p2p traffic down to 5Kbps. It works very well and it doesn't manipulate packets like some other traffic shapers.

James Williams
Network Systems Operations
West Texas A&M University

-----Original Message-----
From: Justin Pryzby [mailto:justinpryzbyat_private]
Sent: Thursday, May 01, 2003 6:12 PM
To: Jim Dueltgen
Cc: incidentsat_private
Subject: Re: Logs showing GET /.hash=...

Probably, "match protocol" is a regular expression where . means any character and \. is an escape sequence meaning a period.

Justin Pryzby

On Thu, May 01, 2003 at 01:27:00PM -0500, Jim Dueltgen wrote:
>
> I've been working recently with Cisco's Network Based Application
> Recognition (NBAR) trying to keep Kazaa traffic under control in a
> multi-tenant installation and I've only ever found this snippet in
> the documentation:
>
> 2. KaZaA version 2 might use port 80 to get around the Firewall. You
> can control it by adding
>
> match protocol http url \.hash=*
>
> I'm not sure about the \ vs / as it shows in your logs and as one
> would expect to see in a URL but the above is what's in Cisco's
> documentation. My understanding is that the actual download of a
> file via kazaa v2 happens over port 80 in an attempt to get around
> passive packet filtering firewalls.
>
> Regards,
>
> Jim Dueltgen
> LMi.net
>
> At 9:54 AM -0400 4/30/03, Keith Bergen wrote:
> >I have seen log entries in the form:
> >dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 -0400] 'GET /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c HTTP/1.1' 404 323
> >dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 -0400] 'GET /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a HTTP/1.1' 404 323
> >dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 -0400] 'GET /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969 HTTP/1.1' 404 323
> >
> >I looked at past posts, and one indicates that this might be
> >KaZaa traffic. The other post indicated it was 'WinMX'. Can
> >somebody expand on this? For example, what is WinMX? Also,
> >why would KaZaa connect to port 80?
> >
> >Thanks,
> >Keith.
> >
> >----------------------------------------------------------------------------
> >Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> >world's premier event for IT and network security experts. The two-day
> >Training features 6 hands-on courses on May 12-13 taught by professionals.
> >The two-day Briefings on May 14-15 feature 24 top speakers with no vendor
> >sales pitches. Deadline for the best rates is April 25. Register today to
> >ensure your place. http://www.securityfocus.com/BlackHat-incidents
> >----------------------------------------------------------------------------
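As an added example (not part of the original thread, and not James's, Cisco's or Allot's code), the Python script below does on the web-server side what the NBAR class-map does on the router: it parses access-log lines in the format Keith posted and flags requests whose path is exactly "/.hash=" followed by a 40-character hex token, the shape of the three entries he quoted. The sample log is constructed from those three entries plus ordinary and near-miss requests. Two assumptions are mine rather than the thread's: that the token is always 40 hex characters (generalised from the quoted entries, not from any FastTrack specification), and that the single quotes around the request in Keith's lines came from a log viewer, so both quote styles are accepted. The escaped period in the pattern is the detail Justin raises about Cisco's "\.hash=*" string; the near-miss "/xhash=..." line shows what an unescaped "." would wrongly catch.

```python
import re
from collections import Counter

# Constructed sample log: the three entries quoted in the thread, then two normal
# requests, a too-short token, and a near-miss path that differs only in the dot.
SAMPLE_LOG = """\
dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 -0400] "GET /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c HTTP/1.1" 404 323
dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 -0400] "GET /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a HTTP/1.1" 404 323
dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 -0400] 'GET /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969 HTTP/1.1' 404 323
192.0.2.10 - - [29/Apr/2003:22:05:01 -0400] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [29/Apr/2003:22:05:02 -0400] "GET /images/logo.png HTTP/1.1" 200 1024
198.51.100.7 - - [29/Apr/2003:22:06:40 -0400] "GET /.hash=deadbeef HTTP/1.1" 404 323
198.51.100.7 - - [29/Apr/2003:22:06:41 -0400] "GET /xhash=0123456789abcdef0123456789abcdef01234567 HTTP/1.1" 404 323
"""

# NCSA common log format; the request may be wrapped in double or single quotes.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'[\'"](?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+[\'"] '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# A KaZaA v2 / FastTrack-style download request: the path is "/.hash=" followed by
# a 40-character hex token (assumption generalised from the quoted entries).
# "\." matches a literal dot; an unescaped "." would also match "/xhash=...".
HASH_REQ_RE = re.compile(r'^/\.hash=(?P<hash>[0-9a-fA-F]{40})$')


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it is not CLF."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def fasttrack_hash(path):
    """Return the lowercase content hash if `path` is a '/.hash=' request, else None."""
    m = HASH_REQ_RE.match(path)
    return m.group('hash').lower() if m else None


def scan(log_text):
    """Return one (host, time, hash, status) tuple per flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or non-CLF lines rather than crash on them
        h = fasttrack_hash(rec['path'])
        if h is not None:
            hits.append((rec['host'], rec['time'], h, int(rec['status'])))
    return hits


def hits_per_host(hits):
    """Count flagged requests per client host; the noisy hosts are the ones to look at first."""
    return Counter(host for host, _, _, _ in hits)


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for host, when, h, status in found:
        print(f'{host:<20} {when}  hash={h}  status={status}')
    for host, n in hits_per_host(found).most_common():
        print(f'{n:>4} FastTrack-style request(s) from {host}')
```

Run it against a real access log by reading the file into `scan()`; a client that produces these requests in bursts, all answered with 404 as in Keith's log, is the usual sign that a peer is trying to fetch content from a host that is not running KaZaA.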
This archive was generated by hypermail 2b30 : Fri May 02 2003 - 08:20:48 PDT