dcsimg
Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 35

Thread: Blocking messengers

  1. #21
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    I know there's different options to achive the same goal. Thats not what I was asking. Either way, best bet is to block their logon servers I guess. Simplest anyway, and doesn't give me a headache.

    Thanks for all the replies though!

  2. #22
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If you use a NIDS you can also create rules to look for the SYN's on the default port. This will catch the initial SYN against the, (blocked), default port. The you can take a womble down to the offending users desk and slap the little ******* for contravening policy.

    Works for me......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #23
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If you use a NIDS you can also create rules to look for the SYN's on the default port. This will catch the initial SYN against the, (blocked), default port. The you can take a womble down to the offending users desk and slap the little ******* for contravening policy.

    Works for me......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #24
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Hey Nebulus,

    I didn't know IDS's could block traffic as well. What IDS were you referring to? I might check out that option....then supplement that with Tiger Shark's idea.

    Thanks everyone!

  5. #25
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Hey Nebulus,

    I didn't know IDS's could block traffic as well. What IDS were you referring to? I might check out that option....then supplement that with Tiger Shark's idea.

    Thanks everyone!

  6. #26
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I am wanting to say snort can do this (not 100% sure, haven't really tried to do this very often). When I stated this, I had ISS RealSecure in mind, but really I think that most modern NIDS have this capability. It isn't anything special really, it just sends a spoofed packet to the source and destination (pretending to be one or the other) and sends a reset. Both sides will think there was a communication or some other kind of error and drop the connection. If it is something you are not seeing very often it would be safe to do this, but if you were not careful and you set it up to do that on an event that is frequently triggered, you will wind up amplifing the amount of traffic (for every packet it triggers off of, it generates 2 packets to kill the connection) which could do more harm than just letting the event go without resetting the connection.

    Hope this helps,

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #27
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I am wanting to say snort can do this (not 100% sure, haven't really tried to do this very often). When I stated this, I had ISS RealSecure in mind, but really I think that most modern NIDS have this capability. It isn't anything special really, it just sends a spoofed packet to the source and destination (pretending to be one or the other) and sends a reset. Both sides will think there was a communication or some other kind of error and drop the connection. If it is something you are not seeing very often it would be safe to do this, but if you were not careful and you set it up to do that on an event that is frequently triggered, you will wind up amplifing the amount of traffic (for every packet it triggers off of, it generates 2 packets to kill the connection) which could do more harm than just letting the event go without resetting the connection.

    Hope this helps,

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  8. #28
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Just an FYI for those that didn't know: AIM does, in fact, allow you to search and connect on other ports. The other day, I tried connecting with the default port, and it would not allow me to contact the login server. Next, I went into the configuration - where you can change to go through a proxy and so on... Here, I found an option to scan for a port to connect through, and low and behold, it connected over port 21! UGH!
    Opinions are like holes - everybody\'s got\'em.

    Smile

  9. #29
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Just an FYI for those that didn't know: AIM does, in fact, allow you to search and connect on other ports. The other day, I tried connecting with the default port, and it would not allow me to contact the login server. Next, I went into the configuration - where you can change to go through a proxy and so on... Here, I found an option to scan for a port to connect through, and low and behold, it connected over port 21! UGH!
    Opinions are like holes - everybody\'s got\'em.

    Smile

  10. #30
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Nebulus: No point in using the IDS to drop both sides of the connection, (Yes Snort will do this if the rule is written to do it and there is also a test facility that allows a message to be sent to the two machines I believe - I gotta look into that in a minute..... ), since the client will assume it is dropped at the firewall and allow the alternative connection to take place.

    I'm gonna take a look at the message thingy, test it and see what it does. The I might add the message part to a rule for these chat proggies that will be received by the offending user telling them to quit or die...... . I'll see if it works and get back to you all.

    Pooh.....

    I use a custom version of snort that does not include flexresp therefore it doesn't recognize the react keyword and fails out on the rule....... Also, this used to send a message to the browser rather than a windows messaging message, (which would be real nice), so it is designed to limit web access more than anything else - shame really... I coulda had a lot of fun with my (L)users......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •