Core issue

Sensor signatures may include instructions to block sources of a particular attack, whenever that attack is detected. It is also possible to have a trusted network device whose normal, expected behavior appears to be that attack. Sensor signatures can be set to ignore a particular perceived attack when its source is a trusted network device.

Resolution

Using the Cisco Intrusion Detection System (IDS), these are the two signatures related to Kazaa:

• 11000: Kazaa version 2 User Datagram Protocol (UDP) client probe:  
    

  Kazaa is a common Peer-to-Peer (P2P) file sharing application distributed by Sharman Networks. Kazaa clients maintain a loosely meshed, decentralized network of systems sharing files. Certain nodes with sufficient bandwidth and resources serve as supernodes on the network providing a distributed search function.

    

  Kazaa clients send UDP packets to various systems searching for another Kazaa peer. This signature fires when the keyword "Kazaa" is seen in a UDP packet destined for UDP port 1214 (SubSig 0), 1531 (SubSig 1), or from port 3861 (SubSig 2).

    
     
• 11005: Kazaa GET request  
    

  The signature fires when a client request to the default Kazaa server port (Transmission Control Protocol (TCP) 1214) is detected.

    

  If you want to use a firewall, you can try to block ports UDP 1214, 1531 and 3861 TCP 1214.

    
    

  For more information, refer to Configuring Sensors and Signatures.

     

Problem Type

How to (General Information)

Product Family

IDS/IPS management applications

Intrusion Detection (IDS) Management Software

IDS Event Viewer

IDS Device Manager

Features & Tasks

Configuring, editing and tuning signatures