Core issue
Sensor signatures may include instructions to block the source of a particular attack whenever that attack is detected. A trusted network device, however, may have normal, expected behavior that appears to be that attack. Sensor signatures can be set to ignore a particular perceived attack when its source is a trusted network device.
Resolution
The Cisco Intrusion Detection System (IDS) has these two signatures related to Kazaa:
- 11000: Kazaa version 2 User Datagram Protocol (UDP) client probe
Kazaa is a common Peer-to-Peer (P2P) file sharing application distributed by Sharman Networks. Kazaa clients maintain a loosely meshed, decentralized network of systems sharing files. Certain nodes with sufficient bandwidth and resources serve as supernodes on the network, providing a distributed search function.
Kazaa clients send UDP packets to various systems searching for another Kazaa peer. This signature fires when the keyword "Kazaa" is seen in a UDP packet destined for UDP port 1214 (SubSig 0) or 1531 (SubSig 1), or sent from port 3861 (SubSig 2).
- 11005: Kazaa GET request
The signature fires when a client request to the default Kazaa server port (Transmission Control Protocol (TCP) 1214) is detected.
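The conditions described above, together with the trusted-source exception from the core issue, modeled as an added example (not Cisco's sensor code or configuration syntax). The `Packet` fields, the trusted address 192.0.2.10, the case-insensitive keyword match and treating a client request as a payload starting with `GET ` are assumptions; the sample packets are constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes

# Hypothetical trusted device whose normal traffic resembles the attack.
TRUSTED_SOURCES = {"192.0.2.10"}

def match_signature(pkt):
    """Return "sig/subsig" (or "sig") for the first condition met, else None."""
    # Assumption: the "Kazaa" keyword is matched case-insensitively.
    if pkt.proto == "udp" and b"kazaa" in pkt.payload.lower():
        if pkt.dst_port == 1214:
            return "11000/0"
        if pkt.dst_port == 1531:
            return "11000/1"
        if pkt.src_port == 3861:   # SubSig 2 keys on the source port
            return "11000/2"
    # Assumption: a client request is a TCP payload that starts with "GET ".
    if pkt.proto == "tcp" and pkt.dst_port == 1214 and pkt.payload.startswith(b"GET "):
        return "11005"
    return None

def evaluate(pkt):
    """Match first, then apply the trusted-source exclusion."""
    sig = match_signature(pkt)
    if sig is None:
        return "no-match"
    if pkt.src_ip in TRUSTED_SOURCES:
        return "ignored " + sig    # perceived attack from a trusted device
    return "alert " + sig

# Constructed sample packets (documentation address ranges).
SAMPLES = [
    Packet("udp", "198.51.100.7", 40000, 1214, b"\x00KaZaA\x00"),
    Packet("udp", "198.51.100.7", 3861, 5000, b"KaZaA"),
    Packet("udp", "198.51.100.7", 40000, 53, b"KaZaA"),   # keyword, other ports
    Packet("tcp", "198.51.100.7", 40001, 1214, b"GET /file HTTP/1.1\r\n"),
    Packet("udp", "192.0.2.10", 40000, 1531, b"kazaa"),   # trusted source
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.src_ip, p.proto, p.src_port, p.dst_port, "->", evaluate(p))
```

The third sample shows that the keyword alone does not fire signature 11000, and the second shows that SubSig 2 depends on the source port rather than the destination port.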
If you want to use a firewall, you can try to block UDP ports 1214, 1531 and 3861, and TCP port 1214.
For more information, refer to Configuring Sensors and Signatures.
Problem Type
How to (General Information)
Product Family
IDS/IPS management applications
Intrusion Detection (IDS) Management Software
IDS Event Viewer
IDS Device Manager
Features & Tasks
Configuring, editing and tuning signatures