I kind of tried looking around for a solution for your problem the only thing I seem to come up with is Custom signature.
I picked up something for Kazaa a p2p application. THe first thing is that you need to capture those packets using ethereal or any packet sniffer tools. Pick up a sample traffic. Look for something in the traffic sample that will identify the Kazaa application.
Signature identify key parts of the traffic which wouldn't change. For Kazaa the payload seems to have the same last 6 bytes in multiple captures.
Traffic characteristics, usually an UDP packet, Payload always ends with the same 6 bytes, payload ends in "kazaa" followed by null (ox00)
Custom Signature Settings
- Engine: ATOMIC.IP
- L4 Protocol of UDP
- Payload Regex: [Kk][Aa][Zz][Aa][Aa]\x00
Create a custom signature based on this:
In event action you could ask for a Produce Verbose alert. Specify the Layer 4 protocol. Use the Payload inspection to specify the regex.
Leave the signature turned on for atleast a week or two. And check for results.
But you have pre-defined signatures too for p2p traffic clients like
Kazaa 5534 sub sig id 0,1,&2.
MOst engines doing this inspection would be string.tcp or atomic.ip.
You can search your signature details in this site and then tune the signature to deny the connection inline.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...