<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:24.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Cambria","serif";
color:#365F91;
font-weight:bold;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>The best solution I have found in dealing with Bit Torrent (no solution is perfect, mind you) is placing a Snort sensor “In-line” with your network, and using the Open Source Sourcefire and EmergingThreats.net open rules to only block the “specific” Bit Torrent clients and protocols that are causing you issues while allowing the ones used for legitimate purposes to pass through without issue. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Each type of Bit Torrent client has a specific signature specific to it<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>Example:<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;font-family:"Courier New"'>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BitComet)"; flow:to_server,established; <b>content:"User-Agent|3a| BitComet</b>/"; http_header; reference:url,www.bitcomet.com; reference:url,doc.emergingthreats.net/2011710; classtype:policy-violation; sid:2011710; rev:4;)<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><pre style='margin-left:.5in'>alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Vuze BT Connection"; flow:established; <b>content:"|00 00|"; depth:2; content:"|05|AZVER|01|";</b> distance:5; within:7; content:"appid"; within:10; threshold:type limit, track by_src, count 10, seconds 600; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010139; classtype:policy-violation; sid:2010139; rev:5;)<o:p></o:p></pre><pre><o:p> </o:p></pre><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>The 1<sup>st</sup> Snort rule is specific to the BitComet Bittorrent Client, and the 2<sup>nd</sup> rule is specific to Vuze Bittorrent Client. <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>A lot of rules are available, and you can even write your own by sniffing network traffic if you’re so inclined. This allows you to pick and choose which ones to allow and which ones to not allow. A really easy solution to this is simply setting up a Snort sensor with the OS of your choice (BSD/Linux/pfSense/Red Hat/etc.) on a box between your Wi-Fi network and the internet connection that serves your patrons and running a Snort sensor there. 
<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Emerging Threats Open/GPL rules can be found here<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><a href="https://rules.emergingthreats.net/">https://rules.emergingthreats.net/</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Sourcefire Open rules can be found here<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><a href="https://www.snort.org/downloads">https://www.snort.org/downloads</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Just remember you want <b>Snort to be watching the “LAN” part of your Wi-Fi network NOT your WAN</b> as Bit Torrent Network Sigs are sent across your LAN and that’s the point you need Snort sniffing to find them, sniffing WAN traffic is useless for this application as Bittorrent will just keep making connections to different WAN IPs till it slows your network to a crawl. 
By sniffing on the LAN the minute they start that download, Snort will cut the connection to the internet completely leaving them nothing but local LAN access and Bit Torrent will no longer be able to try and make any more connections.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>This won’t work for SSL/TLS encrypted Torrents though</span></b><span style='font-family:"Calibri","sans-serif"'>, however most of all movies and such are not on encrypted torrents. You can also make exceptions for specific patrons pretty easily by simply temporarily suppressing a specific signature for a specific IP or whatnot depending on your platform. I don’t like meddling with encrypted traffic though and I’m simply hands off there. <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>I have had very few issues with Bit Torrent. The ones I had issues with (Bit Torrent clients) were really only used for downloading copyrighted movies and music only and nothing else and I got Snort sigs in place for those specific ones. The other more legit clients I don’t Snort traffic for and they are allowed to pass freely. In cases where it’s a legit use, and it’s blocked by mistake I make exceptions for those cases very easily and all is well. 
It was more of a bandwidth issue for me than anything else, making sure plenty of bandwidth is available for everyone else to be able to use the service too as Bit Torrent can be a hog at times.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>That’s my way of dealing with it, it took me about a year of tuning and writing/modifying rules and such to get it set up how I wanted it to function. Now it just works on its own, and I don’t really have any issues with it. I only see maybe 1-2 Snort alerts per month now concerning Bit Torrent and it’s from the same ones used primarily for downloading music, and the IPs it’s connecting to are the standard nodes for downloading such materials, so it’s working as intended here. <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>It’s not perfect, and if someone is connecting to an encrypted torrent there is nothing I can do about it, but I’m fine with that. If you have the budget Cisco, Juniper, and Fortinet (I think) do make Layer 7 devices that are capable of giving you granular control over all these protocols and such encrypted or not, but they were well out of my price range. 
YMMV<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Sincerely<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Ron Woods<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ron Woods<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Computer Services Manager<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>St. Clairsville Public Library<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(740)-695-2062<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>http://www.stclibrary.org<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> OPLINTECH [mailto:oplintech-bounces@lists.oplin.org] <b>On Behalf Of 
</b>Technology Coordinator<br><b>Sent:</b> Monday, October 17, 2016 11:35 AM<br><b>To:</b> oplintech@lists.oplin.org<br><b>Subject:</b> [OPLINTECH] Bit Torrent traffic managment<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>How are you curtailing Bit Torrent traffic on your wireless networks? I am using Meraki and am seeing multiple instances of Bit Torrent being used to download copyright protected material by individual devices per MAC address. <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Do you block Bit Torrent outright?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Enable Bit Torrent for each individual?<o:p></o:p></p></div><div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The sticky wicket is that there is a legitimate use for this protocol so I am resistant to outright blocking it.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thank you,<o:p></o:p></p></div><div><p class=MsoNormal>Mark<o:p></o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><div><div><p class=MsoNormal><span style='font-size:9.5pt'>Mark Sanzotta<br>Technology Coordinator<br>Ashtabula County District Library<br>4335 Park Ave.<br>Ashtabula, Ohio 44004</span><o:p></o:p></p><div><p class=MsoNormal>Cell: 440.969.5486<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><h1 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:11.25pt;margin-left:0in;line-height:13.5pt'><span style='font-size:10.5pt;font-family:"Georgia","serif";color:#181818;font-weight:normal'>“Google can bring you back 100,000 answers. 
A librarian can bring you back the right one.” ― <a href="http://www.goodreads.com/author/show/1221698.Neil_Gaiman" target="_blank"><span style='color:#666600;text-decoration:none'>Neil Gaiman</span></a><o:p></o:p></span></h1></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div></div></div></div></div></body></html>