How to block emule?

CYa · 11-17-2007, 04:26 PM

Hi there!

I work as a network administrator in a academic enviroment and I am giving a try to an untangled box.

I need to block emule . Already did with messenger by "Protocol Control" without problems but emule keeps on working.

Thanks for your software.

_________________
using untangle 5.0.3

juank · 11-17-2007, 07:36 PM

Cya,

It will keep working (emule) IF you set the block rule AFTER the emule connection was open.

I think that if you re-start Untangle, that will force your EMULE clients to open a new connection, but this time your Protocol Control rule WILL block it.

CYa · 11-18-2007, 12:49 PM

I tested setting the rule before and after to check it. Behaves as you said, thanks for the inpunt Juan. Still have some troubles.

As I did not see any specific pattern for edonkey/emule I added the following pattern from l7 website:

^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x 21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47 \x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x 54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x 9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)

The previous pattern works "very well". In fact, blocks emule protocol and http traffic too.

Any suggestions?

CYa · 11-18-2007, 02:01 PM

Some information from l7 sourceforge forum:

"> since protocol obfuscation in v0.47c was introduced, my router with
> l7-filter (which up to then worked like clockwork) does not recognize
> emule traffic. Is there anything I can do, before our dear
> pattern-makers develop a better pattern?

No, there's nothing you can do without a better pattern. You should also
know that there is a possibility that there is no better pattern. If
emule protocol obfustication means that all traffic is encrypted, then
l7-filter will not be able to match it. However, I have not gotten a
chance to research this. (I encourage others to work on it, since it may
be a while if it's just me.)

-Matthew"

CYa · 11-18-2007, 04:02 PM

By trying again and again I have found a way to block the last emule version (0.48a without obfuscation):

^[\xc5\xd4\xe3-\xe5]

Hope this helps.

brownstone · 02-15-2009, 06:09 PM

using the signature it is now detecting the emule but it still make a connection :-(

mdh · 02-15-2009, 06:40 PM

You'll need to do a Google search to see how emule operates. You might be able to catch it with:

1. Protocol Control - if you can get correct signatures for EACH version of emule in use on your network.
2. Firewall - Blocking access to IPs that make the connection between your user and their emule peers

The people that create these things always try to stay one step ahead, and are often able to do so. Network people spend an infinite number of hours trying to stay even with the people that are trying to stay one step ahead. It has often been pointed out on these forums that the best prevention is to ID your user and tell him that you will have his nads hanging from the doorjam if he doesn't stop using torrents at work/school (where ever you are). In an economy like this, people would not want to lose their job because they just gotta steal one more album.

11-17-2007, 04:26 PM	#1 (permalink)
CYa Newbie Join Date: Nov 2007 Posts: 4	How to block emule? (solved) Hi there! I work as a network administrator in a academic enviroment and I am giving a try to an untangled box. I need to block emule . Already did with messenger by "Protocol Control" without problems but emule keeps on working. Thanks for your software. _________________ using untangle 5.0.3 Last edited by CYa; 11-18-2007 at 04:04 PM.. Reason: being more specific

11-17-2007, 07:36 PM	#2 (permalink)
juank Join Date: Aug 2007 Location: Athens URLs submitted: 46 Posts: 1,474	Cya, It will keep working (emule) IF you set the block rule AFTER the emule connection was open. I think that if you re-start Untangle, that will force your EMULE clients to open a new connection, but this time your Protocol Control rule WILL block it. __________________ -------------------------------- Juan Machado --------------------------------

11-18-2007, 04:02 PM	#5 (permalink)
CYa Newbie Join Date: Nov 2007 Posts: 4	By trying again and again I have found a way to block the last emule version (0.48a without obfuscation): ^[\xc5\xd4\xe3-\xe5] Hope this helps. Last edited by CYa; 11-19-2007 at 02:44 AM..

02-15-2009, 06:40 PM	#7 (permalink)
mdh Join Date: Aug 2007 URLs submitted: 171 Posts: 4,802	You'll need to do a Google search to see how emule operates. You might be able to catch it with: 1. Protocol Control - if you can get correct signatures for EACH version of emule in use on your network. 2. Firewall - Blocking access to IPs that make the connection between your user and their emule peers The people that create these things always try to stay one step ahead, and are often able to do so. Network people spend an infinite number of hours trying to stay even with the people that are trying to stay one step ahead. It has often been pointed out on these forums that the best prevention is to ID your user and tell him that you will have his nads hanging from the doorjam if he doesn't stop using torrents at work/school (where ever you are). In an economy like this, people would not want to lose their job because they just gotta steal one more album. __________________ This space reserved for profound thought.....which does happen on occasion."

Protect

Filter

Perform

Connect

Manage

Add-Ons

11-18-2007, 12:49 PM	#3 (permalink)
CYa Newbie Join Date: Nov 2007 Posts: 4	I tested setting the rule before and after to check it. Behaves as you said, thanks for the inpunt Juan. Still have some troubles. As I did not see any specific pattern for edonkey/emule I added the following pattern from l7 website: ^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x 21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47 \x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x 54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x 9c\x9e\xa0\xa1\xa2\xa3\xa4]\|\x59................?[ -~]\|\x96....$) The previous pattern works "very well". In fact, blocks emule protocol and http traffic too. Any suggestions?

11-18-2007, 02:01 PM	#4 (permalink)
CYa Newbie Join Date: Nov 2007 Posts: 4	Some information from l7 sourceforge forum: "> since protocol obfuscation in v0.47c was introduced, my router with > l7-filter (which up to then worked like clockwork) does not recognize > emule traffic. Is there anything I can do, before our dear > pattern-makers develop a better pattern? No, there's nothing you can do without a better pattern. You should also know that there is a possibility that there is no better pattern. If emule protocol obfustication means that all traffic is encrypted, then l7-filter will not be able to match it. However, I have not gotten a chance to research this. (I encourage others to work on it, since it may be a while if it's just me.) -Matthew"

02-15-2009, 06:09 PM	#6 (permalink)
brownstone Newbie Join Date: Feb 2009 Posts: 1	using the signature it is now detecting the emule but it still make a connection :-(