Policy enforcement in Peer-to-Peer networks using open-source tools
Policy enforcement in Peer-to-Peer networks using open-source tools
Policy enforcement in Peer-to-Peer networks using open-source tools
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Policy</strong> Enforcement <strong>in</strong> <strong>Peer</strong>-<strong>to</strong>-<strong>Peer</strong> Networks Us<strong>in</strong>g Open Source Tools<br />
Khurram Bhatti<br />
Bahria University, Islamabad<br />
khurramcap@yahoo.com<br />
Atif Shehzad<br />
Bahria University, Islamabad<br />
melleck66@yahoo.com<br />
Paper ID — ICOST2006-4<br />
M. Hassan Islam<br />
CASE, Islamabad<br />
mhasanislam@yahoo.com<br />
Abstract<br />
In spite of advances made <strong>in</strong> the world of network<br />
security, a vast majority of security <strong>in</strong>cidents are still<br />
attributed <strong>to</strong> the “<strong>in</strong>ternal threat” – end users – responsible<br />
for mis-configur<strong>in</strong>g devices and programs, unknow<strong>in</strong>gly<br />
propagat<strong>in</strong>g malicious code, or disclos<strong>in</strong>g proprietary<br />
bus<strong>in</strong>ess <strong>in</strong>formation. The emerg<strong>in</strong>g P2P systems have<br />
characteristics that can turn them <strong>in</strong><strong>to</strong> an attractive<br />
<strong>in</strong>frastructure can be exploited <strong>to</strong> breach the security of a<br />
network, if policy regard<strong>in</strong>g their usage <strong>in</strong> not <strong>in</strong> place. A<br />
rapidly evolv<strong>in</strong>g and chang<strong>in</strong>g technology, IDS is a defense<br />
system, purpose <strong>to</strong> f<strong>in</strong>d security violations and detects hostile<br />
activities <strong>in</strong> a host or network .IDS is capable <strong>to</strong> provide a<br />
view of unusual activity and issue alerts notify<strong>in</strong>g<br />
adm<strong>in</strong>istra<strong>to</strong>rs. Accord<strong>in</strong>g <strong>to</strong> Amoroso [1] "Intrusion<br />
Detection is a process of identify<strong>in</strong>g and respond<strong>in</strong>g <strong>to</strong><br />
malicious activity targeted at comput<strong>in</strong>g and network<strong>in</strong>g<br />
re<strong>source</strong>s", also IDS can dist<strong>in</strong>guish between external attacks<br />
by hackers and <strong>in</strong>ternal orig<strong>in</strong>at<strong>in</strong>g from <strong>in</strong>side the<br />
organization. At the simplest level, you can th<strong>in</strong>k of and IDS<br />
as an alarm system, IDS provides much for computers what<br />
the alarm system provides for organization's physical<br />
security. Us<strong>in</strong>g the same defense system, this paper talks<br />
about what a P2P application is with problems when they are<br />
on any host or network. Implementation was done at<br />
iPhonica us<strong>in</strong>g different OpenSource [14] <strong>to</strong>ols <strong>to</strong> come up<br />
with a solution.<br />
Index Terms: Security moni<strong>to</strong>r<strong>in</strong>g, snort, P2P, signature<br />
based, anomaly based, rule based, NIDS, HIDS. <strong>Policy</strong><br />
<strong>enforcement</strong>.<br />
1. Introduction<br />
Internet started with limited s<strong>to</strong>rage and comput<strong>in</strong>g<br />
re<strong>source</strong>s and now it has <strong>in</strong>creased at tremendous rate. [2] To<br />
share re<strong>source</strong>s on <strong>in</strong>ternet ma<strong>in</strong>ly there are two architecture<br />
used, client-server and peer-<strong>to</strong>-peer. In first architecture<br />
though more than one server can be used <strong>to</strong> avoid the<br />
<strong>in</strong>herent flaw of s<strong>in</strong>gle po<strong>in</strong>t failure and improved reliability<br />
and load balanc<strong>in</strong>g but still it is limited <strong>to</strong> number of user<br />
connected, bandwidth available etc. Performance of the<br />
server also depends upon the utilization/underutilization of<br />
CPU, memory free disk space <strong>in</strong> hard disk etc. The<br />
emergence of <strong>Peer</strong>-<strong>to</strong>-<strong>Peer</strong> architecture was based on<br />
utilization of not only the node itself but every other node<br />
member of the group. Thus <strong>in</strong>creas<strong>in</strong>g the reliability,<br />
Fault <strong>to</strong>lerance, load balanc<strong>in</strong>g au<strong>to</strong>matically. In p2p<br />
systems every nodes can share the re<strong>source</strong> of each other<br />
re<strong>source</strong>s without <strong>in</strong>tervention of server, [10] so computer<br />
can behave either as server or client depend<strong>in</strong>g on re<strong>source</strong><br />
share request.<br />
Despite these advantage p2p systems comes with many<br />
<strong>in</strong>herent security flaws because of its work<strong>in</strong>g structure.<br />
The emerg<strong>in</strong>g <strong>Peer</strong>-<strong>to</strong>-<strong>Peer</strong> systems have characteristics<br />
that turn them <strong>in</strong><strong>to</strong> an attractive <strong>in</strong>frastructure that can be<br />
used as attack platform. Attackers that compromise a P2P<br />
system can expect benefits such as a large number of<br />
participants, easy hid<strong>in</strong>g of attack control traffic and good<br />
global distribution of participat<strong>in</strong>g hosts. This gives attackers<br />
high flexibility and at the same time a small risk of be<strong>in</strong>g<br />
identified.<br />
P2P systems has brought many disadvantages over the<br />
<strong>in</strong>ternet which are ma<strong>in</strong>ly discussed <strong>in</strong> this presentation some<br />
of them are i.e. Bandwidth Utilization when used <strong>in</strong> limited<br />
dedicated bandwidth , Malicious code flow, Confidential<br />
company Information leakage.<br />
We believe that an <strong>in</strong>trusion detection system (IDS) can<br />
be the best <strong>to</strong>ol for detect<strong>in</strong>g a malicious P2P application<br />
because security flaws <strong>in</strong>troduced by P2P are not very<br />
specific, and a few of the important identify<strong>in</strong>g parameters<br />
(IP address, port numbers etc) can vary even with<strong>in</strong> the same<br />
application. Moreover, because of the <strong>in</strong>herent anonymity<br />
associated with P2P host, detection of a malicious node is<br />
very difficult.<br />
In part 2 of this paper we have discussed some of the<br />
security problems associated with p2p application. Next<br />
phase deals with traffic analyses of p2p application which<br />
helps <strong>to</strong> generate signatures based on packet fields. These<br />
signatures are then fed <strong>in</strong> snort rules database as discussed <strong>in</strong><br />
part three and four respectively.<br />
2. Problems with P2P applications<br />
The decentralized nature of peer-<strong>to</strong>-peer file shar<strong>in</strong>g<br />
removes the need for a central server, and removes the<br />
possibility of centralized control [5] [12]. Because peer-<strong>to</strong>peer<br />
file shar<strong>in</strong>g <strong>networks</strong> do not require a central server,<br />
they are more scalable and more redundant than centralized<br />
file shar<strong>in</strong>g schemes. <strong>Peer</strong>-<strong>to</strong>-peer file shar<strong>in</strong>g <strong>networks</strong> are<br />
also more resistant <strong>to</strong> legal attacks [13], because there is no
one central entity <strong>to</strong> file a lawsuit aga<strong>in</strong>st. To attack a peer<strong>to</strong>-peer<br />
file shar<strong>in</strong>g network, a claimant must file suits aga<strong>in</strong>st<br />
<strong>in</strong>dividual network users.<br />
Bandwidth Utilization: [6] Many organizations have taken<br />
<strong>to</strong> use l<strong>in</strong>ks <strong>to</strong> create virtual private <strong>networks</strong> between their<br />
officers or central office. VPN performance may suffer if<br />
legitimate traffic has <strong>to</strong> compete with non-bus<strong>in</strong>ess fileshar<strong>in</strong>g<br />
traffic. To cater with the issue traffic shap<strong>in</strong>g<br />
applications can be used so that p2p applications can not<br />
monopolize <strong>in</strong>ternet bandwidth.<br />
Malicious code: P2P applications can provide a conduit<br />
for malicious code <strong>to</strong> enter <strong>in</strong> network such as viruses and<br />
trajon horse programs are a danger ow<strong>in</strong>g <strong>to</strong> file shar<strong>in</strong>g p2p<br />
applications. But by deploy<strong>in</strong>g desk<strong>to</strong>p and server based<br />
antivirus scann<strong>in</strong>g def<strong>in</strong>itions it can greatly reduce the risk.<br />
Fake files [7] It is very hard sometimes <strong>to</strong> tell whether the<br />
files one is download<strong>in</strong>g are <strong>in</strong>deed the authentic files. Media<br />
giants offer apparently popular music or films <strong>to</strong> sniff out<br />
copyright viola<strong>to</strong>rs <strong>in</strong> an effort <strong>to</strong> try <strong>to</strong> protect their products<br />
from be<strong>in</strong>g distributed illegally onl<strong>in</strong>e.<br />
Vulnerable P2P application: [8] P2P applications require<br />
client software <strong>in</strong>stalled. So there are risks that application is<br />
badly code, and crashes the system or it conflicts with the<br />
environment set up for bus<strong>in</strong>ess purpose. There might be a<br />
cause that a p2p user has set up a p2p trap and does damage<br />
or allows <strong>to</strong> access more <strong>in</strong>formation than allowed.<br />
Information leakage: P2P application such as wrapster<br />
can provide an ideal cover and disguise data as Mp3 file and<br />
authorized system user is transferr<strong>in</strong>g <strong>in</strong>formation <strong>to</strong> another<br />
mach<strong>in</strong>e. Instant message provided by Microsoft, Yahoo and<br />
other can also be a great threat <strong>to</strong> the organization a mean <strong>to</strong><br />
transfer organization <strong>in</strong>side <strong>in</strong>formation <strong>to</strong> unauthorized<br />
users.<br />
Copyright issues [7] No one s<strong>in</strong>gle entity has de-fac<strong>to</strong><br />
control of what gets shared; there is an enormous amount of<br />
copyrighted works that are be<strong>in</strong>g illegally distributed without<br />
the consent of their crea<strong>to</strong>rs or rightful owners.<br />
Follow<strong>in</strong>g are few basic actions and technologies that can<br />
be taken <strong>to</strong> reduce these risks.<br />
Block traffic: [8] By block<strong>in</strong>g traffic between servers and<br />
peers, but it is possible that the p2p servers IP addresses<br />
change. Also p2p applications can connect <strong>to</strong> servers us<strong>in</strong>g<br />
socks proxy connections [14]. S<strong>in</strong>ce a proxy can be at any<br />
port and at any address, there is no way <strong>to</strong> prevent this from<br />
happen<strong>in</strong>g, which requires regular update <strong>to</strong> blockage part.<br />
Classify network traffic: [9] Classify<strong>in</strong>g network traffic<br />
<strong>in</strong><strong>to</strong> application and location based then analys<strong>in</strong>g them and<br />
f<strong>in</strong>ally apply<strong>in</strong>g bandwidth partition<strong>in</strong>g and per-session rate<br />
policies.<br />
Security flaws <strong>in</strong>troduced by p2p applications are not<br />
specific <strong>in</strong> any manner, hence there requires a generic<br />
solution<br />
Enforce policy: Enforce written security policies<br />
describ<strong>in</strong>g with applications are allowed <strong>to</strong> <strong>in</strong>stall on desk<strong>to</strong>p<br />
PCs.<br />
Antivirus products: To protect aga<strong>in</strong>st malware, servers,<br />
gateways and desk<strong>to</strong>p should be updated with antivirus<br />
products.<br />
Approach adopted <strong>to</strong> detect p2p applications is <strong>to</strong> focus<br />
on network traffic pattern be<strong>in</strong>g made by communicat<strong>in</strong>g<br />
p2p. Communication between client and server requires<br />
specific pro<strong>to</strong>cols for transactions.<br />
To start with the implementation follow<strong>in</strong>g steps were<br />
taken. Analysis of traffic generated by P2P applications,<br />
Identify unique traffic pattern. Writ<strong>in</strong>g detection rules us<strong>in</strong>g<br />
snort rule sets. Test the validity of signature rules for false<br />
positive and false negatives.<br />
3. Analysis, Design<br />
3.1. Traffic Analysis pattern identification<br />
Figure 1-A shows the actual network configuration and 1-<br />
B shows additional network traffic analyzer placement <strong>to</strong><br />
analyze the traffic. Switch has been replaced with Hub <strong>to</strong><br />
accomplish the purpose <strong>to</strong> mirror the same traffic <strong>to</strong> analyzer.<br />
Network traffic analyses was done us<strong>in</strong>g <strong>open</strong> <strong>source</strong> <strong>to</strong>ol<br />
Ethereal<br />
3.2. Limewire<br />
Figure 1 - Placement of network traffic analyzer<br />
We have selected Limewire [23] as the experimental p2p<br />
application. It is one of the fastest p2p file shar<strong>in</strong>g application<br />
over <strong>in</strong>ternet. It is <strong>open</strong> <strong>source</strong> application and works over<br />
Gnutella pro<strong>to</strong>col [24], which is one of the most widely used<br />
unstructured p2p pro<strong>to</strong>col. Follow<strong>in</strong>g is the traffic pattern<br />
detected when Limewire [23] connects <strong>to</strong> Gnutella network.<br />
Figure 2 - Show<strong>in</strong>g connect request <strong>to</strong> servers
alert udp $HOME_NET 6345:6349 -><br />
$EXTERNAL_NET 6345:6349 (msg: " P2P UDP traffic --<br />
Limewire"; threshold: type threshold,track by_src,count 40,<br />
seconds 300; classtype: policy-violation;<br />
reference:url,www.limewire.com;)<br />
Figure 3 - IP broadcast message by p2p server<br />
[11] From analysis of traffic pattern unique parameters<br />
were identified like a) Port 6364 b) User-Agent: LimeWire<br />
<strong>in</strong> request and response. c) GNUTELLA CONNECT<br />
alert tcp $HOME_NET any -> $EXTERNAL_NET any<br />
(msg: " P2P Gnutella Connect"; flow: established,<strong>to</strong>_server;<br />
content:"GNUTELLA CONNECT/"; nocase; offset: 0; depth:<br />
17; classtype: policy-violation;<br />
reference:url,www.gnutella.com;)<br />
3.4. Test<strong>in</strong>g signatures<br />
When snort was restarted with these new signatures<br />
loaded it captured traffic generated by p2p application<br />
connect<strong>in</strong>g <strong>to</strong> Gnutella network and logged <strong>to</strong> database<br />
configured. Alerts generated are shown <strong>in</strong> the figure below.<br />
Figure 4 - Connect request <strong>to</strong> server<br />
After number of traffic pattern and packet analysis<br />
follow<strong>in</strong>g snort signatures were developed.<br />
3.3. Build<strong>in</strong>g signatures<br />
Snort [20] an <strong>open</strong> <strong>source</strong> <strong>in</strong>trusion detection system is a<br />
packet sniffer/packet logger/network IDS. Its salient features<br />
are<br />
• Runs on multiple OSs.<br />
• Uses a hexdump payload dump.<br />
• Displays all the different network packets the same<br />
way.<br />
Snort’s first signature-based analysis (also known as<br />
rules-based with<strong>in</strong> the Snort community) became a feature <strong>in</strong><br />
late January 1999. As time progressed, so did the number of<br />
rules. The rule types <strong>in</strong>clude P2P, backdoor, distributed<br />
denial of service (DDoS) attacks, Web attacks, viruses, and<br />
many others.<br />
Based on packet analysis follow<strong>in</strong>g snort signatures are<br />
developed. [20]<br />
alert tcp $HOME_NET any -> $EXTERNAL_NET any<br />
(msg: " P2P LimeWire Traffic"; flow: established;<br />
content:"User-Agent\: LimeWire"; nocase; classtype: policyviolation;<br />
reference:url,www.limewire.com; )<br />
alert udp $HOME_NET 6346 -> $EXTERNAL_NET<br />
6346:6700 (msg: " P2P Limewire UDP Traffic";<br />
content:"|49 50 40 83 53 43 50 41|"; threshold: type<br />
threshold, track by_src,count 10, seconds 60; classtype:<br />
policy-violation; reference:url,www.limewire.com;)<br />
Figure 5 - Alert message with date, <strong>source</strong> and dest<strong>in</strong>ation ip<br />
address<br />
These figures are from BASE (Basic Analysis and<br />
Security Eng<strong>in</strong>e) [19] used as front end <strong>to</strong> view and manage<br />
different alerts generated.<br />
3.5. Stats<br />
These stats were taken by runn<strong>in</strong>g the rules on the p2p<br />
traffic along with normal network traffic.<br />
P2P<br />
application<br />
No of test<br />
procedures<br />
False<br />
Positive<br />
False<br />
Negatives<br />
Limewire 25 0 0 25<br />
SeelSouk 25 0 1 24<br />
Kaza 25 0 2 23<br />
Sheraza 25 0 1 24<br />
Overnet 25 0 3 22<br />
Bit<strong>to</strong>rent 25 0 2 23<br />
Ares 25 0 1 24<br />
Table 1 – Stats of true/false alerts<br />
4. Implementation at iPhonica<br />
4.1. Network Analysis<br />
True<br />
Positives<br />
Network at iPhonica [22] is designed <strong>to</strong> operate for data<br />
and VoIP traffic. As shown <strong>in</strong> Figure 6. Firewall is placed at<br />
software level <strong>in</strong> the ma<strong>in</strong> <strong>in</strong>ternet gateway which connects <strong>to</strong><br />
switch operat<strong>in</strong>g under VLAN, one switch provides ports <strong>to</strong><br />
SIP phones and other switch provides ports <strong>to</strong> the data<br />
network devices i.e Desk<strong>to</strong>p computers.
4.2. Solution overview<br />
Figure 6 - Iphonica Network layout<br />
Solution is divided <strong>in</strong><strong>to</strong> 4 modules that comb<strong>in</strong>e as s<strong>in</strong>gle<br />
product <strong>to</strong> perform NIDS function.<br />
A: Mach<strong>in</strong>e <strong>in</strong>stalled with gen<strong>to</strong>o l<strong>in</strong>ux [15] (L<strong>in</strong>ux<br />
distribution) runn<strong>in</strong>g snort <strong>in</strong> promiscuous mode.<br />
B: Database server, with snort database s<strong>to</strong>rage plug-<strong>in</strong><br />
schema <strong>in</strong>stalled. Database can be among, Postgresql [18],<br />
mysql, Oracle, adodb ODBC.<br />
C: Webserver mach<strong>in</strong>e, runn<strong>in</strong>g apache httpd [17]<br />
daemon <strong>to</strong> serve BASE <strong>in</strong>terface, BASE connects <strong>to</strong> database<br />
server and provides reports on the alerts and logs generated.<br />
D: Viewer allowed <strong>to</strong> access BASE [19] Interface,<br />
accessible from any browser, mozill, firefox, opera etc…<br />
Figure 8 - Network layout with NIDS deployed<br />
Figure 8 shows the placement of NIDS sensors. One<br />
sensor is placed before the firewall and another on the data<br />
network part. Sensor-1 placed before the firewall gives us<br />
reports on what k<strong>in</strong>d of traffic we are receiv<strong>in</strong>g on <strong>in</strong>ternet<br />
gateway. While sensor-2 looks for malicious packets that has<br />
passed from the firewall placed.<br />
Figure 9 shows when sensors with p2p rules. If any client<br />
on the data network runs a p2p application and communicates<br />
with p2p network, it’ll be detected by sensor 1, 2 and logged<br />
<strong>to</strong> the database.<br />
Figure 7 - Solution Inter flow<br />
Figure 9 - Network layout NIDS deployed, communication between<br />
p2p client and server
4.3. Open Source <strong>to</strong>ols<br />
Follow<strong>in</strong>g are the <strong>open</strong> <strong>source</strong> [14] <strong>to</strong>ols used <strong>to</strong><br />
implement this solution a) L<strong>in</strong>ux: [15] Unix like operat<strong>in</strong>g<br />
system with CLI and X w<strong>in</strong>dows <strong>to</strong> <strong>in</strong>teract b) PHP: [16] is<br />
server side script<strong>in</strong>g language <strong>to</strong> create dynamic pages on<br />
runtime c) Apache: [17] Apache software foundation has<br />
httpd deamon application <strong>to</strong> serve pages on server side and is<br />
known as webserver. d) Postgresql: [18]A relational database<br />
system e) BASE: [19]BASE is a management portal for all<br />
alerts generated by snort e) SNORT: [20]An Intrusion<br />
detection system which can generate alerts and log related<br />
activity based on the def<strong>in</strong>ed rules and can work at host and<br />
network level. f) Ethereal: [21] Ethereal is network traffic<br />
sniffer application used for packet dissection and analysis.<br />
9. Conclusion<br />
We believe that the successful implementation of a policy<br />
is dependent not only on a well coded software but of the<br />
awareness if users and other allied staff. Furthermore, due <strong>to</strong><br />
short development cycles, cross platform implementation and<br />
vary<strong>in</strong>g level of competencies of designers, detection of P2P<br />
application is becom<strong>in</strong>g a colossal task. Best results can be<br />
achieved by understand<strong>in</strong>g the practical limitations as well as<br />
the capabilities of the technology. The facts such as unbridled<br />
growth of <strong>in</strong>ternet, <strong>open</strong><strong>in</strong>g up <strong>in</strong> electronic trade and lack of<br />
secure systems make it important and pert<strong>in</strong>ent filed of<br />
research, though IDS can't give you 100 performances but it<br />
def<strong>in</strong>itely can lower security breaches, and attacks.<br />
10. References<br />
[1] E. Amoroso, Wykrywanie <strong>in</strong>truzów, Wydawnictwo RM,<br />
Warszawa 1999.<br />
[2] James P. Anderson. Computer Security Threat Moni<strong>to</strong>r<strong>in</strong>g and<br />
Surveillance, James P. Anderson Co., Fort Wash<strong>in</strong>g<strong>to</strong>n, PA (Apr.<br />
1980).<br />
[3] Przemyslaw Kazienko & Piotr Dorosz. Intrusion Detection<br />
System.<br />
[4] Tim Crothers. Implement<strong>in</strong>g Intrusion Detection Sytems.<br />
[5] What is peer-<strong>to</strong>-peer file shar<strong>in</strong>g, http://www.tech-faq.com/p2ppeer-<strong>to</strong>-peer-file-shar<strong>in</strong>g.shtml.<br />
[6] Us<strong>in</strong>g Intrusion Detection <strong>to</strong> Detect Malicious <strong>Peer</strong>-<strong>to</strong>-<strong>Peer</strong><br />
Network. ww.cms.livjm.ac.uk/pgnet2003/submissions/Paper-25.pdf.<br />
[7] SoftCat.<br />
www.softcat.com/articles.php?cmd=showarticle&id=100.<br />
[8] Alberg. Information Security Magaz<strong>in</strong>e,<br />
http://<strong>in</strong>fosecuritymag.techtarget.com/articles/february01/cover.sht<br />
ml.<br />
[9] CISCO. Classify<strong>in</strong>g Network Traffic.,<br />
http://www.cisco.com/en/US/products/ps6350/products_configurati<br />
on_guide_chapter09186a00804a0b41.html<br />
[10] Bradley Mitchell. P2P Network<strong>in</strong>g and P2P Software,<br />
http://compnetwork<strong>in</strong>g.about.com/od/p2ppeer<strong>to</strong>peer/a/p2p<strong>in</strong>troducti<br />
on.htm.<br />
[11] Advanced Network Architecture Research Group. P2P<br />
Network Architecture, http://www-mura.ist.osaka-u.ac.jp/researche.html.<br />
[12] Clay Shirky. What is P2P… And What Isn’t,<br />
http://www.<strong>open</strong>p2p.com/pub/a/p2p/2000/11/24/shirky1-<br />
whatisp2p.html. “O`REILLY Openp2p.com” 11/24/2000<br />
[13] P2Pattacks,<br />
http://www.cs.kent.edu/~javed/DL/surveys/IAD06S-<br />
P2PVulnerabilities-marl<strong>in</strong>g/<strong>in</strong>dex.html.<br />
[14] Def<strong>in</strong>itions for OpenSource<br />
http://en.wikipedia.org/wiki/OpenSource.<br />
[15] L<strong>in</strong>ux , Gen<strong>to</strong>o l<strong>in</strong>ux http://www.gen<strong>to</strong>o.org.<br />
[16] PHP, http://www.php.net.<br />
[17] Apache, http://www.apache.org.<br />
[18] PostgreSQL, http://www.postgresql.org.<br />
[19] ACID/BASE, http://secureideas.<strong>source</strong>forge.net.<br />
[20] Snort IDS, http://www.snort.org.<br />
[21] Ethereal, http://www.ethereal.com.<br />
[22] iPhonica LLC, http://www.iphonica.com.<br />
[23] Limewire P2P application, http://www.limewire.org.<br />
[24] GNUTella Network, http://www.gnutella.com.