We have an IDS system that keeps detecting BitTorrent on our wireless network. The IP that comes across is an AP IP address. I look at the AP identified on the IDS log and don't see "BitTorrent" or P2P traffic from any clients but we have a lot of clients and could be missing it.
I've added P2P networks to the Application firewall for the AP's but I'm still getting notified of BitTorrent traffic on my wireless network.
Can anyone think of why my firewall rule may not be working correctly?
Are you NATing clients on the AP, or bridging them to a local VLAN? NATing will of course make them appear to come from the AP, while bridging means only the AP's own traffic will come from the AP (and you would probably be getting a false positive in this case).
You can create a layer 7 firewall rule for your WiFi. Go:
Wireless/Firewall and Traffic Shaping/Add a layer 7 Firewall Rule
Add the category "Peer to Peer (P2P)" and select "All Peer-to-peer (P2P)".
We are bridging the wireless clients. I have instituted a Layer 7 firewall rule but that is why I'm asking because it doesn't seem to be working.
I'm confused when you say I could be getting a false positive? Are you saying that the false positive is indeed BitTorrent traffic but it's not really on my wireless LAN because of the way it's configured?
If you are bridging, and you see BitTorrent coming from the AP's IP address, then it is highly probable that this is a false positive. The access point itself won't be using BitTorrent.
"False positive" is when an IDS system incorrectly describes the traffic. It means it says it is BitTorrent traffic when in fact it is not.
I wouldn't think it's so much a false positive but rather that there is a device behind/connected to the AP using BitTorrent, but because we are "bridging", my AP is what shows up on the IDS as the device using BitTorrent.
I need to understand why the Layer 7 rule isn't blocking the device using BitTorrent/P2P once the traffic hits the AP.
If there is no BitTorrent traffic because it is a false positive, then the AP has nothing to block.
Have you any other systems to provide evidence that BitTorrent is being used?
I don't have any other systems but the IDS is able to give me the name of the song being downloaded over the BT client so I'm pretty sure it's legit.
I guess I still don't see how an AP that is bridged is generating false positives that my IDS sees as outgoing Internet traffic. The AP is sending traffic, but because all the traffic of the clients is going through the AP, it makes sense that my IDS would identify the AP as the device with the BT client on it, from my way of thinking.
It makes no sense that it is being reported as from the AP.
The user generates a packet using their MAC address and their IP address which is then bridged to the local network. At no point is anything identifying the AP placed in the layer 2 frame or layer 3 packet.
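A small model of the distinction the reply above draws, added here as an example (it is not from any poster and not vendor code): `forward()` shows what the wired side, and therefore the IDS, sees after a bridged versus a NATed AP forwards a client frame, and `triage_alert()` turns that into a first classification of an IDS alert whose source IP is the AP's own. All MAC and IP addresses are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str
    dport: int


@dataclass(frozen=True)
class AccessPoint:
    wired_mac: str
    mgmt_ip: str
    mode: str  # "bridge" or "nat"


def forward(ap: AccessPoint, frame: Frame) -> Frame:
    """Return the frame as it appears on the wired side after the AP forwards it."""
    if ap.mode == "bridge":
        # A bridge relays the client's L2/L3 addresses unchanged; nothing
        # identifying the AP is written into the frame or packet.
        return frame
    if ap.mode == "nat":
        # NAT rewrites the source to the AP's own wired identity, so every
        # client flow appears to originate from the AP.
        return replace(frame, src_mac=ap.wired_mac, src_ip=ap.mgmt_ip)
    raise ValueError(f"unknown AP mode: {ap.mode}")


def triage_alert(ap: AccessPoint, alert_src_ip: str) -> str:
    """First-pass classification of an IDS alert by its reported source IP."""
    if alert_src_ip != ap.mgmt_ip:
        return "client"        # a client address: the AP's L7 rule should apply to it
    if ap.mode == "nat":
        return "nat-hidden"    # real client traffic, masked by the AP's translation
    return "false-positive"    # a bridged AP does not originate client traffic itself


# Constructed sample: one client frame and the same AP in each mode.
CLIENT_FRAME = Frame("aa:bb:cc:00:00:01", "10.0.5.23", "203.0.113.9", 6881)
BRIDGE_AP = AccessPoint("00:11:22:33:44:55", "10.0.5.2", "bridge")
NAT_AP = AccessPoint("00:11:22:33:44:55", "10.0.5.2", "nat")

if __name__ == "__main__":
    for ap in (BRIDGE_AP, NAT_AP):
        seen = forward(ap, CLIENT_FRAME)
        print(ap.mode, "IDS sees src", seen.src_ip, "->", triage_alert(ap, seen.src_ip))
```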