Dana pointed this out to me.... Application Layer Packet Classifier for Linux.
> This is a classifier for the Linux kernel's Netfilter subsystem that identifies packets based on application layer data (OSI layer 7). This means that it can classify packets as HTTP, FTP, Gnucleus, eDonkey2000, etc., regardless of port. Our classifier complements existing ones that match on address, port numbers and so on.

Basically this means your firewall can be told to, say, block HTTP traffic into the network and it'll work regardless of whether some clever employee has set up a webserver on port 8080 or 31337. Wonder how slow it is though; doing regex matching on application layer data doesn't scream "speed" to me :) Course, with today's bandwidth and computer speed....
Will have to try that one out sometime....
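An added illustration, not code from the l7-filter project or from anyone in this thread, of the idea described above: per-protocol patterns are matched against the payload and the port is ignored, so the same HTTP request is caught on 80, 8080 or 31337, while an opaque (tunnelled) payload stays unclassified. The signatures and sample flows are constructed for the example.

```python
import re

# Constructed, simplified signatures in the spirit of a layer-7 classifier.
# These are illustrative patterns, not the project's real pattern files.
# Each regex is tried against the first bytes of a flow's payload;
# the port is never consulted.
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "ftp": re.compile(rb"^220[ -][^\r\n]*\r\n"),
    "ssh": re.compile(rb"^SSH-\d\.\d-"),
}

MAX_INSPECT = 2048  # inspect only the first bytes of a flow to bound regex cost


def classify(payload: bytes) -> str:
    """Return the name of the first matching signature, else 'unknown'."""
    head = payload[:MAX_INSPECT]
    for name, pattern in SIGNATURES.items():
        if pattern.search(head):
            return name
    return "unknown"


def decide(port: int, payload: bytes, blocked: set[str]) -> tuple[str, str]:
    """Compare a port-only rule with a payload-based rule for one flow.

    The port rule only knows 'http means TCP/80'; the layer-7 rule asks
    classify() and so catches the same protocol on any port, but it cannot
    see inside an encrypted tunnel and reports 'unknown' there.
    """
    port_verdict = "drop" if (port == 80 and "http" in blocked) else "accept"
    l7_verdict = "drop" if classify(payload) in blocked else "accept"
    return port_verdict, l7_verdict


# Constructed sample flows (not captured traffic).
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
FTP_BANNER = b"220 ProFTPD Server ready.\r\n"
OPAQUE = bytes(range(0x80, 0xC0))  # looks like ciphertext; no signature matches


if __name__ == "__main__":
    for port, payload in [(80, HTTP_REQ), (8080, HTTP_REQ), (31337, HTTP_REQ),
                          (21, FTP_BANNER), (443, OPAQUE)]:
        print(port, classify(payload), decide(port, payload, {"http"}))
```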
I set up IPP2P for a company that has a couple of hundred users... it cut their monthly bandwidth usage from 400-500+ GB to less than 100 GB.
IPP2P is a plugin for netfilter/iptables that can block eDonkey, Kazaa, WinMX, BitTorrent, etc.
http://nyetwork.org/wiki/iptables
Works great... but like you say, doing CPU-intensive packet inspection on a firewall doesn't make sense; better to set up Snort+ACID to watch a mirrored switch port or something. Would rather have Snort die than the main firewall be affected in whatever way.
> Basically this means your firewall can be told to, say, block HTTP traffic into the network and it'll work regardless of whether some clever employee has set up a webserver on port 8080 or 31337.

A clever employee would use an encrypted tunnel and problem solved.
The admin at my university has blocked everything but ports 80 and 21, to prevent people from using eMule.
We now download from HTTP and FTP servers, and I have to set up a tunnel to get to IRC, etc.
Latest news: ISPs are forced to filter P2P apps or they will be sued by the MPAA.