topic Re: Responding to DMCA takedown requests in General Topics

Responding to DMCA takedown requests

MCmgt — Wed, 24 Oct 2012 18:04:10 GMT

I'm a recent Cisco ASA convert. I'm in an academic environment so bittorrent (and P2P in general) is permitted. We get an occasional DMCA takedown request. Finding the culprit in the ASA world was pretty straightforward: grep the syslog for the NATed port and see if there was a match near the alleged infringement time. I'm having a difficult time figuring out how to identify alleged infringers in Palo Alto land.

This sample notice contains the only material I have to work with from the copyright holder:

INFRINGEMENT DETAIL

- ------------------------------

Infringing Work : AVENGERS (2012), THE

Filename : The Avengers 2012 HQ TS[ [Eng subs when needed P1RAT3-RG

First found (UTC): 2012-10-23T11:30:51.56Z

Last found (UTC): 2012-10-23T11:33:00.20Z

Filesize : 1789259900 bytes

IP Address: 64.80.225.13

IP Port: 36028

Network: BitTorrent

Protocol: BitTorrent

I was thinking that searching the traffic log for ( port.dst eq 36028 ) and ( time_generated leq '2012/10/23 08:00:00' ) (we're GMT -4) would do the trick. Plenty of bittorrent application matches but I haven't found anything close to the time. This has been the case for each takedown notice received since my PA installation.

Ideas of where I'm going wrong?

Rand

Re: Responding to DMCA takedown requests

rmonvon — Wed, 24 Oct 2012 19:41:59 GMT

Hi...Maybe you can change the query to match on src or dst port ( port eq 36028 ). Thanks.

Re: Responding to DMCA takedown requests

jvalentine — Wed, 24 Oct 2012 19:55:11 GMT

Using port.dst and port.src (or just port) will give you the pre-natted information. If you're looking for logs that match up with an entity on the public Internet, then you'll want to use queries like this:

(natsport eq 36028) and (natdport eq 36028)

Generally speaking, most outbound NAT implementations don't modify the destination port - so try it with (natsport eq 36028) and see if that works.

Re: Responding to DMCA takedown requests

mikand — Wed, 24 Oct 2012 20:38:28 GMT

Respond to that threat by asking for srcip and srcport used on their side (and when they replies with this information you can search for it as dstip and dstport in PA logs).

If they refuse to answer then throw this threat to /dev/null.

Re: Responding to DMCA takedown requests

MCmgt — Thu, 25 Oct 2012 12:16:11 GMT

(natsport eq 36028) worked great. Thanks!