Responding to DMCA takedown requests

Reply
Highlighted
L2 Linker

Responding to DMCA takedown requests

I'm a recent Cisco ASA convert. I'm in an academic environment so bittorrent (and P2P in general) is permitted. We get an occasional DMCA takedown request. Finding the culprit in the ASA world was pretty straightforward: grep the syslog for the NATed port and see if there was a match near the alleged infringement time. I'm having a difficult time figuring out how to identify alleged infringers in Palo Alto land.

This sample notice contains the only material I have to work with from the copyright holder:

INFRINGEMENT DETAIL

- ------------------------------

Infringing Work : AVENGERS (2012), THE

Filename : The Avengers 2012 HQ TS[ [Eng subs when needed P1RAT3-RG

First found (UTC): 2012-10-23T11:30:51.56Z

Last found (UTC): 2012-10-23T11:33:00.20Z

Filesize  : 1789259900 bytes

IP Address: 64.80.225.13

IP Port: 36028

Network: BitTorrent

Protocol: BitTorrent


I was thinking that searching the traffic log for ( port.dst eq 36028 ) and ( time_generated leq '2012/10/23 08:00:00' )  (we're GMT -4) would do the trick. Plenty of bittorrent application matches but I haven't found anything close to the time. This has been the case for each takedown notice received since my PA installation.


Ideas of where I'm going wrong?


Rand

Tags (1)
L6 Presenter

Re: Responding to DMCA takedown requests

Hi...Maybe you can change the query to match on src or dst port ( port eq 36028 ).  Thanks.

L7 Applicator

Re: Responding to DMCA takedown requests

Using port.dst and port.src (or just port) will give you the pre-natted information.  If you're looking for logs that match up with an entity on the public Internet, then you'll want to use queries like this:

(natsport eq 36028) and (natdport eq 36028)

Generally speaking, most outbound NAT implementations don't modify the destination port - so try it with (natsport eq 36028) and see if that works. 

L6 Presenter

Re: Responding to DMCA takedown requests

Respond to that threat by asking for srcip and srcport used on their side (and when they replies with this information you can search for it as dstip and dstport in PA logs).

If they refuse to answer then throw this threat to /dev/null.

L2 Linker

Re: Responding to DMCA takedown requests

(natsport eq 36028) worked great. Thanks!


Capture.JPG

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!