Responding to DMCA takedown requests

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Responding to DMCA takedown requests

L2 Linker

I'm a recent Cisco ASA convert. I'm in an academic environment so bittorrent (and P2P in general) is permitted. We get an occasional DMCA takedown request. Finding the culprit in the ASA world was pretty straightforward: grep the syslog for the NATed port and see if there was a match near the alleged infringement time. I'm having a difficult time figuring out how to identify alleged infringers in Palo Alto land.

This sample notice contains the only material I have to work with from the copyright holder:

INFRINGEMENT DETAIL

- ------------------------------

Infringing Work : AVENGERS (2012), THE

Filename : The Avengers 2012 HQ TS[ [Eng subs when needed P1RAT3-RG

First found (UTC): 2012-10-23T11:30:51.56Z

Last found (UTC): 2012-10-23T11:33:00.20Z

Filesize  : 1789259900 bytes

IP Address: 64.80.225.13

IP Port: 36028

Network: BitTorrent

Protocol: BitTorrent


I was thinking that searching the traffic log for ( port.dst eq 36028 ) and ( time_generated leq '2012/10/23 08:00:00' )  (we're GMT -4) would do the trick. Plenty of bittorrent application matches but I haven't found anything close to the time. This has been the case for each takedown notice received since my PA installation.


Ideas of where I'm going wrong?


Rand

1 accepted solution

Accepted Solutions

L7 Applicator

Using port.dst and port.src (or just port) will give you the pre-natted information.  If you're looking for logs that match up with an entity on the public Internet, then you'll want to use queries like this:

(natsport eq 36028) and (natdport eq 36028)

Generally speaking, most outbound NAT implementations don't modify the destination port - so try it with (natsport eq 36028) and see if that works. 

View solution in original post

4 REPLIES 4

L6 Presenter

Hi...Maybe you can change the query to match on src or dst port ( port eq 36028 ).  Thanks.

L7 Applicator

Using port.dst and port.src (or just port) will give you the pre-natted information.  If you're looking for logs that match up with an entity on the public Internet, then you'll want to use queries like this:

(natsport eq 36028) and (natdport eq 36028)

Generally speaking, most outbound NAT implementations don't modify the destination port - so try it with (natsport eq 36028) and see if that works. 

L6 Presenter

Respond to that threat by asking for srcip and srcport used on their side (and when they replies with this information you can search for it as dstip and dstport in PA logs).

If they refuse to answer then throw this threat to /dev/null.

(natsport eq 36028) worked great. Thanks!


Capture.JPG

  • 1 accepted solution
  • 2631 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!