This was on INCIDENTS@SECURITYFOCUS.COM today: If anyone wants a good way to detect napster usage (as well as lots of other shenanigans) you might try using snort IDS. http://myweb.clark.net/~roesch/ "A Lightweight Intrusion Detection System" Jim Forster wrote some snort rules to report on Napster usage. http://snort.rapidnet.com/ Here are the Napster Rules that show ports and content. You can adapt this to your own IDS. It triggers for me whenever I go on napster (I only use napster for research purposes ;^> ) alert tcp any any <> any 6699 (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 8888 (msg:"Napster 8888 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 7777 (msg:"Napster 7777 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 6666 (msg:"Napster 6666 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 5555 (msg:"Napster 5555 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 4444 (msg:"Napster 4444 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 8875 (msg:"Napster Server Login"; flags:PA; content:"anon@napster.com";) -- Bob F EMail BobFi@SWBell.net A Truly Wise Man Never Plays Leapfrog With A Unicorn... -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/