Re: Logs showing GET /.hash=...

[Justin Pryzby <justinpryzby () users sourceforge net>]

Probably, "match protocol" is a regular expression where . means any
character and \. is an escape sequence meaning a period.

Justin Pryzby
On Thu, May 01, 2003 at 01:27:00PM -0500, Jim Dueltgen wrote:
> I've been working recently with Cisco's Network Based Application
> Recognition (NBAR) trying to keep Kazaa traffic under control in a
> multi-tenant installation and I've only ever found this snippet in
> the documentation:
>
> 2. KaZaA version 2 might use port 80 to get around the Firewall. You
> can control it be adding
>
> match protocol http url \.hash=*
>
> I'm not sure about the \ vs / as it shows in your logs and as one
> would expect to see in a URL but the above is what's in Cisco's
> documentation. My understanding is that the actual download of a
> file via kazaa v2 happens over port 80 in an attempt to get around
> passive packet filtering firewalls.
>
> Regards,
>
> Jim Dueltgen
>   LMi.net
>
> At 9:54 AM -0400 4/30/03, Keith Bergen wrote:
> > I have seen log entries in the form:
> > dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 -
> > 0400] 'GET /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c
> > HTTP/1.1' 404 323
> > dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 -
> > 0400] 'GET /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a
> > HTTP/1.1' 404 323
> > dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 -
> > 0400] 'GET /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969
> > HTTP/1.1' 404 323
> >
> > I looked at past posts, and one indicates that this might be
> > KaZaa traffic. The other post indicated it was 'WinMX'. Can
> > somebody expand on this? For example, what is WinMX? Also,
> > why would KaZaa connect to port 80?
> >
> > Thanks,
> > Keith.
> >
> > ----------------------------------------------------------------------------
> > Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> > world's premier event for IT and network security experts. The two-day
> > Training features 6 hand-on courses on May 12-13 taught by professionals.
> > The two-day Briefings on May 14-15 features 24 top speakers with no vendor
> > sales pitches. Deadline for the best rates is April 25. Register today to
> > ensure your place. http://www.securityfocus.com/BlackHat-incidents
> > ----------------------------------------------------------------------------
>
>
> ----------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> world's premier event for IT and network security experts. The two-day
> Training features 6 hand-on courses on May 12-13 taught by professionals. 
> The two-day Briefings on May 14-15 features 24 top speakers with no vendor
> sales pitches. Deadline for the best rates is April 25. Register today to
> ensure your place. http://www.securityfocus.com/BlackHat-incidents
> ----------------------------------------------------------------------------

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------