Snort mailing list archives
Re: Is anyone using 'react' to block the use of Gnutella?
From: Joe Giles <jgiles () joeman1 com>
Date: Tue, 24 Sep 2002 19:53 MDT
Interesting that you mention that about the e-mail service. I have the same alerts in my list; however, my wife and I are the only ones on the mail server, and we both use Linux Evolution to read mail. Maybe another type of worm?
In these instances, it appears that my server IP (my internal network is masq'ed) is the source and there are a wide range of IP ports involved... Here is some output from ACID:

    length = 158
    000 : 47 45 54 20 2F 6F 2F 6F 3F 6D 3D 36 38 63 65 31  GET /o/o?m=68ce1
    010 : 39 39 65 63 32 63 35 35 31 37 35 39 37 63 65 30  99ec2c5517597ce0
    020 : 61 34 64 38 39 36 32 30 66 35 35 26 62 3D 33 64  a4d89620f55&b=3d
    030 : 38 62 62 66 36 30 36 63 37 62 34 36 35 61 35 34  8bbf606c7b465a54
    040 : 38 38 61 31 32 31 33 63 39 35 35 34 30 62 20 48  88a1213c95540b H
    050 : 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77  TTP/1.0..Host: w
    060 : 77 77 2E 6E 30 6F 31 2E 63 6F 6D 3A 38 30 38 30  ww.n0o1.com:8080
    070 : 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55  ..Accept: */*..U
    080 : 73 65 72 2D 41 67 65 6E 74 3A 20 67 6E 6F 6D 65  ser-Agent: gnome
    090 : 2D 76 66 73 2F 31 2E 30 2E 35 0D 0A 0D 0A        -vfs/1.0.5....

This is from one IP address. Here is another:

    length = 335
    000 : 47 45 54 20 2F 61 64 6A 3F 50 6F 6F 6C 3D 46 72  GET /adj?Pool=Fr
    010 : 6F 6E 74 50 61 67 65 5F 31 32 35 78 31 32 35 26  ontPage_125x125&
    020 : 61 6A 74 79 70 65 3D 63 67 69 5F 69 6D 61 67 65  ajtype=cgi_image
    030 : 26 61 6A 6B 65 79 3D 74 69 74 6C 65 26 6C 61 6E  &ajkey=title&lan
    040 : 67 5F 75 73 65 3D 75 6E 69 71 75 65 20 48 54 54  g_use=unique HTT
    050 : 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A  P/1.1..Accept: *
    060 : 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74  /*..Referer: htt
    070 : 70 3A 2F 2F 77 77 77 2E 7A 74 68 69 6E 67 2E 63  p://www.zthing.c
    080 : 6F 6D 2F 69 6E 64 65 78 2E 70 68 70 33 0D 0A 41  om/index.php3..A
    090 : 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20  ccept-Language: 
    0a0 : 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E  en-us..Accept-En
    0b0 : 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65  coding: gzip, de
    0c0 : 66 6C 61 74 65 0D 0A 55 73 65 72 2D 41 67 65 6E  flate..User-Agen
    0d0 : 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28  t: Mozilla/4.0 (
    0e0 : 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45  compatible; MSIE
    0f0 : 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54   6.0; Windows NT
    100 : 20 35 2E 31 3B 20 2E 4E 45 54 20 43 4C 52 20 31   5.1; .NET CLR 1
    110 : 2E 30 2E 33 37 30 35 29 0D 0A 48 6F 73 74 3A 20  .0.3705)..Host: 
    120 : 77 77 77 2E 7A 74 68 69 6E 67 2E 63 6F 6D 3A 38  www.zthing.com:8
    130 : 30 38 31 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A  081..Connection:
    140 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A      Keep-Alive....

These 2 dumps seem to loop over and over through different days and times. However, sometimes it happens minutes and seconds apart. In 2 days, I have 183 of these alerts. Since the 22nd of this month, I have not received any more. I don't see a pattern though; maybe you or someone might pick up on something. If so, share your thoughts.

Thanks,
Joe

Frederick Garbrecht writes:
Hi Scott,

Perhaps this doesn't apply, but have you checked the actual packet content to be sure that the triggering traffic is really Gnutella? I was seeing a lot of these alerts also, but upon looking at the packets it turned out that one of our users was connecting to some web-based external mail server which was triggering alerts.

Fred

----- Original Message -----
From: "Vieth, Scott" <svieth () mail mcw edu>
To: <snort-users () lists sourceforge net>
Sent: Monday, September 23, 2002 3:38 PM
Subject: [Snort-users] Is anyone using 'react' to block the use of Gnutella?

Hi:

Snort is telling me that we have folks using Gnutella to send/receive files from other Gnutella users on the Internet. I've blocked all the 'easy' TCP ports on the firewall to stop P2P file sharing. But the P2P protocols are still getting through. I think they are getting more "firewall-smart". Since Snort can 'see' the folks who are running Gnutella, could I use 'react' to block/disrupt/close those connections? Just wondering....

Thanks,
-Scott Vieth
Medical College of Wisconsin

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
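Fred's advice is to look at the bytes behind a 'Gnutella' alert before reacting to it. As an added example that is not from the thread, Snort or ACID, the Python below rebuilds a payload from an ACID hex dump in the layout shown above and reports whether it is actually a Gnutella handshake, a Gnutella file transfer (which rides on plain HTTP), ordinary HTTP with its Host and User-Agent, or something unrecognised. The sample dump is constructed (it mirrors the first dump's request line and Host), and the /get/ and /uri-res/ transfer paths are taken from the Gnutella protocol, not from the post.

```python
import re

# Constructed sample in ACID's layout ("length = N", then "offset : hex  ascii");
# request line and Host mirror the first dump in the post.
SAMPLE_ACID_DUMP = """\
length = 54
000 : 47 45 54 20 2F 6F 2F 6F 3F 6D 3D 36 38 63 65 31 GET /o/o?m=68ce1
010 : 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A  HTTP/1.0..Host:
020 : 20 77 77 77 2E 6E 30 6F 31 2E 63 6F 6D 3A 38 30  www.n0o1.com:80
030 : 38 30 0D 0A 0D 0A                                80....
"""
HEX_LINE = re.compile(r"\s*[0-9a-f]+\s*:\s*((?:[0-9a-f]{2}(?:\s+|$)){1,16})", re.I)


def parse_acid_dump(text: str) -> bytes:
    """Rebuild the raw payload from an ACID hex dump; the declared length
    drops anything the ASCII column may have contributed on the last line."""
    declared, raw = None, bytearray()
    for line in text.splitlines():
        m_len = re.match(r"\s*length\s*=\s*(\d+)", line)
        if m_len:
            declared = int(m_len.group(1))
        elif (m := HEX_LINE.match(line)):
            raw += bytes.fromhex(m.group(1))  # fromhex ignores the whitespace
    return bytes(raw if declared is None else raw[:declared])


def classify_payload(payload: bytes) -> dict:
    """Say what a 'Gnutella' alert really carried: the Gnutella handshake, a
    Gnutella file transfer (it rides on plain HTTP; the /get/ and /uri-res/
    paths come from the Gnutella protocol, not the thread), ordinary HTTP,
    or something unrecognised (shown as hex)."""
    lines = payload.split(b"\r\n")
    head = lines[0]
    if head.startswith((b"GNUTELLA CONNECT/", b"GNUTELLA/")):
        return {"kind": "gnutella-handshake", "detail": head.decode("latin-1")}
    parts = head.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        headers = {}
        for line in lines[1:]:
            if b":" in line:
                name, value = line.split(b":", 1)
                headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        path = parts[1].decode("latin-1")
        kind = "gnutella-http-transfer" if path.startswith(("/get/", "/uri-res/")) else "http"
        return {"kind": kind, "user_agent": headers.get("user-agent", ""),
                "detail": f"{parts[0].decode('latin-1')} {headers.get('host', '?')}{path}"}
    return {"kind": "unknown", "detail": head[:32].hex()}
```

Run over the two dumps in the post, it reports plain HTTP to www.n0o1.com:8080 (User-Agent gnome-vfs) and to www.zthing.com:8081 (an ad request from MSIE), which is the kind of check that decides whether 'react' would be resetting Gnutella sessions or someone's web browsing.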