Snort mailing list archives

Re: Is anyone using 'react' to block the use of Gnutella?


From: Joe Giles <jgiles () joeman1 com>
Date: Tue, 24 Sep 2002 19:53 MDT


Interesting that you mention that about the e-mail service. I have the same alerts in
my list; however, my wife and I are the only ones on the mail server, and we both
use Linux Evolution to read mail. Maybe another type of worm?
In these instances, it appears that my server IP (my internal network is masqueraded) is
the source and there is a wide range of IP ports involved...

Here is some output from acid:



length = 158

000 : 47 45 54 20 2F 6F 2F 6F 3F 6D 3D 36 38 63 65 31   GET /o/o?m=68ce1
010 : 39 39 65 63 32 63 35 35 31 37 35 39 37 63 65 30   99ec2c5517597ce0
020 : 61 34 64 38 39 36 32 30 66 35 35 26 62 3D 33 64   a4d89620f55&b=3d
030 : 38 62 62 66 36 30 36 63 37 62 34 36 35 61 35 34   8bbf606c7b465a54
040 : 38 38 61 31 32 31 33 63 39 35 35 34 30 62 20 48   88a1213c95540b H
050 : 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77   TTP/1.0..Host: w
060 : 77 77 2E 6E 30 6F 31 2E 63 6F 6D 3A 38 30 38 30   ww.n0o1.com:8080
070 : 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55   ..Accept: */*..U
080 : 73 65 72 2D 41 67 65 6E 74 3A 20 67 6E 6F 6D 65   ser-Agent: gnome
090 : 2D 76 66 73 2F 31 2E 30 2E 35 0D 0A 0D 0A         -vfs/1.0.5....

This is from one IP address.. Here is another:

length = 335

000 : 47 45 54 20 2F 61 64 6A 3F 50 6F 6F 6C 3D 46 72   GET /adj?Pool=Fr
010 : 6F 6E 74 50 61 67 65 5F 31 32 35 78 31 32 35 26   ontPage_125x125&
020 : 61 6A 74 79 70 65 3D 63 67 69 5F 69 6D 61 67 65   ajtype=cgi_image
030 : 26 61 6A 6B 65 79 3D 74 69 74 6C 65 26 6C 61 6E   &ajkey=title&lan
040 : 67 5F 75 73 65 3D 75 6E 69 71 75 65 20 48 54 54   g_use=unique HTT
050 : 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A   P/1.1..Accept: *
060 : 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74   /*..Referer: htt
070 : 70 3A 2F 2F 77 77 77 2E 7A 74 68 69 6E 67 2E 63   p://www.zthing.c
080 : 6F 6D 2F 69 6E 64 65 78 2E 70 68 70 33 0D 0A 41   om/index.php3..A
090 : 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20   ccept-Language: 
0a0 : 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E   en-us..Accept-En
0b0 : 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65   coding: gzip, de
0c0 : 66 6C 61 74 65 0D 0A 55 73 65 72 2D 41 67 65 6E   flate..User-Agen
0d0 : 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28   t: Mozilla/4.0 (
0e0 : 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45   compatible; MSIE
0f0 : 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54    6.0; Windows NT
100 : 20 35 2E 31 3B 20 2E 4E 45 54 20 43 4C 52 20 31    5.1; .NET CLR 1
110 : 2E 30 2E 33 37 30 35 29 0D 0A 48 6F 73 74 3A 20   .0.3705)..Host: 
120 : 77 77 77 2E 7A 74 68 69 6E 67 2E 63 6F 6D 3A 38   www.zthing.com:8
130 : 30 38 31 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   081..Connection:
140 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A       Keep-Alive....

These 2 dumps seem to loop over and over through different days and times. However,
sometimes it happens minutes and seconds apart. In 2 days, I have 183 of these alerts.
Since the 22nd of this month, I have not received any more... I don't see a pattern
though; maybe you or someone might pick up on something. If so, share your thoughts.

Thanks

Joe


Frederick Garbrecht writes:
Hi Scott,
Perhaps this doesn't apply, but have you checked the actual packet content
to be sure that the triggering traffic is really Gnutella? I was seeing
a lot of these alerts also, but upon looking at the packets it turned out
that one of our users was connecting to some web-based external mail server
which was triggering alerts.
Fred
----- Original Message -----
From: "Vieth, Scott" <svieth () mail mcw edu>
To: <snort-users () lists sourceforge net>
Sent: Monday, September 23, 2002 3:38 PM

Subject: [Snort-users] Is anyone using 'react' to block the use of Gnutella?


Hi:

Snort is telling me that we have folks using Gnutella to send/receive files
from other Gnutella users on the Internet. I've blocked all the 'easy' TCP
ports on the firewall to stop P2P file sharing. But the P2P protocols are
still getting through. I think they are getting more "firewall-smart".

Since Snort can 'see' the folks who are running Gnutella, could I use
'react' to block/disrupt/close those connections?

Just wondering....

Thanks,

-Scott Vieth
Medical College of Wisconsin

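The check Fred describes, applied to dumps like the ones Joe pasted, as an added example that is not code from the thread, Snort or ACID: it rebuilds the raw payload from an ACID-style hex dump (offset, hex column, ASCII column) and reports whether the bytes are a Gnutella handshake, a Gnutella file transfer riding on HTTP, or an ordinary HTTP request to a web server on a non-standard port, which is what a "GET" on 8080/8081 usually turns out to be. The sample payloads are constructed and the hostnames in them are placeholders.

```python
import re

# Added example, not code from the thread, Snort or ACID. Rows are located
# by their offset marker, so two rows a mail client fused onto one line
# (as happened in the archived dumps) still parse.
ROW_RE = re.compile(r"(?:^|\s)([0-9A-Fa-f]{3})\s*:\s*((?:[0-9A-Fa-f]{2}\s)+)")

def parse_acid_dump(text: str) -> bytes:
    """Collect the hex column of every row; the ASCII column is ignored."""
    rows = ROW_RE.findall(text)
    return b"".join(bytes.fromhex("".join(col.split())) for _off, col in rows)

def to_acid_dump(data: bytes) -> str:
    """Render bytes in the same layout (16 bytes per row) for display."""
    out = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexcol = " ".join(f"{b:02X}" for b in chunk).ljust(47)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"{off:03x} : {hexcol}   {asc}")
    return "\n".join(out) + "\n"

def classify_payload(data: bytes) -> dict:
    """Triage a payload: Gnutella handshake, Gnutella download over HTTP,
    plain HTTP request (a false positive for a Gnutella alert), or unknown."""
    if data.startswith((b"GNUTELLA CONNECT/", b"GNUTELLA/", b"GNUTELLA OK")):
        return {"kind": "gnutella-handshake"}
    head, _, rest = data.partition(b"\r\n")
    m = re.match(rb"(GET|HEAD|POST) (\S+) HTTP/1\.[01]$", head)
    if not m:
        return {"kind": "unknown"}
    path = m.group(2).decode("ascii", "replace")
    headers = {}
    for line in rest.split(b"\r\n"):
        if b":" in line:
            k, v = line.split(b":", 1)
            headers[k.strip().lower().decode("ascii", "replace")] = v.strip().decode("ascii", "replace")
    # Gnutella downloads use HTTP GET on /get/<index>/<name> or /uri-res/N2R?urn:sha1:...
    kind = "gnutella-http-transfer" if path.startswith(("/get/", "/uri-res/")) else "http-request"
    return {"kind": kind, "path": path, "host": headers.get("host"),
            "user_agent": headers.get("user-agent")}

# Constructed samples (not captures from the thread): a browser-style request
# to a web server on port 8080, and a Gnutella 0.6 handshake.
HTTP_SAMPLE = (b"GET /o/o?m=1 HTTP/1.0\r\nHost: www.example.com:8080\r\n"
               b"User-Agent: gnome-vfs/1.0.5\r\n\r\n")
GNUTELLA_SAMPLE = b"GNUTELLA CONNECT/0.6\r\nUser-Agent: constructed/0.0\r\n\r\n"
```

Feed `classify_payload(parse_acid_dump(dump_text))` a dump copied from ACID to see which of the three kinds it is; `to_acid_dump` is only there to produce test input in the same layout.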


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users