Snort mailing list archives
RE: Sneaky traffic WAS: RE: openaanval calling home
From: "Travis Wixel" <traxely () hotmail com>
Date: Tue, 20 Apr 2004 03:48:32 +0000
Yup. In your process.php file near the bottom there is a value "1800". Change this to whatever you like. It is the number of seconds to wait between requests to the server.
And if you didn't already know, they released version 1.43 tonight.
From: "BM HM" <bm0714 () hotmail com>
To: traxely () hotmail com
Subject: RE: [Snort-users] Sneaky traffic WAS: RE: openaanval calling home
Date: Mon, 19 Apr 2004 20:57:24 -0500

Very cool. Did you happen to find out where to set the frequency of the $version_checking?

Thanx

From: "Travis Wixel" <traxely () hotmail com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sneaky traffic WAS: RE: openaanval calling home
Date: Tue, 20 Apr 2004 01:20:36 +0000

This URL was in the code: http://update.aanval.com/updater/openaanval_ver

It is just pulling down the latest version of openaanval and checking that against the file:
/aanval_site_dir/version/version.txt

If they do not match it displays the new available version and gives you a link to download.

My install v1.42 was set to poll every 30 minutes (from process.php in the /apps/ dir)

This is easily turned off within your conf.php file:
$version_checking=1;

I on the other hand chose to leave it on, as it is a nice feature as long as they don't abuse it. I do think they need to publish that they do this, just as some of us are very very security aware and would want to know everything which is going on.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of BM HM
Sent: Monday, April 19, 2004 5:50 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] openaanval calling home

I was just watching some tcpdump traffic and noticed my snort box making an outbound connection to 217.160.255.191

Looking up the IP I found that it is the website for openaanval 'www.aanval.com'. It appears that exactly every 30 minutes, I mean EXACTLY it makes a short http connection to the aanval website.

I looked through the php code and I think it is simply checking for version information, but I am not experienced enough to know for real. Is this something I should be concerned about? Could they be piggy-backing data maybe?
What would they want to collect anyway?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
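The check-in discussed in this thread was noticed by eye in tcpdump output. As an added example (not part of the original thread and not OpenAanval code), the script below flags any destination that a host contacts at a near-constant interval. The log lines are constructed in `tcpdump -tttt -n` style, and 192.0.2.10 and 198.51.100.7 are placeholder addresses.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (SYN packets only), not captured traffic.
# 192.0.2.10 = placeholder sensor, 198.51.100.7 = placeholder web server.
SAMPLE = """\
2004-04-19 17:00:00.120000 IP 192.0.2.10.32801 > 217.160.255.191.80: Flags [S], seq 1, length 0
2004-04-19 17:03:12.400000 IP 192.0.2.10.32802 > 198.51.100.7.80: Flags [S], seq 1, length 0
2004-04-19 17:04:40.900000 IP 192.0.2.10.32803 > 198.51.100.7.80: Flags [S], seq 1, length 0
2004-04-19 17:30:00.310000 IP 192.0.2.10.32810 > 217.160.255.191.80: Flags [S], seq 1, length 0
2004-04-19 17:51:05.000000 IP 192.0.2.10.32811 > 198.51.100.7.80: Flags [S], seq 1, length 0
2004-04-19 18:00:00.090000 IP 192.0.2.10.32820 > 217.160.255.191.80: Flags [S], seq 1, length 0
2004-04-19 18:30:00.250000 IP 192.0.2.10.32830 > 217.160.255.191.80: Flags [S], seq 1, length 0
2004-04-19 18:47:33.700000 IP 192.0.2.10.32831 > 198.51.100.7.80: Flags [S], seq 1, length 0
2004-04-19 18:49:02.100000 IP 192.0.2.10.32832 > 198.51.100.7.80: Flags [S], seq 1, length 0
2004-04-19 19:00:00.180000 IP 192.0.2.10.32840 > 217.160.255.191.80: Flags [S], seq 1, length 0
"""

# Timestamp, then destination IP and port of an outbound SYN.
LINE = re.compile(
    r"^(\S+ \S+) IP [\d.]+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def find_beacons(text, min_conns=4, max_jitter=2.0):
    """Return {(dst_ip, dst_port): mean_interval_seconds} for destinations
    contacted at least min_conns times with inter-connection gaps whose
    standard deviation is at most max_jitter seconds."""
    times = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            times[(m.group(2), int(m.group(3)))].append(ts)
    hits = {}
    for dst, seen in times.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        # Require enough gaps for the deviation to mean something.
        if len(gaps) >= max(2, min_conns - 1) and pstdev(gaps) <= max_jitter:
            hits[dst] = round(mean(gaps))
    return hits


if __name__ == "__main__":
    for (ip, port), interval in find_beacons(SAMPLE).items():
        print(f"{ip}:{port} contacted every ~{interval}s")
```

The reported interval can be compared against the polling value in the application's configuration; a mismatch, or a periodic destination with no corresponding setting, is what warrants a closer look at the payload.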