RE: Sneaky traffic WAS: RE: openaanval calling home

["Travis Wixel" <traxely () hotmail com>]

Yup.

In your process.php file near the bottom there is a value "1800" change this 
to whatever you like. It is the number of seconds to wait between requests 
to the server.

And if you didn't already know, they released version 1.43 tonight.


> From: "BM HM" <bm0714 () hotmail com>
> To: traxely () hotmail com
> Subject: RE: [Snort-users] Sneaky traffic WAS: RE: openaanval calling home
> Date: Mon, 19 Apr 2004 20:57:24 -0500
>
> Very cool. Did you happen to find out where to set the frequency of the 
> $version_checking?
>
> Thanx
>
>
> > From: "Travis Wixel" <traxely () hotmail com>
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Sneaky traffic WAS: RE: openaanval calling home
> > Date: Tue, 20 Apr 2004 01:20:36 +0000
> >
> >
> > This URL was in the code:
> > http://update.aanval.com/updater/openaanval_ver
> >
> > It is just pulling down the latest version of openaanval and checking that 
> > against the file:
> > /aanval_site_dir/version/version.txt
> >
> > If they do not match it displays the new available version and gives you a 
> > link to download.
> >
> > My install v1.42 was set to poll every 30 minutes (from process.php in the 
> > /apps/ dir)
> >
> > This is easily turned off within your conf.php file:
> > $version_checking=1;
> >
> > I on the other hand chose to leave it on, as it is a nice feature as long 
> > as they don't abuse it. I do think they need to publish that they do this, 
> > just as some of us are very very security aware and would want to know 
> > everything which is going on.
> >
> >
> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net
> > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of BM HM
> > Sent: Monday, April 19, 2004 5:50 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] openaanval calling home
> >
> > I was just watching some tcpdump traffic and noticed my snort box making 
> > an
> > outbound connection to 217.160.255.191
> >
> > Looking up the IP I found that it is the website for openaanval
> > 'www.aanval.com'. It appears that exactly every 30 minutes, I mean EXACTLY
> > it makes a short http connection to the aanval website.
> >
> > I looked through the php code and I think it is simply checking for 
> > version
> > information, but I am not experienced enough to know for real. Is this
> > something I should be concerned about?
> >
> > Could they be piggy-backing data maybe? What would they want to collect
> > anyway?
> >
> > _________________________________________________________________
> > Stop worrying about overloading your inbox - get MSN Hotmail Extra 
> > Storage! 
> > http://join.msn.com/?pgmarket=en-us&page=hotmail/es2&ST=1/go/onm00200362ave/direct/01/
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: IBM Linux Tutorials
> > Free Linux tutorial presented by Daniel Robbins, President and CEO of
> > GenToo technologies. Learn everything from fundamentals to system
> > administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

_________________________________________________________________
MSN Toolbar provides one-click access to Hotmail from any Web page – FREE 
download! http://toolbar.msn.com/go/onm00200413ave/direct/01/



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users