RE: Logs showing GET /.hash=...

["Arnold, Jamie" <harnold () binghamton edu>]

Kazaa and others also use HTTP tunneling or now encryption to get around
NBAR and packet shapers. 


-----Original Message-----
From: Jim Dueltgen [mailto:jimd () lmi net] 
Sent: Thursday, May 01, 2003 1:28 PM
To: keith () keithbergen com; incidents () securityfocus com

I've been working recently with Cisco's Network Based Application
Recognition (NBAR) trying to keep Kazaa traffic under control in a
multi-tenant installation and I've only ever found this snippet in the
documentation:

2.  KaZaA version 2 might use port 80 to get around the Firewall. You can
control it be adding

match protocol http url \.hash=*

I'm not sure about the \ vs / as it shows in your logs and as one would
expect to see in a URL but the above is what's in Cisco's documentation.  My
understanding is that the actual download of a file via kazaa v2 happens
over port 80 in an attempt to get around passive packet filtering firewalls.

Regards,

Jim Dueltgen
   LMi.net

At 9:54 AM -0400 4/30/03, Keith Bergen wrote:
> I have seen log entries in the form:
> dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 - 0400] "GET 
> /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c
> HTTP/1.1" 404 323
> dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 - 0400] "GET 
> /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a
> HTTP/1.1" 404 323
> dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 - 0400] "GET 
> /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969
> HTTP/1.1" 404 323
>
> I looked at past posts, and one indicates that this might be KaZaa 
> traffic. The other post indicated it was "WinMX". Can somebody expand 
> on this? For example, what is WinMX? Also, why would KaZaa connect to 
> port 80?
>
> Thanks,
> Keith.
>
> -----------------------------------------------------------------------
> ----- Attend Black Hat Briefings & Training Europe, May 12-15 in 
> Amsterdam, the world's premier event for IT and network security 
> experts.  The two-day Training features 6 hand-on courses on May 12-13 
> taught by professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no 
> vendor sales pitches.  Deadline for the best rates is April 25.  
> Register today to ensure your place. 
> http://www.securityfocus.com/BlackHat-incidents
> -----------------------------------------------------------------------
> -----


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------



----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------