RE: Logs showing GET /.hash=...

["James Williams" <jwilliams () mail wtamu edu>]

Here's the nbar configuration I use on our routers.

<snip>

ip cef 
! 
class-map match-any p2p 
match protocol fasttrack 
match protocol gnutella 
match protocol napster 
match protocol httpurl "\.hash=*" 
match protocol httpurl "/.hash=*" 
match protocol kazaa2 
! 
! 
policy-map p2p 
class p2p 
police cir 8000 bc 1500 be 1500 
conform-action drop 
exceed-action drop 


interface FastEthernet0/0 (internal interface, or external)
ip nbar protocol-discovery 
service-policy input p2p 
service-policy output p2p

</snip>

I would also recommend the Allot Communications NetEnforcer. I've tested
2 different versions, the AC202/10 and the AC302, on two different
networks and it works great for all known p2p traffic. I'm hoping that
our administration lets us buy one before to long. I was testing the
AC302 on our dorm network and it cut 10 Megabits of traffic down below a
Megabit, just by cutting p2p traffic down to 5Kbps. It works very well
and it doesn't manipulate packets likes some other traffic shapers.


James Williams
Network Systems Operations
West Texas A&M University

-----Original Message-----
From: Justin Pryzby [mailto:justinpryzby () users sourceforge net] 
Sent: Thursday, May 01, 2003 6:12 PM
To: Jim Dueltgen
Cc: incidents () securityfocus com
Subject: Re: Logs showing GET /.hash=...

Probably, "match protocol" is a regular expression where . means any
character and \. is an escape sequence meaning a period.

Justin Pryzby
On Thu, May 01, 2003 at 01:27:00PM -0500, Jim Dueltgen wrote:
> I've been working recently with Cisco's Network Based Application
> Recognition (NBAR) trying to keep Kazaa traffic under control in a
> multi-tenant installation and I've only ever found this snippet in
> the documentation:
>
> 2. KaZaA version 2 might use port 80 to get around the Firewall. You
> can control it be adding
>
> match protocol http url \.hash=*
>
> I'm not sure about the \ vs / as it shows in your logs and as one
> would expect to see in a URL but the above is what's in Cisco's
> documentation. My understanding is that the actual download of a
> file via kazaa v2 happens over port 80 in an attempt to get around
> passive packet filtering firewalls.
>
> Regards,
>
> Jim Dueltgen
>   LMi.net
>
> At 9:54 AM -0400 4/30/03, Keith Bergen wrote:
> > I have seen log entries in the form:
> > dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 -
> > 0400] 'GET /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c
> > HTTP/1.1' 404 323
> > dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 -
> > 0400] 'GET /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a
> > HTTP/1.1' 404 323
> > dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 -
> > 0400] 'GET /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969
> > HTTP/1.1' 404 323
> >
> > I looked at past posts, and one indicates that this might be
> > KaZaa traffic. The other post indicated it was 'WinMX'. Can
> > somebody expand on this? For example, what is WinMX? Also,
> > why would KaZaa connect to port 80?
> >
> > Thanks,
> > Keith.
>
> -----------------------------------------------------------------------
-----
> > Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,
the
> > world's premier event for IT and network security experts. The
two-day
> > Training features 6 hand-on courses on May 12-13 taught by
professionals.
> > The two-day Briefings on May 14-15 features 24 top speakers with no
vendor
> > sales pitches. Deadline for the best rates is April 25. Register
today to
> > ensure your place. http://www.securityfocus.com/BlackHat-incidents
>
> -----------------------------------------------------------------------
-----
>
------------------------------------------------------------------------
----
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,
the
> world's premier event for IT and network security experts. The two-day
> Training features 6 hand-on courses on May 12-13 taught by
professionals. 
> The two-day Briefings on May 14-15 features 24 top speakers with no
vendor
> sales pitches. Deadline for the best rates is April 25. Register today
to
> ensure your place. http://www.securityfocus.com/BlackHat-incidents
------------------------------------------------------------------------
----
>

------------------------------------------------------------------------
----
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,
the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by
professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no
vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today
to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
------------------------------------------------------------------------
----


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------