Snort mailing list archives

RE: [Snort-sigs] Triangle Boy


From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Wed, 7 Aug 2002 14:41:41 -0400

All the reports say it's available in Source Code from their site ... but
wait a sec ... safeweb.com doesn't seem to be responding ... weird ...

John

-----Original Message-----
From: O'Flynn, Derek [mailto:DOFlyn () lsuhsc edu]
Sent: Tuesday, July 23, 2002 12:40 PM
To: snort-sigs () lists sourceforge net
Subject: RE: [Snort-sigs] Triangle Boy


Triangle boy spoofs the IP on the returning packet to be the "triangle"
client, thereby hiding the safeweb servers.  Check out the link John
provided; they explain it in detail.  I don't see this as being such a large
problem since there is no mass way of downloading the program yet.  If it
does show up on download.com or even a link on their site, then I would
consider it a problem.  I would like to see if there is a signature
somewhere, I'm trying to find the executable, at which point I can work on a
signature, but as of yet, don't have the executable in hand.  If someone has
the link to download it please post it.

Derek



-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com] 
Sent: Monday, July 22, 2002 5:22 PM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Triangle Boy

On Mon, Jul 22, 2002 at 11:22:52AM -0700, Florin Andrei wrote:
> http://siliconvalley.internet.com/news/article.php/707911
>
> Anyone has sigs for this nasty little baby?
>
> --
> Florin Andrei
>
> Don't break things that don't need to be broken
> while you're fixing things that really need fixing.

My personal take: this is *almost* as much vaporware as they accuse
PeekaBooty of being..

It's certainly a great deal of PR fluff.

While PeekaBooty supposedly works from a "..distributed server
cloud.." (in other words, you don't really know *where* a specific set
of content is coming from), apparently Triangle Boy works by using
"..the SafeWeb server, which returns the requested page directly to
the client browser.."

So how are they going to hide the SafeWeb server's IP address, or the
IP addresses of their server farm?

Block that, and you've got them by the -- um.. -- you get the idea...



- John
-- 
"Cowardly refusing to create an empty archive."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

