Snort mailing list archives

Akamai NetSession


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 19 Sep 2013 15:31:15 -0600

All,

I'm sending this off to VRT/ET...my brain says this software is PUA, regardless of what http://www.akamai.com/client has to say. Below are two rules to catch the server list download and log upload:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Akamai NetSession server list download"; flow:to_server, established; content:"User-Agent|3a 20|Akamai|20|NetSession|20|C-API"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.akamai.com/client; classtype:unknown; sid:10000091; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Akamai NetSession log upload"; flow:to_server, established; content:"user-agent|3a|Akamai|20|NetSession|20|Interface"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.akamai.com/client; classtype:unknown; sid:10000092; rev:1;)

The FAQ neglects to mention a) the silent install (note the exe name in the additional reading below), and b) the large volume of STUN traffic it generates:

124 2013-09-19 14:21:51.669093000 192.168.1.7 -> 69.192.2.140 UDP 87 Source port: 50129 Destination port: 3478
125 2013-09-19 14:21:51.669276000 192.168.1.7 -> 209.170.97.215 UDP 73 Source port: 50130 Destination port: 3478
126 2013-09-19 14:21:51.670272000 192.168.1.7 -> 69.31.16.16 UDP 73 Source port: 50130 Destination port: 3478
127 2013-09-19 14:21:51.670336000 192.168.1.7 -> 72.246.184.7 UDP 73 Source port: 50130 Destination port: 3478
128 2013-09-19 14:21:51.670397000 192.168.1.7 -> 69.31.16.4 UDP 73 Source port: 50130 Destination port: 3478
129 2013-09-19 14:21:51.729341000 209.170.97.215 -> 192.168.1.7 UDP 105 Source port: 3478 Destination port: 50130
130 2013-09-19 14:21:51.770854000 69.31.16.16 -> 192.168.1.7 UDP 105 Source port: 3478 Destination port: 50130
131 2013-09-19 14:21:51.772712000 69.31.16.4 -> 192.168.1.7 UDP 105 Source port: 3478 Destination port: 50130
132 2013-09-19 14:21:51.842479000 72.246.184.7 -> 192.168.1.7 UDP 105 Source port: 3478 Destination port: 50130
134 2013-09-19 14:21:52.367738000 192.168.1.7 -> 209.170.97.215 UDP 160 Source port: 50130 Destination port: 3478
135 2013-09-19 14:21:52.368191000 192.168.1.7 -> 69.31.16.16 UDP 160 Source port: 50130 Destination port: 3478
136 2013-09-19 14:21:52.368244000 192.168.1.7 -> 72.246.184.7 UDP 160 Source port: 50130 Destination port: 3478
137 2013-09-19 14:21:52.368292000 192.168.1.7 -> 69.31.16.4 UDP 160 Source port: 50130 Destination port: 3478
138 2013-09-19 14:21:52.368324000 192.168.1.7 -> 209.170.97.215 UDP 161 Source port: 50130 Destination port: 3478
139 2013-09-19 14:21:52.368353000 192.168.1.7 -> 69.31.16.16 UDP 161 Source port: 50130 Destination port: 3478

I suppose we could sig up the stun IP lookup:

40 2013-09-19 14:21:46.580752000 192.168.1.7 -> 192.168.1.1 DNS 82 Standard query A stun.client.akadns.net
41 2013-09-19 14:21:46.646693000 192.168.1.1 -> 192.168.1.7 DNS 523 Standard query response A 72.246.184.13 A 96.6.40.28 A 209.170.97.215 A 213.248.117.241 A 213.248.117.249 A 217.212.238.118 A 217.212.238.135 A 69.192.2.132

Pcaps enclosed....additional reading:

https://client.akamai.com/conf/client_single_user_conf.html
http://www.nojokeit.com/2011/11/windows-firewall-blocked.html

Thanks all...as usual anything to make these more useful is greatly appreciated.

James

Attachment: logput.pcapng
Attachment: configget.pcapng
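The two rules above rely on Snort's byte-exact `content:` matching: `|3a 20|` is the hex escape for ": ", and without a `nocase` modifier the header name is compared case-sensitively, so sid 10000092 fires only on a literal lowercase `user-agent:` with no space after the colon. The following is an added example, not code from the post or from Snort, that translates the rule contents into the bytes they match and runs them against constructed request headers (the request paths and Host values are placeholders, not observed traffic):

```python
import re

# A Snort content: string is literal text plus |xx xx| runs of hex bytes.
_HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]*)\|")

# The two content strings from the rules in the post (sids 10000091 and 10000092).
RULES = {
    10000091: "User-Agent|3a 20|Akamai|20|NetSession|20|C-API",   # server list download
    10000092: "user-agent|3a|Akamai|20|NetSession|20|Interface",  # log upload
}


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort `content:` value into the exact bytes it matches.

    '|3a 20|' becomes b': '; text outside the pipes is taken literally.
    Without the `nocase` modifier Snort compares these bytes case-sensitively.
    """
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def header_matches(content: str, http_headers: bytes, nocase: bool = False) -> bool:
    """Emulate a `content:...; http_header;` test against a raw request header block."""
    needle = snort_content_to_bytes(content)
    haystack = http_headers
    if nocase:  # Snort's `nocase` modifier folds both sides before comparing
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


def matching_sids(http_headers: bytes) -> list[int]:
    """Return the sids whose content string appears in the given header block."""
    return sorted(sid for sid, content in RULES.items()
                  if header_matches(content, http_headers))


# Constructed request headers for testing (assumed, not captured traffic):
# paths and Host are placeholders, only the User-Agent lines follow the rules.
REQ_SERVER_LIST = (
    b"GET /constructed-config-path HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Akamai NetSession C-API\r\n"
    b"\r\n"
)
REQ_LOG_UPLOAD = (
    b"POST /constructed-log-path HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"user-agent:Akamai NetSession Interface\r\n"
    b"\r\n"
)
# Same log-upload request with the header name capitalised: sid 10000092
# carries no `nocase`, so this variant is not matched.
REQ_LOG_UPLOAD_CAPS = REQ_LOG_UPLOAD.replace(b"user-agent:", b"User-Agent:")

if __name__ == "__main__":
    for name, req in [("server list", REQ_SERVER_LIST),
                      ("log upload", REQ_LOG_UPLOAD),
                      ("log upload, capitalised", REQ_LOG_UPLOAD_CAPS)]:
        print(f"{name:25s} -> sids {matching_sids(req)}")
```

If the pcap shows the client always sending the lowercase, space-less header, the rule as written is the tightest match; if the header casing varies between client versions, adding `nocase` (and relaxing the `|3a|` to allow an optional space) is the usual way to keep the signature from going quiet.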

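The STUN burst above (one host contacting five different servers on UDP/3478 within a second) is also catchable on the wire or in flow logs without a content signature. As an added example that is not part of the post, the script below parses the tshark summary lines quoted in the message and flags any internal host that reaches several distinct STUN servers inside a short window; the window and server-count thresholds are assumptions chosen for illustration, not values from the post:

```python
import re
from collections import defaultdict
from datetime import datetime

STUN_PORT = 3478

# tshark summary lines taken from the capture quoted in the post (frames 124-139).
SAMPLE_TSHARK = """\
124 2013-09-19 14:21:51.669093000 192.168.1.7 -> 69.192.2.140 UDP 87 Source port: 50129 Destination port: 3478
125 2013-09-19 14:21:51.669276000 192.168.1.7 -> 209.170.97.215 UDP 73 Source port: 50130 Destination port: 3478
126 2013-09-19 14:21:51.670272000 192.168.1.7 -> 69.31.16.16 UDP 73 Source port: 50130 Destination port: 3478
127 2013-09-19 14:21:51.670336000 192.168.1.7 -> 72.246.184.7 UDP 73 Source port: 50130 Destination port: 3478
128 2013-09-19 14:21:51.670397000 192.168.1.7 -> 69.31.16.4 UDP 73 Source port: 50130 Destination port: 3478
129 2013-09-19 14:21:51.729341000 209.170.97.215 -> 192.168.1.7 UDP 105 Source port: 3478 Destination port: 50130
130 2013-09-19 14:21:51.770854000 69.31.16.16 -> 192.168.1.7 UDP 105 Source port: 3478 Destination port: 50130
131 2013-09-19 14:21:51.772712000 69.31.16.4 -> 192.168.1.7 UDP 105 Source port: 3478 Destination port: 50130
132 2013-09-19 14:21:51.842479000 72.246.184.7 -> 192.168.1.7 UDP 105 Source port: 3478 Destination port: 50130
134 2013-09-19 14:21:52.367738000 192.168.1.7 -> 209.170.97.215 UDP 160 Source port: 50130 Destination port: 3478
135 2013-09-19 14:21:52.368191000 192.168.1.7 -> 69.31.16.16 UDP 160 Source port: 50130 Destination port: 3478
136 2013-09-19 14:21:52.368244000 192.168.1.7 -> 72.246.184.7 UDP 160 Source port: 50130 Destination port: 3478
137 2013-09-19 14:21:52.368292000 192.168.1.7 -> 69.31.16.4 UDP 160 Source port: 50130 Destination port: 3478
138 2013-09-19 14:21:52.368324000 192.168.1.7 -> 209.170.97.215 UDP 161 Source port: 50130 Destination port: 3478
139 2013-09-19 14:21:52.368353000 192.168.1.7 -> 69.31.16.16 UDP 161 Source port: 50130 Destination port: 3478
"""

# Matches the UDP summary format tshark printed above; other protocols are skipped.
_LINE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<src>\S+) -> (?P<dst>\S+)"
    r"\s+UDP\s+(?P<length>\d+)\s+Source port: (?P<sport>\d+)\s+Destination port: (?P<dport>\d+)$"
)


def _parse_ts(date: str, time: str) -> datetime:
    """tshark prints nanoseconds; strptime's %f takes at most six digits."""
    sec, _, frac = time.partition(".")
    return datetime.strptime(f"{date} {sec}.{frac[:6] or '0'}", "%Y-%m-%d %H:%M:%S.%f")


def parse_tshark(text: str) -> list[dict]:
    """Turn tshark UDP summary lines into packet dicts; unparsable lines are dropped."""
    pkts = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({"frame": int(d["frame"]), "ts": _parse_ts(d["date"], d["time"]),
                     "src": d["src"], "dst": d["dst"], "length": int(d["length"]),
                     "sport": int(d["sport"]), "dport": int(d["dport"])})
    return pkts


def stun_summary(pkts: list[dict], window_s: float = 5.0, min_servers: int = 3) -> dict:
    """Per internal host: STUN request/reply counts and the largest number of
    distinct STUN servers contacted inside any window_s-second window.
    A host is marked as a burst when that number reaches min_servers (thresholds are assumed)."""
    per_host = defaultdict(lambda: {"requests": 0, "replies": 0, "servers": set(), "events": []})
    for p in pkts:
        if p["dport"] == STUN_PORT:          # outbound STUN request
            h = per_host[p["src"]]
            h["requests"] += 1
            h["servers"].add(p["dst"])
            h["events"].append((p["ts"], p["dst"]))
        elif p["sport"] == STUN_PORT:        # reply from a STUN server
            per_host[p["dst"]]["replies"] += 1

    result = {}
    for host, h in per_host.items():
        events = sorted(h["events"])
        best, j = 0, 0
        for i in range(len(events)):        # sliding window over request times
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_s:
                j += 1
            best = max(best, len({dst for _, dst in events[i:j]}))
        result[host] = {"stun_requests": h["requests"], "stun_replies": h["replies"],
                        "distinct_servers": len(h["servers"]),
                        "max_servers_in_window": best, "burst": best >= min_servers}
    return result


if __name__ == "__main__":
    for host, s in stun_summary(parse_tshark(SAMPLE_TSHARK)).items():
        print(host, s)
```

The same logic transfers directly to NetFlow or firewall logs, where the STUN port and the fan-out to many distinct servers are the only fields needed; the DNS lookup for stun.client.akadns.net that the post shows is a cheaper first-stage indicator when DNS logging is available.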
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs