Re: Logs showing GET /.hash=...

From: Jim Dueltgen (jimdat_private)
Date: Thu May 01 2003 - 10:27:52 PDT

Next message: Justin Pryzby: "Re: Logs showing GET /.hash=..."

Previous message: Russell Fulton: "Re: UDP packets towards port 38293 (NAV)"
Next in thread: Justin Pryzby: "Re: Logs showing GET /.hash=..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I've been working recently with Cisco's Network Based Application 
Recognition (NBAR) trying to keep Kazaa traffic under control in a 
multi-tenant installation and I've only ever found this snippet in 
the documentation:

2.  KaZaA version 2 might use port 80 to get around the Firewall. You 
can control it be adding

match protocol http url \.hash=*

I'm not sure about the \ vs / as it shows in your logs and as one 
would expect to see in a URL but the above is what's in Cisco's 
documentation.  My understanding is that the actual download of a 
file via kazaa v2 happens over port 80 in an attempt to get around 
passive packet filtering firewalls.

Regards,

Jim Dueltgen
   LMi.net

At 9:54 AM -0400 4/30/03, Keith Bergen wrote:
>I have seen log entries in the form:
>dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 -
>0400] "GET /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c
>HTTP/1.1" 404 323
>dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 -
>0400] "GET /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a
>HTTP/1.1" 404 323
>dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 -
>0400] "GET /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969
>HTTP/1.1" 404 323
>
>I looked at past posts, and one indicates that this might be
>KaZaa traffic. The other post indicated it was "WinMX". Can
>somebody expand on this? For example, what is WinMX? Also,
>why would KaZaa connect to port 80?
>
>Thanks,
>Keith.
>
>----------------------------------------------------------------------------
>Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
>world's premier event for IT and network security experts.  The two-day
>Training features 6 hand-on courses on May 12-13 taught by professionals. 
>The two-day Briefings on May 14-15 features 24 top speakers with no vendor
>sales pitches.  Deadline for the best rates is April 25.  Register today to
>ensure your place. http://www.securityfocus.com/BlackHat-incidents
>----------------------------------------------------------------------------


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------

Next message: Justin Pryzby: "Re: Logs showing GET /.hash=..."
Previous message: Russell Fulton: "Re: UDP packets towards port 38293 (NAV)"
Next in thread: Justin Pryzby: "Re: Logs showing GET /.hash=..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu May 01 2003 - 15:11:04 PDT