Kazaa and others also use HTTP tunneling or now encryption to get around NBAR and packet shapers.

-----Original Message-----
From: Jim Dueltgen [mailto:jimdat_private]
Sent: Thursday, May 01, 2003 1:28 PM
To: keithat_private; incidentsat_private

I've been working recently with Cisco's Network Based Application Recognition (NBAR) trying to keep Kazaa traffic under control in a multi-tenant installation and I've only ever found this snippet in the documentation:

2. KaZaA version 2 might use port 80 to get around the Firewall. You can control it by adding

   match protocol http url \.hash=*

I'm not sure about the \ vs / as it shows in your logs and as one would expect to see in a URL but the above is what's in Cisco's documentation.

My understanding is that the actual download of a file via kazaa v2 happens over port 80 in an attempt to get around passive packet filtering firewalls.

Regards,
Jim Dueltgen
LMi.net

At 9:54 AM -0400 4/30/03, Keith Bergen wrote:
>I have seen log entries in the form:
>dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 - 0400] "GET /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c HTTP/1.1" 404 323
>dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 - 0400] "GET /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a HTTP/1.1" 404 323
>dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 - 0400] "GET /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969 HTTP/1.1" 404 323
>
>I looked at past posts, and one indicates that this might be KaZaa
>traffic. The other post indicated it was "WinMX". Can somebody expand
>on this? For example, what is WinMX? Also, why would KaZaa connect to
>port 80?
>
>Thanks,
>Keith.
>
>----------------------------------------------------------------------------
>Attend Black Hat Briefings & Training Europe, May 12-15 in
>Amsterdam, the world's premier event for IT and network security
>experts. The two-day Training features 6 hands-on courses on May 12-13
>taught by professionals.
>The two-day Briefings on May 14-15 features 24 top speakers with no
>vendor sales pitches. Deadline for the best rates is April 25.
>Register today to ensure your place.
>http://www.securityfocus.com/BlackHat-incidents
>----------------------------------------------------------------------------
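Added example, not part of the original thread: one way to pull the GET /.hash=<hex> requests discussed above out of a web server access log and count them per client. The sample lines, host names and hash values are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the access-log format quoted in the thread.
# Host names and hash values are made up for this example.
SAMPLE_LOG = """\
host-a.example.net - - [29/Apr/2003:22:04:17 -0400] "GET /.hash=0123456789abcdef0123456789abcdef01234567 HTTP/1.1" 404 323
host-a.example.net - - [29/Apr/2003:22:04:22 -0400] "GET /.hash=89abcdef0123456789abcdef0123456789abcdef HTTP/1.1" 404 323
host-b.example.net - - [29/Apr/2003:22:05:01 -0400] "GET /index.html HTTP/1.1" 200 5120
host-c.example.net - - [29/Apr/2003:22:06:40 - 0400] "GET /.hash=fedcba9876543210fedcba9876543210fedcba98 HTTP/1.1" 404 323
host-b.example.net - - [29/Apr/2003:22:07:13 -0400] "GET /docs/?hash=abc HTTP/1.1" 200 812
this line is not a log entry
"""

# Common Log Format: host ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# The request path is exactly "/.hash=" followed by a hex digest. The thread's
# entries show 40 hex digits; any hex length is accepted here (assumption).
HASH_RE = re.compile(r'^/\.hash=(?P<hash>[0-9a-fA-F]+)$')


def find_hash_requests(log_text):
    """Return (host, timestamp, hash, status) for each GET /.hash=<hex> request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "GET":
            continue  # unparseable line or a different method
        h = HASH_RE.match(m.group("path"))
        if h:
            hits.append((m.group("host"), m.group("ts"),
                         h.group("hash").lower(), int(m.group("status"))))
    return hits


def summarize(hits):
    """Count matching requests per client host, busiest first."""
    return Counter(host for host, *_ in hits).most_common()


if __name__ == "__main__":
    for host, count in summarize(find_hash_requests(SAMPLE_LOG)):
        print(f"{host}\t{count} /.hash= requests")
```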
This archive was generated by hypermail 2b30 : Thu May 01 2003 - 20:29:42 PDT