[Dshield] Kazaa inquiry to dst port 80?

John Sage jsage at finchhaven.com
Tue Nov 19 08:13:30 GMT 2002


Thought this a bit odd. Notice that the destination port on my end is
TCP:80.

Usually I'd see TCP:1214 on my end.


Given:

ngrep -ext -I "snort-1118 at 0536.log" "" "src host 129.63.51.28" 


input: snort-1118 at 0536.log
filter: ip and ( src host 129.63.51.28 )
#
T 2002/11/18 13:12:37.114088 129.63.51.28:1971 -> 12.82.128.22:80 [S]
#
T 2002/11/18 13:12:37.354045 129.63.51.28:1971 -> 12.82.128.22:80 [A]
#
T 2002/11/18 13:12:37.644120 129.63.51.28:1971 -> 12.82.128.22:80 [AP]
  47 45 54 20 2f 2e 68 61    73 68 3d 30 38 30 61 38    GET /.hash=080a8
  32 62 64 62 36 38 64 35    63 32 30 30 30 62 35 39    2bdb68d5c2000b59
  32 35 33 38 63 36 61 33    62 32 37 66 64 64 65 31    2538c6a3b27fdde1
  30 38 39 20 48 54 54 50    2f 31 2e 31 0d 0a 48 6f    089 HTTP/1.1..Ho
  73 74 3a 20 31 32 2e 38    32 2e 31 32 38 2e 32 32    st: 12.82.128.22
  3a 38 30 0d 0a 55 73 65    72 41 67 65 6e 74 3a 20    :80..UserAgent:
  4b 61 7a 61 61 43 6c 69    65 6e 74 20 53 65 70 20    KazaaClient Sep
  31 36 20 32 30 30 32 20    32 33 3a 35 39 3a 34 33    16 2002 23:59:43
  0d 0a 58 2d 4b 61 7a 61    61 2d 55 73 65 72 6e 61    ..X-Kazaa-Userna
  6d 65 3a 20 61 69 72 73    6f 66 74 70 72 6f 0d 0a    me: airsoftpro..
  58 2d 4b 61 7a 61 61 2d    4e 65 74 77 6f 72 6b 3a    X-Kazaa-Network:
  20 4b 61 5a 61 41 0d 0a    58 2d 4b 61 7a 61 61 2d     KaZaA..X-Kazaa-
  49 50 3a 20 31 32 39 2e    36 33 2e 35 31 2e 32 38    IP: 129.63.51.28
  3a 31 32 31 34 0d 0a 58    2d 4b 61 7a 61 61 2d 53    :1214..X-Kazaa-S
  75 70 65 72 6e 6f 64 65    49 50 3a 20 31 32 39 2e    upernodeIP: 129.
  38 32 2e 38 38 2e 38 32    3a 38 30 0d 0a 52 61 6e    82.88.82:80..Ran
  67 65 3a 20 62 79 74 65    73 3d 30 2d 34 35 30 31    ge: bytes=0-4501
  39 30 34 0d 0a 43 6f 6e    6e 65 63 74 69 6f 6e 3a    904..Connection:
  20 63 6c 6f 73 65 0d 0a    58 2d 4b 61 7a 61 61 2d     close..X-Kazaa-
  58 66 65 72 49 64 3a 20    31 33 33 37 34 36 30 33    XferId: 13374603
  0d 0a 58 2d 4b 61 7a 61    61 2d 58 66 65 72 55 69    ..X-Kazaa-XferUi
  64 3a 20 7a 5a 6c 42 38    62 2b 46 42 69 73 72 77    d: zZlB8b+FBisrw
  50 35 38 70 6f 43 73 42    4c 76 38 6a 53 68 36 50    P58poCsBLv8jSh6P
  75 52 54 0d 0a 0d 0a                                  uRT....        
#
T 2002/11/18 13:12:44.184751 129.63.51.28:1971 -> 12.82.128.22:80 [AP]
  47 45 54 20 2f 2e 68 61    73 68 3d 30 38 30 61 38    GET /.hash=080a8
  32 62 64 62 36 38 64 35    63 32 30 30 30 62 35 39    2bdb68d5c2000b59
  32 35 33 38 63 36 61 33    62 32 37 66 64 64 65 31    2538c6a3b27fdde1
  30 38 39 20 48 54 54 50    2f 31 2e 31 0d 0a 48 6f    089 HTTP/1.1..Ho
  73 74 3a 20 31 32 2e 38    32 2e 31 32 38 2e 32 32    st: 12.82.128.22
  3a 38 30 0d 0a 55 73 65    72 41 67 65 6e 74 3a 20    :80..UserAgent:
  4b 61 7a 61 61 43 6c 69    65 6e 74 20 53 65 70 20    KazaaClient Sep
  31 36 20 32 30 30 32 20    32 33 3a 35 39 3a 34 33    16 2002 23:59:43
  0d 0a 58 2d 4b 61 7a 61    61 2d 55 73 65 72 6e 61    ..X-Kazaa-Userna
  6d 65 3a 20 61 69 72 73    6f 66 74 70 72 6f 0d 0a    me: airsoftpro..
  58 2d 4b 61 7a 61 61 2d    4e 65 74 77 6f 72 6b 3a    X-Kazaa-Network:
  20 4b 61 5a 61 41 0d 0a    58 2d 4b 61 7a 61 61 2d     KaZaA..X-Kazaa-
  49 50 3a 20 31 32 39 2e    36 33 2e 35 31 2e 32 38    IP: 129.63.51.28
  3a 31 32 31 34 0d 0a 58    2d 4b 61 7a 61 61 2d 53    :1214..X-Kazaa-S
  75 70 65 72 6e 6f 64 65    49 50 3a 20 31 32 39 2e    upernodeIP: 129.
  38 32 2e 38 38 2e 38 32    3a 38 30 0d 0a 52 61 6e    82.88.82:80..Ran
  67 65 3a 20 62 79 74 65    73 3d 30 2d 34 35 30 31    ge: bytes=0-4501
  39 30 34 0d 0a 43 6f 6e    6e 65 63 74 69 6f 6e 3a    904..Connection:
  20 63 6c 6f 73 65 0d 0a    58 2d 4b 61 7a 61 61 2d     close..X-Kazaa-
  58 66 65 72 49 64 3a 20    31 33 33 37 34 36 30 33    XferId: 13374603
  0d 0a 58 2d 4b 61 7a 61    61 2d 58 66 65 72 55 69    ..X-Kazaa-XferUi
  64 3a 20 7a 5a 6c 42 38    62 2b 46 42 69 73 72 77    d: zZlB8b+FBisrw
  50 35 38 70 6f 43 73 42    4c 76 38 6a 53 68 36 50    P58poCsBLv8jSh6P
  75 52 54 0d 0a 0d 0a                                  uRT....        
#
T 2002/11/18 13:12:49.095275 129.63.51.28:1971 -> 12.82.128.22:80 [A]
#
T 2002/11/18 13:12:53.475744 129.63.51.28:1971 -> 12.82.128.22:80 [AF]
#
T 2002/11/18 13:12:59.596337 129.63.51.28:1971 -> 12.82.128.22:80 [AF]
exit



- John
-- 
Forest: a collection of trees

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
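
Added example, not part of the original post: a payload-based check that flags the request captured above by its content rather than its destination port, so it still matches when the traffic arrives on TCP:80 instead of TCP:1214. The sample request is transcribed from the capture (some headers omitted), the benign request is constructed, and the indicator labels are hypothetical names chosen for this example.

```python
import re

# Payload transcribed from the ngrep capture above (some headers omitted).
SAMPLE = (
    b"GET /.hash=080a82bdb68d5c2000b592538c6a3b27fdde1089 HTTP/1.1\r\n"
    b"Host: 12.82.128.22:80\r\n"
    b"UserAgent: KazaaClient Sep 16 2002 23:59:43\r\n"
    b"X-Kazaa-Network: KaZaA\r\n"
    b"X-Kazaa-IP: 129.63.51.28:1214\r\n"
    b"X-Kazaa-SupernodeIP: 129.82.88.82:80\r\n"
    b"Connection: close\r\n\r\n"
)
# Constructed benign request for comparison.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"

KAZAA_DEFAULT_PORT = 1214  # the port the post says is usually seen


def parse_request(payload):
    """Split a raw HTTP request into (request_line, {lowercased header: value})."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify(payload, dst_port):
    """Return the list of Kazaa indicators found, independent of dst_port."""
    request_line, headers = parse_request(payload)
    hits = []
    if re.match(r"GET /\.hash=[0-9a-f]+ HTTP/", request_line):
        hits.append("hash-uri")
    # The capture shows 'UserAgent' (no hyphen); accept both spellings.
    agent = headers.get("useragent") or headers.get("user-agent", "")
    if agent.startswith("KazaaClient"):
        hits.append("user-agent")
    if any(name.startswith("x-kazaa-") for name in headers):
        hits.append("x-kazaa-header")
    if hits and dst_port != KAZAA_DEFAULT_PORT:
        hits.append("non-default-port:%d" % dst_port)
    return hits


if __name__ == "__main__":
    print(classify(SAMPLE, 80))
    print(classify(BENIGN, 80))
```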



