[Dshield] P2P GNUTella GET
cbrenton at chrisbrenton.org
Mon Nov 3 12:14:06 GMT 2003
On Mon, 2003-11-03 at 13:41, Nguyen Nhu Hao wrote:
> Hello list,
> I used Snort and found that there are many attacks from my server to outside
> servers but I don't know why. I am a Snort newbie and cannot find out which
> process on my server does that. Here is the Snort capture. Please help me to
> protect my server.
> Thank you very much.
> [**] [1:1432:4] P2P GNUTella GET [**]
> [Classification: Potential Corporate Privacy Violation] [Priority: 1]
> 11/02-23:23:25.257925 172.16.1.15:57084 -> 220.127.116.11:25
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1112
> ***AP*** Seq: 0x1FF62E12 Ack: 0xBA7B5B9A Win: 0xF000 TcpLen: 20
OK, first question. Should 172.16.1.15 be trying to send e-mail to other
servers on the Internet? If so, this is probably a false positive. If
not, I would take a close look at the system.
I'm guessing you are OK because the target system is a legit MX record:
[cbrenton at valhalla cbrenton]$ host 18.104.22.168
22.214.171.124.in-addr.arpa is an alias for
190.0-126.96.36.199.in-addr.arpa domain name pointer hn-mail05.vnn.vn.
[cbrenton at valhalla cbrenton]$ host -t mx vnn.vn
vnn.vn mail is handled by 10 hn-mail05.vnn.vn.
vnn.vn mail is handled by 20 hn-mail06.vnn.vn.
[cbrenton at valhalla cbrenton]$
BTW, you did not show the payload decode on the above packet. Seeing
what actually triggered the alert can also help you figure out if it's a
false positive or not.
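The triage the reply walks through by hand (is the alerting host an expected mail sender, does the destination's PTR name appear in the MX records of its parent domain) can be scripted. The following is an added example, not code from the list post or from Snort: it parses the Snort alert quoted above (embedded as a constructed sample), does the reverse lookup with the standard library, and gets the MX list by running the same `host -t mx` command the reply uses, which assumes BIND's `host` is installed. Both lookups are injectable so the logic can be checked offline with stub resolvers; the stub answers used here are the 2003 values shown in the reply, not live DNS data.

```python
"""Triage a Snort fast-format alert: expected sender? destination a real MX?"""
import re
import socket
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the alert quoted in the original post, same layout
# as Snort 2.x writes to its alert file.
SAMPLE_ALERT = """\
[**] [1:1432:4] P2P GNUTella GET [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
11/02-23:23:25.257925 172.16.1.15:57084 -> 220.127.116.11:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1112
***AP*** Seq: 0x1FF62E12 Ack: 0xBA7B5B9A Win: 0xF000 TcpLen: 20
"""

_HDR = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
_CLS = re.compile(r"\[Classification:\s*([^\]]*)\]\s*\[Priority:\s*(\d+)\]")
_CONN = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)")
_PROTO = re.compile(r"^(TCP|UDP|ICMP)\s+TTL:(\d+)", re.M)
# One line of `host -t mx` output: "vnn.vn mail is handled by 10 hn-mail05.vnn.vn."
_MX_LINE = re.compile(r"mail is handled by \d+ (\S+)$", re.M)


def parse_snort_alert(text: str) -> Dict[str, object]:
    """Pull gid/sid/rev, message, endpoints and TTL out of a fast-format alert."""
    hdr, cls = _HDR.search(text), _CLS.search(text)
    conn, proto = _CONN.search(text), _PROTO.search(text)
    if not (hdr and conn):
        raise ValueError("not a Snort fast-format alert")
    return {
        "gid": int(hdr.group(1)), "sid": int(hdr.group(2)), "rev": int(hdr.group(3)),
        "msg": hdr.group(4),
        "classification": cls.group(1) if cls else None,
        "priority": int(cls.group(2)) if cls else None,
        "timestamp": conn.group(1),
        "src": conn.group(2), "sport": int(conn.group(3)),
        "dst": conn.group(4), "dport": int(conn.group(5)),
        "proto": proto.group(1) if proto else None,
        "ttl": int(proto.group(2)) if proto else None,
    }


def ptr_lookup(ip: str) -> Optional[str]:
    """Reverse DNS through the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0].lower().rstrip(".")
    except (socket.herror, socket.gaierror):
        return None


def mx_lookup(domain: str) -> List[str]:
    """MX hostnames for `domain`, parsed from `host -t mx` (assumes BIND's host is installed)."""
    try:
        out = subprocess.run(["host", "-t", "mx", domain], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return []
    return [h.lower().rstrip(".") for h in _MX_LINE.findall(out)]


def legit_mx(dst_ip: str,
             ptr: Callable[[str], Optional[str]] = ptr_lookup,
             mx: Callable[[str], List[str]] = mx_lookup) -> Tuple[Optional[str], Optional[str]]:
    """Return (ptr_name, domain) where ptr_name is a published MX of domain, else (ptr_name, None).

    Walks up the PTR name's parent domains (hn-mail05.vnn.vn -> vnn.vn), stopping
    before the bare TLD. This reproduces the reply's check; it is a plausibility
    test, not proof that the traffic was legitimate mail.
    """
    name = ptr(dst_ip)
    if not name:
        return None, None
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        domain = ".".join(labels[i:])
        if name in mx(domain):
            return name, domain
    return name, None


def triage(alert_text: str, mail_senders=frozenset(),
           ptr=ptr_lookup, mx=mx_lookup) -> Tuple[str, str]:
    """Apply the reply's two questions; `mail_senders` is the set of hosts allowed to send SMTP."""
    a = parse_snort_alert(alert_text)
    if a["dport"] != 25:
        return "review", "not SMTP; look at the payload that matched the rule"
    if a["src"] not in mail_senders:
        return "investigate", f"{a['src']} is not an expected mail sender"
    name, domain = legit_mx(a["dst"], ptr, mx)
    if domain:
        return "likely-fp", f"{a['dst']} is {name}, a published MX for {domain}"
    return "investigate", f"{a['dst']} ({name or 'no PTR'}) is not a published MX"


if __name__ == "__main__":
    # Live run: hits DNS and runs `host`; answers today will differ from 2003.
    print(triage(SAMPLE_ALERT, {"172.16.1.15"}))
```

Whatever verdict this returns, it is only the first cut: a rule named P2P GNUTella GET firing on port 25 still deserves a look at the matched payload, as the reply says, and an internal host that is not supposed to relay mail should be checked regardless of where the packets went.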