[Dshield] P2P GNUTella GET

Chris Brenton cbrenton at chrisbrenton.org
Mon Nov 3 12:14:06 GMT 2003


On Mon, 2003-11-03 at 13:41, Nguyen Nhu Hao wrote:
> Hello list,
> I used Snort and found that there are many attacks from my server to outside
> servers but I don't know why. I am a Snort newbie and cannot find out which
> process on my server does that. Here is the snort capture; please help me to
> protect my server.
> Thank you very much.
> 
> [**] [1:1432:4] P2P GNUTella GET [**]
> [Classification: Potential Corporate Privacy Violation] [Priority: 1]
> 11/02-23:23:25.257925 172.16.1.15:57084 -> 203.162.0.190:25
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1112
> ***AP*** Seq: 0x1FF62E12 Ack: 0xBA7B5B9A Win: 0xF000 TcpLen: 20

OK, first question. Should 172.16.1.15 be trying to send e-mail to other
servers on the Internet? If so, this is probably a false positive. If
not, I would take a close look at the system.

I'm guessing you are OK because the target system is a legit MX record:

[cbrenton at valhalla cbrenton]$ host 203.162.0.190
190.0.162.203.in-addr.arpa is an alias for
190.0-24.0.162.203.in-addr.arpa.
190.0-24.0.162.203.in-addr.arpa domain name pointer hn-mail05.vnn.vn.
[cbrenton at valhalla cbrenton]$ host -t mx vnn.vn
vnn.vn mail is handled by 10 hn-mail05.vnn.vn.
vnn.vn mail is handled by 20 hn-mail06.vnn.vn.
[cbrenton at valhalla cbrenton]$

BTW, you did not show the payload decode on the above packet. Seeing
what actually triggered the alert can also help you figure out if it's a
false positive or not.

HTH,
C
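The check Chris walks through by hand (reverse-resolve the destination, then confirm that the PTR name is an MX for its own domain) as a small triage script. This is an added example, not code from the original thread; the alert text and the DNS answers baked into the fake resolver are copied from the messages above so the logic runs offline. The function names, the `host_may_send_mail` policy flag and the optional dnspython-based live lookup are this example's own choices.

```python
"""Triage a Snort alert whose destination port looks like SMTP.

Added example (not from the original thread). Implements the reasoning
in the reply: if the destination IP reverse-resolves to a host that is
listed as an MX for its own domain, an outbound TCP/25 connection is
plausible mail delivery and the P2P signature is probably a false
positive. DNS lookups are injected as callables so the code runs offline.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# Alert copied from the original post (Snort "full" alert format).
SAMPLE_ALERT = """\
[**] [1:1432:4] P2P GNUTella GET [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
11/02-23:23:25.257925 172.16.1.15:57084 -> 203.162.0.190:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1112
***AP*** Seq: 0x1FF62E12 Ack: 0xBA7B5B9A Win: 0xF000 TcpLen: 20
"""

# Constructed from the host(1) output quoted in the thread, not live DNS.
FAKE_PTR: Dict[str, str] = {"203.162.0.190": "hn-mail05.vnn.vn"}
FAKE_MX: Dict[str, List[str]] = {"vnn.vn": ["hn-mail05.vnn.vn", "hn-mail06.vnn.vn"]}

PtrFn = Callable[[str], Optional[str]]
MxFn = Callable[[str], List[str]]


def parse_snort_alert(text: str) -> Dict[str, object]:
    """Extract gid/sid/msg and the 5-tuple from a Snort full-format alert."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = re.match(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]", lines[0])
    if not head:
        raise ValueError("not a Snort alert header: %r" % lines[0])
    alert: Dict[str, object] = {
        "gid": int(head.group(1)), "sid": int(head.group(2)),
        "rev": int(head.group(3)), "msg": head.group(4),
    }
    for ln in lines[1:]:
        m = re.match(r"(\S+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$", ln)
        if m:
            alert.update(ts=m.group(1), src=m.group(2), sport=int(m.group(3)),
                         dst=m.group(4), dport=int(m.group(5)))
        elif re.match(r"(TCP|UDP|ICMP)\s+TTL:", ln):
            alert["proto"] = ln.split()[0]
    if "dst" not in alert:
        raise ValueError("no src -> dst line found in alert")
    return alert


def parent_domains(hostname: str) -> List[str]:
    """hn-mail05.vnn.vn -> ['hn-mail05.vnn.vn', 'vnn.vn'] (stops before the bare TLD)."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def is_legit_mx(ip: str, ptr: PtrFn, mx: MxFn) -> bool:
    """True if the PTR name of `ip` appears in the MX set of one of its parent domains."""
    name = ptr(ip)
    if not name:
        return False
    name = name.rstrip(".").lower()
    for domain in parent_domains(name):
        exchanges = {x.rstrip(".").lower() for x in mx(domain)}
        if name in exchanges:
            return True
    return False


def triage(alert: Dict[str, object], ptr: PtrFn, mx: MxFn,
           host_may_send_mail: bool = True) -> str:
    """Return 'likely-false-positive' or 'investigate' for the given alert."""
    if alert.get("dport") != 25:
        return "investigate"  # not SMTP; the MX argument does not apply
    if not host_may_send_mail:
        return "investigate"  # policy says this host should never talk SMTP outbound
    if is_legit_mx(str(alert["dst"]), ptr, mx):
        return "likely-false-positive"
    return "investigate"


# Live lookups for real use; PTR via the standard library, MX via dnspython
# (pip install dnspython), since the standard library has no MX query.
def system_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_mx(domain: str) -> List[str]:
    import dns.exception  # type: ignore
    import dns.resolver   # type: ignore
    try:
        return [str(r.exchange) for r in dns.resolver.resolve(domain, "MX")]
    except dns.exception.DNSException:  # NXDOMAIN, NoAnswer, timeout ...
        return []


if __name__ == "__main__":
    a = parse_snort_alert(SAMPLE_ALERT)
    verdict = triage(a, FAKE_PTR.get, lambda d: FAKE_MX.get(d, []))
    print("%s -> %s:%s  sid=%s  verdict=%s" % (a["src"], a["dst"], a["dport"], a["sid"], verdict))
```

To actually see what matched, run Snort with `-d` (dump application-layer data) or `-X` (full hex dump), which adds the payload below the header lines the poster pasted; a verdict of "likely-false-positive" from the DNS check is only a prior, and the payload decides it.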