[Dshield] I should recognize this, but...

Josh Tolley josh at raintreeinc.com
Tue Apr 27 20:09:09 GMT 2004


I think I should probably recognize this traffic, but I don't. Anyone 
know what it is from? Snort says it's p2p traffic, and I'm willing to 
believe it, but I'm looking for specifics on the client, if it really is 
p2p. Google didn't turn up much for me... TIA

Generated by ACID v0.9.6b23 on Tue, 27 Apr 2004 13:00:30 -0700

------------------------------------------------------------------------------
#(5 - 12032) [2004-04-26 10:07:17] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=204 ID=6189 flags=0 offset=0 TTL=128
TCP:  port=2699 -> dport: 8200  flags=***AP*** seq=846113190
       ack=1475707860 off=5 res=0 win=64512 urp=0 chksum=45838
Payload:  length = 164

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 36 26 6E 6F 63 61 63 68 65 3D 31 30   mp=46&nocache=10
060 : 39 26 73 65 71 3D 30 26 74 74 6C 3D 30 26 61 67   9&seq=0&ttl=0&ag
070 : 65 6E 74 32 2E 73 74 61 74 65 3D 65 78 69 74 26   ent2.state=exit&
080 : 6D 61 73 74 65 72 2E 6D 61 69 6E 53 77 69 74 63   master.mainSwitc
090 : 68 3D 63 6C 6F 73 65 20 48 54 54 50 2F 31 2E 30   h=close HTTP/1.0
0a0 : 0D 0A 0D 0A                                       ....
------------------------------------------------------------------------------
#(5 - 12033) [2004-04-26 10:07:17] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=163 ID=6194 flags=0 offset=0 TTL=128
TCP:  port=2700 -> dport: 8200  flags=***AP*** seq=846282988
       ack=683867581 off=5 res=0 win=64512 urp=0 chksum=64740
Payload:  length = 123

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 39 26 6E 6F 63 61 63 68 65 3D 31 31   mp=49&nocache=11
060 : 30 26 73 65 71 3D 30 26 74 74 6C 3D 31 32 20 48   0&seq=0&ttl=12 H
070 : 54 54 50 2F 31 2E 30 0D 0A 0D 0A                  TTP/1.0....
------------------------------------------------------------------------------
#(5 - 12030) [2004-04-26 10:07:16] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=233 ID=6168 flags=0 offset=0 TTL=128
TCP:  port=2697 -> dport: 8200  flags=***AP*** seq=845784452
       ack=611653591 off=5 res=0 win=64512 urp=0 chksum=53
Payload:  length = 193

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 32 26 6E 6F 63 61 63 68 65 3D 31 30   mp=42&nocache=10
060 : 37 26 73 65 71 3D 30 26 74 74 6C 3D 30 26 61 67   7&seq=0&ttl=0&ag
070 : 65 6E 74 32 2E 65 78 69 74 43 61 75 73 65 3D 30   ent2.exitCause=0
080 : 26 6D 61 73 74 65 72 2E 63 6C 6F 73 65 4F 72 69   &master.closeOri
090 : 67 69 6E 3D 61 67 65 6E 74 32 26 6D 61 73 74 65   gin=agent2&maste
0a0 : 72 2E 6D 61 69 6E 53 77 69 74 63 68 3D 63 6C 6F   r.mainSwitch=clo
0b0 : 73 69 6E 67 20 48 54 54 50 2F 31 2E 30 0D 0A 0D   sing HTTP/1.0...
0c0 : 0A                                                .
------------------------------------------------------------------------------
#(5 - 12031) [2004-04-26 10:07:16] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=163 ID=6184 flags=0 offset=0 TTL=128
TCP:  port=2698 -> dport: 8200  flags=***AP*** seq=845984488
       ack=4155776466 off=5 res=0 win=64512 urp=0 chksum=39401
Payload:  length = 123

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 33 26 6E 6F 63 61 63 68 65 3D 31 30   mp=43&nocache=10
060 : 38 26 73 65 71 3D 30 26 74 74 6C 3D 31 32 20 48   8&seq=0&ttl=12 H
070 : 54 54 50 2F 31 2E 30 0D 0A 0D 0A                  TTP/1.0....
------------------------------------------------------------------------------
#(5 - 12029) [2004-04-26 10:07:12] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=163 ID=6085 flags=0 offset=0 TTL=128
TCP:  port=2688 -> dport: 8200  flags=***AP*** seq=844537804
       ack=3113570246 off=5 res=0 win=64512 urp=0 chksum=48208
Payload:  length = 123

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 32 26 6E 6F 63 61 63 68 65 3D 31 30   mp=42&nocache=10
060 : 36 26 73 65 71 3D 30 26 74 74 6C 3D 31 32 20 48   6&seq=0&ttl=12 H
070 : 54 54 50 2F 31 2E 30 0D 0A 0D 0A                  TTP/1.0....

-- 
Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000
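Added example (not part of Josh's post or of the ACID/Snort tools themselves): a small Python script that reassembles the payload from ACID's hex-dump lines, checks the byte count against the alert header, and parses the request. As I recall the 2004-era rule, sid 1432 "P2P GNUTella GET" keyed on the four bytes "GET " at the start of a client-to-server payload, so it fires on any HTTP client talking to a non-standard port; real Gnutella peers announce themselves with a "GNUTELLA CONNECT/0.x" handshake and fetch files with "GET /get/<index>/<name>" or "GET /uri-res/N2R?urn:sha1:...". The decoded payload here is a plain HTTP/1.0 GET to /jedi carrying what look like application state fields (session, ticket, agent2.state=exit, master.mainSwitch=close); the post does not say what the client is, and the script does not guess. The hex dump embedded below is copied from the first alert (#12032); the Gnutella prefixes and the labels the classifier returns are my own choice.

```python
"""Decode ACID hex dumps and check what Snort sid 1432 actually caught."""
import re
from urllib.parse import parse_qs

# Hex-dump lines copied from the first alert in the post (#12032); the
# "Payload: length = 164" value comes from that alert's header.
ACID_DUMP = """\
000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 36 26 6E 6F 63 61 63 68 65 3D 31 30   mp=46&nocache=10
060 : 39 26 73 65 71 3D 30 26 74 74 6C 3D 30 26 61 67   9&seq=0&ttl=0&ag
070 : 65 6E 74 32 2E 73 74 61 74 65 3D 65 78 69 74 26   ent2.state=exit&
080 : 6D 61 73 74 65 72 2E 6D 61 69 6E 53 77 69 74 63   master.mainSwitc
090 : 68 3D 63 6C 6F 73 65 20 48 54 54 50 2F 31 2E 30   h=close HTTP/1.0
0a0 : 0D 0A 0D 0A                                       ....
"""
DECLARED_LENGTH = 164

# What real Gnutella traffic looks like on the wire: peers open with a
# handshake line, and file transfers use /get/<index>/<name> (Gnutella 0.4)
# or /uri-res/N2R?urn:sha1:... (HUGE). Neither appears in the post.
GNUTELLA_HANDSHAKE = b"GNUTELLA CONNECT/"
GNUTELLA_DOWNLOAD_PREFIXES = ("/get/", "/uri-res/N2R?")


def decode_acid_dump(dump: str) -> bytes:
    """Reassemble payload bytes from ACID's 'offset : XX XX ...   ascii' lines.

    Only the hex column is trusted; the ASCII column is ACID's rendering with
    non-printables shown as '.' and is discarded.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^\s*([0-9a-fA-F]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"non-contiguous dump at offset {offset:#x}")
        # The hex column is separated from the ASCII column by 2+ spaces.
        hex_field = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        out += bytes.fromhex(hex_field)
    return bytes(out)


def parse_http_request(payload: bytes) -> dict:
    """Split a raw HTTP request into method, path, version and query fields."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, version = request_line.split(" ")
    path, _, query = target.partition("?")
    return {
        "method": method,
        "path": path,
        "version": version,
        "query": {k: v[0] for k, v in parse_qs(query).items()},
    }


def classify(payload: bytes) -> str:
    """Label a client payload the way an analyst triaging sid 1432 would."""
    if payload.startswith(GNUTELLA_HANDSHAKE):
        return "gnutella-handshake"
    if payload.startswith(b"GET "):
        target = payload.split(b" ", 2)[1].decode("ascii", "replace")
        if target.startswith(GNUTELLA_DOWNLOAD_PREFIXES):
            return "gnutella-download"
        # Plain HTTP on a non-standard port: the rule's usual false positive.
        return "http-get"
    return "unknown"


if __name__ == "__main__":
    payload = decode_acid_dump(ACID_DUMP)
    if len(payload) != DECLARED_LENGTH:
        raise SystemExit(f"decoded {len(payload)} bytes, alert says {DECLARED_LENGTH}")
    req = parse_http_request(payload)
    print(classify(payload), req["method"], req["path"], req["version"])
    for key, value in req["query"].items():
        print(f"  {key} = {value}")
```

Paste the other four dumps in place of ACID_DUMP to confirm they decode the same way: same session value on five successive source ports, with only timestamp, nocache, ttl and the agent/master state fields changing. That consistency, plus the absence of any Gnutella handshake or download path, is what you would take to the "is it really p2p" question before chasing the client.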