Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > incidents > 03 > 051094.html (Request Expert securityfocus.com Support)

RE: Logs showing GET /.hash=...

From: Arnold, Jamie <harnold(at)binghamton.edu>
Date: Thu May 01 2003 - 19:36:13 EDT


Kazaa and others also use HTTP tunneling or now encryption to get around NBAR and packet shapers.

-----Original Message-----
From: Jim Dueltgen [mailto:jimd@lmi.net] Sent: Thursday, May 01, 2003 1:28 PM
To: keith@keithbergen.com; incidents@securityfocus.com

I've been working recently with Cisco's Network Based Application Recognition (NBAR) trying to keep Kazaa traffic under control in a multi-tenant installation and I've only ever found this snippet in the documentation:

2. KaZaA version 2 might use port 80 to get around the Firewall. You can control it be adding

match protocol http url \.hash=*

I'm not sure about the \ vs / as it shows in your logs and as one would expect to see in a URL but the above is what's in Cisco's documentation. My understanding is that the actual download of a file via kazaa v2 happens over port 80 in an attempt to get around passive packet filtering firewalls.

Regards,

Jim Dueltgen

Do you need help?X

   LMi.net

At 9:54 AM -0400 4/30/03, Keith Bergen wrote:
>I have seen log entries in the form:


Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents

Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents
Received on Thu May 1 23:30:10 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:04 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library