[Snort-sigs] Akamai NetSession

James Lay jlay at ...3266...
Thu Sep 19 17:31:15 EDT 2013


All,

I'm sending this off to VRT/ET...my brain says this software is PUA, 
regardless of what http://www.akamai.com/client has to say.  Below are 
two rules to catch the server list download and log upload:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Akamai NetSession server list download"; flow:to_server, established; content:"User-Agent|3a 20|Akamai|20|NetSession|20|C-API"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.akamai.com/client; classtype:unknown; sid:10000091; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Akamai NetSession log upload"; flow:to_server, established; content:"user-agent|3a|Akamai|20|NetSession|20|Interface"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.akamai.com/client; classtype:unknown; sid:10000092; rev:1;)

The FAQ neglects to mention a) the silent install (note the exe name in 
the additional reading below), and b) the large volume of STUN traffic it 
generates:

124 2013-09-19 14:21:51.669093000  192.168.1.7 -> 69.192.2.140 UDP 87 Source port: 50129  Destination port: 3478
125 2013-09-19 14:21:51.669276000  192.168.1.7 -> 209.170.97.215 UDP 73 Source port: 50130  Destination port: 3478
126 2013-09-19 14:21:51.670272000  192.168.1.7 -> 69.31.16.16  UDP 73 Source port: 50130  Destination port: 3478
127 2013-09-19 14:21:51.670336000  192.168.1.7 -> 72.246.184.7 UDP 73 Source port: 50130  Destination port: 3478
128 2013-09-19 14:21:51.670397000  192.168.1.7 -> 69.31.16.4   UDP 73 Source port: 50130  Destination port: 3478
129 2013-09-19 14:21:51.729341000 209.170.97.215 -> 192.168.1.7  UDP 105 Source port: 3478  Destination port: 50130
130 2013-09-19 14:21:51.770854000  69.31.16.16 -> 192.168.1.7  UDP 105 Source port: 3478  Destination port: 50130
131 2013-09-19 14:21:51.772712000   69.31.16.4 -> 192.168.1.7  UDP 105 Source port: 3478  Destination port: 50130
132 2013-09-19 14:21:51.842479000 72.246.184.7 -> 192.168.1.7  UDP 105 Source port: 3478  Destination port: 50130
134 2013-09-19 14:21:52.367738000  192.168.1.7 -> 209.170.97.215 UDP 160 Source port: 50130  Destination port: 3478
135 2013-09-19 14:21:52.368191000  192.168.1.7 -> 69.31.16.16  UDP 160 Source port: 50130  Destination port: 3478
136 2013-09-19 14:21:52.368244000  192.168.1.7 -> 72.246.184.7 UDP 160 Source port: 50130  Destination port: 3478
137 2013-09-19 14:21:52.368292000  192.168.1.7 -> 69.31.16.4   UDP 160 Source port: 50130  Destination port: 3478
138 2013-09-19 14:21:52.368324000  192.168.1.7 -> 209.170.97.215 UDP 161 Source port: 50130  Destination port: 3478
139 2013-09-19 14:21:52.368353000  192.168.1.7 -> 69.31.16.16  UDP 161 Source port: 50130  Destination port: 3478

I suppose we could sig up the stun IP lookup:

  40 2013-09-19 14:21:46.580752000  192.168.1.7 -> 192.168.1.1 DNS 82 Standard query A stun.client.akadns.net
  41 2013-09-19 14:21:46.646693000 192.168.1.1 -> 192.168.1.7  DNS 523 Standard query response A 72.246.184.13 A 96.6.40.28 A 209.170.97.215 A 213.248.117.241 A 213.248.117.249 A 217.212.238.118 A 217.212.238.135 A 69.192.2.132

Pcaps enclosed....additional reading:

https://client.akamai.com/conf/client_single_user_conf.html
http://www.nojokeit.com/2011/11/windows-firewall-blocked.html

Thanks all...as usual anything to make these more useful is greatly 
appreciated.

James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logput.pcapng
Type: application/octet-stream
Size: 5240 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130919/4a44e8ce/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: configget.pcapng
Type: application/octet-stream
Size: 3968 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130919/4a44e8ce/attachment-0001.obj>
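A detection heuristic for the STUN fan-out described in the message above, added here as an example and not part of the original post or of any Akamai or Snort code: it parses tshark one-line UDP summaries in the format quoted above and flags any host that probes several distinct UDP/3478 servers within a short window. The sample reuses the poster's capture lines plus two constructed negative cases; the window length and peer threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# One-line tshark summaries in the format quoted above; the first five are the poster's
# capture, the last two (a DNS packet and a lone STUN probe) are constructed negatives.
SAMPLE_LINES = """\
124 2013-09-19 14:21:51.669093000 192.168.1.7 -> 69.192.2.140 UDP 87 Source port: 50129  Destination port: 3478
125 2013-09-19 14:21:51.669276000 192.168.1.7 -> 209.170.97.215 UDP 73 Source port: 50130  Destination port: 3478
126 2013-09-19 14:21:51.670272000 192.168.1.7 -> 69.31.16.16 UDP 73 Source port: 50130  Destination port: 3478
129 2013-09-19 14:21:51.729341000 209.170.97.215 -> 192.168.1.7 UDP 105 Source port: 3478  Destination port: 50130
300 2013-09-19 14:25:00.000000000 192.168.1.9 -> 192.168.1.1 UDP 60 Source port: 51000  Destination port: 53
301 2013-09-19 14:25:01.000000000 192.168.1.9 -> 69.31.16.16 UDP 73 Source port: 51001  Destination port: 3478
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+UDP\s+\d+\s+"
    r"Source port:\s*(?P<sport>\d+)\s+Destination port:\s*(?P<dport>\d+)\s*$"
)

def parse_udp_lines(text):
    """Parse tshark UDP summary lines into (epoch_seconds, src, dst, sport, dport) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip frames that are not UDP one-line summaries
        hms, _, frac = m["time"].partition(".")
        base = datetime.strptime(f"{m['date']} {hms}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        ts = base.timestamp() + int(frac.ljust(9, "0")[:9]) / 1e9  # keep nanosecond fraction
        records.append((ts, m["src"], m["dst"], int(m["sport"]), int(m["dport"])))
    return records

def stun_fanout(records, window_s=2.0, min_peers=3, stun_port=3478):
    """Return {src: sorted STUN servers} for hosts that sent to >= min_peers distinct
    STUN servers within window_s seconds (assumed thresholds), the burst shown above."""
    sends = defaultdict(list)
    for ts, src, dst, _sport, dport in records:
        if dport == stun_port:
            sends[src].append((ts, dst))
    flagged = {}
    for src, events in sends.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {dst for t, dst in events[i:] if t - t0 <= window_s}
            if len(peers) >= min_peers:
                flagged[src] = sorted(peers)
                break
    return flagged
```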