[Snort-users] RE: [Snort-sigs] Triangle Boy

Hicks, John JHicks at ...5857...
Wed Aug 7 11:45:05 EDT 2002


All the reports say it's available in Source Code from their site ... but
wait a sec ... safeweb.com doesn't seem to be responding ... weird ...

John

-----Original Message-----
From: O'Flynn, Derek [mailto:DOFlyn at ...6551...]
Sent: Tuesday, July 23, 2002 12:40 PM
To: snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] Triangle Boy


Triangle Boy spoofs the IP on the returning packet to be the "triangle"
client, thereby hiding the SafeWeb servers.  Check out the link John
provided; they explain it in detail.  I don't see this as being such a large
problem since there is no mass way of downloading the program yet.  If it
does show up on download.com or even a link on their site, then I would
consider it a problem.  I would like to see if there is a signature
somewhere; I'm trying to find the executable, at which point I can work on a
signature, but as of yet, don't have the executable in hand.  If someone has
the link to download it, please post it.

Derek



-----Original Message-----
From: John Sage [mailto:jsage at ...2022...] 
Sent: Monday, July 22, 2002 5:22 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Triangle Boy

On Mon, Jul 22, 2002 at 11:22:52AM -0700, Florin Andrei wrote:
> http://siliconvalley.internet.com/news/article.php/707911
> 
> Anyone has sigs for this nasty little baby?
> 
> -- 
> Florin Andrei
> 
> Don't break things that don't need to be broken
> while you're fixing things that really need fixing.

My personal take: this is *almost* as much vaporware as they accuse
PeekaBooty of being..

It's certainly a great deal of PR fluff.

While PeekaBooty supposedly works from a "..distributed server
cloud.." (in other words, you don't really know *where* a specific set
of content is coming from), apparently Triangle Boy works by using
"..the SafeWeb server, which returns the requested page directly to
the client browser.."

So how are they going to hide the SafeWeb server's IP address, or the
IP addresses of their server farm?

Block that, and you've got them by the -- um.. -- you get the idea...



- John
-- 
"Cowardly refusing to create an empty archive."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

