[Snort-users] openaanval calling home

BM HM bm0714 at ...125...
Mon Apr 19 16:50:12 EDT 2004


I was just watching some tcpdump traffic and noticed my snort box making an 
outbound connection to 217.160.255.191

Looking up the IP I found that it is the website for openaanval 
'www.aanval.com'. It appears that exactly every 30 minutes, I mean EXACTLY 
it makes a short http connection to the aanval website.

I looked through the php code and I think it is simply checking for version 
information, but I am not experienced enough to know for real. Is this 
something I should be concerned about?

Could they be piggy-backing data maybe? What would they want to collect 
anyway?

_________________________________________________________________


More information about the Snort-users mailing list