[Snort-users] Sneaky traffic WAS: RE: openaanval calling home

Travis Wixel traxely at ...125...
Mon Apr 19 18:21:03 EDT 2004

This URL was in the code:

It is just pulling down the latest version of openaanval and checking that 
against the file:

If they do not match it displays the new available version and gives you a 
link to download.

My install, v1.42, was set to poll every 30 minutes (from process.php in the 
/apps/ dir).

This is easily turned off within your conf.php file:

I, on the other hand, chose to leave it on, as it is a nice feature as long as 
they don't abuse it. I do think they need to publish that they do this, just 
as some of us are very, very security-aware and would want to know everything 
which is going on.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of BM HM
Sent: Monday, April 19, 2004 5:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] openaanval calling home

I was just watching some tcpdump traffic and noticed my snort box making an
outbound connection to

Looking up the IP, I found that it is the website for openaanval,
'www.aanval.com'. It appears that exactly every 30 minutes, I mean EXACTLY,
it makes a short HTTP connection to the aanval website.

I looked through the php code and I think it is simply checking for version
information, but I am not experienced enough to know for real. Is this
something I should be concerned about?

Could they be piggy-backing data maybe? What would they want to collect

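The version check in this thread was noticed by eye in tcpdump output because it recurred every 30 minutes exactly. The same check can be automated; the following is an added example, not part of either message or of the software discussed, that flags flows whose connection start times are evenly spaced. The addresses, the sample records and the function name find_periodic are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def find_periodic(conns, min_events=4, max_jitter=5.0):
    """Return {(src, dst, dport): (median_interval_s, n_events)} for flows
    whose connection start times are evenly spaced to within max_jitter s."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in conns:
        by_flow[(src, dst, dport)].append(ts)

    periodic = {}
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue  # too few samples to call anything regular
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Ignore bursts (many connections within the same second or two).
        if mid <= max_jitter:
            continue
        if all(abs(g - mid) <= max_jitter for g in gaps):
            periodic[flow] = (mid, len(times))
    return periodic

# Constructed sample: (epoch seconds, src, dst, dport) for new outbound TCP
# connections, e.g. parsed from SYN packets in a tcpdump capture.
SENSOR = "192.0.2.10"
SAMPLE = (
    # fixed 1800 s timer with about a second of scheduling jitter
    [(1082400000 + i * 1800 + j, SENSOR, "203.0.113.80", 80)
     for i, j in enumerate([0, 1, 0, -1, 1, 0])]
    # irregular, human-driven traffic from the same host
    + [(1082400000 + t, SENSOR, "198.51.100.7", 443)
       for t in (40, 95, 1300, 4100, 4130, 9000)]
    # only two connections: not enough to judge
    + [(1082400000 + t, SENSOR, "198.51.100.9", 25) for t in (10, 1810)]
)

if __name__ == "__main__":
    for (src, dst, dport), (interval, n) in find_periodic(SAMPLE).items():
        print(f"{src} -> {dst}:{dport} every ~{interval:.0f}s ({n} connections)")
```

A flagged flow only says that something on the host runs on a timer; what the requests carry still has to be read from the capture or from the application's source.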