[Snort-users] Sneaky traffic WAS: RE: openaanval calling home
traxely at ...125...
Mon Apr 19 18:21:03 EDT 2004
This URL was in the code:
It is just pulling down the latest version of openaanval and checking that
against the file:
If they do not match it displays the new available version and gives you a
link to download.
My install v1.42 was set to poll every 30 minutes (from process.php in the
This is easily turned off within your conf.php file:
I on the other hand chose to leave it on, as it is a nice feature as long as
they don't abuse it. I do think they need to publish that they do this, just
as some of us are very very security aware and would want to know everything
which is going on.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of BM HM
Sent: Monday, April 19, 2004 5:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] openaanval calling home
I was just watching some tcpdump traffic and noticed my snort box making an
outbound connection to 22.214.171.124
Looking up the IP I found that it is the website for openaanval
'www.aanval.com'. It appears that exactly every 30 minutes, I mean EXACTLY
it makes a short http connection to the aanval website.
I looked through the php code and I think it is simply checking for version
information, but I am not experienced enough to know for real. Is this
something I should be concerned about?
Could they be piggy-backing data maybe? What would they want to collect
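Added example, not part of the original thread or of openaanval's code: one way to confirm from a capture that a host is making timer-driven outbound connections like the 30-minute check described above. It assumes `tcpdump -tt -n` text output; the addresses, ports and timestamps are constructed sample data, and the thresholds are illustrative.

```python
import re
import statistics
from collections import defaultdict

# Matches `tcpdump -tt -n` output for a TCP segment whose only flag is SYN,
# i.e. a new connection attempt. SYN-ACK replies print as "[S.]" and are skipped.
SYN_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[S\],"
)

def find_beacons(lines, min_events=4, max_jitter=0.02):
    """Return {(src, dst, dport): mean_interval_seconds} for flows whose
    connection attempts are spaced at a near-constant interval."""
    starts = defaultdict(list)
    for line in lines:
        m = SYN_LINE.match(line)
        if m:
            starts[(m["src"], m["dst"], int(m["dport"]))].append(float(m["ts"]))
    beacons = {}
    for key, times in starts.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: close to 0 for a timer, large for
        # connections opened by a person or by bursty application traffic.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons

def sample_capture():
    """Constructed capture: one periodic flow, its SYN-ACKs, one irregular flow."""
    base = 1082412000.0
    lines = []
    for i in range(6):
        t = base + i * 1800 + 0.05 * i  # 30-minute timer with slight drift
        lines.append(f"{t:.6f} IP 192.0.2.10.{40000 + i} > 198.51.100.7.80: "
                     f"Flags [S], seq {i}, win 5840, length 0")
        lines.append(f"{t + 0.08:.6f} IP 198.51.100.7.80 > 192.0.2.10.{40000 + i}: "
                     f"Flags [S.], seq 9, ack {i + 1}, win 5792, length 0")
    for off in (12, 95, 110, 2400, 7300):  # irregular, human-like timing
        lines.append(f"{base + off:.6f} IP 192.0.2.10.{41000 + off} > 203.0.113.5.443: "
                     f"Flags [S], seq 1, win 5840, length 0")
    return lines

if __name__ == "__main__":
    for flow, interval in find_beacons(sample_capture()).items():
        print(flow, f"every ~{interval}s")
```

A flow reported here is only shown to be periodic; what it carries still has to be checked by reading the payload or the code that sends it.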