[Snort-users] Sneaky traffic WAS: RE: openaanval calling home

Travis Wixel traxely at ...125...
Mon Apr 19 18:21:03 EDT 2004


This URL was in the code:
http://update.aanval.com/updater/openaanval_ver

It is just pulling down the latest version of openaanval and checking that 
against the file:
/aanval_site_dir/version/version.txt

If they do not match it displays the new available version and gives you a 
link to download.

My install v1.42 was set to poll every 30 minutes (from process.php in the 
/apps/ dir)

This is easily turned off within your conf.php file:
$version_checking=1;

I on the other hand chose to leave it on, as it is a nice feature as long as 
they don't abuse it. I do think they need to publish that they do this, just 
as some of us are very very security aware and would want to know everything 
which is going on.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of BM HM
Sent: Monday, April 19, 2004 5:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] openaanval calling home

I was just watching some tcpdump traffic and noticed my snort box making an
outbound connection to 217.160.255.191

Looking up the IP I found that it is the website for openaanval
'www.aanval.com'. It appears that exactly every 30 minutes, I mean EXACTLY
it makes a short http connection to the aanval website.

I looked through the php code and I think it is simply checking for version
information, but I am not experienced enough to know for real. Is this
something I should be concerned about?

Could they be piggy-backing data maybe? What would they want to collect
anyway?
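
Added example (not part of either message, and not openaanval code): a small detector for the "exactly every 30 minutes" pattern described above, run over tcpdump -tt -n style SYN lines. The sensor address 192.168.1.10, the second destination 192.0.2.80, the timestamps and the thresholds are constructed assumptions; only 217.160.255.191 comes from the thread.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Matches outbound SYNs in `tcpdump -tt -n` style output (epoch timestamps).
SYN_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[S\]")

def constructed_sample():
    """Constructed capture: one 30-minute poller plus irregular traffic."""
    base, lines = 1082400000.0, []
    for i, jitter in enumerate([0.0, 0.4, -0.3, 0.2, 0.1, -0.2]):
        lines.append(f"{base + i * 1800 + jitter:.6f} IP 192.168.1.10.{33000 + i}"
                     " > 217.160.255.191.80: Flags [S], seq 1, win 5840")
    for i, off in enumerate([12, 95, 1410, 3980, 4002, 8500]):
        lines.append(f"{base + off:.6f} IP 192.168.1.10.{34000 + i}"
                     " > 192.0.2.80.80: Flags [S], seq 1, win 5840")
    lines.append("truncated or unparseable line")
    return lines

def find_periodic_flows(lines, min_events=4, max_cv=0.05):
    """Return {(src, dst, dport): (mean_interval_s, cv)} for clockwork flows.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    connection attempts; a timer-driven poll has a cv near zero.
    """
    seen = defaultdict(list)
    for line in lines:
        m = SYN_RE.match(line)
        if m:  # silently skip anything that is not an initial SYN
            seen[(m["src"], m["dst"], int(m["dport"]))].append(float(m["ts"]))
    periodic = {}
    for flow, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            periodic[flow] = (avg, pstdev(gaps) / avg)
    return periodic

if __name__ == "__main__":
    for (src, dst, port), (avg, cv) in find_periodic_flows(constructed_sample()).items():
        print(f"{src} -> {dst}:{port} every ~{avg / 60:.1f} min (cv={cv:.4f})")
```

A flow flagged here only tells you that something is timer-driven; reading the request itself (as done in the reply above) is what shows whether it is a version check or something else.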
