[Snort-users] Sneaky traffic WAS: RE: openaanval calling home

Travis Wixel traxely at ...125...
Mon Apr 19 20:49:03 EDT 2004


Yup.

In your process.php file near the bottom there is a value "1800"; change this 
to whatever you like. It is the number of seconds to wait between requests 
to the server.

And if you didn't already know, they released version 1.43 tonight.


>From: "BM HM" <bm0714 at ...125...>
>To: traxely at ...125...
>Subject: RE: [Snort-users] Sneaky traffic WAS: RE: openaanval calling home
>Date: Mon, 19 Apr 2004 20:57:24 -0500
>
>Very cool. Did you happen to find out where to set the frequency of the 
>$version_checking?
>
>Thanx
>
>
>>From: "Travis Wixel" <traxely at ...125...>
>>To: snort-users at lists.sourceforge.net
>>Subject: [Snort-users] Sneaky traffic WAS: RE: openaanval calling home
>>Date: Tue, 20 Apr 2004 01:20:36 +0000
>>
>>
>>This URL was in the code:
>>http://update.aanval.com/updater/openaanval_ver
>>
>>It is just pulling down the latest version of openaanval and checking that 
>>against the file:
>>/aanval_site_dir/version/version.txt
>>
>>If they do not match it displays the new available version and gives you a 
>>link to download.
>>
>>My install v1.42 was set to poll every 30 minutes (from process.php in the 
>>/apps/ dir)
>>
>>This is easily turned off within your conf.php file:
>>$version_checking=1;
>>
>>I on the other hand chose to leave it on, as it is a nice feature as long 
>>as they don't abuse it. I do think they need to publish that they do this, 
>>just as some of us are very very security aware and would want to know 
>>everything which is going on.
>>
>>
>>-----Original Message-----
>>From: snort-users-admin at lists.sourceforge.net
>>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of BM HM
>>Sent: Monday, April 19, 2004 5:50 PM
>>To: snort-users at lists.sourceforge.net
>>Subject: [Snort-users] openaanval calling home
>>
>>I was just watching some tcpdump traffic and noticed my snort box making an
>>outbound connection to 217.160.255.191
>>
>>Looking up the IP I found that it is the website for openaanval
>>'www.aanval.com'. It appears that exactly every 30 minutes, I mean EXACTLY
>>it makes a short http connection to the aanval website.
>>
>>I looked through the php code and I think it is simply checking for version
>>information, but I am not experienced enough to know for real. Is this
>>something I should be concerned about?
>>
>>Could they be piggy-backing data maybe? What would they want to collect
>>anyway?
>>
>
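
The fixed 30-minute (1800 second) check-in described in this thread is the kind of traffic that can be found mechanically in a capture. The following is an added example, not part of the original posts or of openaanval's code: it groups outbound TCP SYNs by destination and reports destinations contacted at a near-constant interval. The capture lines, the sensor address 10.0.0.5, the address 192.0.2.44 and the function name find_periodic are constructed for illustration; 217.160.255.191 is the destination reported in the thread.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample in the style of `tcpdump -tt -nn` output (epoch timestamps).
# 10.0.0.5 and 192.0.2.44 are made-up addresses; 217.160.255.191 is the
# destination reported in the thread.
SAMPLE = """\
1082400000.10 IP 10.0.0.5.40001 > 217.160.255.191.80: Flags [S], seq 1, length 0
1082400000.15 IP 217.160.255.191.80 > 10.0.0.5.40001: Flags [S.], seq 9, ack 2, length 0
1082400100.00 IP 10.0.0.5.40002 > 192.0.2.44.443: Flags [S], seq 1, length 0
1082400160.50 IP 10.0.0.5.40003 > 192.0.2.44.443: Flags [S], seq 1, length 0
1082401800.12 IP 10.0.0.5.40004 > 217.160.255.191.80: Flags [S], seq 1, length 0
1082402900.20 IP 10.0.0.5.40005 > 192.0.2.44.443: Flags [S], seq 1, length 0
1082403600.09 IP 10.0.0.5.40006 > 217.160.255.191.80: Flags [S], seq 1, length 0
1082405400.11 IP 10.0.0.5.40007 > 217.160.255.191.80: Flags [S], seq 1, length 0
1082406000.70 IP 10.0.0.5.40008 > 192.0.2.44.443: Flags [S], seq 1, length 0
1082407200.10 IP 10.0.0.5.40009 > 217.160.255.191.80: Flags [S], seq 1, length 0
"""

SYN_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.\d+ > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S\]"
)

def find_periodic(lines, min_events=4, max_jitter=5.0):
    """Return {(src, dst, dport): period_seconds} for fixed-interval connections."""
    seen = defaultdict(list)
    for line in lines:
        m = SYN_RE.match(line)
        if m:  # bare SYN only, so each new connection is counted once
            seen[(m["src"], m["dst"], int(m["dport"]))].append(float(m["ts"]))
    periodic = {}
    for key, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        # Flag only when every gap is within max_jitter seconds of the median gap.
        if all(abs(g - period) <= max_jitter for g in gaps):
            periodic[key] = round(period)
    return periodic

if __name__ == "__main__":
    for (src, dst, dport), period in find_periodic(SAMPLE.splitlines()).items():
        print(f"{src} -> {dst}:{dport} every {period}s")
```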
