[Snort-users] P2P or emu connection?

Penetration Test penetration.test at ...11827...
Wed Oct 6 05:01:44 EDT 2004


Hi All,

The network which we are monitoring has a lot of connections with the
following combination of ports.

src_port    dst_port    
----------- ----------- 
2764        22946
2784        22962
2786        22965
2819        23081
2838        23105
2901        23296
2947        45898
2949        45900
3116        47645
3132        47662
3135        47664
3175        47945
3234        48890
3252        48926
3291        49364
3311        49518
3330        49541

All the destination IP is identical, and having 5 source IPs. We
recorded the payload, here is some of the payload.

c:77e4d5e1#s:420e5aaf187e297b371830ebd5787675cff6177b# sa_a_08.bin
c:f2a5a093#s:66d482cc3f45ff7bf1363cf3c88e2dabc902a299# sa_a_01.bin
c:41ec6491#s:c0bd66409bc6ea969f4c45cc006fde891ba8b4d7# sa_a_03.bin
c:e0dff10d#s:3aa18b05f06b4b0a88ba4df86dfc0ca650c2684e# sa_a_05.bin
c:62169d31#s:294887b6ce0d56e053e7f7583b8a160afeef4ce5# sa_a_07.bin
c:a6f5966f#s:00319b96dacc4dcfd70935e1626da0ae6aa63e5a# sa_a_11.bin

It looks like a listing of r0m with checksum calculated, I would like
to know is the connection a kind of P2P file sharing or connection by
emulator ?? Thanks.

-- 
<<penetration dot test **AT** gmail dot com>>




More information about the Snort-users mailing list