Re: Logs showing GET /.hash=...

[André Luís Quintaes Guimarães <andreq () infolink com br>]

Im not much into the kazaa protocol, but the hashs probably means the
checksum from the downloadable files, its contained in the .dat while the
file is downloaded, so probably blocking this would stop the download.

Do you have any nat´d stations under one of this machine´s ip?

WinMX is another peer to peer file sharing program.
----- Original Message -----
From: "Arnold, Jamie" <harnold () binghamton edu>
To: "Jim Dueltgen" <jimd () lmi net>; <keith () keithbergen com>;
<incidents () securityfocus com>
Sent: Thursday, May 01, 2003 8:36 PM
Subject: RE: Logs showing GET /.hash=...


> Kazaa and others also use HTTP tunneling or now encryption to get around
> NBAR and packet shapers.
>
>
> -----Original Message-----
> From: Jim Dueltgen [mailto:jimd () lmi net]
> Sent: Thursday, May 01, 2003 1:28 PM
> To: keith () keithbergen com; incidents () securityfocus com
>
> I've been working recently with Cisco's Network Based Application
> Recognition (NBAR) trying to keep Kazaa traffic under control in a
> multi-tenant installation and I've only ever found this snippet in the
> documentation:
>
> 2.  KaZaA version 2 might use port 80 to get around the Firewall. You can
> control it be adding
>
> match protocol http url \.hash=*
>
> I'm not sure about the \ vs / as it shows in your logs and as one would
> expect to see in a URL but the above is what's in Cisco's documentation.
My
> understanding is that the actual download of a file via kazaa v2 happens
> over port 80 in an attempt to get around passive packet filtering
firewalls.
> Regards,
>
> Jim Dueltgen
>    LMi.net
>
> At 9:54 AM -0400 4/30/03, Keith Bergen wrote:
> > I have seen log entries in the form:
> > dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 - 0400] "GET
> > /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c
> > HTTP/1.1" 404 323
> > dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 - 0400] "GET
> > /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a
> > HTTP/1.1" 404 323
> > dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 - 0400] "GET
> > /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969
> > HTTP/1.1" 404 323
> >
> > I looked at past posts, and one indicates that this might be KaZaa
> > traffic. The other post indicated it was "WinMX". Can somebody expand
> > on this? For example, what is WinMX? Also, why would KaZaa connect to
> > port 80?


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------