Incident: 03-02-02 tcp:6346 Gnutella
Gnutella, KaZaa, and Code Red/Nimda have become incessant background noise
NOTE: I've *never* used Gnutella; this is a combination of what happens when you use a dynamic IP address, and the persistence of Gnutella's connection attempts to IP addresses that are now in use by someone else...
*This* example could be the same guy on two different dynamic IP addresses of his own; when he re-connects, good ol' Gnutella goes back out and tries to connect to all the people he's been sharing stuff with...
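The three SYNs in the logs below carry the same source port and the same TCP sequence number, spaced roughly 3 and then 6 seconds apart: that is one connection attempt being retransmitted by the client's TCP stack, not three separate probes. The following is an added example (not from this page's author or host) of a small Python parser for the snort alert-dump format shown below that groups packets per source and tells a retransmitted single connect apart from a run of distinct SYNs to several ports. The sample text, the RFC 5737 addresses in it, and the verdict strings are constructed for the example; the `year` argument is assumed because the snort timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the snort alert-dump format used on this page.
# Addresses are RFC 5737 documentation addresses, not the page's hosts.
# Flow 1 imitates the page's pattern: same src port, same Seq, ~3s/6s backoff.
# Flow 2 is a contrasting run of distinct SYNs to several ports.
SAMPLE_DUMP = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:32:54.630347 192.0.2.10:3504 -> 198.51.100.7:6346
TCP TTL:117 TOS:0x0 ID:31988 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEE01EA38 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:32:57.590663 192.0.2.10:3504 -> 198.51.100.7:6346
TCP TTL:117 TOS:0x0 ID:32007 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEE01EA38 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:33:03.611243 192.0.2.10:3504 -> 198.51.100.7:6346
TCP TTL:117 TOS:0x0 ID:32053 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEE01EA38 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:40:10.000000 192.0.2.99:1025 -> 198.51.100.7:21
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:40
******S* Seq: 0x00000001 Ack: 0x0 Win: 0x1000 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:40:10.001000 192.0.2.99:1026 -> 198.51.100.7:22
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:40
******S* Seq: 0x00000002 Ack: 0x0 Win: 0x1000 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:40:10.002000 192.0.2.99:1027 -> 198.51.100.7:23
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:40
******S* Seq: 0x00000003 Ack: 0x0 Win: 0x1000 TcpLen: 20
"""

# "MM/DD-HH:MM:SS.usec src:port -> dst:port" header line of each packet.
HEADER_RE = re.compile(
    r'^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) '
    r'(\S+):(\d+) -> (\S+):(\d+)$')
# Flag field (8 chars, '*' for unset) followed by the Seq number.
SEQ_RE = re.compile(r'^([*12UAPRSF]{8}) Seq: 0x([0-9A-Fa-f]+) ')


def parse_snort_dump(text, year=2002):
    """Return one dict per packet: timestamp, endpoints, TCP flags and Seq."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            mo, d, h, mi, s, us, src, sport, dst, dport = m.groups()
            current = {
                'ts': datetime(year, int(mo), int(d), int(h), int(mi),
                               int(s), int(us)),
                'src': src, 'sport': int(sport),
                'dst': dst, 'dport': int(dport),
                'flags': None, 'seq': None,
            }
            packets.append(current)
            continue
        m = SEQ_RE.match(line)
        if m and current is not None:
            current['flags'] = m.group(1).replace('*', '')  # e.g. 'S'
            current['seq'] = int(m.group(2), 16)
    return packets


def classify_sources(packets):
    """Per source IP: count retransmitted SYNs (same 4-tuple, same Seq) and
    distinct destination ports, then give a plain-language verdict."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p['src'], p['sport'], p['dst'], p['dport'])].append(p)
    by_src = defaultdict(list)
    for key, pkts in flows.items():
        by_src[key[0]].append((key, sorted(pkts, key=lambda p: p['ts'])))

    report = {}
    for src, flow_list in by_src.items():
        entry = {'flows': len(flow_list),
                 'distinct_dports': len({k[3] for k, _ in flow_list}),
                 'retransmissions': 0, 'intervals': []}
        for key, pkts in flow_list:
            syn_only = all(p['flags'] == 'S' for p in pkts)
            same_seq = len({p['seq'] for p in pkts}) == 1
            if len(pkts) > 1 and syn_only and same_seq:
                entry['retransmissions'] += len(pkts) - 1
                # Gaps between retries; a stack's backoff shows as ~3s, ~6s.
                entry['intervals'] += [
                    round((b['ts'] - a['ts']).total_seconds(), 1)
                    for a, b in zip(pkts, pkts[1:])]
        if entry['flows'] == 1 and entry['retransmissions'] > 0:
            entry['verdict'] = 'one connection attempt, SYN retransmitted by the client stack'
        elif entry['distinct_dports'] > 1 and entry['retransmissions'] == 0:
            entry['verdict'] = 'distinct SYNs to several ports (probe-like)'
        else:
            entry['verdict'] = 'single SYN or mixed'
        report[src] = entry
    return report


if __name__ == '__main__':
    for src, entry in classify_sources(parse_snort_dump(SAMPLE_DUMP)).items():
        print(src, entry)
```

Run against the page's own dump, the first source would come out as one flow with two retransmissions at about 3.0 s and 6.0 s, which is the signature the commentary above describes: a peer that still remembers this address and keeps trying, not a scanner. The distinct-Seq check matters because a real probe sends a fresh SYN (new Seq, usually new source port) per target port, as the second constructed source does.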
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
syslog/logcheck:
Mar 2 15:32:54 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP} 207.95.12.112:3504 -> 12.82.129.120:6346
snort packet captures:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:32:54.630347 207.95.12.112:3504 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:31988 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEE01EA38 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:32:57.590663 207.95.12.112:3504 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:32007 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEE01EA38 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:33:03.611243 207.95.12.112:3504 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:32053 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEE01EA38 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
ipchains:
Mar 2 15:32:54 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 207.95.12.112:3504 12.82.129.120:6346 L=48 S=0x00 I=31988 F=0x4000 T=117 SYN (#64)
Mar 2 15:32:57 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 207.95.12.112:3504 12.82.129.120:6346 L=48 S=0x00 I=32007 F=0x4000 T=117 SYN (#64)
Mar 2 15:33:03 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 207.95.12.112:3504 12.82.129.120:6346 L=48 S=0x00 I=32053 F=0x4000 T=117 SYN (#64)
p0f:
Sat Mar 2 15:32:54 2002 207.95.12.112 [12 hops]: Windows 95 or early NT4
+ 207.95.12.112:3504 -> 12.82.129.120:6346
Sat Mar 2 15:32:57 2002 207.95.12.112 [12 hops]: Windows 95 or early NT4
+ 207.95.12.112:3504 -> 12.82.129.120:6346
Sat Mar 2 15:33:03 2002 207.95.12.112 [12 hops]: Windows 95 or early NT4
+ 207.95.12.112:3504 -> 12.82.129.120:6346
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
ICG NetAhead, Inc. (NET-ICGNET-54-B)
161 Inverness Dr. West
Englewood, CO 80112
US
Netname: ICGNET-54-B
Netblock: 207.95.0.0 - 207.95.31.255
Maintainer: ICGN
Coordinator:
Taylor, Stacy (ST452-ARIN) abuse@icgcom.com
408-579-5000
Domain System inverse mapping provided by:
AS1.ICG.NET 170.147.45.163
AS2.ICG.NET 170.147.45.164
and again...
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
snort2html.plx:
Mar 2 16:44:00 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP} 207.95.8.148:4665 -> 12.82.129.120:6346
Mar 2 16:44:08 greatwall last message repeated 2 times
snort packet dump:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-16:44:00.062976 207.95.8.148:4665 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:73 IpLen:20 DgmLen:48 DF
******S* Seq: 0x371AB058 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-16:44:02.993287 207.95.8.148:4665 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:96 IpLen:20 DgmLen:48 DF
******S* Seq: 0x371AB058 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-16:44:08.883900 207.95.8.148:4665 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:149 IpLen:20 DgmLen:48 DF
******S* Seq: 0x371AB058 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
ipchains:
Mar 2 16:44:00 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 207.95.8.148:4665 12.82.129.120:6346 L=48 S=0x00 I=73 F=0x4000 T=117 SYN (#64)
Mar 2 16:44:03 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 207.95.8.148:4665 12.82.129.120:6346 L=48 S=0x00 I=96 F=0x4000 T=117 SYN (#64)
Mar 2 16:44:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 207.95.8.148:4665 12.82.129.120:6346 L=48 S=0x00 I=149 F=0x4000 T=117 SYN (#64)
p0f:
Sat Mar 2 16:44:00 2002 207.95.8.148 [12 hops]: Windows 95 or early NT4
+ 207.95.8.148:4665 -> 12.82.129.120:6346
Sat Mar 2 16:44:03 2002 207.95.8.148 [12 hops]: Windows 95 or early NT4
+ 207.95.8.148:4665 -> 12.82.129.120:6346
Sat Mar 2 16:44:08 2002 207.95.8.148 [12 hops]: Windows 95 or early NT4
+ 207.95.8.148:4665 -> 12.82.129.120:6346
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
ICG NetAhead, Inc. (NET-ICGNET-54-B)
161 Inverness Dr. West
Englewood, CO 80112
US
Netname: ICGNET-54-B
Netblock: 207.95.0.0 - 207.95.31.255
Maintainer: ICGN
Coordinator:
Taylor, Stacy (ST452-ARIN) abuse@icgcom.com
408-579-5000
Domain System inverse mapping provided by:
AS1.ICG.NET 170.147.45.163
AS2.ICG.NET 170.147.45.164
jsage@finchhaven.com
Last modified: Sat Mar 2 20:48:18 2002