Kazaa Alarms

grant.bain
Level 1

Am getting a few 'Kazaa GET Request' (11005) alarms, but suspect they may be false positives. Can anything apart from Kazaa trigger this?


travis-dennis_2
Level 7

Me personally, I have never seen a false positive on 11005. Just my 2 cents. What makes you think they are false?

Are false +ves not possible when the source is a web server or proxy? The signature looks for get/ on the default Kazaa port.

Yes, in the case of HTTP traffic that has been proxied to the default KaZaa port you could get false fires. I would recommend that you capture trigger packets on the firings and inspect them. If you know the destination of the requests is a proxied web server and these prove to be misfires, you can exclude the destination for this alarm.

The reason I thought some were false positives is that on one alarm, the source address was a colleague who I know wasn't using Kazaa to a destination address on our intranet. This would tie in with the explanation given in the previous two posts.

Thanks for your help, much appreciated.

With 3.x sensors, it is possible that the server and client get reversed, resulting in a false positive. 4.x does not have this problem. For this to happen, a web server would have to return 'GET /' somewhere in its data to a client on port 1214. This isn't the normal scenario, but it could happen. We will make a change to the signature that should fix this for the next signature update.
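
The triage suggested in the replies above (inspect the trigger packets, then separate reversed-direction and proxied-HTTP misfires from real Kazaa requests), as an added example that is not part of the original thread or of any Cisco tooling. The packet record layout, the host list and the sample packets are constructed for illustration, and the `X-Kazaa-` header check is an assumption about Kazaa client requests that the thread does not mention.

```python
KAZAA_PORT = 1214  # default Kazaa port named in the thread

def triage(pkt, known_http_hosts):
    """Classify one trigger packet captured for an 11005 firing.

    pkt: dict with src, dst, sport, dport, payload (hypothetical layout).
    known_http_hosts: IPs of web servers and proxies you operate.
    """
    payload = pkt["payload"]
    # The signature fires on 'GET /' seen on port 1214.
    if pkt["dport"] != KAZAA_PORT or b"GET /" not in payload:
        return "not-a-match"
    # Reversed client/server (3.x sensors): a web server's response data
    # reaches a client whose ephemeral port happens to be 1214.
    if pkt["src"] in known_http_hosts or payload.startswith(b"HTTP/1."):
        return "reversed-direction"
    # Assumption, not from the thread: Kazaa clients send X-Kazaa-* headers.
    if b"x-kazaa-" in payload.lower():
        return "kazaa-confirmed"
    # Plain HTTP to a web server or proxy that listens on 1214.
    if pkt["dst"] in known_http_hosts:
        return "proxied-http"
    return "needs-review"

# Constructed sample data (documentation and private address ranges).
KNOWN_HTTP_HOSTS = {"192.0.2.10", "10.0.0.80"}
SAMPLES = [
    {"src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 1214,
     "payload": b"HTTP/1.1 200 OK\r\n\r\n<pre>GET /index.html</pre>"},
    {"src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.80", "dport": 1214,
     "payload": b"GET / HTTP/1.0\r\nHost: intranet\r\n\r\n"},
    {"src": "10.0.0.7", "sport": 40001, "dst": "198.51.100.9", "dport": 1214,
     "payload": b"GET /.files HTTP/1.1\r\nX-Kazaa-Username: u\r\n\r\n"},
    {"src": "10.0.0.8", "sport": 40002, "dst": "198.51.100.20", "dport": 1214,
     "payload": b"GET / HTTP/1.1\r\n\r\n"},
]

def triage_all(packets=SAMPLES, hosts=KNOWN_HTTP_HOSTS):
    """Return (source, destination, verdict) for each captured packet."""
    return [(p["src"], p["dst"], triage(p, hosts)) for p in packets]

if __name__ == "__main__":
    for row in triage_all():
        print(*row)
```

Destinations that keep coming back as `proxied-http` are the candidates for the per-destination exclusion mentioned above.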