Kazaa traffic needs explaining

chrisv
Level 1

Below is a sample of KaZaA alarms detected by my IDS that is on the inside of our firewall. My IDS on the outside of the firewall is not detecting the traffic. That makes sense, since udp 1214 is blocked at the firewall. The KaZaA user is 132.170.x.y. This user is transmitting udp traffic to port 1214 to the IP addresses listed below as "Source." Of this I am certain; I have sniffed this traffic. 132.170.x.y received these IP addresses through the initial hello on port 80 from some "server."

My question now is, is there something else happening here that I am not aware of, or have "Source" and "Destination" on this signature been reversed?

Thanks,

Chris

Alarm Name: KaZaA v2 UDP Client Probe

Source          Dest         Details  Sensor    Source port  Dest port
12.217.88.31    132.170.x.y  KazaA    CSBIDS-1  1168         1214
12.247.147.37   132.170.x.y  KazaA    CSBIDS-1  1168         1214
12.250.218.29   132.170.x.y  KazaA    CSBIDS-1  1168         1214
12.253.113.184  132.170.x.y  KazaA    CSBIDS-1  1168         1214
18.242.0.158    132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.52.199.23    132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.65.42.160    132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.73.9.160     132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.79.125.38    132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.81.71.137    132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.130.16.39    132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.131.112.98   132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.147.177.71   132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.153.53.229   132.170.x.y  KazaA    CSBIDS-1  1168         1214
24.158.73.56    132.170.x.y  KazaA    CSBIDS-1  1168         1214

1 Reply

mcerha
Level 3

This is very strange. The signature is pretty specific, looking for "KaZaA" in the body of a UDP packet destined for port 1214. Are you sure that you are sorting the data in the correct columns (source vs. dest) from the log files? If you'd like, I'd be happy to look at any log files or traffic samples that you can provide. You can send them to mcerha@cisco.com.
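As an added example (not code from either poster or from the IDS vendor), a small Python check that applies the signature logic the reply describes (UDP body containing "KaZaA", destination port 1214) to a sniffed flow and then tells you whether an alarm row's Source/Dest columns agree with, or are reversed relative to, what was seen on the wire. The sniffed flow below is constructed from the original poster's description; the alarm row is copied from the table above.

```python
# Reconcile IDS alarm rows with sniffed UDP flows to spot swapped Source/Dest
# columns. The sniffed sample is constructed for illustration only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def matches_kazaa_probe(flow: Flow) -> bool:
    """Signature logic as the reply describes it: 'KaZaA' in the UDP body
    and the packet destined for port 1214."""
    return flow.dport == 1214 and b"KaZaA" in flow.payload

def parse_alarm_row(line: str) -> dict:
    """Parse one alarm row: Source Dest Details Sensor sport dport."""
    src, dst, details, sensor, sport, dport = line.split()
    return {"src": src, "dst": dst, "details": details, "sensor": sensor,
            "sport": int(sport), "dport": int(dport)}

def classify_alarm(alarm: dict, flows) -> str:
    """Return 'consistent', 'reversed' or 'unmatched' for one alarm row
    compared with the flows actually captured on the wire."""
    for f in flows:
        if not matches_kazaa_probe(f):
            continue
        same_ports = (f.sport, f.dport) == (alarm["sport"], alarm["dport"])
        if (f.src, f.dst) == (alarm["src"], alarm["dst"]) and same_ports:
            return "consistent"
        if (f.src, f.dst) == (alarm["dst"], alarm["src"]) and same_ports:
            return "reversed"  # IPs swapped, ports as on the wire
    return "unmatched"

# Constructed sniff: the internal client probing one remote peer on udp/1214.
SNIFFED = [
    Flow("132.170.x.y", 1168, "12.217.88.31", 1214, b"KaZaA\x00probe"),
]
ALARMS = ["12.217.88.31 132.170.x.y KazaA CSBIDS-1 1168 1214"]

def report(alarm_lines=ALARMS, flows=SNIFFED) -> dict:
    """Map each alarm row to its verdict against the captured flows."""
    return {a: classify_alarm(parse_alarm_row(a), flows) for a in alarm_lines}

if __name__ == "__main__":
    for row, verdict in report().items():
        print(f"{verdict:10s} {row}")
```

Feed it the full alarm table and a real capture (one Flow per UDP datagram) to see at a glance whether the sensor's columns line up with the traffic before escalating to the vendor.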