Incident: 03-02-02 tcp:6346 Gnutella

Gnutella, KaZaa, and Code Red/Nimda have become incessant background noise

NOTE: I've *never* used Gnutella; this is a combination of what happens when you use a dynamic IP address, and the persistence of Gnutella's connection attempts to IP addresses that are now in use by someone else...

*This* example could be the same guy on two different dynamic IP addresses of his own; when he re-connects, good ol' Gnutella goes back out and tries to connect to all the people he's been sharing stuff with...
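An added example, not from this page or the author's tools, that turns the ipchains DENY lines below into that judgement: it re-joins the kernel's wrapped records, groups SYNs by source socket, and flags the same-source-port, backoff-spaced, climbing-IP-ID pattern as one client's connect() being retried rather than a port probe. The sample log and the classification rule are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample in the ipchains syslog format this page shows (records wrap).
SAMPLE_LOG = """\
Mar  2 15:32:54 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.95.12.112:3504 12.82.129.120:6346
 L=48 S=0x00 I=31988 F=0x4000 T=117 SYN (#64)
Mar  2 15:32:57 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.95.12.112:3504 12.82.129.120:6346
 L=48 S=0x00 I=32007 F=0x4000 T=117 SYN (#64)
Mar  2 15:33:03 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.95.12.112:3504 12.82.129.120:6346
 L=48 S=0x00 I=32053 F=0x4000 T=117 SYN (#64)
"""

RECORD_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) \S+ kernel: Packet log: "
    r"\S+ \S+ \S+ PROTO=\d+ (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=(?P<ipid>\d+) F=\S+ T=\d+ (?P<flags>.*)$")

def parse_ipchains(text):
    """Re-join indented continuation lines, then parse each record into a dict."""
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line
        elif line.strip():
            joined.append(line)
    records = [m.groupdict() for m in map(RECORD_RE.match, joined) if m]
    for d in records:  # seconds since midnight (syslog has no year; fine within a day)
        d["t"] = int(d["hh"]) * 3600 + int(d["mm"]) * 60 + int(d["ss"])
    return records

def classify(records):
    """Group by src:port -> dst:port. Repeated SYNs from one source port, widening
    gaps (3 s, 6 s ...) and climbing IP IDs = one connect() being retried, not a probe."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    out = {}
    for key, rs in groups.items():
        rs.sort(key=lambda r: r["t"])
        gaps = [b["t"] - a["t"] for a, b in zip(rs, rs[1:])]
        ipids = [int(r["ipid"]) for r in rs]
        retry = (len(rs) > 1 and all("SYN" in r["flags"] for r in rs)
                 and gaps == sorted(gaps) and ipids == sorted(ipids))
        out[key] = {"count": len(rs), "gaps": gaps, "ipids": ipids,
                    "verdict": "retransmit" if retry else "other"}
    return out
```

A source that instead shows up with many different source ports or destination ports in the same window falls into "other" and deserves a closer look.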



Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

syslog/logcheck:

Mar  2 15:32:54 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 207.95.12.112:3504 -> 12.82.129.120:6346


snort packet captures:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:32:54.630347 207.95.12.112:3504 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:31988 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEE01EA38  Ack: 0x0  Win: 0x16D0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:32:57.590663 207.95.12.112:3504 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:32007 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEE01EA38  Ack: 0x0  Win: 0x16D0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-15:33:03.611243 207.95.12.112:3504 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:32053 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEE01EA38  Ack: 0x0  Win: 0x16D0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


ipchains:

Mar  2 15:32:54 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.95.12.112:3504 12.82.129.120:6346
 L=48 S=0x00 I=31988 F=0x4000 T=117 SYN (#64)
Mar  2 15:32:57 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.95.12.112:3504 12.82.129.120:6346
 L=48 S=0x00 I=32007 F=0x4000 T=117 SYN (#64)
Mar  2 15:33:03 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.95.12.112:3504 12.82.129.120:6346
 L=48 S=0x00 I=32053 F=0x4000 T=117 SYN (#64)


p0f:

Sat Mar  2 15:32:54 2002 207.95.12.112 [12 hops]: Windows 95 or early NT4
 207.95.12.112:3504 -> 12.82.129.120:6346
Sat Mar  2 15:32:57 2002 207.95.12.112 [12 hops]: Windows 95 or early NT4
 207.95.12.112:3504 -> 12.82.129.120:6346
Sat Mar  2 15:33:03 2002 207.95.12.112 [12 hops]: Windows 95 or early NT4
 207.95.12.112:3504 -> 12.82.129.120:6346


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

ICG NetAhead, Inc. (NET-ICGNET-54-B)
   161 Inverness Dr. West
   Englewood, CO 80112
   US    

Netname: ICGNET-54-B
   Netblock: 207.95.0.0 - 207.95.31.255
   Maintainer: ICGN    

Coordinator:
      Taylor, Stacy  (ST452-ARIN)  abuse@icgcom.com
      408-579-5000    

Domain System inverse mapping provided by: 
   AS1.ICG.NET  170.147.45.163
   AS2.ICG.NET  170.147.45.164


and again...


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

snort2html.plx:

Mar  2 16:44:00 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 207.95.8.148:4665 -> 12.82.129.120:6346
Mar  2 16:44:08 greatwall last message repeated 2 times


snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-16:44:00.062976 207.95.8.148:4665 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:73 IpLen:20 DgmLen:48 DF
******S* Seq: 0x371AB058  Ack: 0x0  Win: 0x16D0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-16:44:02.993287 207.95.8.148:4665 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:96 IpLen:20 DgmLen:48 DF
******S* Seq: 0x371AB058  Ack: 0x0  Win: 0x16D0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-16:44:08.883900 207.95.8.148:4665 -> 12.82.129.120:6346
TCP TTL:117 TOS:0x0 ID:149 IpLen:20 DgmLen:48 DF
******S* Seq: 0x371AB058  Ack: 0x0  Win: 0x16D0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


ipchains:

Mar  2 16:44:00 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.95.8.148:4665 12.82.129.120:6346
 L=48 S=0x00 I=73 F=0x4000 T=117 SYN (#64)
Mar  2 16:44:03 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.95.8.148:4665 12.82.129.120:6346
 L=48 S=0x00 I=96 F=0x4000 T=117 SYN (#64)
Mar  2 16:44:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.95.8.148:4665 12.82.129.120:6346
 L=48 S=0x00 I=149 F=0x4000 T=117 SYN (#64)


p0f:

Sat Mar  2 16:44:00 2002 207.95.8.148 [12 hops]: Windows 95 or early NT4
 + 207.95.8.148:4665 -> 12.82.129.120:6346
Sat Mar  2 16:44:03 2002 207.95.8.148 [12 hops]: Windows 95 or early NT4
 + 207.95.8.148:4665 -> 12.82.129.120:6346
Sat Mar  2 16:44:08 2002 207.95.8.148 [12 hops]: Windows 95 or early NT4
 + 207.95.8.148:4665 -> 12.82.129.120:6346



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

ICG NetAhead, Inc. (NET-ICGNET-54-B)
   161 Inverness Dr. West
   Englewood, CO 80112
   US    

Netname: ICGNET-54-B
   Netblock: 207.95.0.0 - 207.95.31.255
   Maintainer: ICGN    

Coordinator:
      Taylor, Stacy  (ST452-ARIN)  abuse@icgcom.com
      408-579-5000    

Domain System inverse mapping provided by: 
   AS1.ICG.NET  170.147.45.163
   AS2.ICG.NET  170.147.45.164


jsage@finchhaven.com
Last modified: Sat Mar 2 20:48:18 2002