On 27/01/06, Michael Scheidell <scheidell@secnap.net> wrote:
On 27/01/06, Michael Scheidell <scheidell@secnap.net> wrote:
We traced a very large data transfer from the host we had running
aanval to 82.165.229.52
Interesting thing about that ip address:
host www.aanval.com
www.aanval.com is a nickname for aanval.com
aanval.com has address 82.165.229.52
aanval.com mail is handled (pri=10) by mail.aanval.com
82.165.229.51 is also known as oad.aanval.com. OAD stands
for 'Offender Analysis Database'. And default install of
aanval console sends lot's of data to that database. In
aanval console go Aanval -> System Options -> Processor
Options -> uncheck the 'Offender Analysis Database' option ->
press 'Update Options' -> see how the traffic to oad.aanval.com stops.
21GB? 7 hours? Do the math, that will saturate two t1's for 7 hours.
Sorry, in your original post there was no '7 hours'. Have you tried
to look what's inside the packets that went to 82.165.229.51? I'll
still bet that it was something related to OAD, but it just went mad
because of some setting in php, aanval, etc.
BTW, what is the version of aanval you used? Just to see if I was
lucky by not using it or not driving it crazy.
And besides, we turned it off in system options the day we installed it.
Did RTFM.
Thanks for playing, next player?
Well, I'll join you, but just after my work hours (in ~3-4 hours from now). :)
--
http://nk99.org/
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
