I just installed snort and am logging some of my traffic.

The snort logger is running on one host, 192.168.1.4, and I am currently logged into 192.168.1.3 running opera, emacs and a bunch of xterms. I notice there is a shitload of data about my web searches and web pages I have visited, dating back to last week, that is being sent to 192.168.1.4 (don't ask me why it is being sent there, I'm asking you). Below are some examples (there are shitloads more, as I say, dating back to sites I visited last week).

Is opera sending this? And if so, to whom? And I wonder why it is going to 192.168.1.4 (that is the NFS/NIS server for the LAN, but not the firewall router). Paranoid in Chicago; please advise. I'm about to shut down opera and rerun snort to see if opera is sending the data.

John Hunter
Here are searches from last week, when I was google whacking.

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
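To make sense of output like the above, here is an added example (not from the post) that parses snort's packet-log layout, reassembles the fragments of one datagram by source, destination and IP ID, and lists the URLs the payload carries. Every record in the post has a non-zero Frag Offset, which is why snort prints no ports for them; grouping by IP ID is what recovers the whole datagram. The sample log is constructed for the demo.

```python
import re
from collections import defaultdict
from itertools import takewhile

# Constructed sample in snort's packet-log layout (header, IP line, optional fragment line, rows of up to 16 hex bytes plus ASCII): two fragments of one datagram, IP ID 28007.
SAMPLE_LOG = """\
04/17-18:09:24.452061 192.168.1.3 -> 192.168.1.4
UDP TTL:64 TOS:0x0 ID:28007 IpLen:20 DgmLen:308 DF
Frag Offset: 0x022B   Frag Size: 0xFFFFFEF5
6D 61 70 20 00 1D 68 74 74 70 3A 2F 2F 77 77 77  map ..http://www
2E 69 6E 73 65 63 75 72 65 2E 6F 72 67 2F 00 00  .insecure.org/..
04/17-18:09:24.452387 192.168.1.3 -> 192.168.1.4
UDP TTL:64 TOS:0x0 ID:28007 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0172   Frag Size: 0x0456
68 74 74 70 3A 2F 2F 77 77 77 2E 67 6F 6F 67 6C  http://www.googl
65 2E 63 6F 6D 2F 3F 71 3D 6E 6D 61 70 00        e.com/?q=nmap.
"""
HEADER = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
IPLINE = re.compile(r"^(?:UDP|TCP|ICMP) TTL:\d+ TOS:\S+ ID:(\d+) IpLen:\d+ DgmLen:\d+(.*)$")
FRAG = re.compile(r"^Frag Offset: 0x([0-9A-Fa-f]+)")

def parse_snort_log(text):
    """One dict per packet. Ports are None on non-first fragments: snort cannot print them there."""
    packets = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            packets.append({"src": m[1], "sport": m[2], "dst": m[3], "dport": m[4],
                            "id": None, "offset": 0, "mf": False, "data": bytearray()})
        elif m := IPLINE.match(line):
            packets[-1]["id"], packets[-1]["mf"] = int(m[1]), "MF" in m[2].split()
        elif m := FRAG.match(line):
            packets[-1]["offset"] = int(m[1], 16) * 8   # IP fragment offsets count 8-byte units
        elif packets:
            # Hex pairs only up to the first non-pair token (max 16): the ASCII column is never decoded as data
            pairs = list(takewhile(lambda t: re.fullmatch(r"[0-9A-Fa-f]{2}", t), line.split()))[:16]
            packets[-1]["data"] += bytes.fromhex("".join(pairs))
    return packets

def leaked_urls(text):
    """Reassemble fragments per (src, dst, IP ID), gaps left as zero bytes, and list the URLs found."""
    groups = defaultdict(list)
    for p in parse_snort_log(text):
        groups[(p["src"], p["dst"], p["id"])].append(p)
    found = {}
    for key, frags in groups.items():
        buf = bytearray(max(f["offset"] + len(f["data"]) for f in frags))
        for f in frags:
            buf[f["offset"]:f["offset"] + len(f["data"])] = f["data"]
        found[key] = [u.decode() for u in re.findall(rb"https?://[\x21-\x7e]+", bytes(buf))]
    return found
```

Run over a real snort log, this shows which datagrams to 192.168.1.4 carry browser history, and the first fragment of each (offset 0) is the one whose header line carries the UDP port that identifies the receiving service.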
