I'm back at my machine ...
the code is this:
  if(myGlobals.enablePacketDecoding) {
    /* Payload looks like HTTP, but the destination is not a known HTTP port */
    if((dport != 80)
       && (dport != 3000 /* ntop */)
       && (dport != 3128 /* squid */)
       && isInitialHttpData(tmpStr)) {
      if(myGlobals.enableSuspiciousPacketDump) {
        traceEvent(CONST_TRACE_WARNING, "HTTP detected at wrong port (trojan?) "
                   "%s:%d -> %s:%d [%s]",
                   srcHost->hostSymIpAddress, sport,
                   dstHost->hostSymIpAddress, dport,
                   tmpStr);
        dumpSuspiciousPacket(actualDeviceId);
      }
    }
  }
So if you disable the suspicious packet dump option, it won't do the
tests...
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burton Strauss
Sent: Tuesday, October 28, 2003 7:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [Ntop] HTTP detected at wrong port (trojan?)
Search for the message and #if (0) it out.
ntop looks at the 1st few bytes and if it sees an http request on a
non-standard port, that's what generates the message.
-----Burton
---------- Original Message ----------------------------------
From: "Mathew Davies" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 28 Oct 2003 12:18:09 -0000
>
>I have been noticing a lot of warnings on ntop syslogs of the type below
>warning of a trojan which I am pretty sure are incorrect.
>
>If this is because I have a proxy server, would this be the same if I was
>using the proxy server on non-standard port 4321, not the squid default of
>3128? If so, is there a way of teaching ntop this is ok?
>
>ntop[13929]: **WARNING** WARNING: HTTP detected at wrong port (trojan?)
>internal_client_ip:1177 -> internal_proxyserver_ip:4321
>[GET http://www.flyaerlingus.com/css/webdeals.css HTTP/1.0^M Accept:
>*/*^M Referer: http://www.aerlingus.ie/cgi-bin/obel01im1/index.jsp^M
>Accept-Language: en-gb^M If-Modified-Since: Mon
>
>Mathew Davies
>
>_______________________________________________
>Ntop mailing list
>[EMAIL PROTECTED]
>http://listgateway.unipi.it/mailman/listinfo/ntop
>
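The check discussed in this thread, written as an added example with the expected-port list passed in so a site can include its own proxy port (4321 in the question). This is not ntop source and not part of any message above; the function names and the method list are assumptions, and the request is a constructed sample based on the quoted log line.

```c
/* Added example, not ntop source: all names here are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Request methods compared against the first bytes of a payload (assumed set). */
static const char *const http_methods[] = {
  "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "CONNECT "
};

/* Return 1 if the payload starts like an HTTP request line. */
int looks_like_http_request(const char *payload, size_t len) {
  size_t i;
  for (i = 0; i < sizeof(http_methods) / sizeof(http_methods[0]); i++) {
    size_t mlen = strlen(http_methods[i]);
    if (len >= mlen && memcmp(payload, http_methods[i], mlen) == 0)
      return 1;
  }
  return 0;
}

/* Return 1 if dport is in the site's list of ports where HTTP is expected. */
int port_expects_http(unsigned short dport,
                      const unsigned short *ports, size_t nports) {
  size_t i;
  for (i = 0; i < nports; i++)
    if (ports[i] == dport)
      return 1;
  return 0;
}

/* Return 1 when an HTTP request shows up on a port outside the list. */
int http_on_unexpected_port(const char *payload, size_t len, unsigned short dport,
                            const unsigned short *ports, size_t nports) {
  return !port_expects_http(dport, ports, nports)
         && looks_like_http_request(payload, len);
}

int main(void) {
  /* Constructed sample based on the log line quoted in this thread. */
  const char req[] = "GET http://www.flyaerlingus.com/css/webdeals.css HTTP/1.0\r\n";
  const unsigned short builtin[] = { 80, 3000, 3128 };       /* ports in the posted code */
  const unsigned short site[]    = { 80, 3000, 3128, 4321 }; /* plus the local proxy port */

  printf("built-in list: %d\n", http_on_unexpected_port(req, strlen(req), 4321, builtin, 3));
  printf("site list:     %d\n", http_on_unexpected_port(req, strlen(req), 4321, site, 4));
  return 0;
}
```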