I posted the code snippet in my last msg - it's from sessions.c. As a quick & dirty you could add the extra port #.
The right way would be to build a list from the -p parm of those items aliased to 80 and use that list. If you're willing to sponsor that work, contact me off list.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mathew Davies
Sent: Tuesday, October 28, 2003 8:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] HTTP detected at wrong port (trojan?)

Trying not to remove this rule from the source as it is a very useful one; a lot of trojans do make http servers. I more want to know if it is possible to teach ntop that requests to internal_proxyserver_ip on port 4321 are ok. Preferably in a way that can be done in a config file rather than recompiling the code and so not using a standard code base.

I am guessing though that ntop hasn't advanced to the level of recognising authorised network proxy servers and that if I want this I have to sponsor some dev?

-Mat

-----Original Message-----
From: Burton Strauss [mailto:[EMAIL PROTECTED]
Sent: 28 October 2003 13:36
To: [EMAIL PROTECTED]
Subject: Re: [Ntop] HTTP detected at wrong port (trojan?)

Search for the message and #if (0) it out. ntop looks at the 1st few bytes and if it sees an http request on a non-standard port, that's what generates the message.

-----Burton

---------- Original Message ----------------------------------
From: "Mathew Davies" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 28 Oct 2003 12:18:09 -0000

>
>I have been noticing a lot of warnings on ntop syslogs of the type below warning of a trojan
>which I am pretty sure are incorrect.
>
>If this is because I have a proxy server would this be the same if I was using
>the proxy server on non standard port 4321 not squid default of 3128, if so
>is there a way of teaching ntop this is ok?
>
>ntop[13929]: **WARNING** WARNING: HTTP detected at wrong port (trojan?)
>internal_client_ip:1177 -> internal_proxyserver_ip:4321
>[GET http://www.flyaerlingus.com/css/webdeals.css HTTP/1.0^M Accept:
>*/*^M Referer: http://www.aerlingus.ie/cgi-bin/obel01im1/index.jsp^M
>Accept-Language: en-gb^M If-Modified-Since: Mon
>
>Mathew Davies
>
>_______________________________________________
>Ntop mailing list
>[EMAIL PROTECTED]
>http://listgateway.unipi.it/mailman/listinfo/ntop
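An added sketch, not ntop's sessions.c code, of the check described in the thread (inspect the first payload bytes for an HTTP request) combined with the per-host allowlist asked for above. The `a.b.c.d:port` entry format, the method list and all function names are assumptions, and 10.0.0.5 is a constructed stand-in for internal_proxyserver_ip.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist entry: where HTTP is expected. addr 0 = any host. */
struct http_endpoint { uint32_t addr; uint16_t port; };
#define MAX_ENDPOINTS 16
static struct http_endpoint allowed[MAX_ENDPOINTS] = { { 0, 80 } }; /* port 80 anywhere */
static size_t n_allowed = 1;

/* Parse one config entry of the assumed form "a.b.c.d:port"; 0 on success, -1 if malformed or table full. */
int allow_endpoint(const char *entry) {
    unsigned a, b, c, d, port;
    char extra; /* catches trailing junk after the port */
    if (sscanf(entry, "%u.%u.%u.%u:%u%c", &a, &b, &c, &d, &port, &extra) != 5 ||
        a > 255 || b > 255 || c > 255 || d > 255 || port == 0 || port > 65535 ||
        n_allowed == MAX_ENDPOINTS)
        return -1;
    allowed[n_allowed].addr = (a << 24) | (b << 16) | (c << 8) | d;
    allowed[n_allowed++].port = (uint16_t)port;
    return 0;
}

/* 1 if the first payload bytes look like an HTTP request line (method list is an assumption). */
int looks_like_http_request(const unsigned char *p, size_t len) {
    static const char *const methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "CONNECT " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t n = strlen(methods[i]);
        if (len >= n && memcmp(p, methods[i], n) == 0)
            return 1;
    }
    return 0;
}

/* 1 = warn: HTTP request seen on an endpoint that is not in the allowlist. */
int http_at_wrong_port(uint32_t dst, uint16_t dport, const unsigned char *p, size_t len) {
    if (!looks_like_http_request(p, len)) return 0;
    for (size_t i = 0; i < n_allowed; i++)
        if (allowed[i].port == dport && (allowed[i].addr == 0 || allowed[i].addr == dst))
            return 0;
    return 1;
}

int main(void) {
    const unsigned char req[] = "GET http://www.example.com/ HTTP/1.0\r\n"; /* constructed sample */
    allow_endpoint("10.0.0.5:4321"); /* constructed proxy address */
    printf("warn=%d\n", http_at_wrong_port(0x0A000005u, 4321, req, sizeof req - 1));
    return 0;
}
```

Because the allowlist entry pins both address and port, HTTP to any other host on port 4321 still raises the warning, so the trojan heuristic stays active everywhere except the authorised proxy.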
