LOL

Wow....try some decaf my friend ;)  This isn't a problem for me at
all...just thought someone at Ntop would like to know really.  Didn't
know about the violation of the RFC though, so thanks for the tip.  God
bless and keep up the good work.

James

On Mon, 28 Nov 2005 18:04:01 -0600
"Burton Strauss" <[EMAIL PROTECTED]> wrote:

> Bite me.  Try reading docs/FAQ - the sections about support.
> 
> Q. I posted to the list and nobody answered me.
> A. ntop is open source, and the lists are a community resource.  If
> nobody answered your question, then nobody knew the answers off-hand
> and nobody wanted to spend THEIR time solving YOUR problem.
> 
> 
> Q. Do you offer paid support?
> A. Yes - contact us through http://www.ntop.org/consultancy.html
> 
> And:
> 
> RESPONSES
> =========
> 
> Despite any individual's frequent postings, nobody is "responsible"
> for answering your question. It's all on a "best efforts" basis. This
> is equally true of the entries in ntop's Wiki. Our responses may be
> incomplete, inaccurate,
> even dead wrong. Caveat Emptor! The only "guarantee" is that free
> support will
> be worth what you've paid for it.  It may be worth MORE, it won't be
> worth LESS.
> 
> Just because you post a question does NOT mean that you are OWED an
> answer.
> 
> If nobody answers, then maybe it's because:
> 
>    * Nobody knows.
>    * People are busy.
>    * You've asked the same question multiple times and it's already
> been answered.
>    * You have been asked for additional information and are
> unable/unwilling to supply it.
> 
> or, well, any one of a dozen other reasons.
> 
> Asking the same question multiple times - or asking it again because
> you don't
> like the answer you received - is a slap in the face of the person
> who took the
> time to answer you in the first place and will more than likely not
> get a different response.  If you're not sure that your message
> posted, check the archives to see if your message is there -- please
> don't just keep reposting it.
> 
> You can always use gmane (http://www.gmane.org) to see the last 600
> or so postings to the lists.
> 
> Please direct all original postings and subsequent replies to the
> list, not to
> someone privately.  Most of us will reply solely to the mailing list,
> unless you specifically request otherwise.  If you do request
> otherwise, the individual
> you sent it to may choose not to respond.  Our posting here is NOT a
> public invitation to invade our e-mail boxes for your free private
> support.
> 
> 
> Or you could get off your butt and try helping yourself - looking for
> that message in the source finds this in sessions.c:
> 
>     /*
>       This is a brand new session: let's check whether this is
>       not a faked session (i.e. a known protocol is running at
>       an unknown port)
>     */
> ...
>         } else if(((sport == IP_TCP_PORT_FTP) || (sport == IP_TCP_PORT_SMTP)) &&
>                   (!isInitialFtpData(tmpStr))) {
>           if(myGlobals.runningPref.enableSuspiciousPacketDump) {
>             traceEvent(CONST_TRACE_WARNING, "Unknown protocol (no FTP/SMTP) detected (trojan?) "
>                        "at port %d %s:%d -> %s:%d [%s]", sport,
>                        dstHost->hostResolvedName, dport,
>                        srcHost->hostResolvedName, sport,
>                        tmpStr);
>             dumpSuspiciousPacket(actualDeviceId);
>           }
> 
> Where the isInitialFtpData() is in traffic.c:
> 
> int isInitialFtpData(char* packetData) {
>   /* 220 linux.local FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.16) ready. */
>   if((strncmp(packetData, "220 ", 4) == 0)
>      || (strncmp(packetData, "530", 3) == 0))
>     return(1);
>   else
>     return(0);
> }
> 
> 
> So, ntop found a packet which was sent to port 21 or 25 and yet
> didn't look like an SMTP reply.  And issued a warning... 
> 
> 
> Could be a bug, could be the data, could be a false positive.  It is
> way better to cry wolf a few times instead of missing the sky falling
> - that's why we issue WARNINGS - so people will look at their data
> and maybe catch a bad guy.  Or determine it's a false positive.  Get
> over it...
> 
> Actually, if you look at the RFC,
> http://www.faqs.org/rfcs/rfc821.html, specifically section 4.2.1.
> REPLY CODES BY FUNCTION GROUPS, the bug is AOL's, because the 220
> message is followed by a space, not a -.
> 
>    220 <domain> Service ready
> 
> 
> 
> 
> -----Burton
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of James Lay
> Sent: Monday, November 28, 2005 3:46 PM
> To: Ntop
> Subject: [Ntop] 3rd times a charm
> 
> So I've put this to the list twice...this will be the 3rd and final
> time I submit this.  I think this is a bug in ntop.  Below is the
> result of postfix on this box emailing someone at AOL:
> 
> Nov 28 14:42:10 homebox ntop[12396]:   **WARNING** Unknown protocol
> (no FTP/SMTP) detected (trojan?) at port 25
> www.slave-tothe-box.net:33387 -> mailin-04.mx.aol.com:25
> [220-rly-yh02.mx.aol.com ESMTP mail_relay_in-yh2.7; Mon, 28 Nov 2005
> 16:42:07 -0500^M 220-America Online (AOL) and its affiliated
> companies do not^M 220-     authorize the use of its proprietary
> computers and computer^M 220-     networks to accept, transmit, ]
> 
> Two points:
> 
> 1.  This is on port 25, yet Ntop says no SMTP
> 2.  This is a simple MOTD type message that Ntop should really be aware of.
> 
> Anywhere else I can send this to?  Apparently nobody on this list is
> a developer or cares about this =D
> 
> Thanks people.
> 
> James
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
> 

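Added example, not part of the thread and not ntop code: the check quoted above run against the banner from the logged warning, next to a variant that also accepts the multi-line reply form, in which every line but the last has a hyphen after the reply code. The name isInitialReplyMultiline is hypothetical, and the sample banner is constructed from the log line in the thread with each "^M" taken to be CRLF.

```c
#include <stddef.h>
#include <string.h>

/* The check as quoted in the thread: only "220 " or "530" at offset 0. */
int isInitialFtpData(const char *packetData) {
  return (strncmp(packetData, "220 ", 4) == 0) ||
         (strncmp(packetData, "530", 3) == 0);
}

/* Hypothetical variant (not ntop code): accept a reply whose lines all carry
   the same code followed by '-' (continuation) or ' ' (final line).  A
   capture that ends before the final line is accepted if every line seen
   so far is consistent. */
int isInitialReplyMultiline(const char *buf, size_t len) {
  size_t pos = 0;
  int lines = 0;
  if(len < 4) return 0;
  if(memcmp(buf, "220", 3) != 0 && memcmp(buf, "530", 3) != 0) return 0;
  while(pos < len) {
    const char *line = buf + pos, *nl;
    size_t remaining = len - pos;
    size_t n = remaining < 3 ? remaining : 3;
    if(memcmp(line, buf, n) != 0) return 0;       /* code changed mid-reply */
    if(remaining < 4) break;                      /* truncated tail */
    if(line[3] == ' ') return 1;                  /* final line reached */
    if(line[3] != '-') return 0;                  /* not a reply line */
    lines++;
    nl = memchr(line, '\n', remaining);
    if(nl == NULL) break;                         /* capture ends mid-line */
    pos = (size_t)(nl - buf) + 1;
  }
  return lines > 0;
}

/* Constructed sample: the banner from the log line in the thread, with each
   "^M" taken to be CRLF; it is cut off mid-reply like the logged payload. */
static const char AOL_BANNER[] =
  "220-rly-yh02.mx.aol.com ESMTP mail_relay_in-yh2.7; "
  "Mon, 28 Nov 2005 16:42:07 -0500\r\n"
  "220-America Online (AOL) and its affiliated companies do not\r\n"
  "220-     authorize the use of its proprietary computers and computer\r\n";

int main(void) {
  /* 0 = would trigger the warning, 1 = recognised as a greeting */
  int old_result = isInitialFtpData(AOL_BANNER);
  int new_result = isInitialReplyMultiline(AOL_BANNER, sizeof(AOL_BANNER) - 1);
  return (old_result == 0 && new_result == 1) ? 0 : 1;
}
```

The variant still rejects a payload whose second line drops the reply code, so a non-reply stream on port 21 or 25 keeps producing the warning.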