Snort mailing list archives
P2P or emu connection?
From: Penetration Test <penetration.test () gmail com>
Date: Wed, 6 Oct 2004 17:20:50 +0800
Hi All,

The network which we are monitoring has a lot of connections with the following combination of ports.

src_port    dst_port
----------- -----------
2764        22946
2784        22962
2786        22965
2819        23081
2838        23105
2901        23296
2947        45898
2949        45900
3116        47645
3132        47662
3135        47664
3175        47945
3234        48890
3252        48926
3291        49364
3311        49518
3330        49541

The destination IP is identical for all of them, and there are 5 source IPs. We recorded the payload; here is some of the payload.

c:77e4d5e1#s:420e5aaf187e297b371830ebd5787675cff6177b# sa_a_08.bin
c:f2a5a093#s:66d482cc3f45ff7bf1363cf3c88e2dabc902a299# sa_a_01.bin
c:41ec6491#s:c0bd66409bc6ea969f4c45cc006fde891ba8b4d7# sa_a_03.bin
c:e0dff10d#s:3aa18b05f06b4b0a88ba4df86dfc0ca650c2684e# sa_a_05.bin
c:62169d31#s:294887b6ce0d56e053e7f7583b8a160afeef4ce5# sa_a_07.bin
c:a6f5966f#s:00319b96dacc4dcfd70935e1626da0ae6aa63e5a# sa_a_11.bin

It looks like a listing of r0m with checksum calculated. I would like to know whether the connection is a kind of P2P file sharing or a connection by an emulator?

Thanks.

--
<<penetration dot test **AT** gmail dot com>>
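An added example, not part of the original post: a small parser for the `c:...#s:...# name` records quoted above, plus a check that tests a candidate file against one record. It assumes the 8-hex-digit `c:` field is a CRC-32 and the 40-hex-digit `s:` field is a SHA-1 (the lengths fit, the post does not confirm it); the function names are hypothetical.

```python
import hashlib
import re
import zlib

# One record per line: c:<8 hex>#s:<40 hex>#<optional space><file name>
RECORD = re.compile(r"c:([0-9a-f]{8})#s:([0-9a-f]{40})#\s*(\S+)", re.I)

# Two of the payload lines quoted in the post.
CAPTURED = (
    "c:77e4d5e1#s:420e5aaf187e297b371830ebd5787675cff6177b# sa_a_08.bin\n"
    "c:f2a5a093#s:66d482cc3f45ff7bf1363cf3c88e2dabc902a299# sa_a_01.bin\n"
)


def parse_listing(payload):
    """Return (c_field, s_field, name) for every record found in payload."""
    return [(m.group(1).lower(), m.group(2).lower(), m.group(3))
            for m in RECORD.finditer(payload)]


def check_file(record, data):
    """Compare a candidate file's CRC-32 and SHA-1 with one parsed record.

    Assumption: c: is CRC-32 and s: is SHA-1. Returns which fields matched.
    """
    c_field, s_field, _name = record
    crc = format(zlib.crc32(data) & 0xFFFFFFFF, "08x")
    sha1 = hashlib.sha1(data).hexdigest()
    return {"crc32": crc == c_field, "sha1": sha1 == s_field}


def make_record(name, data):
    """Build a line in the same layout from known bytes (for self-checking)."""
    crc = format(zlib.crc32(data) & 0xFFFFFFFF, "08x")
    return "c:%s#s:%s# %s" % (crc, hashlib.sha1(data).hexdigest(), name)


if __name__ == "__main__":
    for rec in parse_listing(CAPTURED):
        print(rec)
    # Constructed sample: these bytes and the file name are made up.
    sample = b"constructed sample bytes"
    rec = parse_listing(make_record("sample.bin", sample))[0]
    print(check_file(rec, sample))         # both fields match
    print(check_file(rec, sample + b"!"))  # neither field matches
```

If a file with one of the listed names can be recovered from a source host, running `check_file` on its bytes confirms or rules out the CRC-32/SHA-1 reading of the two fields.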
