I've just started the forensics on this, but wanted to see if anyone had a similiar experience with this software... A user downloaded/installed/used a TV viewer (http://tvunetworks.com/) -- the our IDS guy received a report from SourceFire that there was an unusually large OUTbound data stream... Basically, during the timeframe the user noted a process still running that was associated with this application, anywhere from 113 - 163 megs had been downloaded (the TV data stream -- expected) but at the same time about 1.5 gigs of data was outbound (NOT expected!). All done over the course of a few hours.

The destination of the data streams was to seven different IPs. IT troops claim the system is free of known viruses and bad-ware. We don't know yet what data was actually outbound; only have the SourceFire report to run on so far. Yes, lots to do yet (ports, dest lookups, etc.).

Here's a summary:

MB MB rate nslookup known hostname
sent recv hrs KB/s hostname

1435 163 1 36.1 NEW ip72-196-228-82.dc.dc.cox.net ==>NEW user's_computer
1519 111 0 46.3 NEW cpe-075-182-097-243.nc.res.rr.com ==>NEW user's_computer
1469 116 0 66.6 NEW d207-216-101-241.bchsia.telus.net ==>NEW user's_computer
1443 129 0 71.0 NEW 79.178.24.103 ==>NEW user's_computer
1492 118 0 71.6 NEW c-71-63-102-62.hsd1.va.comcast.net ==>NEW user's_computer
1437 112 0 81.7 NEW din-15-189-235-87.ipcom.comunitel.net ==>NEW user's_computer
1539 113 0 110.7 NEW 66.186.178.140 ==>NEW user's_computer

Ideas? Any Experience with TVU?

Thanks!
Miguel