This is Definitely Not A BlueCoat Device In Syria.

RE: "BlueCoat Refutal of BlueCoat Devices in Syria" and "BlueCoat and Syria: Indicators and Culpability" (me)

Mr. Steve Schick,

The device attached to 77.44.210.15 is not a BlueCoat SG-400 Appliance. Not a chance. None at all. And if it were, it would definitely not be an address owned by the Syrian Computer Society.

Nmap scan report for 77.44.210.15
Host is up (1.1s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain?
80/tcp open http Blue Coat proxy server
|_html-title: Access Denied
81/tcp open http-proxy BlueCoat SG-400 http proxy
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
2000/tcp filtered cisco-sccp
3128/tcp open squid-http?
4444/tcp filtered krb524
5060/tcp filtered sip
8080/tcp open http Blue Coat proxy server
|_html-title: Access Denied
8082/tcp open ssl/http Blue Coat SG210 http proxy config
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/plain; charset=utf-8).
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = 77.44.210.15
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Device type: proxy server|general purpose|WAP|firewall
Running (JUST GUESSING) : Blue Coat SGOS 5.X (90%), FreeBSD 6.X (89%), AirSpan embedded (88%), Apple Mac OS X 10.5.X (87%), Netasq embedded (85%)
Aggressive OS guesses: Blue Coat SG200 proxy server (SGOS 5.1.4.4) (90%), FreeBSD 6.2-RELEASE (89%), AirSpan ProST WiMAX access point (88%), Apple Mac OS X 10.5 (Leopard) (Darwin 9.2.2, x86) (87%), Apple Mac OS X 10.5.5 - 10.6.1 (Leopard - Snow Leopard) (Darwin 9.5.0 - 10.0.0) (87%), FreeBSD 6.1-RELEASE (86%), Netasq U70 firewall (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops
Service Info: OS: SGOS; Device: proxy server

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 0.53 ms 10.240.80.2
2 5.39 ms ip-10-1-4-9.ec2.internal (10.1.4.9)
3 15.70 ms ip-10-1-2-128.ec2.internal (10.1.2.128)
4 0.57 ms 216.182.232.12
5 0.58 ms 216.182.232.50
6 14.98 ms 72.21.222.148
7 2.08 ms 72.21.220.156
8 2.87 ms dca-edge-18.inet.qwest.net (63.233.113.177)
9 2.51 ms ae-3.r01.asbnva02.us.bb.gin.ntt.net (129.250.2.210)
10 1487.82 ms lon-sb2-i.LON.GB.NET.DTAG.DE (62.154.5.137)
11 -- lon-sb2-i.LON.GB.NET.DTAG.DE (62.156.131.149)
12 -- 80.156.162.202
13 -- 80.156.162.194
14 ... 16
17 -- 77.44.201.206
18 -- 77.44.210.15

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 401.84 seconds

% Information related to '77.44.128.0 - 77.44.255.255'
inetnum: 77.44.128.0 - 77.44.255.255
org: ORG-SCSs1-RIPE
netname: SY-SCS-NET-20061220
descr: Syrian Computer Society, scs
country: SY
admin-c: SN2832-RIPE
tech-c: SN2832-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: SCS-NOC
mnt-domains: NOC-domains
mnt-routes: SCS-NOC
mnt-routes: STEMNT-1
source: RIPE # Filtered
organisation: ORG-SCSs1-RIPE
org-name: Syrian Computer Society, scs
org-type: LIR
address: Syrian Computer Society, scs Beirut Street, Tishreen park 13365 Damascus Syrian Arab Republic
phone: +963 11 371 2003
fax-no: +963 11 37298030
e-mail: noc@scs-net.org
mnt-ref: SCS-NOC
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
admin-c: SH5359-RIPE
source: RIPE # Filtered
role: SCS NOC
address: Damascus, Syia
mnt-by: SCS-NOC
e-mail: noc@scs-net.org
admin-c: SH5359-RIPE
admin-c: ML9004-RIPE
tech-c: SH5359-RIPE
nic-hdl: SN2832-RIPE
source: RIPE # Filtered

I’m glad we have this resolved, Sir.

Cordially,

Collin Anderson