IDS mailing list archives
Re: NNTP and Yahoo IM conflict.
From: Surya Batchu <suryak_batchu () yahoo com>
Date: Sat, 12 Aug 2006 03:54:23 -0700 (PDT)
In my previous email, I meant "determine the protocol based on the contents (not based on the destination port) of the packets before running the packets through the anomaly detection engines."

Surya

--- Surya Batchu <suryak_batchu () yahoo com> wrote:

> You can't depend on the port. Standard protocols are being run on non-standard ports (ports other than the assigned ones), and proprietary protocols are being run on standard ports. For good protocol anomaly detection, I suggest determining the protocol first and passing it through the appropriate protocol anomaly detection engine.
>
> Surya
>
> --- NTR <ntr () intoto com> wrote:
>
> > Hi All,
> >
> > I am trying to analyze NNTP traffic and I have created a profile for the NNTP protocol. It's a kind of NNTP protocol anomaly detection. I have also observed that Yahoo Instant Messenger sometimes uses the NNTP port. Though it is using the NNTP port, the format is quite different from the NNTP protocol. This is the point where my parsing engine is facing a problem. Each time Yahoo connects on the NNTP port, my parsing engine treats it as an NNTP protocol anomaly and starts generating alerts.
> >
> > I am looking for some advice or a solution to solve this problem. How should we profile the NNTP protocol so that it can differentiate Yahoo traffic from genuine NNTP traffic?
> >
> > Thanks and anticipating early solutions.
> >
> > Thanks and Regards,
> > NTR
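The content-first dispatch suggested in this thread, sketched as an added example that is not part of the original messages or any poster's code. It assumes Yahoo Messenger frames begin with the ASCII magic "YMSG" and that NNTP lines are printable ASCII of at most 512 octets; the sample payloads and engine names are constructed for illustration.

```python
import re

# Constructed first-bytes samples of a TCP stream (not captured traffic).
NNTP_GREETING = b"200 news.example.org server ready\r\n"
NNTP_COMMAND = b"mode reader\r\n"
# Assumption: a YMSG frame is the ASCII magic plus a 16-byte binary header.
YMSG_PACKET = b"YMSG" + bytes([0, 16, 0, 0, 0, 0, 0, 0x57]) + bytes(8)
BINARY_OTHER = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"

YMSG_MAGIC = b"YMSG"
NNTP_STATUS = re.compile(rb"[1-5][0-9]{2}( .*)?$")   # three-digit status line
NNTP_COMMANDS = {b"ARTICLE", b"AUTHINFO", b"BODY", b"CAPABILITIES", b"DATE",
                 b"GROUP", b"HEAD", b"HELP", b"IHAVE", b"LAST", b"LIST",
                 b"LISTGROUP", b"MODE", b"NEWGROUPS", b"NEWNEWS", b"NEXT",
                 b"POST", b"QUIT", b"STAT", b"XHDR", b"XOVER"}
MAX_LINE = 512  # NNTP line limit in octets, CRLF included

def is_text(data: bytes) -> bool:
    return all(32 <= b < 127 for b in data)

def identify(payload: bytes) -> str:
    """Return 'ymsg', 'nntp', 'unknown' or 'need_more' from a stream's first bytes."""
    if payload.startswith(YMSG_MAGIC):
        return "ymsg"
    if YMSG_MAGIC.startswith(payload):       # empty or partial magic: wait for data
        return "need_more"
    line, crlf, _ = payload.partition(b"\r\n")
    if not crlf:
        line = line.rstrip(b"\r")            # CR may arrive before its LF
    if not is_text(line) or len(line) > MAX_LINE - 2:
        return "unknown"
    if not crlf:
        return "need_more"                   # printable so far, no full line yet
    if NNTP_STATUS.match(line):              # server side of the conversation
        return "nntp"
    words = line.split()
    if words and words[0].upper() in NNTP_COMMANDS:   # client side: known keyword
        return "nntp"
    return "unknown"

ENGINES = {"nntp": "nntp-anomaly", "ymsg": "im-policy"}  # hypothetical engine names

def route(dst_port: int, payload: bytes):
    """Pick the engine from content; the port only annotates the decision."""
    proto = identify(payload)
    return ENGINES.get(proto, "generic"), f"{proto} on port {dst_port}"
```

With this ordering, a Yahoo session on port 119 produces a single "ymsg on port 119" event for policy handling instead of a stream of NNTP parse alerts.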
Current thread:
- NNTP and Yahoo IM conflict. NTR (Aug 11)
- Re: NNTP and Yahoo IM conflict. Surya Batchu (Aug 14)
- <Possible follow-ups>
- Re: NNTP and Yahoo IM conflict. Surya Batchu (Aug 14)