IDS mailing list archives

Re: NNTP and Yahoo IM conflict.

From: Surya Batchu <suryak_batchu () yahoo com>
Date: Sat, 12 Aug 2006 03:54:23 -0700 (PDT)


In my previous email, I mean "determine the protocol
based on the contents (not based on the destination
port) of the packets before running the packets
through the anomaly detection engines."
Surya

--- Surya Batchu <suryak_batchu () yahoo com> wrote:

You can't depend on the port. Standard protocols are
being  run on non-standard (other than assigned
ports)
ports and proprietary protocols are being run on
standard ports.  For a good protocol anomaly
detection, I suggest to determine the protocol first
and pass it through appropriate protocol anomaly
detection engine.

Surya


--- NTR <ntr () intoto com> wrote:

Hi All,

I am trying analyze NNTP traffic and i have

created

a profile for NNTP 
protocol.  It's a kind of NNTP protocol anomaly
detection.
I have also observed some time Yahoo Instant
Messenger uses NNTP 
port.  Though it is using NNTP port the format is
quite different
from NNTP protocol.  It is the point where my
parsing engine facing 
problem.  Each time whenever yahoo connects on

NNTP

port
my parsing engine treats it as NNTP protocol

anomaly

and start generating 
alerts.  I am looking for some advise or solution

to

solve
this problem.  how we should profile NNTP protocol
so that it can 
differentiate yahoo traffic from the genuine NNTP
traffic.

Thanks and anticipating early solutions.

Thanks and Regards,
NTR

------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708


to learn more.

------------------------------------------------------------------------



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

Current thread:

NNTP and Yahoo IM conflict. NTR (Aug 11)
- Re: NNTP and Yahoo IM conflict. Surya Batchu (Aug 14)
- <Possible follow-ups>
- Re: NNTP and Yahoo IM conflict. Surya Batchu (Aug 14)