Snort mailing list archives

RE: Acid and Mysql with Snort


From: James Hoagland <hoagland () SiliconDefense com>
Date: Sat, 13 Jul 2002 08:53:25 -0700

At 4:48 PM +0200 7/12/02, Richard Menedetter wrote:
Spade question:
every time I do an FTP transfer spade shows me a high anomaly value from
ftp:20 to me:xxx.
Can't spade ignore such FTP connections ??

Not presently. It is non-trivial to tell if this is really part of an FTP session or just some clever scanner trying to avoid detection by making it look like FTP traffic. One would need to do FTP protocol and session analysis.

If someone is looking for a good project, they could write a facility for Snort to identify packets that are part of an FTP session and those that aren't. Spade could use this to ignore those that are part of an FTP session. Other parts of Snort might be able to benefit from this too.

Best regards,

  Jim
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
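
The session analysis described in the message above, sketched as an added example that is not part of the original post and is not Snort or Spade code: it records the data endpoints announced on an observed FTP control channel (RFC 959 `PORT` commands and `227` replies) and accepts a new connection as FTP data only if it matches one. The names `parse_hostport`, `FtpDataTracker` and the 30-second lifetime are hypothetical, and all addresses used with it are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by the RFC 959 PORT command and 227 reply.
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class FtpDataTracker:
    """Remembers data connections announced on observed FTP control channels."""
    def __init__(self, ttl=30.0):  # ttl is an assumed lifetime for an announcement
        self.ttl = ttl
        self.expected = {}  # (src_ip, dst_ip, dst_port, src_port or None) -> expiry

    def observe_control(self, client_ip, server_ip, from_client, line, now):
        """Feed one control-channel line (server port 21) seen at time `now`."""
        verb = line.strip().upper()
        ep = parse_hostport(line)
        if ep is None:
            return
        if from_client and verb.startswith("PORT "):
            # Active mode: the server connects from port 20 to the announced endpoint.
            # An announcement naming a third-party address is not trusted.
            if ep[0] == client_ip:
                self.expected[(server_ip, ep[0], ep[1], 20)] = now + self.ttl
        elif not from_client and verb.startswith("227"):
            # Passive mode: the client connects from any port to the announced endpoint.
            # Conservative choice: the reply must name the server's own address.
            if ep[0] == server_ip:
                self.expected[(client_ip, ep[0], ep[1], None)] = now + self.ttl

    def is_ftp_data(self, src_ip, src_port, dst_ip, dst_port, now):
        """True once for a connection matching an unexpired announcement."""
        for sport in (src_port, None):
            expiry = self.expected.pop((src_ip, dst_ip, dst_port, sport), None)
            if expiry is not None and expiry >= now:
                return True
        return False
```

Because each announcement is consumed on first match and expires, a connection from port 20 that was never announced on a control channel still counts as anomalous.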

