On 12/2/06, Matt Mahoney <[EMAIL PROTECTED]> wrote:
I know a little about network intrusion anomaly detection (it was my dissertation topic), and yes it is an important lesson. The reason such anomalies occur is because when attackers craft exploits, they follow enough of the protocol to make it work but often don't care about the undocumented conventions followed by normal servers and clients. For example, they may use lower case commands where most software uses upper case, or they may put unusual but legal values in the TCP or IP-ID fields or a hundred other things that make the attack stand out.
Yes, that's what I eventually concluded - but I concluded it by studying the input data, not by studying the system's internal data.
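The point made in this exchange, that traffic can be legal under the protocol yet stand out against the conventions seen in normal input data, can be shown with a small novelty detector; this is an added example, not code from either poster. The function names, the constructed SMTP sample lines and the n/r scoring rule (observations divided by distinct values seen) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed training sample: command lines as sent by ordinary SMTP clients.
NORMAL = [
    "HELO mail.example.org", "MAIL FROM:<a@example.org>",
    "RCPT TO:<b@example.net>", "DATA", "QUIT",
    "EHLO mx.example.net", "MAIL FROM:<c@example.net>",
    "RCPT TO:<d@example.org>", "DATA", "QUIT",
]

def attributes(line):
    """Reduce one command line to the attributes the model tracks."""
    parts = line.split(None, 1)
    verb = parts[0].split(":", 1)[0] if parts else ""
    if verb.isupper():
        case = "upper"
    elif verb.islower():
        case = "lower"
    else:
        case = "mixed"
    # The verb is normalised so that case is judged as its own attribute.
    return {"verb": verb.upper(), "verb_case": case}

def train(lines):
    """Record every value observed for each attribute in normal traffic."""
    seen, n = defaultdict(set), 0
    for line in lines:
        n += 1
        for key, value in attributes(line).items():
            seen[key].add(value)
    return {"n": n, "seen": dict(seen)}

def score(model, line):
    """Sum n/r over attributes whose value never appeared in training.
    An attribute with few distinct values (small r) scores high when violated."""
    total, reasons = 0.0, []
    for key, value in attributes(line).items():
        values = model["seen"].get(key, set())
        if value not in values:
            total += model["n"] / max(len(values), 1)
            reasons.append(f"{key}={value!r}")
    return total, reasons

MODEL = train(NORMAL)

if __name__ == "__main__":
    # Constructed test lines: all three are syntactically valid SMTP.
    for probe in ("MAIL FROM:<x@example.org>", "mail from:<x@example.org>", "VRFY root"):
        print(probe, "->", score(MODEL, probe))
```

The lower-case command scores highest because the training data never varied in case, even though SMTP treats command verbs case-insensitively.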