In my previous email, I meant "determine the protocol based on the contents (not based on the destination port) of the packets before running the packets through the anomaly detection engines."

Surya

--- Surya Batchu <[EMAIL PROTECTED]> wrote:
> You can't depend on the port. Standard protocols are being run on
> non-standard (other than assigned) ports and proprietary protocols are
> being run on standard ports. For good protocol anomaly detection, I
> suggest determining the protocol first and passing it through the
> appropriate protocol anomaly detection engine.
>
> Surya
>
> --- NTR <[EMAIL PROTECTED]> wrote:
> > Hi All,
> >
> > I am trying to analyze NNTP traffic and I have created a profile for
> > the NNTP protocol. It's a kind of NNTP protocol anomaly detection.
> > I have also observed that sometimes Yahoo Instant Messenger uses the
> > NNTP port. Though it is using the NNTP port, the format is quite
> > different from the NNTP protocol. This is the point where my parsing
> > engine is facing a problem. Each time Yahoo connects on the NNTP port,
> > my parsing engine treats it as an NNTP protocol anomaly and starts
> > generating alerts. I am looking for some advice or a solution to solve
> > this problem: how should we profile the NNTP protocol so that it can
> > differentiate Yahoo traffic from genuine NNTP traffic?
> >
> > Thanks and anticipating early solutions.
> >
> > Thanks and Regards,
> > NTR
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ------------------------------------------------------------------------
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
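Surya's suggestion, worked through as an added example (this is not code from the thread or from either poster): classify the first segment of a stream by its bytes, then hand it to the engine for that protocol, and compare the result with the port-based dispatch NTR describes. The NNTP command set and the 512-octet command line limit are taken from RFC 977/RFC 3977; the "YMSG" magic and the 20-byte header layout for Yahoo Messenger are an assumption based on public protocol write-ups; the sample segments are constructed, not captured.

```python
import re
import struct
from typing import Callable, Dict, List, Tuple

# NNTP commands from RFC 977 / RFC 3977, plus the widely deployed XOVER extension.
NNTP_COMMANDS = {
    b"ARTICLE", b"AUTHINFO", b"BODY", b"DATE", b"GROUP", b"HEAD", b"HELP",
    b"IHAVE", b"LAST", b"LIST", b"LISTGROUP", b"MODE", b"NEWGROUPS",
    b"NEWNEWS", b"NEXT", b"OVER", b"POST", b"QUIT", b"STAT", b"XOVER",
}
NNTP_MAX_LINE = 512  # RFC 3977 s.3.1: a command line is at most 512 octets incl. CRLF

# Server greeting (200/201 ready, 400/502 refusing) or a client command line.
NNTP_GREETING = re.compile(rb"^(200|201|400|502) [^\r\n]*\r\n")
NNTP_COMMAND = re.compile(rb"^([A-Za-z]+)(?: [^\r\n]*)?\r\n")

# Assumption (public YMSG write-ups, not the thread): packets start with the ASCII
# magic "YMSG" and a 20-byte big-endian header: magic(4) version(2) vendor(2)
# body length(2) service(2) status(4) session id(4).
YMSG_HEADER = struct.Struct(">4sHHHHII")


def identify_protocol(payload: bytes) -> str:
    """Classify a stream's first segment by its contents, ignoring the TCP port."""
    if payload.startswith(b"YMSG"):
        return "ymsg"
    if NNTP_GREETING.match(payload):
        return "nntp"
    m = NNTP_COMMAND.match(payload)
    if m and m.group(1).upper() in NNTP_COMMANDS:
        return "nntp"
    return "unknown"


def nntp_anomalies(payload: bytes) -> List[str]:
    """Anomaly engine for the NNTP command channel: line length and known verbs."""
    alerts = []
    for line in payload.split(b"\r\n"):
        if not line:
            continue
        if len(line) + 2 > NNTP_MAX_LINE:
            alerts.append(f"NNTP: line of {len(line) + 2} octets exceeds {NNTP_MAX_LINE}")
        if re.match(rb"^\d{3}( |$)", line):
            continue  # server response line, not a command
        verb = line.split(b" ", 1)[0].upper()
        if verb not in NNTP_COMMANDS:
            alerts.append(f"NNTP: unknown command {verb[:16]!r}")
    return alerts


def ymsg_anomalies(payload: bytes) -> List[str]:
    """Anomaly engine for YMSG: header present and declared body length consistent."""
    if len(payload) < YMSG_HEADER.size:
        return ["YMSG: truncated header"]
    magic, _ver, _vendor, length, _svc, _status, _sess = YMSG_HEADER.unpack_from(payload)
    actual = len(payload) - YMSG_HEADER.size
    alerts = []
    if magic != b"YMSG":
        alerts.append("YMSG: bad magic")
    if length != actual:
        alerts.append(f"YMSG: declared body length {length} != actual {actual}")
    return alerts


ENGINES: Dict[str, Callable[[bytes], List[str]]] = {"nntp": nntp_anomalies, "ymsg": ymsg_anomalies}
PORT_TABLE = {119: "nntp", 5050: "ymsg"}  # what a port-based dispatcher assumes


def inspect_by_port(payload: bytes, dst_port: int) -> Tuple[str, List[str]]:
    """NTR's setup: choose the engine from the destination port."""
    proto = PORT_TABLE.get(dst_port, "unknown")
    engine = ENGINES.get(proto)
    return proto, engine(payload) if engine else []


def inspect_by_content(payload: bytes, dst_port: int) -> Tuple[str, List[str]]:
    """Surya's suggestion: identify the protocol from the bytes, then dispatch."""
    proto = identify_protocol(payload)
    engine = ENGINES.get(proto)
    return proto, engine(payload) if engine else []


# Constructed sample segments (not captures from the thread).
NNTP_CLIENT = b"MODE READER\r\nGROUP comp.security.misc\r\n"
NNTP_SERVER = b"200 news.example.com NNRP service ready (posting ok)\r\n"
OVERLONG_NNTP = b"GROUP " + b"a" * 600 + b"\r\n"  # a genuine NNTP anomaly
_body = b"1\xc0\x80otheruser\xc0\x80"
YMSG_ON_119 = YMSG_HEADER.pack(b"YMSG", 16, 0, len(_body), 0x4C, 0, 0) + _body

if __name__ == "__main__":
    for name, seg in [("nntp client", NNTP_CLIENT), ("nntp server", NNTP_SERVER),
                      ("overlong nntp", OVERLONG_NNTP), ("ymsg on 119", YMSG_ON_119)]:
        print(name, "port-based:", inspect_by_port(seg, 119),
              "content-based:", inspect_by_content(seg, 119))
```

With this arrangement the Yahoo segment on port 119 is no longer fed to the NNTP engine (so no bogus NNTP alert), while the overlong GROUP line is still caught because it really is NNTP. Two caveats a practitioner would add: sniffing only the first segment is evadable (a client can open with a valid NNTP command and then switch formats), so a production engine should re-check classification as the stream progresses; and traffic that classifies as "unknown" on a well-known port is worth a separate policy alert, distinct from a protocol anomaly.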
