You can't depend on the port. Standard protocols are being run on non-standard ports (other than the assigned ports) and proprietary protocols are being run on standard ports. For good protocol anomaly detection, I suggest determining the protocol first and passing it through the appropriate protocol anomaly detection engine.
Surya --- NTR <[EMAIL PROTECTED]> wrote:

> Hi All,
>
> I am trying to analyze NNTP traffic and I have created a profile for the NNTP protocol. It's a kind of NNTP protocol anomaly detection.
> I have also observed that sometimes Yahoo Instant Messenger uses the NNTP port. Though it is using the NNTP port, the format is quite different from the NNTP protocol. It is the point where my parsing engine faces a problem. Each time Yahoo connects on the NNTP port, my parsing engine treats it as an NNTP protocol anomaly and starts generating alerts. I am looking for some advice or a solution to solve this problem: how should we profile the NNTP protocol so that it can differentiate Yahoo traffic from genuine NNTP traffic?
>
> Thanks and anticipating early solutions.
>
> Thanks and Regards,
> NTR

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
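Added example, not code from the thread: a small Python dispatcher that follows the advice above, identifying the protocol from the first bytes each side sends and handing only identified NNTP flows to the NNTP anomaly engine, so non-NNTP traffic on port 119 produces one informational event instead of a stream of NNTP alerts. The NNTP verb set and the 512-octet line limit come from the NNTP RFCs; the "YMSG" magic bytes for Yahoo Messenger and all sample flows are assumptions constructed here, not taken from the thread.

```python
import re
# NNTP client commands (RFC 977, RFC 2980, RFC 3977): the verbs the NNTP engine accepts.
NNTP_COMMANDS = {
    "ARTICLE", "AUTHINFO", "BODY", "DATE", "GROUP", "HEAD", "HELP", "IHAVE", "LAST", "LIST",
    "LISTGROUP", "MODE", "NEWGROUPS", "NEWNEWS", "NEXT", "OVER", "POST", "QUIT", "STAT", "XHDR", "XOVER",
}
# An NNTP server greets with 200 (posting allowed) or 201 (posting prohibited).
NNTP_GREETING = re.compile(rb"^20[01] [^\r\n]*\r\n")
# Assumption: Yahoo Messenger packets start with the ASCII magic "YMSG" (not stated in the thread).
YMSG_MAGIC = b"YMSG"

def identify(server_first: bytes, client_first: bytes) -> str:
    """Classify a TCP flow from the first bytes each side sent; the port plays no role."""
    if client_first.startswith(YMSG_MAGIC) or server_first.startswith(YMSG_MAGIC):
        return "ymsg"
    verb = client_first.split(b"\r\n", 1)[0].split(b" ", 1)[0].decode("ascii", "replace").upper()
    if NNTP_GREETING.match(server_first) and verb in NNTP_COMMANDS:
        return "nntp"
    return "unknown"

def nntp_anomalies(client_stream: bytes) -> list:
    """Minimal NNTP anomaly engine: unknown verbs and over-long command lines."""
    alerts = []
    for line in filter(None, client_stream.split(b"\r\n")):
        verb = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
        if verb not in NNTP_COMMANDS:
            alerts.append(f"unknown NNTP command {verb}")
        if len(line) + 2 > 512:  # RFC 3977 s3.1: command line incl. CRLF is at most 512 octets
            alerts.append("NNTP command line exceeds 512 octets")
    return alerts

def inspect_flow(port: int, server_first: bytes, client_stream: bytes) -> dict:
    """Choose the engine by identified protocol; the port only adds context to the event."""
    proto = identify(server_first, client_stream)
    event = {"port": port, "protocol": proto, "alerts": []}
    if proto == "nntp":
        event["alerts"] = nntp_anomalies(client_stream)
    elif port == 119:  # not NNTP on the NNTP port: one informational note, no NNTP alerts
        event["alerts"] = [f"non-NNTP protocol ({proto}) on port 119"]
    return event

FLOWS = [  # constructed sample flows (port, server's first bytes, client stream), not captures
    (119, b"200 news.example.test ready (posting ok)\r\n", b"MODE READER\r\nGROUP comp.security.misc\r\nQUIT\r\n"),
    (119, b"", b"YMSG\x00\x10\x00\x00\x00\x08\x00\x57\x00\x00\x00\x00\x00\x00"),
    (8119, b"201 news.example.test ready (no posting)\r\n", b"GROUP alt.test\r\nXBOGUS arg\r\n"),
]

def demo() -> list:
    return [inspect_flow(*flow) for flow in FLOWS]
```

The third flow shows the other half of the point: genuine NNTP on a non-standard port still reaches the NNTP engine and its bogus verb is still flagged.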
