Network Security Focus-IDS

Re: NNTP and Yahoo IM conflict.

Subject: Re: NNTP and Yahoo IM conflict.
Date: Sat, 12 Aug 2006 03:54:23 -0700 (PDT)

In my previous email, I meant "determine the protocol based on the contents (not based on the destination port) of the packets before running the packets through the anomaly detection engines."

Surya

--- Surya Batchu <suryak_batchu@yahoo.com> wrote:

You can't depend on the port. Standard protocols are being run on non-standard ports (other than the assigned ports), and proprietary protocols are being run on standard ports. For good protocol anomaly detection, I suggest determining the protocol first and passing it through the appropriate protocol anomaly detection engine.

Surya


--- NTR <ntr@intoto.com> wrote:

Hi All,

I am trying to analyze NNTP traffic and I have created a profile for the NNTP protocol. It's a kind of NNTP protocol anomaly detection. I have also observed that sometimes Yahoo Instant Messenger uses the NNTP port. Though it is using the NNTP port, the format is quite different from the NNTP protocol. This is the point where my parsing engine is facing a problem. Each time Yahoo connects on the NNTP port, my parsing engine treats it as an NNTP protocol anomaly and starts generating alerts. I am looking for some advice or a solution to solve this problem: how should we profile the NNTP protocol so that it can differentiate Yahoo traffic from genuine NNTP traffic?

Thanks and anticipating early solutions.

Thanks and Regards,
NTR
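The following is an added example, not code from either poster or from any IDS product, illustrating Surya's suggestion (classify the protocol from payload content, then hand the payload only to the matching anomaly engine) applied to NTR's case (Yahoo Messenger frames arriving on the NNTP port and tripping the NNTP profile). The `YMSG` magic is the documented start of a Yahoo Messenger frame; the rest of the sample frame, the sample NNTP lines and the TLS-looking bytes are constructed. The NNTP verb set and the 512-byte line limit follow RFC 977/3977; the anomaly checks themselves are a deliberately small stand-in for a real profile.

```python
"""Content-based protocol dispatch in front of a protocol anomaly engine.

Added example (not from the focus-ids thread). Each payload seen on the
NNTP port is classified from its bytes; only payloads that look like
NNTP reach the NNTP anomaly checks, so foreign protocols sharing the
port (Yahoo Messenger in the thread) no longer produce NNTP alerts.
"""
from __future__ import annotations

import re

# NNTP command verbs (RFC 977 / RFC 3977) that an NNTP profile would allow.
NNTP_COMMANDS = {
    b"ARTICLE", b"AUTHINFO", b"BODY", b"CAPABILITIES", b"DATE", b"GROUP",
    b"HDR", b"HEAD", b"HELP", b"IHAVE", b"LAST", b"LIST", b"LISTGROUP",
    b"MODE", b"NEWGROUPS", b"NEWNEWS", b"NEXT", b"OVER", b"POST", b"QUIT",
    b"SLAVE", b"STAT", b"XHDR", b"XOVER",
}
NNTP_MAX_LINE = 512  # RFC 3977: command line limit, including CRLF

# Yahoo Messenger (YMSG) frames begin with the ASCII magic "YMSG".
YMSG_MAGIC = b"YMSG"

# NNTP server responses start with a three-digit status code and a space.
_NNTP_RESPONSE = re.compile(rb"^[1-5]\d\d[ \r\n]")


def classify(payload: bytes) -> str:
    """Return 'ymsg', 'nntp' or 'unknown' from payload content alone."""
    if payload.startswith(YMSG_MAGIC):
        return "ymsg"
    if _NNTP_RESPONSE.match(payload):
        return "nntp"
    first_line = payload.split(b"\r\n", 1)[0]
    verb = first_line.split(b" ", 1)[0].upper()
    if verb in NNTP_COMMANDS:
        return "nntp"
    return "unknown"


def nntp_anomalies(payload: bytes) -> list[str]:
    """Small NNTP profile: oversized line, non-ASCII bytes, unknown verb."""
    findings: list[str] = []
    for line in payload.split(b"\r\n"):
        if not line:
            continue
        if len(line) + 2 > NNTP_MAX_LINE:
            findings.append("line exceeds 512 bytes")
        if not line.isascii():
            findings.append("non-ASCII bytes in command stream")
        verb = line.split(b" ", 1)[0].upper()
        if verb not in NNTP_COMMANDS and not _NNTP_RESPONSE.match(line + b"\r\n"):
            findings.append(f"unknown NNTP verb {verb[:16]!r}")
    return findings


def inspect(port: int, payload: bytes) -> tuple[str, list[str]]:
    """Choose the engine by content; the port is only metadata for logging."""
    proto = classify(payload)
    if proto == "nntp":
        return proto, nntp_anomalies(payload)
    # Anything else would go to its own engine (or be ignored), never NNTP's.
    return proto, []


# Constructed sample payloads, all as they might appear on TCP port 119.
SAMPLES = {
    "nntp client": b"GROUP comp.security.misc\r\n",
    "nntp server": b"200 news.example.net NNRP server ready (posting ok)\r\n",
    "yahoo im": YMSG_MAGIC + b"\x00\x10" + b"\x00" * 14,   # header fields constructed
    "overlong nntp": b"GROUP " + b"a" * 600 + b"\r\n",
    "tls-looking": b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        proto, findings = inspect(119, data)
        print(f"{name:14s} -> {proto:8s} {findings}")
```

The point of the split is that the classifier is cheap and permissive while the anomaly engine is strict: a Yahoo Messenger frame is routed away before any NNTP rule is evaluated, the overlong `GROUP` line still raises an alert because it genuinely is NNTP, and bytes that match neither signature are reported as unknown rather than as an NNTP anomaly. A production classifier would also keep per-connection state (for example, remembering the server greeting) rather than deciding on each packet in isolation.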



