Intrusion Detection Systems mailing list archives

Re: IDS engines put this together


From: mjr () nfr net (Marcus J. Ranum)
Date: Mon, 12 Jun 2000 09:33:52 -0400


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
Lance Spitzner wrote:
> Today one of my honeypots was probed for spam relay.  Do
> IDS engines have the 'intelligence' to put this session
> together and realize the remote system is probing for
> spam relay sites?

Yeah, NFRs can do very detailed protocol analysis. We have
a filter that parses the whole SMTP dialog, including keeping
its state (whether it's in DATA or processing directives)
and counts RCPTs. I don't think the filter we have checks
for source and origin != my network but that's a pretty
simple addition. One of the many advantages of having a
real programming language in your IDS engine. ;)

mjr.

-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://pubweb.nfr.net/~mjr
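As an added illustration of the stateful SMTP tracking Marcus describes (this is not NFR's filter or N-code, just a sketch written for this archive page), the Python below follows the client side of the dialog, ignores everything between DATA and the terminating ".", counts RCPTs, and adds the source/origin check he mentions. The local network, local domain and RCPT threshold are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed policy: this range is "my network" and this is the only domain
# the MTA should accept mail for; anything else is relaying.
LOCAL_NET = ip_network("192.0.2.0/24")
LOCAL_DOMAIN = "example.com"
RCPT_THRESHOLD = 5            # RCPTs per session before we also flag volume
ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")

class SmtpSessionMonitor:
    """Track one client's SMTP dialog and flag relay-probe behaviour."""
    def __init__(self, client_ip):
        self.client_ip = ip_address(client_ip)
        self.in_data = False      # True between DATA and the lone "." line
        self.sender_domain = None
        self.rcpt_count = 0
        self.alerts = []

    def feed(self, line):
        """Feed one client->server line (CRLF stripped)."""
        if self.in_data:          # message body: never parsed as commands
            if line == ".":
                self.in_data = False
            return
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        m = ADDR_RE.search(arg)
        domain = m.group(2).lower() if m else None
        if verb == "MAIL":
            self.sender_domain = domain
        elif verb == "RCPT":
            self.rcpt_count += 1
            # Relay probe: external client, external sender, external recipient
            if (self.client_ip not in LOCAL_NET
                    and self.sender_domain != LOCAL_DOMAIN
                    and domain != LOCAL_DOMAIN):
                self.alerts.append(f"relay attempt to {domain}")
            if self.rcpt_count == RCPT_THRESHOLD:
                self.alerts.append(f"{RCPT_THRESHOLD} RCPTs in one session")
        elif verb == "DATA":
            self.in_data = True
        elif verb == "RSET":      # RSET abandons the current transaction
            self.sender_domain, self.rcpt_count = None, 0

def analyze_session(client_ip, lines):
    mon = SmtpSessionMonitor(client_ip)
    for line in lines:
        mon.feed(line)
    return mon.alerts
```

A RCPT appearing inside the DATA section is deliberately not counted, which is the state-keeping point: without it a body line that happens to look like a command would skew the count.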

