[Bro] reliable off-line protocol detection
Vern Paxson
vern at icir.org
Fri Aug 26 15:21:24 PDT 2005
> smtp.dump
>
> > 1124785239.632272 127.0.0.1/56034 > 127.0.0.1/778 ftp-sig
> > 1124785306.080354 127.0.0.1/56037 > 127.0.0.1/778 ftp-sig
> > 1124785591.602025 127.0.0.1/56048 > 127.0.0.1/778 ftp-sig
> > 1124785606.143460 127.0.0.1/56050 > 127.0.0.1/778 ftp-sig
>
> WHY? (©1992 Annie Lennox)
The FTP backdoor detector isn't precise - it looks for initial 220 or 426
replies, which SMTP servers can generate too. Ideally, the SMTP detector
would trigger first (based on seeing EHLO or HELO). If you have a simple
trace that shows it's failing to do so, go ahead and send it to me and
I'll see what's up.
Vern
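To make the overlap Vern describes concrete, here is a small added example (not code from this thread and not Bro's own signature logic). It applies a greeting-only check, in the spirit of a detector keyed on an initial 220 or 426 reply, to two constructed sessions, one FTP and one SMTP, and then shows the refinement he suggests: let the client's first command (EHLO/HELO for SMTP, USER/PASS for FTP) decide before the weaker greeting match is trusted. Both sessions, the host names and the regular expressions are assumptions made up for the illustration.

```python
"""Why a greeting-only 'FTP signature' also fires on SMTP, and one way to
disambiguate. Added example; the sessions below are constructed, not captured."""
import re

# Constructed sample sessions as (direction, line) pairs in wire order.
FTP_SESSION = [
    ("server", "220 ftp.example.test FTP server ready"),
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
]

SMTP_SESSION = [
    ("server", "220 mail.example.test ESMTP ready"),
    ("client", "EHLO client.example.test"),
    ("server", "250-mail.example.test"),
]

# Assumed patterns: both FTP and SMTP open with a 220 reply, so a check on the
# greeting alone is inherently ambiguous. 426 is an FTP-only abort reply.
FTP_GREETING = re.compile(r"^(220|426)[ -]")
SMTP_CLIENT_HELLO = re.compile(r"^(EHLO|HELO)\s", re.IGNORECASE)
FTP_CLIENT_LOGIN = re.compile(r"^(USER|PASS)\s", re.IGNORECASE)


def naive_ftp_sig(session):
    """Greeting-only check: does the first server line start with 220 or 426?
    Returns True for SMTP sessions too, which is the false positive in the trace."""
    for direction, line in session:
        if direction == "server":
            return bool(FTP_GREETING.match(line))
    return False


def classify(session):
    """Greeting plus the client's first command.

    EHLO/HELO wins outright (only SMTP clients send it); USER/PASS after a
    220/426 greeting is taken as FTP; anything else is reported as unknown
    rather than guessed, which keeps a backdoor alert from firing on mail."""
    greeting_matches = naive_ftp_sig(session)
    first_client = next((line for d, line in session if d == "client"), None)
    if first_client is None:
        return "unknown"
    if SMTP_CLIENT_HELLO.match(first_client):
        return "smtp"
    if greeting_matches and FTP_CLIENT_LOGIN.match(first_client):
        return "ftp"
    return "unknown"


if __name__ == "__main__":
    for name, sess in (("ftp", FTP_SESSION), ("smtp", SMTP_SESSION)):
        print(name, "naive ftp-sig:", naive_ftp_sig(sess), "classify:", classify(sess))
```

Run as a script, the naive check reports True for both sessions while classify() separates them; the point is that the client side of the exchange carries the distinguishing token, so a detector that waits for it (or lets an SMTP detector claim the connection first) avoids the spurious ftp-sig hits shown in the quoted output.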