reliable off-line protocol detection

smtp.dump

> 1124785239.632272 127.0.0.1/56034 > 127.0.0.1/778 ftp-sig
> 1124785306.080354 127.0.0.1/56037 > 127.0.0.1/778 ftp-sig
> 1124785591.602025 127.0.0.1/56048 > 127.0.0.1/778 ftp-sig
> 1124785606.143460 127.0.0.1/56050 > 127.0.0.1/778 ftp-sig

WHY? (©1992 Annie Lennox)

The FTP backdoor detector isn't precise - it looks for initial 220 or 426
replies, which SMTP servers can generate too. Ideally, the SMTP detector
would trigger first (based on seeing EHLO or HELO). If you have a simple
trace that shows it's failing to do so, go ahead and send it to me and
I'll see what's up.

    Vern
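
The overlap described in the reply above, as an added example that is not part of the original message and not Bro's own detector code: a check on the server's initial 220/426 reply labels an SMTP session as ftp-sig, while a variant that waits for the first client command lets EHLO/HELO claim it first. The regexes, function names and sample sessions are assumptions constructed for illustration.

```python
import re

# Heuristics as described in the message (the regexes themselves are assumed):
# FTP backdoor check = server's initial reply starts with 220 or 426;
# SMTP check = client sends EHLO or HELO.
FTP_REPLY = re.compile(rb"^(220|426)[ -]")
SMTP_HELLO = re.compile(rb"^(EHLO|HELO)\b", re.IGNORECASE)

def first_line(session, direction):
    """Return the first line sent in the given direction ('S' or 'C'), or None."""
    return next((line for d, line in session if d == direction), None)

def naive_label(session):
    """Fire as soon as the server's initial reply looks like FTP."""
    banner = first_line(session, "S")
    return "ftp-sig" if banner and FTP_REPLY.match(banner) else None

def deferred_label(session):
    """Hold the FTP verdict until the first client command has been seen,
    so an EHLO/HELO can claim the connection as SMTP first."""
    hello = first_line(session, "C")
    if hello and SMTP_HELLO.match(hello):
        return "smtp"
    return naive_label(session)

# Constructed sample sessions: (direction, line), S = server, C = client.
SMTP_SESSION = [
    ("S", b"220 mail.example.test ESMTP ready"),
    ("C", b"EHLO client.example.test"),
    ("S", b"250 mail.example.test"),
]
FTP_SESSION = [
    ("S", b"220 FTP server ready"),
    ("C", b"USER anonymous"),
    ("S", b"331 Password required"),
]
BANNER_ONLY = [("S", b"220 mail.example.test ESMTP ready")]  # truncated trace

if __name__ == "__main__":
    for name, s in [("smtp", SMTP_SESSION), ("ftp", FTP_SESSION),
                    ("banner-only", BANNER_ONLY)]:
        print(name, naive_label(s), deferred_label(s))
```

A trace that ends before the client speaks still comes out as ftp-sig under the deferred variant, since only the ambiguous banner is available.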