> Date: Mon, 26 Mar 2001 18:37:21 +0200
> From: Luca Deri <[EMAIL PROTECTED]>
> 
> Hi all,
> although you don't hear from me quite often (busy as usual) the
> development is not over (remember ntop 2 is on the way): I still have to
> fix a few problems (core dumps on some systems with high traffic). 

Greetings Luca

> 
> In the meantime I've added a new check (it's inside CVS already).
> Basically for a few known protocols (SSH, FTP, HTTP for the moment) ntop
> checks if the protocol being used is the correct one. For instance if
> ntop sees traffic on port 80 it checks if the request (the first few
> bytes) is a valid HTTP request (some apps are using port 80 for
> transferring anything but HTTP!). In addition, for each new connection,
> ntop checks if this connection is using a known protocol at a wrong
> port. For instance if you see SSH traffic at a port != 22 then somebody
> might have installed a trojan on your host! Of course there are some
> exceptions (ntop is sending HTTP at port 3000 and not 80), and they need
> to be properly handled. However this is left to future work.
> 
> What do you think? What other protocols (easy to detect of course
> otherwise it slows down ntop too much) could I add?

NNTP, SMTP, POP-3 all seem 'simple' candidates. A classic covert channel
is ICMP with the echo-reply data being filled with useful information.

Regards

-- 
Anthony David                          | Save Ferris
Anthony David & Associates Pty Limited | Free Truman
http://adavid.com.au/                  | Redeem Londo
0xA72CE1ED fingerprint = EA1E C69E FE59 BBE1 AA4B  F354 BD09 9765 A72C E1ED
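
The port/protocol consistency check Luca describes in the quoted message, extended with the SMTP, POP-3 and NNTP candidates from the reply, as an added Python example that is not ntop's code. The byte signatures, the well-known-port table and the port-3000 allow-list entry are assumptions chosen for illustration; the sample payloads are constructed.

```python
import re

# Constructed signatures (added example, not ntop's code): each is matched
# against the first bytes of a new connection, from whichever side speaks first.
SIGNATURES = [
    ("SSH",  re.compile(rb"^SSH-(1\.|2\.0-)")),
    ("HTTP", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")),
    ("HTTP", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    # SMTP and FTP both greet with "220 "; SMTP is tested first because its
    # banner conventionally names the service, FTP takes the remaining 220s.
    ("SMTP", re.compile(rb"^220[ -].*E?SMTP", re.IGNORECASE)),
    ("SMTP", re.compile(rb"^(EHLO|HELO) ")),
    ("FTP",  re.compile(rb"^220[ -]")),
    ("POP3", re.compile(rb"^\+OK")),
    ("NNTP", re.compile(rb"^20[01] ")),
]

# Assumed well-known port for each protocol the checker knows about.
PORT_PROTO = {21: "FTP", 22: "SSH", 25: "SMTP", 80: "HTTP", 110: "POP3", 119: "NNTP"}

# Known legitimate exceptions, e.g. ntop's own HTTP interface on port 3000.
DEFAULT_ALLOW = {(3000, "HTTP")}


def identify(payload):
    """Return the protocol name the first bytes look like, or None if unknown."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return None


def check(port, payload, allow=DEFAULT_ALLOW):
    """Classify one new connection as (status, detail).

    status is 'ok', 'unexpected-payload' (known port, unrecognised data),
    'mismatch' (known port, a different known protocol) or
    'nonstandard-port' (known protocol on a port it is not expected on).
    """
    seen = identify(payload)
    expected = PORT_PROTO.get(port)
    if expected is None:
        if seen is None or (port, seen) in allow:
            return ("ok", f"port {port}: {seen or 'unknown'} traffic, no rule applies")
        return ("nonstandard-port", f"{seen} seen on port {port}, not its well-known port")
    if seen is None:
        return ("unexpected-payload", f"port {port}: first bytes are not {expected}")
    if seen != expected:
        return ("mismatch", f"port {port}: expected {expected}, saw {seen}")
    return ("ok", f"port {port}: {seen} as expected")
```

Only the first bytes of a flow are inspected, so the cost per connection is a handful of anchored regex matches; the allow-list is where local exceptions such as ntop's own port belong.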
