On 10/18/2012 11:10 AM, Rob wrote:
> But maybe it implements some exotic NTP packet like a readvar that
> allows the botnet to retrieve its info from the C&C server.

Point to a botnet that does that.

> How is the intrusion detection system supposed to recognize this
> situation without advance knowledge?

How does an IDS identify _any_ threat without prior knowledge? How did
that host get identified as part of a botnet in the first place, and is
that botnet known to use even UDP/123 for communications, let alone NTP
look-alike packets?
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
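The exchange above turns on whether an IDS can tell a readvar-style NTP control message from ordinary time-sync traffic on UDP/123 without knowing the botnet in advance. The following is an added illustration, not code from the thread or from the NTP project: it parses the NTP header structurally (mode bits, and for mode-6 control messages the opcode and data count) and raises an alert for control traffic between hosts that are not on a hypothetical list of monitoring hosts, or for packets that claim an NTP mode but do not fit its layout. The sample flows and the monitor-host list are constructed.

```python
import struct

MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}
CONTROL_OPCODES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK",
                   5: "WRITECLOCK", 6: "SETTRAP", 7: "TRAPRESP"}

def classify_ntp(payload: bytes) -> dict:
    """Structural check of a UDP/123 payload: which NTP mode is it, and is it well-formed?"""
    if not payload:
        return {"verdict": "empty"}
    first = payload[0]
    mode = first & 0x07
    info = {"version": (first >> 3) & 0x07, "mode": mode,
            "mode_name": MODE_NAMES.get(mode, "reserved")}
    if mode in (1, 2, 3, 4, 5):
        # time-sync packets carry a fixed 48-byte header (RFC 5905)
        info["verdict"] = "timesync" if len(payload) >= 48 else "malformed-timesync"
    elif mode == 6:
        # control message (RFC 1305 App. B): R/E/M+opcode, seq, status, assoc, offset, count, data
        if len(payload) < 12:
            info["verdict"] = "malformed-control"
            return info
        rem, _seq, _status, _assoc, _offset, count = struct.unpack("!BHHHHH", payload[1:12])
        info.update(opcode=CONTROL_OPCODES.get(rem & 0x1F, f"op{rem & 0x1F}"),
                    response=bool(rem & 0x80), data=payload[12:12 + count])
        info["verdict"] = "control" if len(payload) >= 12 + count else "malformed-control"
    else:
        info["verdict"] = "other"
    return info

def control_alerts(flows, monitor_hosts):
    """flows: (src, dst, payload) tuples seen on UDP/123. Alert on control-mode traffic
    where neither endpoint is a known monitoring host, and on malformed packets."""
    alerts = []
    for src, dst, payload in flows:
        info = classify_ntp(payload)
        if info["verdict"].startswith("malformed"):
            alerts.append((src, dst, info["verdict"]))
        elif info["verdict"] == "control" and {src, dst}.isdisjoint(monitor_hosts):
            alerts.append((src, dst, f"control/{info['opcode']}"))
    return alerts

# constructed sample traffic (not captures): a normal v4 client poll, a READVAR request
# from an ordinary workstation, and the READVAR response carrying 8 bytes of data
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", bytes([0x23]) + bytes(47)),
    ("10.0.0.5", "192.0.2.10", bytes([0x16, 0x02]) + struct.pack("!HHHHH", 1, 0, 0, 0, 0)),
    ("192.0.2.10", "10.0.0.5", bytes([0x16, 0x82]) + struct.pack("!HHHHH", 1, 0, 0, 0, 8) + b"rv=abcd\n"),
]
MONITORS = {"10.0.0.50"}  # hypothetical hosts allowed to send ntpq-style control queries
```

Running `control_alerts(SAMPLE_FLOWS, MONITORS)` flags only the two mode-6 packets; the plain client poll passes, which is the point made in the thread: the structure of the packet is visible without knowing the botnet, but deciding it is hostile still needs the context of who is allowed to send control queries.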