Re: [Full-disclosure] NNTP and Yahoo IM conflict



On 8/10/06, NTR <ntr@xxxxxxxxxx> wrote:
Hi All,

I am trying analyze NNTP traffic and i have created a profile for NNTP
protocol. It's a kind of NNTP protocol anomaly detection.
I have also observed some time Yahoo Instant Messenger uses NNTP
port. Though it is using NNTP port the format is quite different
from NNTP protocol. It is the point where my parsing engine facing
problem. Each time whenever yahoo connects on NNTP port
my parsing engine treats it as NNTP protocol anomaly and start generating
alerts. I am looking for some advise or solution to solve
this problem. how we should profile NNTP protocol so that it can
differentiate yahoo traffic from the genuine NNTP traffic.

Thanks and anticipating early solutions.

I guess this would be a start:

ftp://ftp.rfc-editor.org/in-notes/rfc977.txt


Thanks and Regards,
NTR

-- mic

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/