Re: How to tell if a firewall alert is suspicious or not

From: Volker Birk (
Date: 09/16/05

Date: 16 Sep 2005 17:06:09 +0200

Art <> wrote:
> Volker, what do you recommend for finding malicious outbound? Is there
> some freeware packet logging sw that can be set to be smart enough to
> alert users? Payware? If so, what would something like that cost?

Unfortunately, it is not possible to reliably detect hidden outgoing
information without dropping connectivity. This is because of the existence
of tunneling.

Even what professional IDSes are doing is lacking in reliability.

Therefore, I don't recommend trying to find "malicious outbound" at all;
instead of this, I'm recommending preventing malware from running on your

I think this is a much better concept.


"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
                                    Harald Schmidt on the "World Youth Day"