[Snort-devel] a doozie of a metaphysical question

tlewis at ...255... tlewis at ...255...
Wed Jun 13 00:06:29 EDT 2001


On Tue, 12 Jun 2001, Bill Gercken wrote:

> The answer that you seek young grass hopper, is in the question.
> Does not one first need to analyze the content to help determine the
> protocol?

	"Our master's views concerning culture and the outward insignia of
	goodness, we are permitted to hear; but about man's nature and the
	ways of heaven, he will not tell us anything at all." (Analects
	5:12)

The outward insignia of a packet I can, through my program, understand,
but to understand the inner nature of a packet is beyond my understanding,
and beyond the teachings of my teachers.

Having stuck your foot in the proverbial doggy-doo, you may now rise
to your own challenge: given a char* that contains a payload encoded
according to one of a random set of protocols, how does one determine,
conclusively, which protocol that payload represents?  Feel free to use
NTP and DNS as examples.  Having seen server code for both protocols,
I venture that there are legal NTP packets that can't be distinguished
from legal DNS packets.

I do not believe that there exists an answer to this question.  I believe
that the best that we can do is to leave to the NIDS administrator a means
of mapping certain traffic characteristics (port, address, interface)
to protocol decomposition targets.  I would love for someone to explain
to me why I a wrong.

--
Todd Lewis
tlewis at ...255...





More information about the Snort-devel mailing list