
Re: detecting ftp/www conn. in all routed streams



On Tue, 2002-04-16 at 17:06, Banai Zoltan wrote:
> Hi!
> 
> I have a question:
> Is it possible to detect ftp and http sessions in all routed connections
> with firestorm?
> 
> I have a subnet where I need to detect ftp and http connections to
> ftp/www servers in our subnet (to _any_ port).
> So I think there is a need to reassemble all tcp streams and
> analyze if the connection is of that type.

Hi,

Probably the easiest thing to do is look for distinctive characteristics,
e.g. "GET http://" or "HTTP/1.1" etc.

If you were to reassemble all TCP streams fully and perform protocol
analysis it could be a major performance overhead. You could maybe
implement it that way as a preprocessor module which rebuilt the first
few hundred bytes of the stream and did a basic protocol check but
getting it reliable enough might prove a bit tricky. Either way that's
0.4.x stuff ;)

There are plans to do more kind of application layer stuff, so detecting
the presence of a protocol in a given stream may be something really
interesting for us to implement.

Hope that helps..

-- 
// Gianni Tedesco <gianni@xxxxxxxxxx>
8646BE7D: 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
Connect yourself to the main computer and let me take you to a
cybernetic ride. Are you connected to the right cybernet? If you are,
finally you are connected to my brain.

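The "first few hundred bytes" protocol check described in the reply, as an added example that is not part of the original message and is not Firestorm code. It assumes the sensor has already rebuilt the start of each direction of a TCP stream; the function name, the 256-byte limit and the sample streams are constructed for illustration.

```python
import re

PREFIX_LEN = 256  # assumed limit: only the start of each direction is inspected

HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r?\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3}[ \r\n]")
FTP_REPLY = re.compile(rb"^(120|220|421)[ -]")  # FTP servers speak first
FTP_COMMAND = re.compile(rb"^(USER|AUTH|FEAT|HOST)( [^\r\n]*)?\r?\n", re.I)


def classify(client: bytes, server: bytes) -> str:
    """Classify a stream from its first bytes, ignoring the port number.

    client / server are the reassembled bytes sent by each side so far.
    Returns 'http', 'ftp', 'unknown', or 'undecided' (more bytes needed).
    """
    client, server = client[:PREFIX_LEN], server[:PREFIX_LEN]
    if HTTP_REQUEST.match(client) or HTTP_RESPONSE.match(server):
        return "http"
    if FTP_REPLY.match(server):
        # A 220 greeting alone is ambiguous (SMTP servers send one too),
        # so the first client command decides.
        if FTP_COMMAND.match(client):
            return "ftp"
        return "unknown" if b"\n" in client else "undecided"
    # No complete line seen yet and the prefix budget is not used up.
    if b"\n" not in client and b"\n" not in server and len(client) < PREFIX_LEN:
        return "undecided"
    return "unknown"


# Constructed sample streams: (description, client bytes, server bytes)
SAMPLES = [
    ("http on port 8081", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
     b"HTTP/1.1 200 OK\r\n"),
    ("ftp on port 2121", b"USER anonymous\r\n", b"220 FTP server ready\r\n"),
    ("smtp greeting", b"EHLO client.example.test\r\n", b"220 mail.example.test ESMTP\r\n"),
    ("greeting only", b"", b"220 ready\r\n"),
    ("partial request", b"GET /ind", b""),
]

if __name__ == "__main__":
    for name, c, s in SAMPLES:
        print(f"{name:20s} -> {classify(c, s)}")
```

The SMTP sample shows why reliability is the hard part: the server greeting matches FTP, and only the client's first command separates the two.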