This is the fifth and final installment in a series of articles on understanding and developing signatures for network intrusion detection systems. In the previous article, we looked at the topic of protocol analysis, meaning that the intrusion detection system actually understands how various protocols, such as FTP, are supposed to work. We initially looked at protocol analysis as it applied to a single request or response. In this article, we will extend this discussion by looking closely at stateful protocol analysis, which involves performing protocol analysis for an entire connection or session, capturing and storing certain pieces of relevant data seen in the session, and using that data to identify attacks that involve multiple requests and responses.
Read Entire Paper
E-Mail Link
Your IP address will be sent with this e-mail
