Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fingerprinting Port80 Attacks Part 2 Relased

Posted by timothy on from the strange-knockings-in-the-night dept.

jimmi writes: "A couple of months ago cgisecurity.com released a paper called 'Fingerprinting Port80 Attacks.' Today they released Part 2, which is even bigger then the first. Part two can be found here. This paper deals with web application attacks and how to detect them, along with figuring out what the data means."

18 comments

  1. Snort??? by arberya · · Score: 1

    Have these ideas been rolled into possible attack signatures in Snort, etc?? The last time I looked at the Snort sigs, they were very attack specific sigs and not generic "please avoid every request taht has an *"

  2. HTML version of the article by selan · · Score: 3, Informative

    ...is here.

  3. Interesting... by Anonymous Coward · · Score: 2, Informative

    Fingerprinting is a fertile area of research. For example, I wrote a program that sits between port 25 and an SMTP server; it uses nmap-like fingerprinting techniques to detect known spam distribution programs. Since I implemented this, the total amount of spam on my network decreased by 150% and we expect a lower total cost of ownership to result as well. I think fingerprinting is the future for security; imagine only letting certified programs from accessing your network, thus stopping 'cracking' and 'sniffing' tools dead in their tracks. This is exactly what open source is all about, and commercial software can't give you: innovation.

    1. Re:Interesting... by Anonymous Coward · · Score: 0

      your total amount of spam decreased 150%? it's
      now rejecting spam before it's even sent?

    2. Re:Interesting... by paulsomm · · Score: 2, Insightful

      nice comment, except for the lame open source plug at the end. anyone can innovate, open or closed.

    3. Re:Interesting... by Anonymous Coward · · Score: 0

      You say your spam "decreased by 150%". So that means spam is sucked out of your network and back onto the net?

      You can't decrease something by 150% - you can only indicate your inability with math by statements such as you made.

      If your code is as well written as your math skills would indicate, I'm very glad there was no posting of the source. Please send it to Bill G; you'll probably get a job offer.

    4. Re:Interesting... by Anonymous Coward · · Score: 0

      Nice, so now you open yourself up as a spam relay with no ability for the smtp server to validate the peer connection address. You would have been better off rewritting some of the MX rules in your sendmail.cf to accomplish this.

  4. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion