L-7 Protocol analysis

by Karthik
Oct. 7, 2017, INFOSEC Institute, Detection & Response

Traditional intrusion detection systems have always relied on protocol-specific analysers to extract the context of a traffic stream. In essence, an intrusion detection system inspects the pattern of packets flowing inside the network and looks for anomalous behaviour in that stream. Traditional methods rely on standard, well-known port numbers to decide which protocol analyser to apply, an assumption that no longer holds in the current network landscape. As attacks have evolved into more sophisticated forms, the defence landscape must evolve and adapt to them. Some measures already implemented include detecting applications that do not use their standard ports, analysing the payload of each data transfer in the FTP protocol, and detecting C&C servers that use IRC as their underlying transport.
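As an added illustration of port-independent (L7) protocol identification, and not code from the original article: a small Python classifier that labels a stream by its first bytes and flags flows whose content does not match the protocol conventionally associated with the destination port, such as IRC on port 443. The sample flows, signature table and port table are constructed for this example.

```python
import re

# Constructed sample flows: (destination port, first application-layer bytes).
# A port-only classifier would label the last two as TLS and HTTP respectively.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (21, b"220 (vsFTPd 3.0.3)\r\n"),
    (6667, b"NICK bot1\r\nUSER bot1 0 * :bot1\r\nJOIN #chan\r\n"),
    (443, b"NICK zombie42\r\nUSER zombie42 0 * :x\r\nJOIN #cc\r\n"),
    (8080, b"220 Welcome\r\n"),
]

# Content signatures matched against the start of a stream, independent of port.
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "ftp": re.compile(rb"^220[ -]"),
    "irc": re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG) ", re.MULTILINE),
}

# What the port number alone would suggest (the traditional, port-based method).
PORT_HINTS = {21: "ftp", 80: "http", 8080: "http", 443: "tls", 6667: "irc"}


def identify_protocol(payload: bytes) -> str:
    """Return the L7 protocol implied by the payload content, or 'unknown'."""
    head = payload[:256]  # only the first bytes are needed for these signatures
    for name, pattern in SIGNATURES.items():
        if pattern.search(head):
            return name
    return "unknown"


def analyse_flow(port: int, payload: bytes) -> dict:
    """Compare the content-derived protocol with the port-derived expectation."""
    detected = identify_protocol(payload)
    expected = PORT_HINTS.get(port, "unknown")
    mismatch = detected != "unknown" and detected != expected
    alert = None
    if mismatch:
        alert = f"{detected} traffic on port {port} (expected {expected})"
        if detected == "irc":
            alert += ": possible IRC-based C&C channel"
    return {"port": port, "expected": expected, "detected": detected,
            "mismatch": mismatch, "alert": alert}


def run_analysis(flows=SAMPLE_FLOWS) -> list:
    """Return the alert strings for every flow whose content contradicts its port."""
    return [r["alert"] for r in (analyse_flow(p, d) for p, d in flows) if r["mismatch"]]
```

Running `run_analysis()` reports the IRC session on port 443 and the FTP banner on port 8080 while leaving the three conventionally-ported flows silent.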