On Wed, 31 Mar 2004, Markus Hofmann wrote:
an OPES callout server attached to a gateway or firewall may
scan outgoing traffic for signs of worm or virus activity and notify
a local Intrusion Detection System (IDS) of potentially compromised
hosts inside the network. Such notifications may use OPES tracing
information to pinpoint the infected host (which could be another
OPES entity).
Although I believe to understand the intent of using the term "host"
here, I'm wondering wether it might be easier to understand if we talk
about a "server" in this example. I had to read the example twice to
understand that the "host" you're talking about is a content source
rather than the content consumer. But it might just be me :)
Hmm... I meant the host inside a network. It could be a user PC, a web
server, or some other kind of a server/agent. In case of a user PC,
the PC is the content producer where content is whatever that infected
PC is sending outside of the network (malformed GET requests, port
probes, etc.). In case of a web server, the server is the content
producer where content is a web page with scripting bugs or other bad
things inside. In either case, the host is infected and is the content
producer.
Is that how you interpreted it? The "host" to "server" change would
eliminate an important case of an infected client PC. Any other
suggestions on how to polish the above?
Note that OPES services may not have enough information to contact
the content producer directly in this case.
The last sentecne could be explained a little more (e.g. what
information might be missing etc.).
Will do.
Alex.