ietf-openproxy

Re: Revised ID Needed for draft-ietf-opes-iab-04?

2004-03-31 20:24:49

Alex Rousskov wrote:
On Wed, 31 Mar 2004, Markus Hofmann wrote:


  an OPES callout server attached to a gateway or firewall may
  scan outgoing traffic for signs of worm or virus activity and notify
  a local Intrusion Detection System (IDS) of potentially compromised
  hosts inside the network. Such notifications may use OPES tracing
  information to pinpoint the infected host (which could be another
  OPES entity).

Although I believe I understand the intent of using the term "host"
here, I'm wondering whether it might be easier to understand if we talk
about a "server" in this example. I had to read the example twice to
understand that the "host" you're talking about is a content source
rather than the content consumer. But it might just be me :)


Hmm... I meant the host inside a network. It could be a user PC, a web
server, or some other kind of a server/agent. In case of a user PC,
the PC is the content producer where content is whatever that infected
PC is sending outside of the network (malformed GET requests, port
probes, etc.). In case of a web server, the server is the content
producer where content is a web page with scripting bugs or other bad
things inside. In either case, the host is infected and is the content
producer.

Is that how you interpreted it? The "host" to "server" change would
eliminate an important case of an infected client PC. Any other
suggestions on how to polish the above?

Yup, that's the way I interpreted it. And, yes, the "host" to "server" change would eliminate the case of an infected client PC. However, since this is just an example for illustration, I felt that simplicity is more important than completeness. But that's a minor suggestion, I don't have a problem with the current phrasing.

-Markus