Hi-Performance Protocol Identification Engine
Network News Transfer Protocol

HiPPIE Name: nntp
Protocol Category: Misc. Protocols
Protocol Classification: Average

The Network News Transfer Protocol, or NNTP, has existed on the internet for quite some time. Long enough, in fact, that it has fallen into legacy status, even though no other protocol has really replaced it for its function. There are still users of NNTP around, but it has fallen back into more of an underground status. It is still a worthwhile protocol to look out for and classify, because when it is in use it can consume quite large quantities of bandwidth, given the amount of information available through it.

Currently, the signature for NNTP in HiPPIE only supports client-mode (reader) sessions, though I intend to support full usage of the protocol. Regardless, identifying NNTP is rather straightforward. The first thing that occurs in an NNTP session is that the server sends a 200 response back to the client, similar to the one shown below. Once this occurs, the client responds by setting itself into reader mode, as demonstrated after that. Based on these two pieces, you can build a state table that first looks for a 200 and, upon receiving one (a code that is extremely common in many other protocols, such as FTP), starts looking for the client mode statement; once that arrives, start tagging the session as NNTP.

    200 mynewshost.com InterNetNews NNRP server INN blah blah

After this header comes the client's request for reader mode:

    MODE READER

Once this reader mode has been established, we know we've got NNTP traffic.
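The two-step state table described above, written out as an added example (not HiPPIE's own code). It assumes each line of a reassembled session arrives tagged with a hypothetical "server"/"client" direction, and it goes one step beyond the page by also accepting the 201 greeting (service available, posting prohibited) defined alongside 200 in RFC 3977. The constructed FTP sample shows why a bare 200 is not enough on its own.

```python
import re

# Hypothetical direction tags for each line of a reassembled TCP session.
SERVER, CLIENT = "server", "client"
# Server greeting: 200 is the page's cue; 201 = posting prohibited (RFC 3977).
NNTP_GREETING = re.compile(r"^20[01]\s")
# Client reader-mode request; NNTP commands are case-insensitive.
MODE_READER = re.compile(r"^MODE\s+READER\s*$", re.IGNORECASE)

class NntpClassifier:
    """Two-step state table: server 200 greeting, then client MODE READER."""
    def __init__(self):
        self.state = "WAIT_200"   # WAIT_200 -> WAIT_MODE_READER -> TAGGED
        self.verdict = None

    def feed(self, direction, line):
        """Consume one line; return 'nntp' once the session is tagged."""
        if self.verdict is not None:
            return self.verdict
        if self.state == "WAIT_200":
            if direction == SERVER and NNTP_GREETING.match(line):
                self.state = "WAIT_MODE_READER"
        elif direction == CLIENT:          # state == WAIT_MODE_READER
            if MODE_READER.match(line):
                self.state, self.verdict = "TAGGED", "nntp"
            else:
                # A 200 followed by any other client command (FTP's "200
                # Switching to Binary mode" then PASV, say) is not NNTP: re-arm.
                self.state = "WAIT_200"
        return self.verdict

def classify(session):
    """Run the state table over [(direction, line), ...]; 'nntp' or None."""
    clf = NntpClassifier()
    for direction, line in session:
        if clf.feed(direction, line) is not None:
            break
    return clf.verdict

# Constructed sample sessions (not real captures).
SAMPLE_NNTP = [
    (SERVER, "200 mynewshost.com InterNetNews NNRP server INN ready (posting ok)"),
    (CLIENT, "mode reader"),
]
SAMPLE_FTP = [
    (SERVER, "220 ftp.example.test FTP server ready"),
    (CLIENT, "TYPE I"),
    (SERVER, "200 Switching to Binary mode."),
    (CLIENT, "PASV"),
]
```

Only the client command immediately following the 200 is examined; anything else re-arms the table, so an FTP session's many 200 replies never reach the tagged state.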