Tcpdump filter
Date: Fri, 17 Aug 2001 11:16:07 +0000
From: Subba Rao <subba9@home.com>
To: Focus IDS <FOCUS-IDS@SECURITYFOCUS.COM>
Subject: Tcpdump filter
Message-ID: <20010817111607.A6159@home.com>
Hi,
I have written a filter to avoid logging,
- ARP broadcasts
- ESP packets
- POP3 mail packets
- News packets
not arp and not ip[9] = 50 and
(
(not (src host 1.1.1.1 and dst port 110)) and
(not (src host M.M.M.M and src port 110))
)
and
(
(not (src host 1.1.1.1 and dst port 119)) and
(not (src host N.N.N.N and src port 119))
)
This filter is not capturing the Code Red probes. IPChains is logging the
Code Red attempts on this machine, but the filter fails to capture them.
Can anyone spot what I am doing wrong here? The outbound Web access is being
captured but not the Code Red access. Apart from the above-listed packets, I
would like to capture the rest of the packets.
Thank you in advance.
--
Subba Rao
subba9@home.com
http://members.home.net/subba9/
GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217
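Editor's note: the following is an added example, not part of the post above and not tcpdump code. It transcribes the posted BPF expression clause for clause into Python and evaluates it over constructed Ethernet/IPv4/TCP frames, so one can see which packets the expression keeps. `ip[9]` is the IPv4 protocol byte (50 = ESP), `src host`/`dst port` compare the IPv4 addresses and TCP ports, and a non-IP frame such as ARP makes `ip[9] = 50` false. The addresses 192.0.2.10 and 192.0.2.20 are assumed stand-ins for the post's M.M.M.M and N.N.N.N, the Internet hosts are from documentation space, and every frame is constructed here rather than captured; `looks_like_code_red` matches the worm's well-known `GET /default.ida?` request with its long run of N (Code Red v1/v2) or X (CodeRed II) characters.

```python
"""Model of the tcpdump/BPF filter from the post, evaluated over constructed frames."""
import struct
import ipaddress

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806

# 1.1.1.1 is the client named in the post; the mail and news server addresses
# are ASSUMED stand-ins (RFC 5737 space) for the post's M.M.M.M and N.N.N.N.
CLIENT = "1.1.1.1"
MAIL_SERVER = "192.0.2.10"
NEWS_SERVER = "192.0.2.20"


def _eth(ethertype):
    # Dummy MAC addresses; only the EtherType matters to the filter.
    return b"\x00\x11\x22\x33\x44\x55" + b"\x00\x66\x77\x88\x99\xaa" + struct.pack("!H", ethertype)


def _ipv4(src, dst, proto, payload):
    # Version/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum (0), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return _eth(ETH_P_IP) + hdr + payload


def tcp_frame(src, dst, sport, dport, payload=b""):
    # Minimal TCP header: ports, seq, ack, data offset 5, PSH|ACK, window, checksum (0), urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    return _ipv4(src, dst, 6, tcp)


def esp_frame(src, dst):
    # ESP (protocol 50): SPI and sequence number followed by opaque ciphertext
    return _ipv4(src, dst, 50, struct.pack("!II", 0x1234, 1) + b"\x00" * 16)


def arp_frame():
    return _eth(ETH_P_ARP) + b"\x00" * 28


def decode(frame):
    """Extract the fields the filter tests. For a non-IP frame ip[9] is undefined,
    which is why BPF's 'ip[9] = 50' is simply false for ARP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    f = {"is_arp": ethertype == ETH_P_ARP, "is_ip": ethertype == ETH_P_IP,
         "ip9": None, "src": None, "dst": None, "sport": None, "dport": None, "payload": b""}
    if not f["is_ip"]:
        return f
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    f["ip9"] = ip[9]                      # the protocol byte the post's filter indexes
    f["src"] = str(ipaddress.IPv4Address(ip[12:16]))
    f["dst"] = str(ipaddress.IPv4Address(ip[16:20]))
    if ip[9] == 6:                        # TCP: ports are the first four bytes of the header
        tcp = ip[ihl:]
        f["sport"], f["dport"] = struct.unpack("!HH", tcp[:4])
        f["payload"] = tcp[(tcp[12] >> 4) * 4:]
    return f


def posted_filter(frame):
    """The BPF expression from the post, one clause per line. True means 'captured'."""
    p = decode(frame)
    return (not p["is_arp"]
            and not (p["ip9"] == 50)
            and (not (p["src"] == CLIENT and p["dport"] == 110))
            and (not (p["src"] == MAIL_SERVER and p["sport"] == 110))
            and (not (p["src"] == CLIENT and p["dport"] == 119))
            and (not (p["src"] == NEWS_SERVER and p["sport"] == 119)))


def looks_like_code_red(frame):
    """Code Red's probe is 'GET /default.ida?' followed by a long run of N (v1/v2)
    or X (CodeRed II); require at least 200 such bytes right after the query mark."""
    payload = decode(frame)["payload"]
    prefix = b"GET /default.ida?"
    if not payload.startswith(prefix):
        return False
    run = payload[len(prefix):len(prefix) + 200]
    return len(run) == 200 and set(run) in ({ord("N")}, {ord("X")})


# Constructed sample traffic (not real captures).
CODE_RED_PROBE = tcp_frame("198.51.100.7", CLIENT, 3121, 80,
                           b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n\r\n")
OUTBOUND_WEB = tcp_frame(CLIENT, "203.0.113.5", 1034, 80, b"GET / HTTP/1.0\r\n\r\n")
POP3_REQUEST = tcp_frame(CLIENT, MAIL_SERVER, 1035, 110, b"USER subba\r\n")
POP3_REPLY = tcp_frame(MAIL_SERVER, CLIENT, 110, 1035, b"+OK\r\n")
NNTP_REQUEST = tcp_frame(CLIENT, NEWS_SERVER, 1036, 119, b"LIST\r\n")
NNTP_REPLY = tcp_frame(NEWS_SERVER, CLIENT, 119, 1036, b"215 list follows\r\n")
OTHER_POP3 = tcp_frame("198.51.100.9", MAIL_SERVER, 2000, 110, b"USER x\r\n")  # not from CLIENT
ESP = esp_frame(CLIENT, "203.0.113.9")
ARP = arp_frame()


def summary():
    """Map each sample to whether the posted expression would capture it."""
    samples = {"code_red_probe": CODE_RED_PROBE, "outbound_web": OUTBOUND_WEB,
               "pop3_request": POP3_REQUEST, "pop3_reply": POP3_REPLY,
               "nntp_request": NNTP_REQUEST, "nntp_reply": NNTP_REPLY,
               "other_host_pop3": OTHER_POP3, "esp": ESP, "arp": ARP}
    return {name: posted_filter(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, kept in summary().items():
        print(f"{name:16s} {'captured' if kept else 'excluded'}")
    print("Code Red signature on probe:", looks_like_code_red(CODE_RED_PROBE))
```

Run as-is, the model keeps the inbound port-80 probe and the outbound web request and excludes only ARP, ESP, and the POP3/NNTP flows tied to the named hosts; a POP3 request from any other host is still captured, because the exclusions are host-qualified. On the real tool, `tcpdump -d '<expression>'` dumps the compiled BPF program, which is the quickest way to confirm that the parenthesisation produced the intended matches.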