Re: TCP Dump Filters
From: Marcin Dobrucki (siili@nixu.com)
Date: 12/20/01
- Previous message: Adkins, Matthew: "RE: Winxp, blackice and ie"
- In reply to: JCFontelera@SolanoCounty.com: "TCP Dump Filters"
- Next in thread: McCammon, Keith: "RE: TCP Dump Filters"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Dec 2001 12:16:20 +0200 (EET)
From: Marcin Dobrucki <siili@nixu.com>
To: focus-ids@securityfocus.com
On Wed, 19 Dec 2001 JCFontelera@SolanoCounty.com wrote:
> Does anyone know a good web site that explains how
> to create TCPDUMP or windump filters to detect all sorts of
> attack signatures ?
For an example of how such filters are created, look at the
SHADOW system (http://www.nswc.navy.mil/ISSEC/CID/). Download
the source, and check out the ./filters directory.
For more information, you could check out the older edition
of Northcutt's book: "Network Intrusion Detection, An Analyst
handbook".
Windump and tcpdump work in the same way.
Cheers,
Marcin Dobrucki
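The reply above points at SHADOW's filter directory rather than spelling out how tcpdump/windump detection filters are built. The following is an added example, not part of the original thread and not taken from SHADOW or Northcutt's book: it shows the byte-offset style those filters use (`tcp[13]` is the TCP flags byte, counted from the start of the TCP header) by pairing each tcpdump expression with an equivalent check on raw packet bytes and running it over a few constructed IPv4/TCP packets. The filter names, the sample addresses and the packets are all constructed for illustration.

```python
"""Byte-offset packet filters in the style of tcpdump/windump expressions.

Added example, not part of the original post or of the SHADOW system. The
filters and the sample packets below are constructed for illustration.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (20-byte headers, no options, no payload).
    Constructed test data: checksums are left at zero, which is fine offline."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20 bytes)
        0, 40, 0, 0,     # TOS, total length, id, flags/fragment offset
        64, 6, 0,        # TTL, protocol 6 = TCP, checksum (unset)
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        0, 0,            # sequence and acknowledgement numbers
        5 << 4,          # data offset 5 (20 bytes), reserved bits zero
        flags,           # this byte is tcp[13] in tcpdump's notation
        8192, 0, 0,      # window, checksum (unset), urgent pointer
    )
    return ip_hdr + tcp_hdr


def tcp_offset(pkt):
    """tcpdump's tcp[n] counts from the TCP header, i.e. after IHL*4 bytes of IP header."""
    return (pkt[0] & 0x0F) * 4


def tcp_flags(pkt):
    """The flags byte, exactly what the expression tcp[13] evaluates to."""
    return pkt[tcp_offset(pkt) + 13]


# name -> (tcpdump/windump expression, equivalent check on the raw bytes)
FILTERS = {
    "syn-fin":   ("tcp[13] & 0x03 = 0x03", lambda p: tcp_flags(p) & 0x03 == 0x03),
    "null-scan": ("tcp[13] = 0",           lambda p: tcp_flags(p) == 0),
    "xmas":      ("tcp[13] & 0x29 = 0x29", lambda p: tcp_flags(p) & 0x29 == 0x29),
    "syn-only":  ("tcp[13] & 0x12 = 0x02", lambda p: tcp_flags(p) & 0x12 == 0x02),
}


def match_filters(pkt):
    """Names of every filter the packet satisfies, in FILTERS order."""
    return [name for name, (_, check) in FILTERS.items() if check(pkt)]


def endpoints(pkt):
    """'src:sport > dst:dport' in the style of tcpdump's own output."""
    off = tcp_offset(pkt)
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[off:off + 4])
    return f"{src}:{sport} > {dst}:{dport}"


def run_filters(packets):
    """Group packets by the filter they trip, one list per filter name."""
    hits = {name: [] for name in FILTERS}
    for pkt in packets:
        for name in match_filters(pkt):
            hits[name].append(endpoints(pkt))
    return hits


# Constructed sample traffic: a normal SYN, its SYN/ACK reply, and three malformed flag sets.
SAMPLE = [
    build_ipv4_tcp("192.0.2.10", "192.0.2.80", 40001, 80, TCP_SYN),
    build_ipv4_tcp("192.0.2.80", "192.0.2.10", 80, 40001, TCP_SYN | TCP_ACK),
    build_ipv4_tcp("198.51.100.7", "192.0.2.80", 1234, 22, TCP_SYN | TCP_FIN),
    build_ipv4_tcp("198.51.100.7", "192.0.2.80", 1234, 23, 0),
    build_ipv4_tcp("198.51.100.7", "192.0.2.80", 1234, 25, TCP_FIN | TCP_PSH | TCP_URG),
]

if __name__ == "__main__":
    for name, (expr, _) in FILTERS.items():
        print(f"{name:10} {expr}")
    for name, matched in run_filters(SAMPLE).items():
        print(name, matched)
```

Each expression in `FILTERS` can be handed unchanged to `tcpdump -n '<expression>'` or to windump, which, as the reply notes, accepts the same filter language; the Python check beside it only makes the byte arithmetic visible. Note that `syn-fin` packets also trip `syn-only`, since SYN is set and ACK is clear in both: a SHADOW-style filter set usually orders its expressions from most to least specific for that reason.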