RE: TCP Dump Filters

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 12/20/01 

Date: Thu, 20 Dec 2001 09:31:06 -0500
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: <JCFontelera@SolanoCounty.com>, <focus-ids@securityfocus.com>

You can do a search for BPF syntax (man tcpdump), but tcpdump is not
intended, nor is it optimized, for use as an intrusion detection system.
You can create very restrictive filters, and even decode application
data and output it to a database, but in the end (analysis, matching,
and alerting) you're just re-inventing the wheel.

Snort (http://www.snort.org), on the other hand, is exactly what you're
looking for!

Cheers

Keith

-----Original Message-----
From: JCFontelera@SolanoCounty.com [mailto:JCFontelera@SolanoCounty.com]
Sent: Wednesday, December 19, 2001 7:26 PM
To: focus-ids@securityfocus.com
Subject: TCP Dump Filters

Does anyone know a good web site that explains how
to create TCPDUMP or windump filters to detect all sorts of
attack signatures ?

Thanks,
Jaime

Relevant Pages

  • RE: TCP Dump Filters
    ... examination of payload, but I wouldn't suggest doing so. ... TCPdump, by default, captures the frame header for Ethernet) and as Crist ... you have to know exactly where in the packet the text falls. ... have multiple filters to capture longer strings. ...
    (Focus-IDS)
  • Re: How to use tcpdump
    ... >the packets roll by to fast.. ... The tcpdump man page has tons of info on how to do ... Perl script that pipes in the output of tcpdump and filters that; ... plain old grep and a regular expression could do the job. ...
    (Security-Basics)
  • Re: Evaluation for IDS
    ... The SHADOW ids is built around tcpdump ... SfS ... > Is there a good site that discusses writing filters for TCPDump or Windump. ...
    (Focus-IDS)
  • Tips for Using tcpdump
    ... click on the Resource tab and then "Tips for Using tcpdump". ... find the Port Report helpful. ...
    (Focus-IDS)