Re: TCP Dump Filters
From: Mark Coleman (mcoleman@uniontown.com) Date: 12/20/01
- Previous message: Jonkman, Matthew A.: "RE: Use of Taps for IDS"
- In reply to: JCFontelera@SolanoCounty.com: "TCP Dump Filters"
- Next in thread: Jared C. Lovell: "Re: TCP Dump Filters"
- Next in thread: Turner, Elliot: "RE: TCP Dump Filters"
- Reply: Jared C. Lovell: "Re: TCP Dump Filters"
- Reply: Derek Walker: "Re: TCP Dump Filters"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Mark Coleman" <mcoleman@uniontown.com> To: <JCFontelera@SolanoCounty.com>, <focus-ids@securityfocus.com> Date: Thu, 20 Dec 2001 11:28:00 -0800
I believe that TCPDump just grabs packet headers, so it can't watch for anything in the payload, thus making it a poor choice for IDS beyond layer 4.
I have seen it used to detect connections to boxen that should never happen, for example, but NOT to see that an email attachment is called README.EXE.
I may be wrong on this one, but I don't think I am. You need something like Snort for any good payload monitoring.
-Mark
----- Original Message -----
From: <JCFontelera@SolanoCounty.com>
To: <focus-ids@securityfocus.com>
Sent: Wednesday, December 19, 2001 4:25 PM
Subject: TCP Dump Filters
> Does anyone know a good web site that explains how
> to create TCPDUMP or windump filters to detect all sorts of
> attack signatures ?
>
> Thanks,
> Jaime
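The thread turns on what a sniffer-based filter can and cannot test: header fields are always present in a capture, but payload content is only there if the snapshot length kept it (tcpdump 3.x, current at the time of this post, defaulted to 68 bytes per packet; a larger value must be given with -s). The following is an added example, not code from any poster in this thread. It builds two constructed Ethernet/IPv4/TCP frames, truncates them to a chosen snaplen the way a sniffer would, and then applies the two kinds of rule Mark contrasts: a header rule (a SYN toward a host/port that should never be contacted, written as a BPF expression in the comment) and a payload rule (an attachment named README.EXE in an SMTP data segment). The addresses, ports and MIME text are all constructed sample data.

```python
"""
Added example (not from the thread): header-level vs payload-level rules
evaluated against a truncated capture, mirroring what a tcpdump/windump
filter can test depending on the snapshot length in effect.
"""
import struct

ETH_HDR = 14          # Ethernet II header length
OLD_SNAPLEN = 68      # tcpdump 3.x default snapshot length (bytes per packet)
FULL_SNAPLEN = 1514   # a whole Ethernet frame
SYN, ACK = 0x02, 0x10


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(payload),
                     0, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def capture(frame, snaplen):
    """What the sniffer retains: only the first snaplen bytes of each frame."""
    return frame[:snaplen]


def decode(cap):
    """Pull the fields a BPF filter indexes (ip[...], tcp[...]) out of a capture."""
    ip_off = ETH_HDR
    ihl = (cap[ip_off] & 0x0F) * 4
    tcp_off = ip_off + ihl
    sport, dport = struct.unpack("!HH", cap[tcp_off:tcp_off + 4])
    doff = (cap[tcp_off + 12] >> 4) * 4
    return {
        "src": ".".join(str(b) for b in cap[ip_off + 12:ip_off + 16]),
        "dst": ".".join(str(b) for b in cap[ip_off + 16:ip_off + 20]),
        "sport": sport,
        "dport": dport,
        "flags": cap[tcp_off + 13],
        "payload": cap[tcp_off + doff:],   # whatever survived the snaplen cut
    }


def forbidden_connection(pkt, host, port):
    """Header rule: a SYN without ACK toward a host/port that should never be contacted.
    tcpdump equivalent:
      tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst host HOST and dst port PORT
    """
    return (pkt["dst"] == host and pkt["dport"] == port
            and (pkt["flags"] & (SYN | ACK)) == SYN)


def attachment_named(pkt, name):
    """Payload rule: only answerable if the capture kept the payload bytes.
    Substring search here stands in for an IDS content match; BPF itself can only
    compare bytes at fixed offsets."""
    return name.lower() in pkt["payload"].lower()


def evaluate(frame, snaplen):
    pkt = decode(capture(frame, snaplen))
    return {
        "forbidden_telnet": forbidden_connection(pkt, "10.0.0.5", 23),
        "readme_exe": attachment_named(pkt, b"README.EXE"),
        "payload_bytes_seen": len(pkt["payload"]),
    }


# Constructed sample traffic (hypothetical hosts).
SYN_FRAME = build_frame("10.0.0.9", "10.0.0.5", 40001, 23, SYN)
SMTP_FRAME = build_frame(
    "10.0.0.9", "10.0.0.25", 40002, 25, 0x18,   # PSH|ACK data segment
    b'Content-Type: application/octet-stream; name="README.EXE"\r\n'
    b'Content-Disposition: attachment; filename="README.EXE"\r\n',
)

if __name__ == "__main__":
    for label, frame in (("telnet SYN", SYN_FRAME), ("SMTP data", SMTP_FRAME)):
        for snaplen in (OLD_SNAPLEN, FULL_SNAPLEN):
            print(label, "snaplen", snaplen, evaluate(frame, snaplen))
```

With the 68-byte snapshot the header rule fires on the telnet SYN exactly as it would in a live tcpdump filter, while the SMTP segment yields only 14 payload bytes ("Content-Type: ") and the attachment name is never seen; with a full-frame snapshot the same payload rule does match. The snaplen is therefore the first thing to check before deciding what a sniffer-side rule can be trusted to detect.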