RE: TCP Dump Filters
From: Turner, Elliot (eturner@intrusion.com) Date: 12/21/01
- Previous message: Chris Grout: "RE: Use of Taps for IDS"
- Maybe in reply to: JCFontelera@SolanoCounty.com: "TCP Dump Filters"
- Next in thread: Novak, Judy H.: "RE: TCP Dump Filters"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Turner, Elliot" <eturner@intrusion.com> To: "'Mark Coleman'" <mcoleman@uniontown.com>, JCFontelera@SolanoCounty.com, focus-ids@securityfocus.com Date: Fri, 21 Dec 2001 10:44:21 -0600
Actually, TCPDump is capable of grabbing full frames.
You can control the amount of header+payload data that TCPDump captures
using the 'snaplen' command-line parameter.
Regards,
Elliot Turner
-----Original Message-----
From: Mark Coleman [mailto:mcoleman@uniontown.com]
Sent: Thursday, December 20, 2001 1:28 PM
To: JCFontelera@SolanoCounty.com; focus-ids@securityfocus.com
Subject: Re: TCP Dump Filters
I believe that TCPDump just grabs packet headers, so it can't watch for
anything in the payload, thus making it a poor choice for IDS beyond layer 4.
I have seen it used to detect connections to boxen that should never happen
for example, but NOT to see that an email attachment is called README.EXE.
I may be wrong on this one, but I don't think I am. You need something like
Snort for any good payload monitoring.
-Mark
----- Original Message -----
From: <JCFontelera@SolanoCounty.com>
To: <focus-ids@securityfocus.com>
Sent: Wednesday, December 19, 2001 4:25 PM
Subject: TCP Dump Filters
> Does anyone know a good web site that explains how
> to create TCPDUMP or windump filters to detect all sorts of
> attack signatures ?
>
> Thanks,
> Jaime
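An added illustration of the snaplen point above; it is not code from any message in this thread. It models what tcpdump keeps of a frame at a given snapshot length and shows why a payload string such as README.EXE is only visible to a filter when the capture length reaches the payload. The frame is constructed inline (sample MAC and 192.0.2.x addresses, zero checksums), and the 68-byte figure is the default snaplen of tcpdump releases of that era; `-s 0` meant "whole packet".

```python
import struct

ETH_HDR_LEN = 14
IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
OLD_DEFAULT_SNAPLEN = 68   # default snaplen of tcpdump 3.x (the versions current in 2001)
FULL_FRAME_SNAPLEN = 0     # `tcpdump -s 0`: capture the entire frame


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (sample addresses, zero checksums)."""
    eth = (b"\x00\x11\x22\x33\x44\x55"      # dst MAC (sample)
           + b"\x66\x77\x88\x99\xaa\xbb"    # src MAC (sample)
           + b"\x08\x00")                   # EtherType IPv4
    total_len = IPV4_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # src port 12345 -> dst port 25 (SMTP), data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 12345, 25, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def capture(frame: bytes, snaplen: int) -> bytes:
    """What tcpdump writes for `frame` at snapshot length `snaplen` (0 = whole frame)."""
    if snaplen == FULL_FRAME_SNAPLEN:
        return frame
    return frame[:snaplen]


def tcp_payload(captured: bytes):
    """Return the TCP payload bytes that survived truncation, or None if the headers themselves were cut."""
    if len(captured) < ETH_HDR_LEN + IPV4_HDR_LEN:
        return None
    ihl = (captured[ETH_HDR_LEN] & 0x0F) * 4          # IPv4 header length in bytes
    tcp_off = ETH_HDR_LEN + ihl
    if len(captured) < tcp_off + 13:                   # need the TCP data-offset byte
        return None
    doff = (captured[tcp_off + 12] >> 4) * 4           # TCP header length in bytes
    return captured[tcp_off + doff:]


def payload_contains(captured: bytes, needle: bytes) -> bool:
    """A payload-string check of the kind a filter would need; only meaningful if the payload was captured."""
    p = tcp_payload(captured)
    return p is not None and needle in p


# Constructed sample: an SMTP data segment naming an attachment.
SAMPLE_PAYLOAD = b'Content-Disposition: attachment; filename="README.EXE"\r\n'
SAMPLE_FRAME = build_frame(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for snaplen in (OLD_DEFAULT_SNAPLEN, 1514, FULL_FRAME_SNAPLEN):
        cap = capture(SAMPLE_FRAME, snaplen)
        print(f"snaplen={snaplen:<5} captured={len(cap):>3} bytes "
              f"payload_seen={tcp_payload(cap)!r} README.EXE visible={payload_contains(cap, b'README.EXE')}")
```

At the 68-byte default only 14 bytes of payload survive the 54 bytes of headers, so the filename is never seen; with `-s 1514` or `-s 0` the whole segment is on disk and a payload match succeeds. Whatever matches a payload string still has to be applied by the analyst or a tool such as Snort; a larger snaplen only ensures the bytes are there to match.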