RE: TCP Dump Filters
From: Turner, Elliot (email@example.com)
- Previous message: Chris Grout: "RE: Use of Taps for IDS"
- Maybe in reply to: JCFontelera@SolanoCounty.com: "TCP Dump Filters"
- Next in thread: Novak, Judy H.: "RE: TCP Dump Filters"
From: "Turner, Elliot" <firstname.lastname@example.org>
To: "'Mark Coleman'" <email@example.com>, JCFontelera@SolanoCounty.com, firstname.lastname@example.org
Date: Fri, 21 Dec 2001 10:44:21 -0600
Actually, TCPDump is capable of grabbing full frames.
You can control the amount of header+payload data that TCPDump captures
using the 'snaplen' command-line parameter.
From: Mark Coleman [mailto:email@example.com]
Sent: Thursday, December 20, 2001 1:28 PM
To: JCFontelera@SolanoCounty.com; firstname.lastname@example.org
Subject: Re: TCP Dump Filters
I believe that TCPDump just grabs packet headers, so it can't watch for
anything in the payload, thus making it a poor choice for IDS beyond layer
I have seen it used to detect connections to boxen that should never happen
for example, but NOT to see that an email attachment is called README.EXE.
I may be wrong on this one, but I don't think I am. You need something like
Snort for any good payload monitoring.
> Does anyone know a good web site that explains how
> to create TCPDUMP or windump filters to detect all sorts of
> attack signatures ?
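The point made at the top of this thread, that the snaplen decides whether any payload is there to match against, is easy to see with a small experiment. The script below is an added example, not code from this thread or from tcpdump itself: it builds one constructed Ethernet/IPv4/TCP frame carrying an invented SMTP fragment with `filename="README.EXE"`, writes it to an in-memory libpcap file truncated the way a capture with `-s <snaplen>` would be, and then searches the captured TCP payload. With the old 68-byte default only the first 14 bytes of payload survive, so the attachment name is invisible while a header-only check (a connection to a given host and port) still works; with a full-frame snaplen the payload match succeeds. Addresses, ports, timestamps and the payload are all made up.

```python
"""Added example: what tcpdump's snaplen does to payload inspection.
Not code from the original thread; all frame contents are constructed."""
import struct

LEGACY_DEFAULT_SNAPLEN = 68   # tcpdump's traditional default (-s not given)
DLT_EN10MB = 1                # pcap link type: Ethernet


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame. Checksums stay zero: the frame
    is only parsed here, never sent on a wire."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen):
    """Serialize frames as a libpcap file, truncating each one to snaplen
    as 'tcpdump -s <snaplen>' would. snaplen 0 means keep whole frames."""
    limit = snaplen if snaplen else 65535
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, limit, DLT_EN10MB)
    for frame in frames:
        captured = frame[:limit]
        # record header: ts_sec, ts_usec (constructed), incl_len, orig_len
        out += struct.pack("<IIII", 0, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Yield (captured_bytes, original_length_on_wire) per record."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl], orig
        off += incl


def parse_tcp(frame):
    """Return (src_ip, dst_ip, dport, payload) for an Ethernet/IPv4/TCP frame,
    or None if the captured bytes do not reach the TCP header. The payload
    is whatever survived truncation, possibly empty."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    dport = struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0]
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, dport, frame[tcp_off + data_off:]


def find_in_payload(pcap_bytes, needle):
    """Payload check: (src, dst, dport) of every record whose captured
    TCP payload contains needle. Depends entirely on the snaplen."""
    hits = []
    for captured, _ in read_pcap(pcap_bytes):
        parsed = parse_tcp(captured)
        if parsed and needle in parsed[3]:
            hits.append(parsed[:3])
    return hits


def connections_to(pcap_bytes, dst_ip, dport):
    """Header-only check (the 'connection that should never happen' case):
    count records addressed to dst_ip:dport. Works even with a short snaplen."""
    return sum(1 for captured, _ in read_pcap(pcap_bytes)
               if (p := parse_tcp(captured)) and p[1] == dst_ip and p[2] == dport)


def demo():
    """Run the same frame through a legacy-snaplen and a full-frame capture."""
    payload = b'Content-Disposition: attachment; filename="README.EXE"\r\n'
    frame = build_tcp_frame("10.0.0.5", "192.0.2.10", 40000, 25, payload)
    legacy = write_pcap([frame], LEGACY_DEFAULT_SNAPLEN)
    full = write_pcap([frame], 0)
    legacy_record = next(read_pcap(legacy))
    return {
        "orig_len": legacy_record[1],
        "legacy_captured_len": len(legacy_record[0]),
        "legacy_hits": find_in_payload(legacy, b"README.EXE"),
        "full_hits": find_in_payload(full, b"README.EXE"),
        "legacy_connections": connections_to(legacy, "192.0.2.10", 25),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real box the equivalent of the two captures is `tcpdump -s 68 -w short.pcap` versus `tcpdump -s 0 -w full.pcap` (the `-s` flag is tcpdump's snaplen option; `-s 0` requests whole frames on the versions current at the time of this thread). The 14 bytes of payload that survive the 68-byte capture (54 bytes of Ethernet, IP and TCP headers come first) are the whole reason payload signatures look impossible with a default capture; raise the snaplen and the same BPF filter plus a payload search sees the attachment name.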