Re: TCP Dump Filters
From: Jared C. Lovell (lovell@blindfaith.org)
Date: 12/21/01
- Previous message: Turner, Elliot: "RE: TCP Dump Filters"
- In reply to: Mark Coleman: "Re: TCP Dump Filters"
- Next in thread: Derek Walker: "Re: TCP Dump Filters"
- Next in thread: Turner, Elliot: "RE: TCP Dump Filters"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Dec 2001 09:00:34 -0800 (PST)
From: "Jared C. Lovell" <lovell@blindfaith.org>
To: Mark Coleman <mcoleman@uniontown.com>
tcpdump can dump entire packets:
tcpdump -s 0 -w filename -i interface
Still not an IDS on its own...
On Thu, 20 Dec 2001, Mark Coleman wrote:
> I believe that TCPDump just grabs packet headers, so it can't watch for
> anything in the payload, thus making it a poor choice for IDS beyond layer
> 4.
>
> I have seen it used to detect connections to boxen that should never happen
> for example, but NOT to see that an email attachment is called README.EXE.
>
> I may be wrong on this one, but I don't think I am. You need something like
> Snort for any good payload monitoring.
>
> -Mark
>
>
> ----- Original Message -----
> From: <JCFontelera@SolanoCounty.com>
> To: <focus-ids@securityfocus.com>
> Sent: Wednesday, December 19, 2001 4:25 PM
> Subject: TCP Dump Filters
>
>
> > Does anyone know a good web site that explains how
> > to create TCPDUMP or windump filters to detect all sorts of
> > attack signatures ?
> >
> > Thanks,
> > Jaime
>
>
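Added example (not from the thread or from tcpdump itself): the exchange above turns on snaplen. A capture taken with tcpdump's old 68-byte default snaplen holds Ethernet, IP and TCP headers plus only a few payload bytes, so a payload check like "is this attachment called README.EXE" cannot work on it; `-s 0` records the whole packet. The script below constructs one Ethernet/IPv4/TCP frame carrying an SMTP-style attachment header, writes it to a libpcap file twice (truncated to 68 bytes, and whole), and scans the TCP payload of each for an attachment filename. The frame, addresses, ports and the `OLD_DEFAULT_SNAPLEN` constant are constructed for the demonstration; no checksums are computed, since the point is what a capture file does or does not contain.

```python
"""Added example (not from the thread): why `tcpdump -s 0` matters for payload
inspection. Writes a constructed frame to pcap at the old 68-byte default snaplen
and at full length, then looks for an attachment filename in each capture."""
import os
import re
import struct
import tempfile

OLD_DEFAULT_SNAPLEN = 68  # tcpdump's historical default before 4.x (assumed here as the "headers only" case)
FULL_SNAPLEN = 262144     # stand-in for `-s 0`: keep whole packets


def build_tcp_frame(payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 + TCP frame (checksums left at zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # sport, dport(25 = SMTP), seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def write_pcap(path: str, frames, snaplen: int) -> None:
    """Write frames in libpcap format; snaplen 0 keeps whole packets,
    any other value truncates each record as `tcpdump -s <snaplen>` would."""
    limit = snaplen or FULL_SNAPLEN
    with open(path, "wb") as f:
        # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 = Ethernet
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, limit, 1))
        for frame in frames:
            data = frame[:limit]
            # ts_sec, ts_usec, captured length, original length on the wire
            f.write(struct.pack("<IIII", 0, 0, len(data), len(frame)))
            f.write(data)


def read_pcap(path: str):
    """Yield (captured_bytes, original_length) for every record in the file."""
    with open(path, "rb") as f:
        f.read(24)  # global header
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                return
            _, _, caplen, origlen = struct.unpack("<IIII", hdr)
            yield f.read(caplen), origlen


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet, IPv4 (honouring IHL) and TCP (honouring data offset)."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    if len(frame) < tcp_start + 13:
        return b""
    doff = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + doff:]


ATTACHMENT_RE = re.compile(rb'filename="?([^";\r\n]+)', re.IGNORECASE)


def find_attachments(path: str):
    """Return (attachment filenames seen in TCP payload, count of truncated records)."""
    names, truncated = [], 0
    for data, origlen in read_pcap(path):
        if len(data) < origlen:
            truncated += 1
        names += [m.decode() for m in ATTACHMENT_RE.findall(tcp_payload(data))]
    return names, truncated


def demo():
    """Capture the same constructed frame at snaplen 68 and at full length."""
    msg = (b"Content-Type: application/octet-stream\r\n"
           b'Content-Disposition: attachment; filename="README.EXE"\r\n\r\n')
    frame = build_tcp_frame(msg)
    tmp = tempfile.mkdtemp()
    short, full = os.path.join(tmp, "s68.pcap"), os.path.join(tmp, "s0.pcap")
    write_pcap(short, [frame], OLD_DEFAULT_SNAPLEN)
    write_pcap(full, [frame], 0)
    return find_attachments(short), find_attachments(full)


if __name__ == "__main__":
    print(demo())  # (([], 1), (['README.EXE'], 0))
```

The truncated capture yields no filename and reports one record whose captured length is shorter than its wire length, which is the condition to check before trusting any payload-level result from an old pcap; the full capture finds README.EXE. Checking caplen against the original length is also how to tell, after the fact, whether a capture was taken with `-s 0`.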