Re: TCP Dump Filters
From: Derek Walker (derwalke@cisco.com)
Date: 12/21/01
- Previous message: Jared C. Lovell: "Re: TCP Dump Filters"
- In reply to: Mark Coleman: "Re: TCP Dump Filters"
- Next in thread: Matt Bing: "Re: TCP Dump Filters"
- Next in thread: Turner, Elliot: "RE: TCP Dump Filters"
- Reply: Matt Bing: "Re: TCP Dump Filters"
- Reply: Stover, S.f.: "Re: TCP Dump Filters"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Dec 2001 09:05:40 -0800 (PST)
From: Derek Walker <derwalke@cisco.com>
To: Mark Coleman <mcoleman@uniontown.com>
TCP dump can be given arguments as to how much of each packet to capture.
With a snaplen of 1500 for instance, you will always capture pretty much
the whole packet.
D.
On Thu, 20 Dec 2001, Mark Coleman wrote:
> I believe that TCPDump just grabs packet headers, so it can't watch for
> anything in the payload, thus making it a poor choice for IDS beyond layer
> 4.
>
> I have seen it used to detect connections to boxen that should never happen
> for example, but NOT to see that an email attachment is called README.EXE.
>
> I may be wrong on this one, but I don't think I am. You need something like
> Snort for any good payload monitoring.
>
> -Mark
>
>
> ----- Original Message -----
> From: <JCFontelera@SolanoCounty.com>
> To: <focus-ids@securityfocus.com>
> Sent: Wednesday, December 19, 2001 4:25 PM
> Subject: TCP Dump Filters
>
>
> > Does anyone know a good web site that explains how
> > to create TCPDUMP or windump filters to detect all sorts of
> > attack signatures ?
> >
> > Thanks,
> > Jaime
>
>
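To illustrate Derek's point about snaplen (an added example, not code from the thread): a minimal pcap writer and reader that records one constructed SMTP segment at two snaplens and then looks for the attachment name README.EXE in the TCP payload. The frame, its payload and the addresses are constructed for the example; 68 bytes was the default snaplen in tcpdump releases of that era, and 1500 is the value Derek suggests.

```python
import struct

# Constructed sample: an SMTP data segment carrying a MIME attachment header (not a real capture).
SAMPLE_PAYLOAD = (b"Content-Type: application/octet-stream\r\n"
                  b"Content-Disposition: attachment; filename=\"README.EXE\"\r\n\r\n")

def build_frame(payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP (no options) + payload; checksums left zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(frames, snaplen: int) -> bytes:
    """Serialise frames the way libpcap does: each record stores at most snaplen bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # DLT_EN10MB
    for i, frame in enumerate(frames):
        data = frame[:snaplen]
        out += struct.pack("<IIII", i, 0, len(data), len(frame)) + data
    return out

def read_pcap(blob: bytes):
    """Return (captured_bytes, original_length) for every record in the file."""
    off, records = 24, []
    while off < len(blob):
        _sec, _usec, incl, orig = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        records.append((blob[off:off + incl], orig))
        off += incl
    return records

def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet/IPv4/TCP headers using IHL and data offset; empty if truncated."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 13:
        return b""
    doff = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + doff:]

def capture_and_check(snaplen: int, needle: bytes = b"README.EXE"):
    """Write the sample frame at the given snaplen and report per-record payload hits."""
    blob = write_pcap([build_frame(SAMPLE_PAYLOAD)], snaplen)
    return [needle in tcp_payload(data) for data, _ in read_pcap(blob)]

if __name__ == "__main__":
    print(capture_and_check(68), capture_and_check(1500))  # [False] [True]
```

With the 68-byte snaplen the record ends 14 bytes into the payload, so the attachment name is never captured; at 1500 the whole segment is present. On Ethernet a full-size frame is 1514 bytes (1500-byte MTU plus the 14-byte header), so a snaplen of 1500 can still clip the tail of maximum-size packets.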