Re: TCP Dump Filters

From: Stover, S.f. (sstover@enterasys.com)
Date: 12/22/01


Date: Fri, 21 Dec 2001 18:10:17 -0500
From: "Stover, S.f." <sstover@enterasys.com>
To: Derek Walker <derwalke@cisco.com>

True, but can you FILTER on the contents of the payload? That was the
original question I believe. A man on TCPdump shows me that you can
filter on all kinds of packet characteristics like port, IP (host &
net), TCP flags, options, length, etc. etc., but not on whether or not
there is a "GET /cgi-bin/phf" in the payload. If I'm correct, this
would be a major drawback in the use of TCPdump as an IDS engine. If
you can't filter packets on payload content, you can't write real
filters for attack signatures (outside of aberrant packet
characteristics). Anyone know for sure if TCPdump can do this?? Judy??

SfS

Derek Walker wrote:

> TCP dump can be given arguments as to how much of each packet to capture.
> With a snaplen of 1500 for instance, you will always capture pretty much
> the whole packet.
>
> D.
>
> On Thu, 20 Dec 2001, Mark Coleman wrote:
>
>
>>I believe that TCPDump just grabs packet headers, so it can't watch for
>>anything in the payload, thus making it a poor choice for IDS beyond layer
>>4.
>>
>>I have seen it used to detect connections to boxen that should never happen
>>for example, but NOT to see that an email attachment is called README.EXE.
>>
>>I may be wrong on this one, but I don't think I am. You need something like
>>Snort for any good payload monitoring.
>>
>>-Mark
>>
>>
>>----- Original Message -----
>>From: <JCFontelera@SolanoCounty.com>
>>To: <focus-ids@securityfocus.com>
>>Sent: Wednesday, December 19, 2001 4:25 PM
>>Subject: TCP Dump Filters
>>
>>
>>
>>>Does anyone know a good web site that explains how
>>>to create TCPDUMP or windump filters to detect all sorts of
>>>attack signatures ?
>>>
>>>Thanks,
>>>Jaime
>>>
>>
>
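To the question of whether tcpdump can filter on payload bytes: it can, but only at a known offset, because BPF compares fixed-size (1, 2 or 4 byte) fields and has no substring search. The script below is an added example, not from anyone in this thread; it assumes IPv4 TCP traffic and matches the string only when it begins the TCP payload (offset 0), chaining one comparison per 4-byte chunk.

```shell
#!/bin/sh
# Added example: build a tcpdump/BPF filter that matches an ASCII string
# at the start of the TCP payload. Assumes IPv4; the data offset is taken
# from the TCP header length nibble (tcp[12:1] & 0xf0) >> 2.

# Hex-encode a string, two hex digits per byte (ASCII input only).
hex_of() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Emit the BPF expression for a string. One comparison can inspect at
# most 4 bytes, so the string is split into 4-, 2- and 1-byte chunks,
# each anchored at (TCP data offset) + chunk offset.
payload_filter() {
    hex=$(hex_of "$1")
    total=$(( ${#hex} / 2 ))
    pos=0
    expr=''
    while [ "$pos" -lt "$total" ]; do
        left=$(( total - pos ))
        if [ "$left" -ge 4 ]; then size=4
        elif [ "$left" -ge 2 ]; then size=2
        else size=1
        fi
        # Slice the hex string for this chunk (cut is 1-indexed).
        chunk=$(printf '%s' "$hex" | cut -c $(( pos * 2 + 1 ))-$(( (pos + size) * 2 )))
        term="tcp[((tcp[12:1] & 0xf0) >> 2) + $pos:$size] = 0x$chunk"
        if [ -n "$expr" ]; then expr="$expr and $term"; else expr="$term"; fi
        pos=$(( pos + size ))
    done
    printf '%s\n' "$expr"
}

# Usage (the string from this thread; interface name is a placeholder):
#   tcpdump -nn -s 1500 -i eth0 "$(payload_filter 'GET /cgi-bin/phf')"
```

Because the match is positional, a request whose first segment carries only part of the line, or a string that appears later in the payload, is not seen; that is the limitation that makes a signature engine such as Snort the better fit for content matching.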
