RE: TCP Dump Filters
From: Novak, Judy H. (Judy.Novak@jhuapl.edu) Date: 12/27/01
- Previous message: Ivan Hernandez Puga: "RE: questions about a home network"
- Maybe in reply to: JCFontelera@SolanoCounty.com: "TCP Dump Filters"
From: "Novak, Judy H." <Judy.Novak@jhuapl.edu> To: "'Stover, S.f.'" <sstover@enterasys.com>, Derek Walker <derwalke@cisco.com> Date: Thu, 27 Dec 2001 07:47:33 -0500
Sam, et al,
As Crist Clark replied, you can kluge together TCPdump filters for
examination of payload, but I wouldn't suggest doing so. For one, you have
to capture the entire snap length for the packet and frame (1514 because
TCPdump, by default, captures the frame header for Ethernet) and as Crist
mentions, you have to know exactly where in the packet the text falls. As
well, TCPdump can only span up to 4 bytes for a filter so you would have to
have multiple filters to capture longer strings.
I believe the best use of TCPdump is along with a signature-based IDS that
examines payload. TCPdump is good at providing an audit trail of activity
into and out of the network by capturing header information. In this
manner, it can help validate alerts generated by the IDS to discover what
happened before and after the alert was triggered. Additionally, it can be
used to partially capture events (54 bytes of IP datagram, by default) for
which there is no IDS signature. So, I wouldn't attempt to use TCPdump as
the only "IDS-like" tool in a network. Even the Shadow NID which is based
on TCPdump examines only fields found in headers.
Judy Novak
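Judy's two points above (a BPF comparison covers at most 4 bytes, and the string must sit at a known position) can be seen in an added Python example that is not part of this thread: it generates the chunked tcpdump expression for a string such as Sam's "GET /cgi-bin/phf" and mirrors the same comparison offline against a constructed TCP segment. The function names, the constructed segment and the use of `((tcp[12]&0xf0)>>2)` to locate the payload are my own choices, not something from the thread.

```python
import struct

HDR_LEN = "((tcp[12]&0xf0)>>2)"  # BPF idiom: TCP header length from the data-offset nibble

def _chunks(needle: bytes):
    """Split `needle` into the 4-, 2- and 1-byte loads BPF can compare."""
    pos = 0
    while pos < len(needle):
        width = next(w for w in (4, 2, 1) if pos + w <= len(needle))
        yield pos, width, int.from_bytes(needle[pos:pos + width], "big")
        pos += width

def bpf_payload_filter(needle: bytes, payload_offset: int = 0) -> str:
    """Build a tcpdump expression matching `needle` at a fixed byte position
    in the TCP payload.  Each comparison covers at most 4 bytes, so a longer
    string becomes several ANDed tests; the payload start is located from
    the TCP data offset instead of being assumed to be 20 bytes in."""
    if not needle:
        raise ValueError("needle must not be empty")
    tests = [f"tcp[{HDR_LEN}+{payload_offset + pos}:{w}] = 0x{val:0{2 * w}x}"
             for pos, w, val in _chunks(needle)]
    return "tcp and " + " and ".join(tests)

def matches(segment: bytes, needle: bytes, payload_offset: int = 0) -> bool:
    """Evaluate the same chunked comparison offline on a raw TCP segment
    (header + payload); a load past the end of the packet fails, as in BPF."""
    if len(segment) < 20:
        return False
    start = ((segment[12] & 0xF0) >> 2) + payload_offset
    for pos, w, val in _chunks(needle):
        piece = segment[start + pos:start + pos + w]
        if len(piece) < w or int.from_bytes(piece, "big") != val:
            return False
    return True

def make_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample segment: a minimal TCP header (checksum left zero,
    data offset derived from the option length) followed by `payload`."""
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,
                         data_offset << 4, 0x18, 8192, 0, 0)
    return header + options + payload

if __name__ == "__main__":
    print(bpf_payload_filter(b"GET /cgi-bin/phf"))
    seg = make_tcp_segment(b"GET /cgi-bin/phf HTTP/1.0\r\n")
    print(matches(seg, b"GET /cgi-bin/phf"))  # True; shifting the text by one byte breaks the match
```

The generated expression can be passed to tcpdump as a filter, but, as Judy says, it only fires when the text starts exactly at the chosen payload offset, so it is a validation aid rather than a substitute for a payload-inspecting IDS.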
-----Original Message-----
From: Stover, S.f. [mailto:sstover@enterasys.com]
Sent: Friday, December 21, 2001 6:10 PM
To: Derek Walker
Cc: Mark Coleman; JCFontelera@SolanoCounty.com;
focus-ids@securityfocus.com
Subject: Re: TCP Dump Filters
True, but can you FILTER on the contents of the payload? That was the
original question I believe. A man on TCPdump shows me that you can
filter on all kinds of packet characteristics like port, IP (host &
net), TCP flags, options, length, etc. etc., but not on whether or not
there is a "GET /cgi-bin/phf" in the payload. If I'm correct, this
would be a major drawback in the use of TCPdump as an IDS engine. If
you can't filter packets on payload content, you can't write real
filters for attack signatures (outside of aberrant packet
characteristics). Anyone know for sure if TCPdump can do this?? Judy??
SfS
Derek Walker wrote:
> TCP dump can be given arguments as to how much of each packet to capture.
> With a snaplen of 1500 for instance, you will always capture pretty much
> the whole packet.
>
> D.
>
> On Thu, 20 Dec 2001, Mark Coleman wrote:
>
>
>>I believe that TCPDump just grabs packet headers, so it can't watch for
>>anything in the payload, thus making it a poor choice for IDS beyond layer
>>4.
>>
>>I have seen it used to detect connections to boxen that should never happen
>>for example, but NOT to see that an email attachment is called README.EXE.
>>
>>I may be wrong on this one, but I don't think I am. You need something like
>>Snort for any good payload monitoring.
>>
>>-Mark
>>
>>
>>----- Original Message -----
>>From: <JCFontelera@SolanoCounty.com>
>>To: <focus-ids@securityfocus.com>
>>Sent: Wednesday, December 19, 2001 4:25 PM
>>Subject: TCP Dump Filters
>>
>>
>>
>>>Does anyone know a good web site that explains how
>>>to create TCPDUMP or windump filters to detect all sorts of
>>>attack signatures ?
>>>
>>>Thanks,
>>>Jaime
>>>
>>
>