TCPdump & Snort - Intrusion Detection Systems

More documents

Recommendations

Info

Interpreting TCPdump output Output contains IP header followed by payload Payload may be any embedded protocol: TCP, UDP, . . . Capture size is set to 96 (default, may differ) Includes 14 bytes for MAC header (Ethernet frame) Switch -s changes size (e. g. -s 1514 ) Interpreting a hex dump 4500 0048 9799 4000 4011 10b5 c10b 6029 c10a b017 a976 0035 0034 929c 3c5d 0100 0001 0000 0000 000235 3703 3133 3603 3137 3802 3431 0769 6e2d 6164 6472 0461 7270 6100 000c 0001 Protocol IP length IP protocol version UDP destination port UDP length UDP payload start TCPdump & Snort Thomas Fischer February 3, 2010 Page 4
Wireshark Previously know as Ethereal Graphical tool to read and analyze TCPdump output 1. Capture and dump traffic with tcpdump -w file.dump 2. Open file with Wireshark to get graphical representation TCPdump & Snort Thomas Fischer February 3, 2010 Page 5
Page 1 and 2: TCPdump & Snort Intrusion Detection
Page 3: Starting with TCPdump TCPdump is a
Page 7 and 8: Writing TCPdump Filters II Bitmask
Page 9 and 10: About Snort Network Intrusion Detec
Page 11 and 12: Configuring Snort Central configura
Page 13 and 14: Preprocessors II Stream5 tracks ses
Page 15 and 16: Snort Rules I General syntax of rul
Page 17 and 18: Internal Rule Options msg: "some lo
Page 19 and 20: Rule Options for Payload II Modifie
Page 21 and 22: Rule Options for Non-Payload I frag
Page 23 and 24: Rule Options after Detection I logt
Page 25 and 26: Tips for Writing Rules Rules should
Page 27 and 28: Output II Logging to Unix socket ou
Page 29 and 30: Inline Mode with IPtables Inline Mo
Page 31 and 32: Visual Examples FTP security proble
Page 37 and 38: Visual Example: Byte Jump content:"
Page 47 and 48: Examples II alert tcp $EXTERNAL_NET
Page 49 and 50: Examples IV alert tcp $EXTERNAL_NET

TCPdump & Snort - Intrusion Detection Systems

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?