Security Basics mailing list archives
Re: Strange Packet logs in ipchains
From: Bear Giles <bgiles () coyotesong com>
Date: Wed, 26 Mar 2003 13:30:16 -0700
Sam Dirk wrote:
> The packets were seen three times over the course of the day but lasted
> for only one - two seconds so it was impossible to get a tcpdump.

Use snort, or something similar to it, and set it up on a box without ipchains filtering. Set up rules that are essentially the complement of your firewall rules, and you'll catch all traffic that the firewalls are rejecting. There's then no need to run tcpdump explicitly (or hit yourself in the head when you realize that tcpdump is running behind the packet filtering so it would never record anything).
You can even take this to an extreme - set it up on your firewall(s) and log ALL traffic trying to enter or leave your network. Let another process prune out the expected traffic, then examine what's left....
Bear
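The "log everything on an unfiltered box, then prune the expected traffic" approach in the reply above, as an added example that is not part of Bear's post and is not snort or ipchains code: a small Python pruner that reads tcpdump-style capture lines and drops only the flows an ipchains-like ACCEPT policy would have passed, leaving the complement for a human to look at. The 192.0.2.0/24 home network, the POLICY table and the capture lines are all constructed for this example. Anything the parser cannot understand (ARP, ICMP, odd lines) is kept rather than pruned, so the pruning step can never hide traffic from you.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed "inside" network for the example (not the poster's network).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed stand-in for the firewall's ACCEPT rules, i.e. the traffic we
# consider expected. ("in", proto, port)  = outside host -> inside service port
#                    ("out", proto, port) = inside host  -> outside service port
# Everything NOT covered here is the complement we want to see.
POLICY = {
    ("in", "tcp", 22), ("in", "tcp", 80), ("in", "tcp", 443), ("in", "udp", 53),
    ("out", "tcp", 80), ("out", "tcp", 443), ("out", "udp", 53),
}

# Matches the TCP/UDP shape of `tcpdump -n` IPv4 output. ARP, ICMP and other
# lines deliberately do not match, so they are reported instead of dropped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


@dataclass(frozen=True)
class Packet:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag string such as "S" or "S."; empty for UDP


def parse_line(line: str) -> Optional[Packet]:
    """Parse one capture line; return None for anything that is not plain TCP/UDP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("Flags"):
        proto, flags = "tcp", (FLAGS_RE.search(rest) or [None, ""])[1]
    elif rest.startswith("UDP"):
        proto, flags = "udp", ""
    else:
        return None
    return Packet(m.group("ts"), proto, m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), flags)


def is_expected(pkt: Packet) -> bool:
    """True if the constructed policy would accept this packet as a request or a reply leg."""
    src_in = ipaddress.ip_address(pkt.src) in HOME_NET
    dst_in = ipaddress.ip_address(pkt.dst) in HOME_NET
    if src_in == dst_in:
        return False  # purely internal or purely external traffic is not this sniffer's job
    # A stateless complement would otherwise treat any packet *from* a service
    # port as a reply; a bare SYN from a service port is a new connection, not a reply.
    bare_syn = pkt.proto == "tcp" and pkt.flags == "S"
    if dst_in:  # outside -> inside
        return (("in", pkt.proto, pkt.dport) in POLICY
                or (("out", pkt.proto, pkt.sport) in POLICY and not bare_syn))
    # inside -> outside
    return (("out", pkt.proto, pkt.dport) in POLICY
            or (("in", pkt.proto, pkt.sport) in POLICY and not bare_syn))


def prune(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Drop expected traffic; return (reason, line) for everything left over."""
    leftovers = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        pkt = parse_line(line)
        if pkt is None:
            leftovers.append(("unparsed", line))
        elif not is_expected(pkt):
            leftovers.append(("unexpected", line))
    return leftovers


# Constructed capture lines in tcpdump -n style (sample data, not a real capture).
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [S], seq 10, win 64240, length 0",
    "12:00:01.000002 IP 192.0.2.10.80 > 198.51.100.7.51234: Flags [S.], seq 20, ack 11, win 65535, length 0",
    "12:00:02.000001 IP 198.51.100.7.51234 > 192.0.2.10.23: Flags [S], seq 30, win 64240, length 0",
    "12:00:03.000001 IP 203.0.113.9.40000 > 192.0.2.10.1434: UDP, length 376",
    "12:00:04.000001 IP 203.0.113.9.80 > 192.0.2.10.60000: Flags [S], seq 40, win 1024, length 0",
    "12:00:05.000001 IP 192.0.2.10.40001 > 203.0.113.9.53: UDP, length 40",
    "12:00:06.000001 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
]

if __name__ == "__main__":
    # Feed `tcpdump -n -l` output in instead of SAMPLE_CAPTURE to use it for real.
    for reason, line in prune(SAMPLE_CAPTURE):
        print(f"{reason:10s} {line}")
```

The POLICY set is the same allowlist that the sniffer's rules would encode as their complement; keeping it as one table makes it easy to diff against the real ipchains ACCEPT rules so the two never drift apart. Of the seven sample lines, the pruner keeps four: the telnet attempt, the UDP/1434 datagram, the bare SYN arriving from source port 80 (which a naive "replies are expected" rule would have discarded), and the ARP line it could not parse.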
Current thread:
- Strange Packet logs in ipchains Sam Dirk (Mar 26)
- Re: Strange Packet logs in ipchains Vic Parat (NSS) (Mar 27)
- Re: Strange Packet logs in ipchains Bear Giles (Mar 27)
- RE: Strange Packet logs in ipchains Burton M. Strauss III (Mar 27)
- <Possible follow-ups>
- Re: Strange Packet logs in ipchains Paris Stone (Mar 27)
- RE: Strange Packet logs in ipchains Mike Heitz (Mar 27)
- RE: Strange Packet logs in ipchains Gwydion Mine (Mar 28)