Security Basics mailing list archives

Re: Strange Packet logs in ipchains


From: Bear Giles <bgiles () coyotesong com>
Date: Wed, 26 Mar 2003 13:30:16 -0700

Sam Dirk wrote:
> The packets
> were seen three times over the course of the day but lasted
> for only one - two seconds so it was impossible to get a
> tcpdump.

Use snort, or something similar to it, and set it up on a box without ipchains filtering. Set up rules that are essentially the complement of your firewall rules, and you'll catch all traffic that the firewalls are rejecting. There's then no need to run tcpdump explicitly (or hit yourself in the head when you realize that tcpdump is running behind the packet filtering so it would never record anything).

You can even take this to an extreme - set it up on your firewall(s) and log ALL traffic trying to enter or leave your network. Let another process prune out the expected traffic, then examine what's left....

Bear
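The "log everything, then let another process prune out the expected traffic" approach from the reply above, as an added example that is not part of the original post. The accept policy, the one-line-per-packet record format and the sample log lines are all constructed for illustration; a real deployment would feed it records exported from snort or tcpdump instead. The rule list is the firewall's accept policy, so whatever does not match it is exactly the traffic the packet filter would have dropped.

```python
"""Prune expected traffic from a full capture log, leaving the packets the
firewall would have rejected.  Added example; EXPECTED, LINE_RE and
SAMPLE_LOG are constructed for illustration, not taken from any tool."""
import ipaddress
import re
from collections import Counter

# Hypothetical accept policy mirroring the firewall: (proto, dst network, dst port).
# A dst port of None means "any port" on that network.
EXPECTED = [
    ("tcp", ipaddress.ip_network("10.0.0.0/24"), 80),
    ("tcp", ipaddress.ip_network("10.0.0.0/24"), 443),
    ("udp", ipaddress.ip_network("10.0.0.53/32"), 53),
]

# Constructed record format: "<proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<proto>[a-z]+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Turn one record into a dict, or return None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "proto": m["proto"],
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        }
    except ValueError:  # malformed address in an otherwise well-shaped line
        return None


def is_expected(pkt, rules=EXPECTED):
    """True if the packet matches any accept rule, i.e. the firewall would pass it."""
    for proto, net, port in rules:
        if pkt["proto"] == proto and pkt["dst"] in net and (port is None or pkt["dport"] == port):
            return True
    return False


def prune(lines, rules=EXPECTED):
    """Return (unexpected packets, count of unparseable lines).

    Unparseable lines are counted rather than silently dropped so a change in
    the capture tool's output format does not quietly hide traffic."""
    kept, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt is None:
            skipped += 1
            continue
        if not is_expected(pkt, rules):
            kept.append(pkt)
    return kept, skipped


def summarize(pkts):
    """Count leftovers by (proto, dst port) so repeated probes stand out."""
    return Counter((p["proto"], p["dport"]) for p in pkts)


# Constructed sample capture: a mix of accepted services, probes and one junk line.
SAMPLE_LOG = """\
tcp 192.0.2.10:51000 -> 10.0.0.5:80
udp 192.0.2.11:4000 -> 10.0.0.53:53
tcp 192.0.2.12:51001 -> 10.0.0.5:22
tcp 192.0.2.13:51002 -> 10.0.0.9:443
udp 192.0.2.14:1434 -> 10.0.0.5:1434
icmp 192.0.2.15:0 -> 10.0.0.5:0
this line is not a packet record
tcp 192.0.2.16:51003 -> 10.0.0.7:22
"""

if __name__ == "__main__":
    leftovers, bad = prune(SAMPLE_LOG.splitlines())
    for p in leftovers:
        print(f"unexpected: {p['proto']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
    print("by (proto, dport):", dict(summarize(leftovers)))
    print("unparseable lines:", bad)
```

Because the script looks only at what the accept policy does not cover, it sees the short bursts the original poster could not catch by hand, as long as the capturing box sits in front of the filter rather than behind it.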

