Re: Detecting break-ins

To: debian-security@lists.debian.org
Subject: Re: Detecting break-ins
From: Yotam Rubin <yotam@makif.omer.k12.il>
Date: Wed, 16 Jan 2002 16:58:33 +0200
Message-id: <[🔎] 20020116145833.GA4010@insomnia17>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20020115200407.GC1815@zhadum.bjavor.d2g.com>
References: <[🔎] 20020115200407.GC1815@zhadum.bjavor.d2g.com>

On Tue, Jan 15, 2002 at 09:04:07PM +0100, Balazs Javor wrote:
> Hi,
> 
> Recently I've installed some IP logging deamons
> (snort, ippl along with logcheck) and I was amazed

Strangely, ippl is an extremely popular tool. Using ippl is inadvisable, it
provides a false sense of information. ippl is unversatile, the filter 
language is too simple to allow complex operations. 
 * ippl is limited only to UDP and TCP. 
 * ippl logs only TCP syn packets, many port scanners apply scanning methods 
    which include the transmission of non-syn packets. If these methods are 
    used, ippl will not detect them.
 * Finally, ippl provides little information about connection attempts.
 
Perhaps you should consider using alternative tools, such as argus.

	Regards, Yotam Rubin

Reply to:

Follow-Ups:
- Re: Detecting break-ins
  - From: Alvin Oga <aoga@Maggie.Linux-Consulting.com>
- Re: Detecting break-ins
  - From: "Noah L. Meyerhans" <frodo@morgul.net>

References:
- Detecting break-ins
  - From: Balazs Javor <jb3@freemail.hu>

Prev by Date: Help with Firewall section in the Debian Security Manual
Next by Date: Re: Detecting break-ins
Previous by thread: Re: Detecting break-ins
Next by thread: Re: Detecting break-ins
Index(es):
- Date
- Thread