Re: Detecting break-ins
On Tue, Jan 15, 2002 at 09:04:07PM +0100, Balazs Javor wrote:
> Hi,
>
> Recently I've installed some IP logging daemons
> (snort, ippl along with logcheck) and I was amazed
Strangely, ippl is an extremely popular tool. Using ippl is inadvisable; it
provides a false sense of information. ippl is not versatile: the filter
language is too simple to allow complex operations.
* ippl is limited to UDP and TCP only.
* ippl logs only TCP SYN packets; many port scanners apply scanning methods
which involve the transmission of non-SYN packets. If these methods are
used, ippl will not detect them.
* Finally, ippl provides little information about connection attempts.
Perhaps you should consider using alternative tools, such as argus.
Regards, Yotam Rubin
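To make the second point concrete, here is an added example (not code from this thread, from ippl or from argus): a small Python script that parses a constructed tcpdump-style capture, classifies each inbound probe by its TCP flag combination (or by transport for UDP and ICMP), and compares what a logger that records only TCP SYN packets would have seen against a flag-aware one. The line format is assumed to be that of `tcpdump -n`; the sample capture, the host addresses and the function names are all constructed for the example.

```python
"""Why a SYN-only logger under-reports port scans.

Added example: parses constructed tcpdump-style lines, classifies each
probe by TCP flag combination (or by transport for UDP/ICMP), and shows
which probes a logger that records only TCP SYN packets never sees.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample capture (tcpdump -n style, hypothetical hosts): one
# source probing several ports with the probe types scanners commonly use
# (SYN, FIN, Xmas, NULL, ACK, UDP, ICMP echo), plus one normal SYN/ACK reply.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.40001 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000002 IP 10.0.0.5.40002 > 192.0.2.10.80: Flags [F], seq 1, win 1024, length 0
12:00:01.000003 IP 10.0.0.5.40003 > 192.0.2.10.443: Flags [FPU], seq 1, win 1024, length 0
12:00:01.000004 IP 10.0.0.5.40004 > 192.0.2.10.25: Flags [none], seq 1, win 1024, length 0
12:00:01.000005 IP 10.0.0.5.40005 > 192.0.2.10.139: Flags [.], ack 1, win 1024, length 0
12:00:01.000006 IP 10.0.0.5.40006 > 192.0.2.10.53: UDP, length 12
12:00:01.000007 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 8
12:00:01.000008 IP 192.0.2.10.22 > 10.0.0.5.40001: Flags [S.], seq 9, ack 2, win 65535, length 0
"""

# Greedy \S+ backtracks to the last dot, so "10.0.0.5.40001" splits into host and port.
TCP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
UDP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")
ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP ([^,]+)")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for ICMP
    flags: str            # tcpdump flag letters for TCP ("S", "F", "FPU", ".", "none"), else ""


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump -n line; returns None for lines the parser does not understand."""
    m = TCP_RE.match(line)
    if m:
        src, _, dst, dport, flags = m.groups()
        return Packet(src, dst, "tcp", int(dport), flags)
    m = UDP_RE.match(line)
    if m:
        src, _, dst, dport = m.groups()
        return Packet(src, dst, "udp", int(dport), "")
    m = ICMP_RE.match(line)
    if m:
        src, dst, _ = m.groups()
        return Packet(src, dst, "icmp", None, "")
    return None


def parse_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(line) for line in text.splitlines()) if p]


# Exact tcpdump flag strings -> probe type. Matching the whole string means a
# "S." (SYN/ACK, a normal reply) is never mistaken for a SYN probe.
PROBE_TYPES = {"S": "syn", "F": "fin", "FPU": "xmas", "none": "null", ".": "ack"}


def classify(pkt: Packet) -> str:
    if pkt.proto == "tcp":
        return PROBE_TYPES.get(pkt.flags, "other-tcp")
    return pkt.proto  # "udp" or "icmp"


def syn_only_log(packets: List[Packet]) -> List[Tuple[str, Optional[int], str]]:
    """What a logger restricted to TCP SYN packets records."""
    return [(p.dst, p.dport, "syn") for p in packets if p.proto == "tcp" and p.flags == "S"]


def flag_aware_log(packets: List[Packet]) -> List[Tuple[str, Optional[int], str]]:
    """Record every probe type, ignoring only TCP segments that are not known probes (e.g. replies)."""
    return [(p.dst, p.dport, classify(p)) for p in packets if classify(p) != "other-tcp"]


def missed_by_syn_only(packets: List[Packet]) -> List[Tuple[str, Optional[int], str]]:
    """Probes the flag-aware logger records that the SYN-only logger does not."""
    return [entry for entry in flag_aware_log(packets) if entry[2] != "syn"]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print("SYN-only logger saw:", syn_only_log(pkts))
    for dst, dport, kind in missed_by_syn_only(pkts):
        print(f"missed by SYN-only logging: {kind} probe to {dst}:{dport}")
```

On the sample capture the SYN-only view reports a single connection attempt to port 22, while the flag-aware view also records the FIN, Xmas, NULL and ACK probes and the UDP and ICMP traffic; the SYN/ACK reply from the target is correctly left out of both. Classifying on the exact flag set rather than on "SYN bit present" is the part that matters: a logger keyed on the SYN bit alone would log the reply as a probe and still miss every non-SYN scan.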