[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Detecting break-ins

On Tue, Jan 15, 2002 at 09:04:07PM +0100, Balazs Javor wrote:
> Hi,
> Recently I've installed some IP logging deamons
> (snort, ippl along with logcheck) and I was amazed

Strangely, ippl is an extremely popular tool. Using ippl is inadvisable, it
provides a false sense of information. ippl is unversatile, the filter 
language is too simple to allow complex operations. 
 * ippl is limited only to UDP and TCP. 
 * ippl logs only TCP syn packets, many port scanners apply scanning methods 
    which include the transmission of non-syn packets. If these methods are 
    used, ippl will not detect them.
 * Finally, ippl provides little information about connection attempts.
Perhaps you should consider using alternative tools, such as argus.

	Regards, Yotam Rubin

Reply to: