
Re: Detecting break-ins

On Wed, Jan 16, 2002 at 04:58:33PM +0200, Yotam Rubin wrote:
> Strangely, ippl is an extremely popular tool. Using ippl is inadvisable; it
> provides a false sense of information. ippl is unversatile: the filter
> language is too simple to allow complex operations.

I tend to agree with your assessment of it as a security tool.  It is
too easy to bypass its logging (a FIN scan (-sF) in nmap will do it).

However, I still think it's quite useful, and I tend to run it on most
of my systems.  It is very simple to set up, and provides some
interesting, concise logs about what traffic is reaching your machine
and where it's coming from.

>  * ippl is limited only to UDP and TCP. 

And ICMP.  What else did you have in mind?

>  * Finally, ippl provides little information about connection attempts.

To me that's often a benefit.  It's concise.  Often, while reading my
ippl logs, I'll see something that indicates that some unusual traffic
showed up, and I should check my snort logs.

> Perhaps you should consider using alternative tools, such as argus.

Provided you recognize IPPL's capabilities and limitations, it can be a
very useful tool.  As always, it can be dangerous if misused.


| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Attachment: pgpCNbXhhqrXG.pgp
Description: PGP signature
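The workflow described in the reply above (skim the concise ippl logs, and when one source shows up against many ports, go and read the snort logs for that address) is easy to script. The following is an added example and not code from the original post or from the ippl project: the log format is an assumed ippl-like layout and the sample lines are constructed, so the regular expression would need adjusting to match a real ippl log.

```python
"""Triage ippl-style connection logs: summarise per source, flag port sweeps."""
import re
from collections import defaultdict

# Constructed sample in an ASSUMED ippl-like format (not copied from real ippl
# output). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 16 17:01:02 TCP connection attempt to ssh (22) from 192.0.2.10
Jan 16 17:01:03 TCP connection attempt to ssh (22) from 192.0.2.10
Jan 16 17:05:41 TCP connection attempt to smtp (25) from 198.51.100.7
Jan 16 17:09:10 TCP connection attempt to unknown (111) from 203.0.113.5
Jan 16 17:09:10 TCP connection attempt to unknown (135) from 203.0.113.5
Jan 16 17:09:11 TCP connection attempt to unknown (139) from 203.0.113.5
Jan 16 17:09:11 TCP connection attempt to unknown (445) from 203.0.113.5
Jan 16 17:09:12 TCP connection attempt to unknown (1433) from 203.0.113.5
Jan 16 17:10:00 UDP datagram to domain (53) from 198.51.100.7
Jan 16 17:12:30 ICMP message type echo request from 192.0.2.10
"""

# Matches the assumed TCP/UDP line shape: timestamp, protocol, free text,
# "(port)", then "from <source>". ICMP lines carry no port and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<proto>TCP|UDP) \S+ .*?\((?P<port>\d+)\) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, proto, port, src) for a TCP/UDP line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["proto"], int(m["port"]), m["src"]


def summarize(log_text):
    """Map each source address to the set of (proto, port) pairs it touched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # ICMP lines and anything unparsable are not counted
        _, proto, port, src = parsed
        hits[src].add((proto, port))
    return dict(hits)


def flag_port_sweeps(summary, min_ports=4):
    """Sources that touched at least min_ports distinct ports.

    This is the 'unusual traffic' cue that justifies reading the fuller
    snort logs for that address; the threshold is a tuning choice.
    """
    return sorted(src for src, ports in summary.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, ports in sorted(summary.items()):
        print(f"{src}: {sorted(ports)}")
    print("check snort logs for:", flag_port_sweeps(summary))
```

Note that, as the reply points out, this only ever sees what ippl logged in the first place: a source that never completes a normal connection attempt will not appear in the summary at all, which is why the ippl view is a cue for further reading rather than a record of everything that reached the host.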
