On Wed, Jan 16, 2002 at 04:58:33PM +0200, Yotam Rubin wrote:
>
> Strangely, ippl is an extremely popular tool. Using ippl is inadvisable, it
> provides a false sense of information. ippl is unversatile, the filter
> language is too simple to allow complex operations.

I tend to agree with your assessment of it as a security tool. It is too
easy to bypass its logging (a FIN scan (-sF) in nmap will do it easily).
However, I still think it's quite useful, and I tend to run it on most of
my systems. It is very simple to set up, and provides some interesting,
concise logs about what traffic is reaching your machine and where it's
coming from.

> * ippl is limited only to UDP and TCP.

And ICMP. What else did you have in mind?

> * Finally, ippl provides little information about connection attempts.

To me that's often a benefit. It's concise. Often, while reading my ippl
logs, I'll see something that indicates that some unusual traffic showed
up, and I should check my snort logs.

>
> Perhaps you should consider using alternative tools, such as argus.
>

Provided you recognize IPPL's capabilities and limitations, it can be a
very useful tool. As always, it can be dangerous if misused.

noah

--
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
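As an added example that is not part of the original message or of ippl itself, the Python below shows why a logger that records only SYN-initiated connection attempts (the weakness the reply attributes to ippl) never sees a FIN scan, and the flag-based check a defender can run over packet headers to catch one. The addresses, ports, packet records and the three-port threshold are constructed for this example; the "SYN-only logger" is an illustrative assumption, not a description of ippl's code.

```python
# Added example, not from the mailing-list post or from ippl.
# Classifies TCP packets by flag bits and contrasts what a SYN-only
# connection logger records with a check that also catches FIN/NULL/Xmas
# probes. All packet data below is constructed.

from collections import defaultdict

# TCP header flag bits (low byte of the flags field, RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify(flags):
    """Label a TCP packet by its flag combination.

    'connect'    : SYN without ACK, the start of a normal handshake
    'fin-probe'  : FIN alone (no ACK/SYN/RST), the nmap -sF pattern
    'null-probe' : no flags at all (nmap -sN)
    'xmas-probe' : FIN+PSH+URG (nmap -sX)
    'session'    : anything carrying ACK, i.e. part of an existing connection
    'other'      : remaining combinations (bare RST, SYN+ACK replies, ...)
    """
    if flags == 0:
        return "null-probe"
    if flags == FIN | PSH | URG:
        return "xmas-probe"
    if flags == FIN:
        return "fin-probe"
    if flags & SYN and not flags & ACK:
        return "connect"
    if flags & ACK:
        return "session"
    return "other"


def syn_only_log(packets):
    """What a logger that records only connection attempts would write.

    Assumption (illustrative): such a logger keys on the SYN flag, so bare
    FIN/NULL/Xmas probes never appear in its output.
    """
    return [(src, dst, port) for src, dst, port, flags in packets
            if classify(flags) == "connect"]


def stealth_probe_sources(packets, min_ports=3):
    """Return sources that sent FIN/NULL/Xmas probes to at least `min_ports`
    distinct ports. A single stray FIN (e.g. a late packet for a connection
    the host forgot) stays below the threshold; a scan does not."""
    ports_by_src = defaultdict(set)
    for src, _dst, port, flags in packets:
        if classify(flags).endswith("-probe"):
            ports_by_src[src].add(port)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


# Constructed sample: (src_ip, dst_ip, dst_port, tcp_flags), client-to-server only.
SAMPLE_PACKETS = [
    # a legitimate SSH client: handshake, data, orderly close (FIN carries ACK)
    ("192.0.2.10", "198.51.100.5", 22, SYN),
    ("192.0.2.10", "198.51.100.5", 22, ACK),
    ("192.0.2.10", "198.51.100.5", 22, PSH | ACK),
    ("192.0.2.10", "198.51.100.5", 22, FIN | ACK),
    # a FIN scan from another host: bare FIN to several ports, no SYN ever sent
    ("203.0.113.7", "198.51.100.5", 21, FIN),
    ("203.0.113.7", "198.51.100.5", 25, FIN),
    ("203.0.113.7", "198.51.100.5", 80, FIN),
    ("203.0.113.7", "198.51.100.5", 443, FIN),
    # one stray FIN from a third host, below the scan threshold
    ("192.0.2.44", "198.51.100.5", 80, FIN),
]


if __name__ == "__main__":
    print("SYN-only logger sees:", syn_only_log(SAMPLE_PACKETS))
    print("Stealth-probe check flags:", stealth_probe_sources(SAMPLE_PACKETS))
```

Run as-is, the SYN-only view reports one connection attempt (the SSH client) and nothing about 203.0.113.7, while the probe check reports that host hitting four ports with bare FINs. The orderly FIN+ACK close of the real session is not counted, which is the distinction a flag-only logger needs to make.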