ONJava.com -- The Independent Source for Enterprise Java
Article:   Detecting Network Intrusions with Packet Filtering
Subject:   Filtering Outbound Traffic
Date:   2006-10-18 20:21:15
From:   J.Butler
In the filter:
-nXvSs 0 tcp and src net 10.10 and src port (21 or 22 or 25 or 80 or 8080) and tcp[13] = 18
shouldn't src port (21.. in fact be dst port, since these server ports are on the destination servers?


Also, shouldn't the filter
-nXvSs 0 tcp and src net 10.10 and tcp[0:2] > 1024 and tcp[13] = 18
be rewritten as
-nXvSs 0 tcp and dst net 10.10 and tcp[2:0] > 1024 and tcp[13] = 18


Thanks