Using TCPdump with NIDS

There is little point setting up a complicated and expensive NIDS (Network Intrusion Detection System) if you don't analyse the information it provides. One of the most popular and useful tools to help with this task is TCPdump, which has a host of uses, especially when run alongside a signature-based detection system. When a signature-based NIDS flags a potential attack it is normally because one of its pre-defined signatures has matched the traffic. Usually the system alerts on the initial activity and captures some of the traffic that matched its signature files.


Although this is an effective way of picking up malicious packets entering a network, there are some drawbacks. Anyone who has ever used a signature-based intrusion detection system will know the major one: false alerts. These are more generally known as false positives and occur when a signature matches ordinary, non-malicious traffic. Depending on how well the NIDS is tuned they can occur very frequently, and they usually result from signatures that are not specific enough. Another cause is a packet being analysed out of context, that is, without regard to the packets that precede and follow it.

This is where TCPdump, or a similar tool running in the background, is so useful. Its primary job is to capture all the traffic passing through the network and the NIDS, and it can also be configured to capture only specific parts of the data, for example with a capture filter that selects particular hosts or ports. You can use this record to analyse the origin, destination and content of a packet, and leave the NIDS to match the data against its signatures.

When a false positive is received you can use the data captured by TCPdump to distinguish real alerts from false ones. This is invaluable in the assessment phase and can be used both to identify real attacks and to improve the effectiveness of the intrusion detection system. Most commercial NIDS and all open-source ones give access to the signature files, so you can use the captured data to improve detection by modifying the signatures and customising them to a particular environment. For example, if you have users who are legitimately streaming content, perhaps watching BBC iPlayer in Ireland over a VPN, you can exclude those events within the signature files.
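The workflow described in the two paragraphs above, as an added example that is not part of the original post: take the alert the NIDS produced (timestamp, 5-tuple and the content that matched) and pull the whole conversation around it out of the background capture, so the packet can be judged in context rather than on its own. The libpcap reader below is standard-library Python only, handles Ethernet/IPv4/TCP, and prints tcpdump-style summary lines. The capture, the alert and the "../../etc/passwd" signature content are constructed for the example; the flow it contains is a hypothetical directory-traversal probe answered with a 404.

```python
"""Pull the traffic around a NIDS alert out of a tcpdump capture (stdlib only)."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAG_CHARS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U")]


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with only the fields the reader needs (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(records):
    """Serialise (timestamp, frame) pairs into a libpcap byte string (what tcpdump -w writes)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_frame(ts, frame):
    """Decode Ethernet/IPv4/TCP; return None for anything else (ARP, UDP, IPv6, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:   # IP protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"ts": ts, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": tcp[13], "payload": tcp[data_off:]}


def read_pcap(data):
    """Yield decoded TCP packets from a libpcap buffer, whichever byte order wrote it."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = parse_frame(sec + usec / 1e6, data[off:off + incl])
        off += incl
        if pkt:
            yield pkt


def flow_context(packets, alert, window=5.0):
    """Packets of the alerted 5-tuple, in both directions, within +/- window seconds of the alert."""
    fwd = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
    rev = (alert["dst"], alert["dport"], alert["src"], alert["sport"])
    return [p for p in packets
            if (p["src"], p["sport"], p["dst"], p["dport"]) in (fwd, rev)
            and abs(p["ts"] - alert["ts"]) <= window]


def tcp_flags(flags):
    """Render TCP flag bits the way tcpdump does, e.g. 0x12 -> 'S.'."""
    return "".join(c for bit, c in TCP_FLAG_CHARS if flags & bit)


def summarize(pkt, content=b""):
    """One tcpdump-style line per packet, marking the packet whose payload carries the signature."""
    line = "%.6f %s.%d > %s.%d: Flags [%s], length %d" % (
        pkt["ts"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
        tcp_flags(pkt["flags"]), len(pkt["payload"]))
    if content and content in pkt["payload"]:
        line += "  <-- signature content"
    return line


def triage(pcap_bytes, alert, window=5.0):
    """Return the in-context packets and their summary lines for an alert."""
    ctx = flow_context(list(read_pcap(pcap_bytes)), alert, window)
    return ctx, [summarize(p, alert["content"]) for p in ctx]


# Constructed capture: one HTTP flow that trips a hypothetical "../../etc/passwd"
# signature, an unrelated TLS handshake, and a straggler far outside the window.
C, S = "10.0.0.5", "192.0.2.10"
REQUEST = b"GET /index.html?file=../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RESPONSE = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    (1000.000100, build_frame(C, S, 40001, 80, 0x02)),                       # SYN
    (1000.000300, build_frame(S, C, 80, 40001, 0x12)),                       # SYN/ACK
    (1000.000400, build_frame(C, S, 40001, 80, 0x10)),                       # ACK
    (1000.001000, build_frame("10.0.0.6", "192.0.2.20", 40002, 443, 0x02)), # unrelated flow
    (1000.002000, build_frame(C, S, 40001, 80, 0x18, REQUEST)),              # PSH/ACK: the alert
    (1000.004000, build_frame(S, C, 80, 40001, 0x18, RESPONSE)),             # server reply
    (1000.005000, build_frame(S, C, 80, 40001, 0x11)),                       # FIN/ACK
    (1200.000000, build_frame(C, S, 40001, 80, 0x04)),                       # RST, out of window
])
# What the NIDS hands over (constructed): when, who, and which content matched.
ALERT = {"ts": 1000.002000, "src": C, "sport": 40001, "dst": S, "dport": 80,
         "content": b"../../etc/passwd"}

if __name__ == "__main__":
    _, lines = triage(SAMPLE_PCAP, ALERT)
    print("\n".join(lines))
```

On a real sensor the capture itself comes from tcpdump, for example tcpdump -i eth0 -n -s 0 -w nids.pcap -C 100 -W 20, which rotates through twenty 100 MB files so the background capture never fills the disk, and the same flow can be pulled straight out of such a file with tcpdump -n -r nids.pcap 'host 10.0.0.5 and port 40001'. The point of printing the whole exchange is that the request alone matches the signature, while the 404 response that follows it is what tells the analyst whether the server actually served anything.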

If the alert is genuine you can use the data captured by TCPdump to assess the threat and deal with whatever follows from it. The data can also be useful in other work, including prosecutions and hardening any systems that were targeted. For example, you may discover particular servers that need patching because they are being attacked by the latest viruses in the wild. This data can be extremely useful for securing your infrastructure.

John Halfpenny

