[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

5. Usage

Here is an example command that will invoke Impost:

impost -p 500 -s /path/to/scripts/identd.pl

This will load the perl script `/path/to/scripts/identd.pl', which is supplied as an sample script in Impost's source directory. After loading the perl script, Impost will bind a socket to port 500 and act like a honey pot -- everytime a buffer is received or a connection is made a sub routine will be called in the perl script which can be used to control how Impost responds and communicates with clients.

If a script is not supplied in the command-line, Impost will not be able to respond or communicate with clients; however it will still be able to detect and analyze suspicious buffers.

  1. How can I make the buffer detection size larger?

    impost -p 100 -u 500

    Options `-u' and `--unusual' will allow you to do just that. The default value is `256' as configured in the generic configuration script supplied in with Impost. The above example will set the "suspect" buffer size to `500' -- no detections will be trigged by buffers under `500' bytes unless they contain valid operation codes.

  2. How can I monitor an existing service?

    impost --sniff -p 21

    This will enable Impost's packet sniffer and watch incoming packets destined for port `21'. Impost will use the first default device found by Libpcap.

  3. With the packet sniffer, how come I can't see incoming data from localhost?

    You need to set Impost's device setting to your systems local loopback device (for instance linux's local loopback device is `lo' and the local loopback device on OpenBSD is lo0). You can do this by specifying the `--device' option:

    impost --sniff -p 21 --device=lo0

For more info about command-line options:

See section 4. Invoking Impost.

[ << ] [ >> ]           [Top] [Contents] [Index] [ ? ]

This document was generated by ziplock on August, 13 2004 using texi2html