Usage Examples:
Here is an example command that will invoke Impost:
impost -p 500 -s /path/to/scripts/identd.pl
This will load the perl script `/path/to/scripts/identd.pl', which is supplied as a sample script in Impost's source directory. After loading the perl script, Impost will bind a socket to port 500 and act like a honey pot - every time a buffer is received or a connection is made, a subroutine in the perl script will be called, which can be used to control how Impost responds and communicates with clients.
If a script is not supplied on the command line, Impost will not be able to respond or communicate with clients; however, it will still be able to detect and analyze suspicious buffers.
Usage questions and answers:
1. How can I make the buffer detection size larger?
impost -p 100 -u 500
Options `-u' and `--unusual' will allow you to do just that. The
default value is `256' as configured in the generic configuration
script supplied with Impost. The above example will set the
"suspect" buffer size to `500' - no detections will be triggered by
buffers under `500' bytes unless they contain valid operation
codes.
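As an added illustration of the "suspect buffer" rule above (this is not Impost's own code, and Impost's actual opcode check is not described here): each buffer read from a client is flagged when it reaches the `--unusual' size, or, regardless of size, when it carries something that looks like executable code. A run of x86 NOP bytes stands in for the "valid operation codes" test as an assumption.

```python
import socket

DEFAULT_UNUSUAL = 256   # Impost's documented default for `-u' / `--unusual'
NOP_SLED_MIN = 16       # assumption: this many consecutive 0x90 bytes counts as "operation codes"


def has_nop_sled(buf: bytes, min_run: int = NOP_SLED_MIN) -> bool:
    """Stand-in for an opcode check: look for a run of x86 NOP (0x90) bytes."""
    return b"\x90" * min_run in buf


def classify_buffer(buf: bytes, unusual: int = DEFAULT_UNUSUAL) -> dict:
    """Apply the `--unusual' rule: flag if the buffer reaches the threshold,
    or if it is smaller but contains something that looks like code."""
    reasons = []
    if len(buf) >= unusual:
        reasons.append(f"length {len(buf)} reaches unusual threshold {unusual}")
    if has_nop_sled(buf):
        reasons.append("contains x86 NOP sled")
    return {"length": len(buf), "suspect": bool(reasons), "reasons": reasons}


def watch_connection(conn: socket.socket, unusual: int = DEFAULT_UNUSUAL,
                     bufsize: int = 4096) -> list:
    """Read buffers from one client until it closes; classify each buffer
    as it arrives, the way a honeypot callback would be invoked per buffer."""
    events = []
    while True:
        data = conn.recv(bufsize)
        if not data:
            break
        events.append(classify_buffer(data, unusual))
    return events


if __name__ == "__main__":
    # Constructed sample buffers, with the threshold raised to 500 as in the example.
    samples = [
        b"USER anonymous\r\n",          # short, benign
        b"A" * 499,                      # just under the threshold
        b"A" * 500,                      # at the threshold
        b"\x90" * 32 + b"B" * 64,        # small, but NOP-sled-like
    ]
    for s in samples:
        v = classify_buffer(s, unusual=500)
        print(v["length"], "suspect" if v["suspect"] else "ok", v["reasons"])
```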
2. How can I monitor an existing service?
impost --sniff -p 21
This will enable Impost's packet sniffer and watch incoming
packets destined for port `21'. Impost will use the first default
device found by Libpcap.
3. With the packet sniffer, how come I can't see incoming data from
localhost?
You need to set Impost's device setting to your system's local
loopback device (for instance, Linux's local loopback device is
`lo' and the local loopback device on OpenBSD is `lo0'). You can do
this by specifying the `--device' option:
impost --sniff -p 21 --device=lo0
FOR MORE INFORMATION PLEASE READ THE MANUAL PAGE IF YOU INSTALLED THIS PROGRAM (TYPE: `info impost') OR YOU CAN READ THE MANUAL ONLINE AT: http://impost.sourceforge.net/manual/impost.html
Email: ziplock <sickbeatz@hotmail.com>
IRC: #b4b0 on EFNet
