
SHADOW Version 1.7

Written by Bill Ralph <RalphWD@nswc.navy.mil>
Last Changed:  5 Sep 2001

This directory contains example filters for the tcpdump engine that generates
SHADOW web pages. There is one file for each IP protocol of interest:

filter.getall.doc: Used by the find_scan.pl script to identify all networks
                   to be considered as "ours."

goodhost.filter.doc: Used by the fetchem.pl script to pay special attention to
                     our infrastructure machines: mail relays, web servers,
                     DNS servers, etc.

icmp.filter.doc:     Causes little-used and problematical ICMP packets to be
                     written to the SHADOW pages.

ip.filter.doc:       Causes IP misuse, broadcasts, and IP options to be 
                     written to the SHADOW pages.

tcp.filter.doc:      Causes TCP misuse and well-known possible TCP port
                     exploits to be written to the SHADOW web pages.

udp.filter.doc:      Causes UDP misuse and well-known possible UDP port
                     exploits to be written to the SHADOW web pages.

All of the files contain comments to identify the individual characteristics
for which to look. They must all be run through 
/usr/local/SHADOW/comment_stip.pl to remove the comments before 
fetchem.pl can use them. See docs/Install.*
for more details about configuring these files.
