Chapter 12. Writing TCPdump Filters

This is the first of three chapters that discuss writing filters or signatures to detect anomalous behavior. The authors have chosen to discuss these particular filters and signatures for a couple of reasons. The first is that these signatures are available as freeware and therefore available to the masses—even the impoverished. The second is that there are so many IDS packages today that it is almost impossible to cover them all without being accused of bias or favoritism because of omissions. As a fair compromise, we have chosen this chapter to discuss TCPdump and the following two chapters to discuss Snort signatures. ...