Snort mailing list archives

RE: Snort-Machine = Security Hole?


From: Andreas Steinmetz <ast () domdv de>
Date: Fri, 13 Jul 2001 18:55:22 +0200 (CEST)

You should be careful to believe an ethernet interface with no ip address
assigned will not process any packets. Try the following on linux 2.2.19
(possibly other versions, too, but I'm running this kernel on my production
systems):

Set up a network interface with no IP address.
Use ipchains to deny and log all packets on this interface.

Send a udp packet with destination address 255.255.255.255 to this interface
and watch the firewall log.

Or, if the kernel supports multicasts, send a multicast packet to this
interface and watch the firewall log.

In both cases the firewall happily reports the packet was rejected on input
(at least on my systems) which just means that without firewalling the kernel
would have processed and delivered these packets even though there is no ip assigned
to the interface.
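As an added illustration of the check the post describes (this is not code from the post or from the Snort project), the following parses ipchains-style "Packet log:" syslog lines and lists the denied input packets that arrived on an interface without an IP address, classifying each destination as limited broadcast, multicast or unicast. The log line format and the sample lines are assumed and constructed for illustration.

```python
import ipaddress
import re

# Constructed sample syslog lines in the ipchains "Packet log:" style
# (format assumed for illustration, not copied from the original post).
SAMPLE_LOG = """\
Jul 13 18:40:01 gw kernel: Packet log: input DENY eth1 PROTO=17 10.0.0.5:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=64 (#1)
Jul 13 18:40:07 gw kernel: Packet log: input DENY eth1 PROTO=17 10.0.0.9:5353 224.0.0.251:5353 L=80 S=0x00 I=0 F=0x0000 T=255 (#1)
Jul 13 18:40:09 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:4412 10.0.0.1:22 L=60 S=0x00 I=0 F=0x0000 T=64 (#1)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? (?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?"
)


def classify_dst(dst):
    """Return 'broadcast', 'multicast' or 'unicast' for a destination address.
    Only the limited broadcast 255.255.255.255 is recognised here; a directed
    (subnet) broadcast needs a netmask, which an address-less interface lacks."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def packets_hitting_addressless(log_text, addressless_ifaces):
    """Parse ipchains-style log lines and return the denied input packets that
    arrived on an interface with no IP configured. Without the DENY rule these
    are the packets the kernel would have passed up the stack anyway."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("chain") != "input":
            continue
        if m.group("iface") not in addressless_ifaces:
            continue
        hits.append({
            "iface": m.group("iface"),
            "proto": int(m.group("proto")),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")) if m.group("dport") else None,
            "kind": classify_dst(m.group("dst")),
        })
    return hits


if __name__ == "__main__":
    for hit in packets_hitting_addressless(SAMPLE_LOG, {"eth1"}):
        print(f"{hit['iface']}: {hit['kind']} to {hit['dst']} (proto {hit['proto']})")
```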


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

