Snort mailing list archives

Re: snort opens ports?


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 04 Jan 2002 17:53:29 -0500

Well, searching the Snort FAQ (http://www.snort.org/docs/faq.html) for "port", there's no such claim... Perhaps they got confused while reading 6.21 and didn't realize it was discussing hub ports, not TCP/UDP ports.

Now there are tools that do things like this and open dummy ports: Nuke Nabber for Windows and DTK (Deception Toolkit) for *nix, and various other honeynet things come to mind... Perhaps they confused Snort with DTK or something similar. Who knows... I've made plenty of silly mistakes myself.

From what I know of Snort, it uses pcap, which means it operates in the same manner as tcpdump and gets raw Ethernet packets more or less right off the Ethernet driver. This also makes it independent of IP-stack weirdness in the OS running it, and allows it to observe attacks on other machines in the network (provided the Ethernet card picks them up).

I know of no mode that doesn't operate using pcap, and it is pretty nonsensical to operate an NIDS product by opening dummy ports. That's really closer to the domain of HIDS (host intrusion detection system, as opposed to network) products, since by opening ports you could only monitor attacks on the local host.


At 08:57 PM 1/4/2002 +0100, you wrote:
I read on another mailing list that, "according to the FAQ", Snort attaches dummy services to the ports it monitors so they may appear to be open.

This sounds distinctly incorrect to me... Is there any mode in which this could be true?


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
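The practical way to settle a question like this is to check for yourself whether the sniffer process holds any listening sockets. The script below is an added example (not code from the Snort project or from anyone in this thread): it joins the socket inodes in a process's /proc/<pid>/fd against /proc/net/tcp and reports the ports in LISTEN state that belong to that process. The /proc/net/tcp rows and the inode sets used to exercise it are constructed for this illustration; the Linux /proc layout, the 0x0A LISTEN state code and the native-byte-order address encoding are the assumptions it relies on.

```python
"""Does a given process (e.g. a running sniffer) listen on any TCP port?

Added example for the thread above, not Snort's own code. Joins the socket
inodes a process holds (/proc/<pid>/fd -> "socket:[inode]") against
/proc/net/tcp, whose 'st' column is 0A for TCP_LISTEN. A pcap-based sniffer
holds a packet socket, which shows up in /proc/net/packet, never as a
listening TCP socket, so the result for it should be an empty list.
"""
import os
import re
import socket
import struct
import sys

TCP_LISTEN = 0x0A  # value of the 'st' column for a listening socket


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state, inode) for each row of /proc/net/tcp."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], int(fields[3], 16), int(fields[9])
        ip_hex, port_hex = local.split(":")
        # The IPv4 address is printed as a 32-bit integer in host byte order,
        # so repack it natively ("=I") before handing it to inet_ntoa.
        ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
        yield ip, int(port_hex, 16), state, inode


def socket_inodes_for_pid(pid, fd_dir=None):
    """Set of socket inodes held by pid, read from /proc/<pid>/fd symlinks."""
    fd_dir = fd_dir or f"/proc/{pid}/fd"
    inodes = set()
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:  # fd closed between listdir and readlink
            continue
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes


def listening_ports(proc_net_tcp_text, inodes):
    """Sorted (ip, port) pairs in LISTEN state whose inode belongs to the process."""
    return sorted(
        (ip, port)
        for ip, port, state, inode in parse_proc_net_tcp(proc_net_tcp_text)
        if state == TCP_LISTEN and inode in inodes
    )


# Constructed sample of /proc/net/tcp: sshd on 0.0.0.0:22 (inode 18001), a
# local service on 127.0.0.1:3306 (inode 18002) and one ESTABLISHED client
# connection (inode 18003). Inode 18004 stands in for a sniffer's packet
# socket, which does not appear in this table at all.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A3F2 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000     0        0 18003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_SSHD_INODES = {18001}
SAMPLE_SNIFFER_INODES = {18004}


if __name__ == "__main__":
    # Live use on a Linux host: python3 listen_check.py <pid>
    pid = int(sys.argv[1])
    with open("/proc/net/tcp") as f:
        print(listening_ports(f.read(), socket_inodes_for_pid(pid)))
```

Run it against the PID of the sniffer and of a known daemon such as sshd: the daemon reports its listening port, while a pcap-based process reports nothing, because its packet socket is listed in /proc/net/packet rather than /proc/net/tcp. The same join works for /proc/net/udp (bound UDP sockets use state 07 with an all-zero remote address) if you want to rule out UDP listeners as well.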
