Snort mailing list archives

Re: Network & Systems Cloaking Tool


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 08 Nov 2002 12:23:45 -0600

On Fri, 2002-11-08 at 11:53, twig les wrote:
> Now I'm curious.  I looked at the site, but it seems a
> bit geared toward management.  Exactly how does this
> box decide what traffic is legit and what isn't?  This
> has been the crux of the computer security world's
> problem since the get-go.  I understand the whole
> do-it-in-ASIC part for wire speed, but the black box
> thing is tough for me to trust.  Is there a more
> detailed doc about this?  Sorry to hammer you, but
> this is an open-source list you're posting to.


All it does is return a SYN-ACK for all IPs and all ports. Legitimate
listening ports will receive traffic, but a non-existent port is
reported as open even though there is nothing behind it. Kinda like
LaBrea on a per-port basis, except that it doesn't trap the remote.

I didn't want to respond at first since this list is about Snort, and
not some commercial product. Unless their box is free, I consider their
posting spam.

Frank
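
The effect Frank describes (every port completes the TCP handshake, so a scanner reports it "open" whether or not a service is behind it) can be reproduced on localhost. The following is an added illustration, not code from the thread or from the product under discussion: one listener speaks a constructed banner, a second "decoy" listener accepts the connection and then stays silent. A connect-level check cannot tell them apart; only an application-level probe that waits for the service to talk can. The banner string, the port choices and the helper names are constructed for this example.

```python
import socket
import threading

# Constructed sample banner for the "real" service (not from the page).
REAL_BANNER = b"220 example-smtp ready\r\n"


def _serve(sock, banner):
    """Accept connections until the listening socket is closed.

    With a banner, behave like a real service and send it right away.
    Without one, behave like the cloaking box: the handshake completed,
    but nothing is behind the port, so hold the connection and say nothing
    until the peer gives up.
    """
    while True:
        try:
            conn, _ = sock.accept()
        except OSError:
            return  # listening socket closed by the caller
        with conn:
            if banner:
                conn.sendall(banner)
            else:
                conn.recv(1)  # block until the client closes; never send


def start_listener(banner=None):
    """Bind an ephemeral 127.0.0.1 port and serve it in a daemon thread.

    Returns (port, listening_socket); close the socket to stop serving.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    threading.Thread(target=_serve, args=(sock, banner), daemon=True).start()
    return sock.getsockname()[1], sock


def connect_view(port, timeout=0.5):
    """What a connect (or SYN) scan learns: did the handshake complete?"""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return "open"
    except (ConnectionRefusedError, socket.timeout):
        return "closed"


def service_probe(port, timeout=0.5):
    """Application-level check: connect, then wait for the service to speak.

    Returns the banner bytes, or None when the port is open but silent
    (the decoy case) or not reachable at all.
    """
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return None
            return data or None
    except (ConnectionRefusedError, socket.timeout):
        return None


def compare(real_port, decoy_port):
    """Side-by-side view of both ports: (connect result, banner or None)."""
    return {
        "real": (connect_view(real_port), service_probe(real_port)),
        "decoy": (connect_view(decoy_port), service_probe(decoy_port)),
    }


if __name__ == "__main__":
    real_port, real_sock = start_listener(REAL_BANNER)
    decoy_port, decoy_sock = start_listener()
    for name, (state, banner) in compare(real_port, decoy_port).items():
        print(f"{name:5} port {state:6} banner={banner!r}")
    real_sock.close()
    decoy_sock.close()
```

Both ports come back "open" from the connect check; only the real one yields a banner. That is the whole point of the device from the defender's side: the cheap half-open scan result becomes uninformative, and anyone mapping the network has to spend a full connection plus a wait on every port to learn anything.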
