Snort mailing list archives
Re: Network & Systems Cloaking Tool
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 08 Nov 2002 12:23:45 -0600
On Fri, 2002-11-08 at 11:53, twig les wrote:
> Now I'm curious. I looked at the site, but it seems a bit geared toward management. Exactly how does this box decide what traffic is legit and what isn't? This has been the crux of the computer security world's problem since the get-go. I understand the whole do-it-in-asic part for wire speed, but the black box thing is tough for me to trust. Is there a more detailed doc about this? Sorry to hammer you, but this is an open-source list you're posting to.

All it does is return a syn-ack for all IPs and all ports. Legitimate listening ports will receive traffic, but a non-existent port is reported as open even though there is nothing behind it. Kinda like LaBrea on a per-port basis, except that it doesn't trap the remote.

I didn't want to respond at first since this list is about Snort, and not some commercial product. Unless their box is free, I consider their posting spam.

Frank