[Snort-users] Bothersome portscans and some conjecture

Gene R. Gomez ggomez at ...677...
Mon Nov 20 16:27:08 EST 2000


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Todd,
You're correct that an interface with no IP would not be sending ARP
requests...there would be no need, unless for some reason ARP support
broadcast requests.
Anyway, I need to have an IP on this interface...the IP is used to
download newer versions of vision.rules as they are released.
Actually, along this thread, I COULD create a script that would bind
an IP to the interface when I need to download this file, then remove
it immediately after...
Hmmm................

- -Gene

- -----Original Message-----
From: Todd Ransom [mailto:TRansom at ...197...]
Sent: Monday, November 20, 2000 11:58 AM
To: 'emf at ...367...'; Gene R. Gomez
Cc: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Bothersome portscans and some conjecture


On OpenBSD you bring up an interface with no ip address that will not ARP
like this:

ifconfig ep0 0.0.0.0 netmask 255.255.255.255 -arp

Don't know about other platforms.  But I can't figure out why an interface
with no ip would be ARPing in the first place.  I haven't actually verified
this, but if ARP is used to resolve an ip address to a MAC address before
sending an IP datagram, why would a system with no ip be ARPing?  I would be
interested to hear about scenarios where it would.

TR

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOhmXKyMV0otagQpeEQLIoACgjqx7V987PZMw+fcAIukifWRdaZQAn2fL
zY3QY/zhH4gNjbpoYFnHenKs
=XsT/
-----END PGP SIGNATURE-----
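
The bind-then-remove idea from the message above, as an added example (not code from the thread or its participants). It reuses the OpenBSD `ifconfig` line quoted in the message to return to the no-IP, no-ARP state; the address, netmask, URL, destination path, the use of OpenBSD's `ftp` as the download client, and a working route to the rules server are all assumptions.

```shell
#!/bin/sh
# Added example: give a sniffing interface an address only while the rules
# file is fetched, then return it to the no-IP, no-ARP state.
# Every value below is a constructed placeholder, not taken from the thread.
IFACE="${IFACE:-ep0}"                    # interface from the quoted ifconfig line
TEMP_IP="${TEMP_IP:-192.0.2.10}"         # assumed address (documentation range)
TEMP_MASK="${TEMP_MASK:-255.255.255.0}"  # assumed netmask
RULES_URL="${RULES_URL:-http://rules.example.invalid/vision.rules}"  # placeholder
RULES_DEST="${RULES_DEST:-/etc/snort/vision.rules}"                  # assumed path
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = execute (root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Back to the state described in the quoted message: no address, ARP off.
stealth_down() {
    run ifconfig "$IFACE" 0.0.0.0 netmask 255.255.255.255 -arp
}

# Bind the temporary address and turn ARP back on so the download can work.
stealth_up() {
    run ifconfig "$IFACE" inet "$TEMP_IP" netmask "$TEMP_MASK" arp
}

update_rules() {
    tmp="${RULES_DEST}.new"
    rc=1
    # If the script dies or is interrupted, the address is still removed.
    trap stealth_down EXIT
    trap 'exit 1' INT TERM
    if stealth_up && run ftp -o "$tmp" "$RULES_URL" &&
       { [ "$DRY_RUN" = 1 ] || [ -s "$tmp" ]; }; then
        # Replace the live file only after a non-empty download.
        run mv "$tmp" "$RULES_DEST" && rc=0
    else
        run rm -f "$tmp"
    fi
    stealth_down
    trap - EXIT INT TERM
    return "$rc"
}

# "sh script.sh run" performs the update; with no argument nothing happens.
case "${1:-}" in run) update_rules ;; esac
```

With the default `DRY_RUN=1` the script only prints the four commands it would execute; set `DRY_RUN=0` and run as root to apply them.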


