[Snort-users] snort opens ports?
mkettler at ...4108...
Fri Jan 4 14:53:01 EST 2002
Well, searching the snort FAQ (http://www.snort.org/docs/faq.html) for
"port" there's no such claim... Perhaps they got confused while reading
6.21 and didn't realize they were discussing HUB ports, not tcp/udp ports.

Now there are tools that do things like this and open dummy ports... nuke
nabber for windows and DTK (deception toolkit) for *nix, and various other
honeynet things come to mind... perhaps they confused snort with DTK or
something similar. Who knows... I've made plenty of silly mistakes myself.

From what I know of Snort, it uses pcap, which means it operates in the
same manner as tcpdump and gets raw ethernet packets more-or-less right off
the ethernet driver. This also makes it independent of IP stack weirdness
in the OS running it, and allows it to observe attacks on other machines in
the network (provided the ethernet card picks them up).

I know of no mode that doesn't operate using pcap, and it is pretty
nonsensical to operate an NIDS product by opening dummy ports. That's
really closer to being a part of the domain of HIDS (host intrusion
detection system instead of network) type products, since you could only
monitor attacks on the local host by opening ports.
At 08:57 PM 1/4/2002 +0100, you wrote:
>I read on another mailing list, that "according to the faq" snort attaches
>dummy services to the ports it monitors so they may appear to be open.
>this sounds distinctly incorrect to me.... is there any mode in which this
>could be true?