[Snort-users] snort opens ports?

Matt Kettler mkettler at ...4108...
Fri Jan 4 14:53:01 EST 2002


Well, searching the snort FAQ (http://www.snort.org/docs/faq.html) for 
"port" there's no such claim... Perhaps they got confused while reading 
6.21 and didn't realize they were discussing HUB ports, not tcp/udp ports.

Now there are tools that do things like this and open dummy ports... nuke 
nabber for windows and DTK (deception toolkit) for *nix, and various other 
honeynet things come to mind... perhaps they confused snort with DTK or 
something similar. Who knows... I've made plenty of silly mistakes myself.

From what I know of Snort, it uses pcap, which means it operates in the 
same manner as tcpdump and gets raw ethernet packets more-or-less right off 
the ethernet driver. This also makes it independent of IP stack weirdness 
in the OS running it, and allows it to observe attacks on other machines in 
the network (provided the ethernet card picks them up).

I know of no mode that doesn't operate using pcap, and it is pretty 
nonsensical to operate an NIDS product by opening dummy ports. That's 
really closer to being a part of the domain of HIDS (host intrusion 
detection system instead of network) type products, since you could only 
monitor attacks on the local host by opening ports.


At 08:57 PM 1/4/2002 +0100, you wrote:
>I read on another mailing list, that "according to the faq" snort attaches
>dummy services to the ports it monitors so they may appear to be open.
>
>this sounds distinctly incorrect to me.... is there any mode in which this
>could be true?
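A way to check the claim discussed above on a Linux sensor host, added here as an example and not part of the original thread or of Snort itself: snapshot the bound sockets from /proc/net before and after starting the sensor and report anything new. A pcap-based sniffer should add nothing; the /proc/net/tcp text below is a constructed sample.

```python
import subprocess
import time

# Constructed /proc/net/tcp sample: sshd LISTEN on *:22, plus one established
# client connection (state 01) that must not be reported.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C0E4 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
"""

def parse_proc_net(text, proto):
    """Set of (proto, hex_ip, port) accepting traffic: TCP LISTEN sockets only;
    every bound UDP socket, since UDP has no listen state (hence the diff)."""
    sockets = set()
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if proto.startswith("tcp") and state != "0A":  # 0A = TCP LISTEN
            continue
        hex_ip, hex_port = local_addr.rsplit(":", 1)
        sockets.add((proto, hex_ip, int(hex_port, 16)))
    return sockets

def bound_sockets():
    """Snapshot of the live host; tables the kernel lacks are skipped."""
    found = set()
    for proto in ("tcp", "tcp6", "udp", "udp6"):
        try:
            with open(f"/proc/net/{proto}") as fh:
                found |= parse_proc_net(fh.read(), proto)
        except OSError:
            pass
    return found

def new_sockets_after(cmd, settle_seconds=2.0):
    """Start cmd (argv list), let it settle, return the sockets it added.
    A pcap-based sensor such as Snort should add none (empty set)."""
    before = bound_sockets()
    proc = subprocess.Popen(cmd)
    try:
        time.sleep(settle_seconds)
        return bound_sockets() - before
    finally:
        proc.terminate()
        proc.wait()
```

On the sensor host, call `new_sockets_after` with the sensor's argv (e.g. `["snort", "-c", "snort.conf", "-i", "eth0"]`); a non-empty result is the thing worth investigating.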
