[Snort-users] RE: VERY simple 'virtual' honeypot

Ashley Thomas athomas at ...3539...
Fri Mar 8 12:07:18 EST 2002

Yes. Why i made that statement is:

- allows for finger-printing as you said.

- that might be an area which can be attacked by the Attacker.
  (if he knows IDS is going to respond to such and such packets, he can
just flood some spoofed packets to those ip/port and IDS will be busy
sending out response.)


On Fri, 8 Mar 2002, Ryan Russell wrote:

> On Fri, 8 Mar 2002, Ashley Thomas wrote:
> > I would think that it is best if the IDS remains in the stealth mode
> > without doing anything "active"
> I agree.  Any response allows for fingerprinting, and potentially being
> able to identify the IDS.  If I were trying to evade an IDS, the first
> thing I would want to know is which one I'm dealing with.
> 					Ryan

More information about the Snort-users mailing list