[Snort-users] Newbie questions, Snort on NT, stealth mode vs react/flexresp

Frank Knobbe fknobbe at ...652...
Wed Oct 9 14:27:02 EDT 2002

On Wed, 2002-10-09 at 08:41, Dragos Ruiu wrote:
> > [is it] possible to transmit packets from an interface that has no IP
> > address assigned?
> Interesting question. If you are using a tap it's not possible AFAIK
> Prolbably depends on specific investigation of the "stealth" tap tho.

I don't see why not. After all, you can READ packets from the wire
without having to have an IP address configured :)  (using the pcap
library). Likewise, using the libnet library, you can WRITE packets on
the wire without a configured IP address.

And therein lies the problem. If you really, absolutely, 100% do not
want to be able to send packets, you need to use a tap that prevents
transmission on the hardware layer. As Dragos said, with a tap you can
not send resets. But afaik, you don't need to have an IP address
configured for snort to send resets since snort uses the libnet library.

I haven't looked closely at the code of flexresp and can not offer you
any answer to questions like 'how does it know what adapter to use if my
system is multi-homed' and similar questions. However, with a Google
search, or a search through the snort archive, you might come across
answers there.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021009/5f62143d/attachment.sig>

More information about the Snort-users mailing list