Re: Newbie questions, Snort on NT, stealth mode vs react/flexresp

[Frank Knobbe <fknobbe () knobbeits com>]

On Wed, 2002-10-09 at 08:41, Dragos Ruiu wrote:
> > [is it] possible to transmit packets from an interface that has no IP
> > address assigned?
>
> Interesting question. If you are using a tap it's not possible AFAIK
> Prolbably depends on specific investigation of the "stealth" tap tho.


I don't see why not. After all, you can READ packets from the wire
without having to have an IP address configured :)  (using the pcap
library). Likewise, using the libnet library, you can WRITE packets on
the wire without a configured IP address.

And therein lies the problem. If you really, absolutely, 100% do not
want to be able to send packets, you need to use a tap that prevents
transmission on the hardware layer. As Dragos said, with a tap you can
not send resets. But afaik, you don't need to have an IP address
configured for snort to send resets since snort uses the libnet library.

I haven't looked closely at the code of flexresp and can not offer you
any answer to questions like 'how does it know what adapter to use if my
system is multi-homed' and similar questions. However, with a Google
search, or a search through the snort archive, you might come across
answers there.

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part