Re: why old libnet?

[Matt Kettler <mkettler () evi-inc com>]

Florin Andrei wrote:

> What is the reason why Snort can only use the old, deprecated,
> libnet-1.0.x?
> Since other apps are likely to use already the newer, supported,
> libnet-1.1, there might be conflicts on systems using both types of
> apps.

Really, the only part of snort that uses libnet is flexresp. If you're
not using flexresp, snort shouldn't be looking for libnet.

As for flexresp itself, it's getting to be a bit on the "aged" side. I
know one of the SF guys (Chris? Jeff?) was working on a "flexresp2", but
it looks like 2.3.2 still only includes the old version.

I also think that while Flexresp is useful, people believe it to be more
useful than it is. Flexresp is really pretty limited. It's useful
against automated probes, but really only acts as a hurdle to jump over
for a skilled manual attack. Even against automated probes, flexresp
isn't 100% effective, since it relies on being able to advance the TCP
sequence number first. Flexresp uses some tricks to give it a major
advantage, but it still boils down to being a race condition.

Now that snort has an official inline module, you really should consider
using it instead of flexresp if inline is feasible in your network and
on your platform.


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users