Snort mailing list archives
RE: To TAP or HUB?
From: "Henning, David" <henningd () fortrex com>
Date: Thu, 19 Dec 2002 14:00:18 -0500
Sam, Taps are much too expensive to use for casual home stuff. Taps are most useful in an environment where you can't span all the ports off a large core switch. A hub between the cable modem and fw will work just fine and be very cheap. If you properly stealth the nic on the hub no-one will ever know you have an IDS there (except us of course ;). Make certain you configure the nic to not respond to arp and don't give it an IP address. Unless there is a way to break Snort on the listening interface and reconfigure the nic to respond to traffic an attacker can't get in through that interface. David Henning -----Original Message----- From: Carleton, Sam (SCI TW) To: 'snort-users () lists sourceforge net' Sent: 12/19/02 1:21 PM Subject: [Snort-users] To TAP or HUB? Folks, I understand the point of using a TAP with an IDS, but is it a must? What is the drawback to simply using a HUB? I ask because a TAP is a bit much for the house, or at least right now. My thought is this: I put a HUB between the cable modem and firewall. Then I plug in the second NIC of my IDS Server, but never assign an IP address. Then turn on snort to listen to that NIC. Would that work? Would a hacker be able to get into the IDS Server? It is my understanding that the presents of the IDS would be known, but I can live with that right now. Are there any other drawbacks? Sam ------------------------------------------------------- This SF.NET email is sponsored by: Geek Gift Procrastinating? Get the perfect geek gift now! Before the Holidays pass you by. T H I N K G E E K . C O M http://www.thinkgeek.com/sf/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users .. . ------------------------------------------------------- This SF.NET email is sponsored by: Geek Gift Procrastinating? Get the perfect geek gift now! Before the Holidays pass you by. T H I N K G E E K . C O M http://www.thinkgeek.com/sf/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- To TAP or HUB? Carleton, Sam (SCI TW) (Dec 19)
- <Possible follow-ups>
- RE: To TAP or HUB? Henning, David (Dec 19)
- RE: To TAP or HUB? Frank Knobbe (Dec 19)
- RE: To TAP or HUB? Madziarczyk, Jonathan (Dec 19)
- RE: To TAP or HUB? Shane Hickey (Dec 19)
- RE: To TAP or HUB? Eric Joe (Dec 19)
- RE: To TAP or HUB? Shane Hickey (Dec 19)
- RE: To TAP or HUB? Matt Kettler (Dec 19)