Snort mailing list archives
Interfaces without an ip / no udp capture considerations
From: "Ricardo, Gerson" <gricardo () gableseng com>
Date: Mon, 3 Feb 2003 17:19:50 -0500
Another reason to use the -arp modifier: if you do not disable ARP, your interface *will not* capture any UDP traffic. I think I saw a question a few weeks(?) ago surrounding someone who wasn't getting any UDP notifications via snort/acid when they set no IP on their DMZ probe interface.

gerson j. ricardo
network engineer
Gables Engineering, Inc.

-----Original Message-----
From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
Sent: Monday, February 03, 2003 3:42 PM
To: 'snort-users () lists sourceforge net'
Subject: FW: [Snort-users] eth0 without ip ..

-----Original Message-----
From: Slighter, Tim
Sent: Monday, February 03, 2003 1:39 PM
To: 'Bennett Todd'
Subject: RE: [Snort-users] eth0 without ip ..

MAC is layer 2 and does not require an IP. Chances are highly unlikely, but if a hacker was very determined, they could run an ARP discovery tool to pinpoint your IDS and use that information as an attack pivot... or worse yet, use that MAC to spoof packets. Disabling ARP with -arp simply cuts down on any extraneous potential points of ingress for the very determined deviants.

If your stealth interface is hooked up onto a Cisco switch on a mirrored port, CDP will generate a lot of excess traffic on your stealth interface, thereby impacting the performance of snort... when it should be ONLY analyzing intrusion-based traffic, snort now has the additional load of dealing with CDP or VLAN broadcasts.

Does that make better sense?

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Monday, February 03, 2003 1:06 PM
To: Slighter, Tim
Subject: Re: [Snort-users] eth0 without ip ..

2003-02-03T14:51:58 Slighter, Tim:
> Actually, allow me to rephrase that: if your sensor is directly connected
> to a spanned port or any broadcast domain switch/VLAN, your stealth
> interface could potentially receive CDP broadcasts..... In addition to
> this, without the -arp, one runs the potential risk of allowing the
> interface to respond with its MAC from an ARP query. Just one more
> potential target for the devious

I'm still unclear on what problem I may be having. What's CDP? Isn't that something like Cisco Discovery Protocol or thereabouts? Why would it elicit traffic from an unnumbered interface? And what's it have to do with ARP? And if an interface has no address assigned, why would it ever answer ARP? An ARP query, to elicit a response, has to have the IP addr of the destination in the query, no? I'm still missing something.

Although if all I'm missing is a possibility for a locally-attached attacker to forge a wonky packet that reveals my insufficiently-stealthy device, I may not worry; I'm only trying to be "stealthy" to guarantee that I don't try and insert anything on a spanned port, lest such insertions disrupt the net. I.e. trying to get the same safety guarantees of passivity that you get with a tap.

-Bennett

-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
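As an added example (not part of the thread), a POSIX shell audit of the interface state the discussion recommends for a passive Snort sensor: no address assigned, ARP off, promiscuous mode on. It assumes the output format of iproute2's `ip addr show dev <iface>`, and the two samples below are constructed, not captured from a real sensor.

```shell
#!/bin/sh
# Added example: audit a sniffing interface for the "stealth" state the
# thread recommends. The commands that produce that state (run as root,
# not executed here) are:
#   ip link set eth1 arp off promisc on up      # iproute2 form
#   ifconfig eth1 0.0.0.0 -arp promisc up        # ifconfig form from the thread
# Caveat: a kernel with IPv6 enabled auto-assigns a link-local address,
# which answers neighbour discovery (the IPv6 equivalent of ARP); the
# check below therefore treats inet6 lines as a finding too.

# Constructed sample: interface configured as the thread advises.
GOOD_SAMPLE='2: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Constructed sample: the weak setup, IP still assigned and ARP enabled.
BAD_SAMPLE='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1'

# check_stealth_iface OUTPUT: returns 0 if the interface is stealthy,
# 1 otherwise, printing one line per finding.
check_stealth_iface() {
    out=$1
    # Flag list sits between < and > on the first line of ip's output.
    flags=$(printf '%s\n' "$out" | sed -n '1s/.*<\([^>]*\)>.*/\1/p')
    rc=0
    case ",$flags," in
        *,NOARP,*) ;;
        *) echo "ARP is enabled (NOARP flag missing)"; rc=1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "interface is not in promiscuous mode"; rc=1 ;;
    esac
    case ",$flags," in
        *,UP,*) ;;
        *) echo "interface is not up"; rc=1 ;;
    esac
    # Any inet/inet6 line means the interface still has an address.
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*inet6? '; then
        echo "interface still has an IP address assigned"
        rc=1
    fi
    return $rc
}

check_stealth_iface "$GOOD_SAMPLE" && echo "good sample: stealthy"
check_stealth_iface "$BAD_SAMPLE" || echo "bad sample: NOT stealthy"
```

On a live sensor, run `check_stealth_iface "$(ip addr show dev eth1)"` and re-run it after each reboot, since interface flags are not persistent unless scripted into the boot configuration.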