Snort mailing list archives
Re: Methodology Verification
From: <seclists () spiggy net>
Date: Tue, 14 Jan 2003 22:22:02 -0600 (CST)
The logical gap you are not seeing is one-word long: bridge

You can have an ip-less machine pass traffic back to your internal production machine as long as it has an external ip address and bridging is enabled on your snort box... snort-inline and hogwash both do this - work below the IP layer of your network stack - and thus don't need an ip on the machine running the IDS software.. The problem you may run into is getting the dhcp address to your internal machine... I'm not sure if the system can pass broadcasts or dhcp back, someone else will have to answer that.

If you choose to go the NAT route - it's fairly simple to set up and is about as effective for what you want to do as bridging the data. The only significant difference is that, without an ip, your snort-inline/hogwash box is a bit more difficult to attack and much, much less visible on the network. It's really an either/or situation I think..

-jofny

The problem
Currently, the external interface on the snort box is getting a DHCP address. I want the snort box to basically be invisible. I understand that this can happen in a number of ways.. Am I looking at doing NAT to an internal subnet (the victim)? Using IPTables, etc.... Can I make snort transparent enough so that the victim machine will be able to pull its own DHCP address on the external subnet? (a la hogwash?) Does the snort-inline do what I'm looking for? It seems to be the same thing as hogwash, is this correct?
Current thread:
- Methodology Verification John Cherbini (Jan 14)
- Re: Methodology Verification seclists (Jan 15)
- Re: Methodology Verification Erek Adams (Jan 15)
- RE: Methodology Verification John Cherbini (Jan 15)
- <Possible follow-ups>
- RE: Methodology Verification John Cherbini (Jan 14)