Snort mailing list archives

Re: Methodology Verification


From: Erek Adams <erek () snort org>
Date: Wed, 15 Jan 2003 09:04:52 -0500 (EST)

On Tue, 14 Jan 2003, John Cherbini wrote:

[...snip...]

> I'm setting up a testing network that does not have a firewall.  I
> basically want a snort machine with the external net on one side, and
> the victim on the other side.  I really just want to be able to see the
> attacks that take place on the victim.

Well...  Easy enough.  Simply plug everything into a cheap hub.  One
interface on the Snort box would see everything on the entire hub.

[...snip...]

> I want the snort box to basically be invisible.  I understand that this
> can happen in a number of ways..

IP-less Interface [0], a R/O cable [1], an ethernet Tap [2], or a bridge.

[...snip...]

> Can I make snort transparent enough so that the victim machine will be
> able to pull its own DHCP address on the external subnet?  (a la
> hogwash?)

I'd not bother with DHCP.  If you are creating a test setup, simply use
RFC1918 addresses and be done with it.  Since you want to run a 'stealth'
sensor, you really don't even need an IP.

[...snip...]

> I basically have a logical gap in reasoning here.  Can anyone point me
> to a doc that will clear this up?  Have any suggestions on how to make
> the snort box relatively transparent?

*shrug*  There's not really one document to point you to.  There are a
number of documents!  :)  Have a look at the docs [3] on snort.org.  They
will give you some pointers.  If that's not exactly what you are looking
for, try Google.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.snort.org/docs/faq.html#3.1
[1]     http://www.theadamsfamily.net/~erek/snort/
[2]     http://www.netoptics.com/net-96135.html
[3]     http://www.snort.org/docs/
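
Added example, not part of the original message or of the Snort docs: a shell
check for the IP-less interface option mentioned in the reply, run against
`ip -o` output on a current Linux sensor. The interface name eth1, the function
name check_stealth and the sample lines are assumptions constructed here.

```shell
#!/bin/sh
# Audit a sniffing interface for anything that lets the host stack talk on it.
# Typical setup on a current Linux box (eth1 is an assumed name):
#   ip addr flush dev eth1
#   ip link set dev eth1 arp off
#   ip link set dev eth1 up
#   sysctl -w net.ipv6.conf.eth1.disable_ipv6=1
# Live audit:
#   check_stealth "$(ip -o link show dev eth1)" "$(ip -o addr show dev eth1)"

# check_stealth LINK_LINE ADDR_LINES
# Prints one line per problem; the return status is the number of problems.
check_stealth() {
    link=$1
    addrs=$2
    problems=0
    # Flags are the comma-separated list between < and > in `ip -o link`.
    flags=$(printf '%s\n' "$link" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,NOARP,*) ;;
        *) echo "ARP enabled: interface will send and answer ARP"
           problems=$((problems + 1)) ;;
    esac
    case ",$flags," in
        *,UP,*) ;;
        *) echo "interface is down: sensor sees nothing"
           problems=$((problems + 1)) ;;
    esac
    # Any address means the stack can source traffic here. An IPv6 link-local
    # address appears automatically on link-up and causes DAD/MLD/RS frames,
    # so "no IPv4 address" alone does not make the sensor silent.
    for fam in inet inet6; do
        n=$(printf '%s\n' "$addrs" |
            awk -v f="$fam" '$3 == f { c++ } END { print c + 0 }')
        if [ "$n" -gt 0 ]; then
            echo "$n $fam address(es) assigned"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample output: a quiet interface and a default-configured one.
GOOD_LINK='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
GOOD_ADDRS=''
BAD_LINK='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP'
BAD_ADDRS='3: eth1    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth1
3: eth1    inet6 fe80::5054:ff:fe12:3456/64 scope link'
```

A software-only check like this covers the host's own stack; the R/O cable and
tap options in the reply enforce silence in hardware instead.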

