Snort mailing list archives
Re: Snort "invisible"
From: Dan Ferris <dferris () maad com>
Date: Thu, 04 Sep 2003 11:09:48 -0600
The only drawback (that I've found so far) to not having IP addresses assigned to the interfaces is pcap will complain when snort starts up, which can be annoying.
You could also cut the transmit wires on the ethernet cables, which won't work if you plug into a switch instead of a hub (haven't done this so I could be wrong).
Or you could use try cable taps, which aren't completely stealthy, since they can be detected by a TDR.
Cable taps and modified cables do not allow you to use the flexible response features of Snort.
Good luck! Ricardo Pires wrote:
I think you have two choices. The first one is to do not assign an IP address to the interface, as Dan Ferris told you. Another way, which one I do, is to assign a completly different IP to that interface. Lets suppose your network has a C class 192.168.1 You can use an IP address outside this class, with no route to that IP, like 1.1.1.2 Ricardo Pires----- Original Message ----- From: "Dan Ferris" <dferris () maad com>To: <snort-users () lists sourceforge net> Sent: Wednesday, September 03, 2003 1:13 PM Subject: Re: [Snort-users] Snort "invisible" Don't assign an IP address to the interfaces Snort listens on. Be careful with Snortsam, because you can hurt yourself with it. Daniel Hondo Tedesque wrote:Hello My name and Daniel, I am implanting the Snort tool (RedHat 9,0) in thecompanywhere work, and I structuralized the security of the following form: Willbe 3sensors spread in internal, external net and DMZ, each sensor have two interfaces where the interface eth0 will be responsible for the listeningof thenet and the interface eth1 responsavel for the exchange of informationbetweenthe sensors, being, two distinct nets of form that the sensors are"invisible"the net of the company. The external sensor will receive the packagesbeforefirewall from form that in case that some activity registers suspicion, immediately creates a rule in firewall to block the suspicious IP(SnortSam). Itwould like to know if ha one forms to modify stack TCP of form that the interfaces eth0 are inhibited of possible attacks or that they only listentothe net, being registered for none another one does not scheme. Thanks, Daniel Hondo - UNOESTE - Brasil. ------------------------------------------------- UNOESTE - Universidade do Oeste Paulista FIPP - Faculdade de Informática de Pres. Prudente ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort "invisible" Daniel Hondo Tedesque (Sep 03)
- Re: Snort "invisible" Dan Ferris (Sep 03)
- Re: Snort "invisible" Ricardo Pires (Sep 04)
- Re: Snort "invisible" Dan Ferris (Sep 04)
- Re: Snort "invisible" Ricardo Pires (Sep 04)
- <Possible follow-ups>
- RE: Snort "invisible" SecurityAdmin (Sep 08)
- Re: Snort "invisible" Dan Ferris (Sep 03)