[Snort-users] Bothersome portscans and some conjecture

Erik Fichtner emf at ...367...
Mon Nov 20 13:50:39 EST 2000

On Mon, Nov 20, 2000 at 08:15:18AM -0800, Gene R. Gomez wrote:
> This should mean that the Snort box is in full stealth mode, with the 
> exception of ARP requests (which I'm not really sure how to get rid of yet). 

Since ARP is only valid for your broadcast domain, you presumably know all
of the hosts that you're going to communicate with.  Just load up static arp
table entries on your snort box (and any that might have to communicate with
it, e.g. routers and such).

That's one way to make the arp requests go away.   Of course, if someone
compromises a box that knows how to talk to the snort machine, that's just
as bad as if they happened to be in a position to spot the arp traffic on
your lan segment anyway.. (potentially worse, actually, because if static
arp tables aren't the norm for your network, it's an immediate clue that
this box is something special.)

Just a thought..

Erik Fichtner
Security Administrator, ServerVault, Inc.
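The static-ARP trick described above, as an added example that is not part of the original post or of Snort itself. It assumes a Linux sensor with net-tools arp(8); the interface name, the peer IPs and the MAC addresses are made-up placeholders, and the sample `arp -an` output used for the check is constructed. The script generates the `arp -s` commands for review before anything is applied, and includes a check that flags peers whose entries are not permanent (a dynamic entry means the box will ARP for that peer again once it ages out, which is exactly the traffic the thread is trying to get rid of).

```shell
#!/bin/sh
# Added example, not from the original post: pin static ARP entries on a passive
# Snort sensor so it never has to broadcast ARP requests for its peers.
# Assumes a Linux host with net-tools arp(8). Interface, IPs and MACs are made up.

IFACE=eth0   # hypothetical sniffing/management interface

# Constructed peer list: every host the sensor must exchange packets with
# (e.g. the management router), one "ip mac" pair per line. Hypothetical values.
STATIC_ARP_PEERS='192.0.2.1 00:11:22:33:44:55
192.0.2.2 00:11:22:33:44:66'

# A MAC is six colon-separated hex octets; reject anything else before it reaches arp(8).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the arp -s commands for the peer list without running them, so an
# administrator can review them (or pipe them to sh). Fails on the first bad entry.
gen_arp_cmds() {
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        if ! valid_mac "$mac"; then
            echo "gen_arp_cmds: bad MAC for $ip: '$mac'" >&2
            return 1
        fi
        printf 'arp -i %s -s %s %s\n' "$IFACE" "$ip" "$mac"
    done <<EOF
$STATIC_ARP_PEERS
EOF
}

# Apply the entries for real; needs root. Run as: apply_static_arp
apply_static_arp() {
    gen_arp_cmds | sh -e
}

# Read "arp -an" output on stdin and print the IPs of entries that are NOT
# permanent. Net-tools marks static entries with "PERM"; anything else will
# age out and cause a fresh ARP request.
non_permanent_entries() {
    awk '/^\? \(/ && $0 !~ /PERM/ { ip = $2; gsub(/[()]/, "", ip); print ip }'
}

# Constructed arp -an output (net-tools format) to exercise the check offline:
# one pinned peer, one dynamic peer, and one unresolved entry.
SAMPLE_ARP_OUTPUT='? (192.0.2.1) at 00:11:22:33:44:55 [ether] PERM on eth0
? (192.0.2.2) at 00:11:22:33:44:66 [ether] on eth0
? (192.0.2.9) at <incomplete> on eth0'

# Run the check over the constructed sample. On a live box use:
#   arp -an | non_permanent_entries
check_sample() {
    printf '%s\n' "$SAMPLE_ARP_OUTPUT" | non_permanent_entries
}
```

On a live sensor, review `gen_arp_cmds` output first, then run `apply_static_arp` as root and confirm with `arp -an | non_permanent_entries` that nothing is left dynamic. Remember the caveat from the post: any peer you pin here must pin the sensor's address too, otherwise that peer will still ARP for the sensor and give it away.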

