[Snort-users] 2 Qs: Snort and subnets + Linux stealth boxes

Erik Engberg Erik.Engberg at ...511...
Mon Sep 25 15:08:46 EDT 2000


You can do "stealth" config on most OSs (including NT).

On linux and BSD (for interface eth1) just activate the interface:

ifconfig eth1 up

and be sure to specify the interface with snort -i eth1

On NT you just disable all bindings for a network card. I haven´t tried this
with snort but it works just fine with other IDS´s.

As for the first question, it shouldn´t matter what your box mask is. You
just specify what network and mask you want to have as HOME_NET in the rules
file.
If it really is a hub you should have no problem seeing the traffic if you
are in promiscous even if the router changes the mask. If it does NAT that
it´s another story.

/Erik

-----Original Message-----
From: daedalus at ...494... [mailto:daedalus at ...494...]
Sent: den 21 september 2000 15:57
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] 2 Qs: Snort and subnets + Linux stealth boxes


Hi all,

I recently started playing with a pretty standard setup of Snort to monitor
what's going on on my network, but I've run into a bit of a snag with
subnets.
I have a class C routed into one location via T1 where it is then split off
into smaller subnets which are routed back out T1s to different locations.
All of the locations are the same company and I would like to monitor
traffic
to all the locations from one Snort installation. Does anyone have any
suggestions?  If I place the machine on the hub with the routers it has an
address still with the class C mask but the traffic I want to monitor now
has had it's mask changed by the incomming router so I can't see it.  Which
leads me to my second question.  In a list, I don't remember which one, a
guy was writing about using "stealth boxes" that were linux machine with
no IP address but were in promiscuous mode doing IDS and acting as logging
hosts. Does anyone know the location of any documentation about doing this
and will it work with Snort?

Thanks all,
-Bill

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users



More information about the Snort-users mailing list