[Snort-users] Stealth Interface and Flexible Response

alex alex at ...1255...
Wed Jan 31 18:52:54 EST 2001


I checked back through the archives and have not seen the answer to this
one, so...

I'm planning a snort box which will bypass a firewall.
The external interface as a "Stealth" or unplumbed interface to sniff
all the traffic coming from the ISP into my firewall, 'cause it's a
RAMdisk firewall/router and has no room for snort, and the internal
interface back onto my LAN for ssh access and sending syslog messages
from the snort box.

Just sat through Martin Roesch's talk here at SANS New Orleans,
excellent by the way, and the only info I got about this is from the
course guide, he was quite busy fending off about 50 people asking
questions in person afterwards which is why I'm asking here, which
says--
"Some of the options that are available are of questionable value in
certain configurations, such as flexible response on "stealthed"
interfaces..."

So, question:  If an interface is in stealth or unplumbed mode, can
it still send flexible response messages, such as 'rst_all' to knock
down connections or is it of "questionable value" because nobody thought
of a reason to do it yet?

thanks
alex




