[Snort-users] Re: Wiring a "read only" cable (Joe Pampel)

Josh Oshiro josh at ...155...
Fri Nov 30 01:26:04 EST 2001


The silicon defense diagram is an AUI socket for ethernet I believe they
called it a D15 connecter. I only see these on older network cards. With
that pinout you can easlily cut the transmit pins to prevent transmit.
However we are all using rj45 now and its not that easy anymore. If you cut
the transmit pins on cat5 cable the hub/switch will think the link is dead
and connectivity with the hub/switch will be lost. The one way i know of to
make a recieve only network cable for rj45 port NICs (although very flaky
and haven't tried it myself) is to force a 100mb transfer, use a max length
cable and untwist the transmit pair to corupt the transmit signal enough to
prevent communication while still allowing the "keep alive signal" to be
present. I would not expect that to work reliabily if it even works at all.
----- Original Message -----
From: "Chris Schuler" <cschuler at ...2467...>
To: <slivergun at ...4215...>; <snort-users at lists.sourceforge.net>
Sent: Thursday, November 29, 2001 8:38 PM
Subject: Re: [Snort-users] Re: Wiring a "read only" cable (Joe Pampel)


> There are still ways to discover a NIC in promiscuous mode.  L0pht makes
> such a program.  Just becuast a NIC doesnt have an IP address doesnt mean
> ARPing cant reveal it.
> ----- Original Message -----
> From: "Donal Graeme" <slivergun at ...4215...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Thursday, November 29, 2001 10:47 PM
> Subject: [Snort-users] Re: Wiring a "read only" cable (Joe Pampel)
>
>
> > My experience is that you can run a NIC in promiscuous mode without an
IP
> address, thus eliminating the need for the transmit wires to maintain any
> sort of link at all.
> >
> > I have set up Snort to run on a NIC that is connected via a cable with
> only the 2 receive wires active. I did only what Bill Cheswick in
"Firewalls
> and Internet Security," and Steven Northcutt in "Network Intrusion
> Detection: An Analyst's handbook" suggest. I have this arrangement working
> on a P4 system running RedHat 7.1. It is exactly as you have described
> below. The key is to remember that a NIC need not have an address to be in
> promiscuous mode.
> >
> >
> > >-----Original Message-----
> > >From: Joe Pampel [mailto:joe at ...3851...]
> > >Sent: Thursday, November 29, 2001 4:30 PM
> > >To: snort-users at lists.sourceforge.net;
> > >snort-users-request at lists.sourceforge.net
> > >Subject: [Snort-users] Re: Wiring a "read only" cable
> > >
> > >What am I missing here?
> > >
> > >Trying to make a read only 100Base-T cable for a sensor and it has 8
> > >pins -
> > >4 pairs. So far so good.
> > >www.silicondefense.com has a schematic showing 14 pins and cutting pins
> > >3
> > >and 10...
> > >
> > >Can you see my confusion?  My understanding of this kind of connector
is
> > >like this:
> > >from : http://yoda.uvi.edu/InfoTech/rj45.htm
> > >
> > >-----------------------------------------------------------------------
> > >Pin Number Designations
> > >
> > >   Color Codes for T568B
> > >Pin     color  pair  name
> > >---     -----  ---- ---------
> > >1       wh/or   2   TxData +
> > >2       or      2   TxData -
> > >3       wh/grn  3   RecvData+
> > >4       blu     1
> > >5       wh/blu  1
> > >6       grn     3   RecvData-
> > >7       wh/brn  4
> > >8       brn     4
> > >
> > >------------------------------------------------
> > >
> > >This would indicate not crimping the Orange pair to pins 1 & 2. And of
> > >course if you're a wise-guy you put a splitter on the jack and plug an
> > >RJ-11
> > >in and use the middle pair for a POTS line.. but anyhow... ;-)
> > >Anyone else run into this?
> > >
> > >ps: wiring sucks when you're color blind. :-)
> > >
> > >- Joe
> >
> >
> > _____________________________________________________________
> > Are you a Techie? Get Your Free Tech Email Address Now! Visit
> http://www.TechEmail.com
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list