[Snort-users] Methodology Verification

John Cherbini cherbini at ...7918...
Tue Jan 14 21:58:03 EST 2003

I had the feeling that bridging was the gap that I was missing.

Unfortunately, I had only dealt with bridging on a wireless network, and
not with snort.  Whenever I've needed this type of functionality through
a linux box, I've always used NAT.

So basically, I need to look at hogwash or snort-inline to do the
bridging stuff, correct?

Otherwise, I do NAT.

Now, this brings up the question, do snortcenter and ACID both work with
hogwash or snort-inline?

After looking through the hogwash archives, there doesn't seem to be a
definite answer.

Having snortcenter and ACID is not as important to me as having snort
running in a bridging mode, but it would be nice!

Again, any docs on this type of stuff?

Thanks again!

John C.

-----Original Message-----
From: seclists at ...8003... [mailto:seclists at ...8003...] 
Sent: Tuesday, January 14, 2003 9:20 PM
To: cherbini at ...7918...
Subject: Re: [Snort-users] Methodology Verification

The logical gap you are not seeing is one-word long: bridge

You can have an ip-less machine pass traffic back to your internal
production machine as long as it has an external ip address and bridging
is enabled on your snort box... snort-inline and hogwash both do this -
work below the IP layer of your network stack - and thus don't need an
ip on the machine running the IDS software. The problem you may run
into is getting the dhcp address to your internal machine... I'm not sure
if the system can pass broadcasts or dhcp back, someone else will have
to answer that. If you choose to go the NAT route - it's fairly simple
to set up and is about as effective for what you want to do as bridging
the data. The only significant difference is that, without an ip, your
snort-inline/hogwash box is a bit more difficult to attack and much,
much less visible on the network. The problem
> Currently, the external interface on the snort box is getting a DHCP 
> address.
> I want the snort box to basically be invisible.  I understand that 
> this can happen in a number of ways..
> Am I looking at doing NAT to an internal subnet (the victim)?  Using 
> IPTables, etc....
> Can I make snort transparent enough so that the victim machine will be
> able to pull its own DHCP address on the external subnet?  (a la
> hogwash?)
> Does the snort-inline do what I'm looking for?  It seems to be the 
> same thing as hogwash, is this correct?
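The bridge-versus-NAT choice discussed above, as an added shell example that is not from either poster: a transparent, IP-less bridge for the inline sensor beside the NAT setup. The interface names eth0/eth1, the 192.168.1.0/24 victim subnet, and the use of brctl and iptables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): bring up a transparent, IP-less Linux
# bridge for an inline Snort box, with a NAT alternative. Interface names
# eth0/eth1 and the 192.168.1.0/24 victim subnet are assumptions.
# Set DRY_RUN=1 to print the commands instead of executing them (no root needed).

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Transparent bridge: both NICs are added to br0 and brought up with no IP
# address, so the sensor has no layer-3 presence to probe. Layer-2 frames,
# including the victim's broadcast DHCP DISCOVER and the offer coming back,
# are forwarded unchanged, so the victim pulls its lease from the external
# subnet through the sensor.
bridge_up() {
    ext="$1"; int="$2"
    run brctl addbr br0
    run brctl addif br0 "$ext"
    run brctl addif br0 "$int"
    # promiscuous mode so the IDS sees every frame crossing the bridge
    run ip link set "$ext" up promisc on
    run ip link set "$int" up promisc on
    run ip link set br0 up
    # deliberately no 'ip addr add' on br0: the box stays invisible
}

# NAT alternative: the sensor keeps its DHCP address on the external NIC and
# masquerades the internal subnet behind it. Simpler, but the sensor is now an
# addressable host on the external network.
nat_up() {
    ext="$1"; int="$2"; subnet="$3"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$subnet" -o "$ext" -j MASQUERADE
    run iptables -A FORWARD -i "$int" -o "$ext" -s "$subnet" -j ACCEPT
    run iptables -A FORWARD -i "$ext" -o "$int" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    bridge) bridge_up eth0 eth1 ;;
    nat)    nat_up eth0 eth1 192.168.1.0/24 ;;
esac
```

Run as `sh setup.sh bridge` or `sh setup.sh nat` on the sensor; with `DRY_RUN=1` it only prints what it would do.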
