[Snort-users] Methodology Verification

seclists at ...8003...
Wed Jan 15 05:45:15 EST 2003


The logical gap you are not seeing is one word long: bridge

You can have an ip-less machine pass traffic back to your internal
production machine as long as it has an external ip address and bridging
is enabled on your snort box...
snort-inline and hogwash both do this - work below the IP layer of your
network stack - and thus don't need an ip on the machine running the IDS
software.
The problem you may run into is getting the DHCP address to your internal
machine... I'm not sure if the system can pass broadcasts or DHCP back;
someone else will have to answer that.
If you choose to go the NAT route - it's fairly simple to set up and is
about as effective for what you want to do as bridging the data. The only
significant difference is that, without an ip, your snort-inline/hogwash
box is a bit more difficult to attack and much, much less visible on the
network.

It's really an either/or situation, I think.

-jofny

The problem
>
> Currently, the external interface on the snort box is getting a DHCP
> address.
>
> I want the snort box to basically be invisible.  I understand that this
> can happen in a number of ways..
>
> Am I looking at doing NAT to an internal subnet (the victim)?  Using
> IPTables, etc....
>
> Can I make snort transparent enough so that the victim machine will be
> able to pull its own DHCP address on the external subnet?  (a la
> hogwash?)
>
> Does the snort-inline do what I'm looking for?  It seems to be the same
> thing as hogwash, is this correct?
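The IP-less bridge jofny describes, as an added example that is not part of the thread and not snort-inline's or hogwash's own setup: a Linux box with two NICs joined into a bridge that carries no address at all, plus a check that the bridge really is address-free. The interface names eth0/eth1/br0 are assumptions; `addr_free` parses `ip -o addr show` output passed to it, so it can be exercised on a sample string without root.

```shell
#!/bin/sh
# Added example, not from the thread. Puts two NICs into a Linux bridge that
# carries no IP address, so the IDS box has no layer-3 presence, then verifies
# that property. Interface names eth0/eth1/br0 are assumptions; override via env.
OUTSIDE=${OUTSIDE:-eth0}   # port facing the external subnet (DHCP server side)
INSIDE=${INSIDE:-eth1}     # port facing the protected ("victim") machine
BRIDGE=${BRIDGE:-br0}

# With DRY_RUN=1 the commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

bridge_up() {
    run ip link add name "$BRIDGE" type bridge
    # Member ports must carry no address of their own.
    run ip addr flush dev "$OUTSIDE"
    run ip addr flush dev "$INSIDE"
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" master "$BRIDGE"
    # The kernel would otherwise give the bridge an IPv6 link-local address,
    # which makes it answer neighbour discovery and thus visible again.
    run sysctl -qw "net.ipv6.conf.$BRIDGE.disable_ipv6=1"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BRIDGE" up
    # Deliberately no "ip addr add" on $BRIDGE: frames are forwarded at layer 2,
    # broadcasts (and so the protected machine's DHCP exchange) included.
}

# Returns 0 when the given "ip -o addr show" output contains no IPv4 or IPv6
# address line, i.e. the interface is address-free.
addr_free() {
    ! printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# Live check against the real bridge; fails if the bridge does not exist.
check_invisible() {
    out=$(ip -o addr show dev "$BRIDGE") || return 1
    addr_free "$out"
}

case "${1:-}" in
    apply) bridge_up && check_invisible && echo "$BRIDGE up with no IP address" ;;
    dry)   DRY_RUN=1; bridge_up ;;
esac
```

Run with `dry` to see the command list, or as root with `apply` to configure and verify the bridge.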
