[Snort-users] Methodology Verification
erek at ...950...
Wed Jan 15 06:15:02 EST 2003
On Tue, 14 Jan 2003, John Cherbini wrote:
> I'm setting up a testing network that does not have a firewall. I
> basically want a snort machine with the external net on one side, and
> the victim on the other side. I really just want to be able to see the
> attacks that take place on the victim.
Well... Easy enough. Simply plug everything into a cheap hub. One
interface on the Snort box would see everything on the entire hub.
> I want the snort box to basically be invisible. I understand that this
> can happen in a number of ways..
IP-less interface, a R/O cable, an Ethernet tap, or a bridge.
> Can I make snort transparent enough so that the victim machine will be
> able to pull its own DHCP address on the external subnet? (a la
I'd not bother with DHCP. If you are creating a test setup, simply use
RFC1918 addresses and be done with it. Since you want to run a 'stealth'
sensor, you really don't even need an IP.
> I basically have a logical gap in reasoning here. Can anyone point me
> to a doc that will clear this up? Have any suggestions on how to make
> the snort box relatively transparent?
*shrug* There's not really one document to point you to. There are a
number of documents! :) Have a look at the docs on snort.org. They
will give you some pointers. If that's not exactly what you are looking
for, try Google.
"When things get weird, the weird turn pro." H.S. Thompson