[Snort-users] Methodology Verification

Erek Adams erek at ...950...
Wed Jan 15 06:15:02 EST 2003

On Tue, 14 Jan 2003, John Cherbini wrote:


> I'm setting up a testing network that does not have a firewall.  I
> basically want a snort machine with the external net on one side, and
> the victim on the other side.  I really just want to be able to see the
> attacks that take place on the victim.

Well...  Easy enough.  Simply plug everything into a cheap hub.  One
interface on the Snort box would see everything on the entire hub.


> I want the snort box to basically be invisible.  I understand that this
> can happen in a number of ways..

IP-less Interface [0], a R/O cable [1], an Ethernet tap [2], or a bridge.


> Can I make snort transparent enough so that the victim machine will be
> able to pull its own DHCP address on the external subnet?  (a la
> hogwash?)

I'd not bother with DHCP.  If you are creating a test setup, simply use
RFC1918 addresses and be done with it.  Since you want to run a 'stealth'
sensor, you really don't even need an IP.


> I basically have a logical gap in reasoning here.  Can anyone point me
> to a doc that will clear this up?  Have any suggestions on how to make
> the snort box relatively transparent?

*shrug*  There's not really one document to point you to.  There are a
number of documents!  :)  Have a look at the docs [3] on snort.org.  They
will give you some pointers.  If that's not exactly what you are looking
for, try Google.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.snort.org/docs/faq.html#3.1
[1]	http://www.theadamsfamily.net/~erek/snort/
[2]	http://www.netoptics.com/net-96135.html
[3]	http://www.snort.org/docs/
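
An added example, not part of the original post or of Snort: a shell check that a sensor interface really is IP-less, as in the "IP-less Interface" option named in the reply. The interface names, function names and the sample `ip -o addr show` output are constructed for illustration; Linux with iproute2 is assumed.

```shell
#!/bin/sh
# Added example: audit a sniffing interface for bound addresses.
# Functions read the text of `ip -o addr show` (iproute2 one-line format)
# on stdin, so they can be run against saved output as well as a live box.

# iface_addrs IFACE: print "family address/prefix" for every inet/inet6
# address bound to IFACE. Prints nothing when the interface has none
# (an interface without addresses does not appear in `ip -o addr show`).
iface_addrs() {
    awk -v ifc="$1" \
        '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# audit_sensor IFACE: return 0 if IFACE has no addresses, 1 otherwise.
# Note: this does not prove the interface exists; check `ip link` for that.
audit_sensor() {
    addrs=$(iface_addrs "$1")
    if [ -z "$addrs" ]; then
        echo "$1: no addresses bound"
        return 0
    fi
    echo "$1: NOT IP-less, addresses found:"
    echo "$addrs"
    return 1
}

# Constructed sample output. eth0 is a management interface with an RFC1918
# address; eth1 is the intended sensor interface, which has no IPv4 address
# but still carries an automatically configured IPv6 link-local address.
SAMPLE_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever'

# Live use on the sensor (hypothetical interface name):
#   ip -o addr show | audit_sensor eth1
```

On the constructed sample, `eth1` is flagged because of its link-local IPv6 address: removing the IPv4 address alone does not leave the interface address-free.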
