[Snort-users] Methodology Verification

Erek Adams erek at ...950...
Wed Jan 15 06:15:02 EST 2003


On Tue, 14 Jan 2003, John Cherbini wrote:

[...snip...]

> I'm setting up a testing network that does not have a firewall.  I
> basically want a snort machine with the external net on one side, and
> the victim on the other side.  I really just want to be able to see the
> attacks that take place on the victim.

Well...  Easy enough.  Simply plug everything into a cheap hub.  One
interface on the Snort box would see everything on the entire hub.

[...snip...]

> I want the snort box to basically be invisible.  I understand that this
> can happen in a number of ways..

IP-less Interface [0], an R/O cable [1], an ethernet Tap [2], or a bridge.

[...snip...]

> Can I make snort transparent enough so that the victim machine will be
> able to pull its own DHCP address on the external subnet?  (a la
> hogwash?)

I'd not bother with DHCP.  If you are creating a test setup, simply use
RFC1918 addresses and be done with it.  Since you want to run a 'stealth'
sensor, you really don't even need an IP.

[...snip...]

> I basically have a logical gap in reasoning here.  Can anyone point me
> to a doc that will clear this up?  Have any suggestions on how to make
> the snort box relatively transparent?

*shrug*  There's not really one document to point you to.  There are a
number of documents!  :)  Have a look at the docs [3] on snort.org.  They
will give you some pointers.  If that's not exactly what you are looking
for, try Google.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.snort.org/docs/faq.html#3.1
[1]	http://www.theadamsfamily.net/~erek/snort/
[2]	http://www.netoptics.com/net-96135.html
[3]	http://www.snort.org/docs/
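
The IP-less interface option from the reply above, sketched as an added example that is not part of the original post or the Snort FAQ. It assumes a Linux sensor with iproute2; the interface name `eth1`, the `snort.conf` path and the script name are placeholders. It also checks that no IPv6 link-local address was auto-assigned before Snort starts.

```shell
#!/bin/sh
# Added example (not from the original post): IP-less sniffing interface.
# Assumptions: Linux with iproute2; IFACE and SNORT_CONF are placeholders.
IFACE="${IFACE:-eth1}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Reads `ip -o addr show dev IFACE` output on stdin and prints every
# IPv4/IPv6 address still bound to the interface, one per line.
bound_addresses() {
    while read -r _idx _name family addr _rest; do
        case "$family" in
            inet|inet6) printf '%s\n' "$addr" ;;
        esac
    done
}

# Succeeds only when stdin shows no bound address at all.
is_ipless() {
    [ -z "$(bound_addresses)" ]
}

# Strips addressing from the interface and puts it in listen-only mode.
prepare_sensor() {
    ip addr flush dev "$IFACE" &&
    sysctl -w "net.ipv6.conf.$IFACE.disable_ipv6=1" >/dev/null &&
    ip link set dev "$IFACE" arp off &&
    ip link set dev "$IFACE" promisc on &&
    ip link set dev "$IFACE" up
}

# Only touch the system when asked to: ./sensor.sh --apply (as root).
# sensor.sh is a hypothetical name for this file.
if [ "${1:-}" = "--apply" ]; then
    prepare_sensor || exit 1
    if ! ip -o addr show dev "$IFACE" | is_ipless; then
        echo "refusing to start: $IFACE still has an address:" >&2
        ip -o addr show dev "$IFACE" | bound_addresses >&2
        exit 1
    fi
    exec snort -i "$IFACE" -c "$SNORT_CONF"
fi
```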



