[Snort-users] Methodology Verification

John Cherbini cherbini at ...7918...
Wed Jan 15 07:59:30 EST 2003


This is exactly what I was looking for.

> On Tue, 14 Jan 2003, John Cherbini wrote:
> 
> [...snip...]
> 
> > I'm setting up a testing network that does not have a firewall.  I 
> > basically want a snort machine with the external net on one side, and 
> > the victim on the other side.  I really just want to be able to see 
> > the attacks that take place on the victim.
> 
> Well...  Easy enough.  Simply plug everything into a cheap 
> hub.  One interface on the Snort box would see everything on 
> the entire hub.

I figure that by using a hub and a R/O cable, I should be in the
situation I'm looking for (for now).  I'm thinking that I'll hook a
second NIC up to the "trusted" network, so I'll be able to manage it
remotely, and leave the R/O interface, hub, etc. outside the
firewall.

> > I want the snort box to basically be invisible.  I understand that 
> > this can happen in a number of ways..
> 
> IP-less Interface [0], a R/O cable [1], an ethernet Tap [2], 
> or a bridge.

This is the gap that I was missing.

Thanks very much Erek!

John C.




