[Snort-users] Snort "invisible"

Dan Ferris dferris at ...9997...
Thu Sep 4 12:11:31 EDT 2003


The only drawback (that I've found so far) to not having IP addresses 
assigned to the interfaces is pcap will complain when snort starts up, 
which can be annoying.

You could also cut the transmit wires on the ethernet cables, which 
won't work if you plug into a switch instead of a hub (haven't done this 
so I could be wrong).

Or you could try cable taps, which aren't completely stealthy, since 
they can be detected by a TDR.

Cable taps and modified cables do not allow you to use the flexible 
response features of Snort.

Good luck!

Ricardo Pires wrote:

>I think you have two choices.
>The first one is not to assign an IP address to the interface, as Dan
>Ferris told you.
>Another way, which is what I do, is to assign a completely different IP to that
>interface.
>Let's suppose your network has a C class 192.168.1
>You can use an IP address outside this class, with no route to that IP, like
>1.1.1.2
>
>Ricardo Pires
>
>----- Original Message ----- 
>From: "Dan Ferris" <dferris at ...9997...>
>To: <snort-users at lists.sourceforge.net>
>Sent: Wednesday, September 03, 2003 1:13 PM
>Subject: Re: [Snort-users] Snort "invisible"
>
>
>Don't assign an IP address to the interfaces Snort listens on.
>
>Be careful with Snortsam, because you can hurt yourself with it.
>
>Daniel Hondo Tedesque wrote:
>
>>Hello
>>
>>My name is Daniel. I am implementing the Snort tool (RedHat 9,0) in the
>>company where I work, and I structured the security in the following
>>form: there will be 3 sensors spread across the internal net, external
>>net and DMZ. Each sensor has two interfaces, where the interface eth0
>>will be responsible for listening to the net and the interface eth1
>>responsible for the exchange of information between the sensors, these
>>being two distinct nets, in such a form that the sensors are "invisible"
>>to the net of the company. The external sensor will receive the packets
>>before the firewall, in such a form that in case some activity registers
>>suspicion, it immediately creates a rule in the firewall to block the
>>suspicious IP (SnortSam). I would like to know if there is a way to
>>modify the TCP stack in such a form that the interfaces eth0 are
>>inhibited from possible attacks or that they only listen to the net,
>>being registered for none another one does not scheme.
>>
>>Thanks, Daniel Hondo - UNOESTE - Brasil.
>>
>>
>>-------------------------------------------------
>>UNOESTE - Universidade do Oeste Paulista
>>FIPP - Faculdade de Informática de Pres. Prudente
>>
>>
>>-------------------------------------------------------
>>This sf.net email is sponsored by:ThinkGeek
>>Welcome to geek heaven.
>>http://thinkgeek.com/sf
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>Snort-users list archive:
>>http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
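A check for the "no IP address on the listening interface" advice in this thread, as an added example that is not from any of the posters or from the Snort project. It assumes a Linux sensor with iproute2 and parses the one-line output of `ip -o addr show`; the function names and the sample text are constructed for illustration. It also counts IPv6, since an interface that is up can carry an auto-configured link-local address even when no IPv4 address was assigned.

```shell
#!/bin/sh
# Added example (not from the thread): report which addresses are bound to a
# sensor interface, using the text produced by `ip -o addr show`.
# Live use (assumed setup): audit_iface eth0 "$(ip -o addr show)"

# Print "family=address/prefix" for each address of interface $1 found in $2.
iface_addrs() {
    printf '%s\n' "$2" |
        awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3 "=" $4 }'
}

# Echo "stealth" when interface $1 has no IPv4 or IPv6 address in $2,
# otherwise "addressed: <list>". Interfaces without any address do not
# appear in `ip -o addr show` at all, so an absent name means "no address".
audit_iface() {
    addrs=$(iface_addrs "$1" "$2" | tr '\n' ' ')
    if [ -z "$addrs" ]; then
        echo "stealth"
    else
        echo "addressed: ${addrs% }"
    fi
}

# Constructed sample, not captured from a real host:
#   eth0 - sniffing interface, no IPv4 but an auto-configured IPv6 link-local
#   eth1 - management interface between sensors
#   eth2 - sniffing interface given an unrouted off-subnet address (1.1.1.2)
#   eth3 - sniffing interface with no address (therefore not listed)
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1\       valid_lft forever preferred_lft forever
4: eth2    inet 1.1.1.2/24 brd 1.1.1.255 scope global eth2\       valid_lft forever preferred_lft forever'

for i in eth0 eth1 eth2 eth3; do
    printf '%s: %s\n' "$i" "$(audit_iface "$i" "$SAMPLE")"
done
```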




