[Snort-users] Stealth interface

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Feb 16 02:08:57 EST 2005

--On 15 February 2005 12:14 -0800 Bob Konigsberg <bobkberg at ...12746...> 

> That's a good place to start.
> One additional thing that some people do is to cut the transmit pair (or
> never connect them) so that the interface cannot be seen at all by other
> network hardware.

...or use a tap in between two switches and *two* stealth interfaces:

SW -->--+-->-- SW
SW --<--|+-<-- SW
       NIDS <==> private admin network

On the NIDS, either run two instances of snort, one on each stealth 
interface, or bond them together and run a single instance of snort 
listening to the bonded interface. The former will make better use of 
multi-processor machines, the latter will be able to track state better 
because it's able to see both sides of any communication.

> Bob

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-users mailing list