[Snort-users] Stealth interface
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Wed Feb 16 02:08:57 EST 2005
--On 15 February 2005 12:14 -0800 Bob Konigsberg <bobkberg at ...12746...>
> That's a good place to start.
> One additional thing that some people do is to cut the transmit pair (or
> never connect them) so that the interface cannot be seen at all by other
> network hardware.
...or use a tap in between two switches and *two* stealth interfaces:
SW -->--+-->-- SW
SW --<--|+-<-- SW
NIDS <==> private admin network
On the NIDS, either run two instances of snort, one on each stealth
interface, or bond them together and run a single instance of snort
listening to the bonded interface. The former will make better use of
multi-processor machines, the latter will be able to track state better
because it's able to see both sides of any communication.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
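The two-stealth-interface tap setup described above, as an added shell example that is not part of the original post. It assumes Linux with iproute2, procps sysctl and the bonding driver, and that the two tap legs are called eth1 and eth2 (constructed names); it offers both options from the message, one snort per leg or a single snort on the bond.

```shell
#!/bin/sh
# Added example (not from the original post): make the two tap legs, assumed
# to be eth1 and eth2, stealth, bond them into bond0, and start snort on the
# bond so one instance sees both directions. Assumes Linux with iproute2,
# procps sysctl and the bonding driver. DRY_RUN=1 prints the commands instead.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Stealth: no address, no ARP, no IPv6 link-local (or the NIC would still
# send neighbour discovery), promiscuous. Software side of "never connect
# the transmit pair".
stealth_if() {
    run ip addr flush dev "$1"
    run sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1"
    run ip link set dev "$1" arp off promisc on
}

# Enslave the tap legs given after the bond name (slaves must be down first).
bond_taps() {
    bond=$1; shift
    run ip link add "$bond" type bond mode balance-rr
    for ifc in "$@"; do
        stealth_if "$ifc"
        run ip link set dev "$ifc" down
        run ip link set dev "$ifc" master "$bond"
        run ip link set dev "$ifc" up
    done
    stealth_if "$bond"
    run ip link set dev "$bond" up
}

# One snort per listed interface: "start_snort eth1 eth2" is the two-instance
# option from the post, "start_snort bond0" the single-instance one.
start_snort() {
    for ifc in "$@"; do run snort -c /etc/snort/snort.conf -i "$ifc" -D; done
}

# Check before sniffing: a stealth interface must carry no IPv4/IPv6 address.
has_no_addr() {
    ! ip -o addr show dev "$1" 2>/dev/null | grep -q inet
}

case "${1:-}" in
    bonded) bond_taps bond0 eth1 eth2; has_no_addr bond0; start_snort bond0 ;;
    split)  for i in eth1 eth2; do stealth_if "$i"; run ip link set dev "$i" up; done
            start_snort eth1 eth2 ;;
esac
```

Run it as `sh stealth-tap.sh bonded` or `sh stealth-tap.sh split` as root; with `DRY_RUN=1` set it only prints the commands so they can be reviewed first.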