Snort mailing list archives
FW: eth0 without ip ..
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Mon, 3 Feb 2003 13:42:08 -0700
-----Original Message-----
From: Slighter, Tim
Sent: Monday, February 03, 2003 1:39 PM
To: 'Bennett Todd'
Subject: RE: [Snort-users] eth0 without ip ..

MAC is layer 2 and does not require an IP. Chances are highly unlikely, but if a hacker was very determined, they could run an ARP discovery tool to pinpoint your IDS and use that information as an attack pivot... or worse yet, use that MAC to spoof packets. Disabling ARP with -arp simply cuts down on any extraneous potential points of ingress for the very determined deviants.

If your stealth interface is hooked up to a Cisco switch on a mirrored port, CDP will generate a lot of excess traffic on your stealth interface, thereby impacting the performance of Snort... when it should be ONLY analyzing intrusion-based traffic, Snort now has the additional load of dealing with CDP or VLAN broadcasts.

Does that make better sense?

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Monday, February 03, 2003 1:06 PM
To: Slighter, Tim
Subject: Re: [Snort-users] eth0 without ip ..

2003-02-03T14:51:58 Slighter, Tim:
> Actually, allow me to rephrase that: if your sensor is directly connected to
> a spanned port or any broadcast-domain switch/VLAN, your stealth interface could
> potentially receive CDP broadcasts..... In addition to this, without the -arp,
> one runs the potential risk of allowing the interface to respond with its MAC
> from an ARP query. Just one more potential target for the devious.

I'm still unclear on what problem I may be having. What's CDP? Isn't that something like Cisco Discovery Protocol or thereabouts? Why would it elicit traffic from an unnumbered interface? And what's it have to do with ARP? And if an interface has no address assigned, why would it ever answer ARP? An ARP query, to elicit a response, has to have the IP addr of the destination in the query, no? I'm still missing something.

Although if all I'm missing is a possibility for a locally-attached attacker to forge a wonky packet that reveals my insufficiently-stealthy device, I may not worry; I'm only trying to be "stealthy" to guarantee that I don't try and insert anything on a spanned port, lest such insertions disrupt the net. I.e. trying to get the same safety guarantees of passivity that you get with a tap.

-Bennett

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
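Added here as a worked example (not part of the thread, and not code from either poster): the "no IP, no ARP" sensor interface the thread describes, expressed for a current Linux with iproute2 instead of the legacy ifconfig -arp form, plus a check that the interface really ended up with NOARP and PROMISC set and no IPv4 address. The interface name and the sample `ip` output lines are assumptions/constructed for the demo.

```shell
#!/bin/sh
# Added example: put a Snort sniffing interface into "stealth" mode (no IP,
# ARP disabled, promiscuous) and verify the result. Interface name is assumed.
IFACE="${IFACE:-eth1}"

# Emit the iproute2 commands equivalent to the thread's
#   ifconfig eth0 up -arp promisc
# Flushing addresses first makes sure nothing is left to answer ARP for.
stealth_up_cmds() {
    cat <<EOF
ip addr flush dev $1
ip link set dev $1 arp off promisc on up
EOF
}

# Check one "ip -o link show dev X" line: 0 if NOARP, PROMISC and UP are all
# present in the <...> flag list, 1 otherwise.
check_link_flags() {
    flags="${1#*<}"; flags="${flags%%>*}"
    case ",$flags," in *,NOARP,*)   ;; *) return 1 ;; esac
    case ",$flags," in *,PROMISC,*) ;; *) return 1 ;; esac
    case ",$flags," in *,UP,*)      ;; *) return 1 ;; esac
    return 0
}

# Check "ip -4 addr show dev X" output: 0 when no "inet" address is bound.
check_no_ipv4() {
    case "$1" in *"inet "*) return 1 ;; *) return 0 ;; esac
}

# Constructed sample lines (not captured from a real host) for the demo run.
SAMPLE_GOOD='3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'
SAMPLE_BAD='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

check_link_flags "$SAMPLE_GOOD" && echo "eth1: stealth flags OK"
check_link_flags "$SAMPLE_BAD"  || echo "eth0: ARP still enabled or not promiscuous"
echo "commands for $IFACE:"; stealth_up_cmds "$IFACE"
```

On a real sensor, run the emitted commands as root and then feed `"$(ip -o link show dev "$IFACE")"` and `"$(ip -4 addr show dev "$IFACE")"` to the two check functions.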
Current thread:
- eth0 without ip .. David Alonso De La Vega Tapage (Jan 31)
- Re: eth0 without ip .. Demetri Mouratis (Jan 31)
- <Possible follow-ups>
- RE: eth0 without ip .. Gonzalez, Albert (Jan 31)
- RE: eth0 without ip .. Slighter, Tim (Feb 03)
- FW: eth0 without ip .. Slighter, Tim (Feb 03)