Snort mailing list archives

FW: eth0 without ip ..


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Mon, 3 Feb 2003 13:42:08 -0700



-----Original Message-----
From: Slighter, Tim 
Sent: Monday, February 03, 2003 1:39 PM
To: 'Bennett Todd'
Subject: RE: [Snort-users] eth0 without ip ..


MAC is layer 2 and does not require an IP.  Chances are highly unlikely, but
if a hacker was very determined, they could run an ARP discovery tool to
pinpoint your IDS and use that information as an attack pivot...or worse yet
use that MAC to spoof packets.  Disabling ARP with -arp simply cuts down on
any extraneous potential points of ingress for the very determined deviants.
If your stealth interface is hooked up to a Cisco switch on a mirrored
port, CDP will generate a lot of excess traffic on your stealth interface
and thereby impact the performance of Snort...when it should be ONLY
analyzing intrusion-based traffic, Snort now has the additional load of
dealing with CDP or VLAN broadcasts.

does that make better sense?

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Monday, February 03, 2003 1:06 PM
To: Slighter, Tim
Subject: Re: [Snort-users] eth0 without ip ..


2003-02-03T14:51:58 Slighter, Tim:
Actually, allow me to rephrase that, if your sensor is directly connected
to a spanned port or any broadcast domain switch/VLAN, your stealth interface
could potentially receive CDP broadcasts.....in addition to this, without
the -arp, one runs the potential risk of allowing the interface to respond
with its MAC from an ARP query.  Just one more potential target for the
devious

I'm still unclear on what problem I may be having. What's CDP? Isn't
that something like Cisco Discovery Protocol or thereabouts? Why
would it elicit traffic from an unnumbered interface? And what's it
have to do with ARP?

And if an interface has no address assigned, why would it ever
answer ARP? An ARP query, to elicit a response, has to have the IP
addr of the destination in the query, no? I'm still missing
something.

Although if all I'm missing is a possibility for a
locally-attached attacker to forge a wonky packet that reveals my
insufficiently-stealthy device, I may not worry; I'm only trying to
be "stealthy" to guarantee that I don't try and insert anything on a
spanned port, lest such insertions disrupt the net. I.e. trying to
get the same safety guarantees of passivity that you get with a tap.

-Bennett
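An added example, not code from the thread or from the Snort project: what Tim's advice amounts to on a current Linux sensor (iproute2 in place of `ifconfig eth0 -arp`), plus a check that reads `ip addr show` output and names anything that would let the interface announce itself or miss frames. The interface name and the sample `ip addr` outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: passive sensor interface setup and verification (not code
# from the thread). Interface name and sample `ip addr` output are assumed.

# Configure IFACE as a sniff-only interface: no address, ARP off (the
# iproute2 equivalent of "ifconfig eth0 -arp"), no IPv6 autoconfiguration,
# promiscuous mode on. Needs root; not run by the check below.
stealth_up() {
    iface="$1"
    ip addr flush dev "$iface"                       # drop any addresses
    sysctl -qw "net.ipv6.conf.$iface.disable_ipv6=1" # no fe80:: / NDP chatter
    ip link set dev "$iface" arp off                 # never answer ARP
    ip link set dev "$iface" multicast off           # join no multicast groups
    ip link set dev "$iface" promisc on              # see every spanned frame
    ip link set dev "$iface" up
}

# Read the text of `ip addr show dev IFACE` from stdin and print every
# property that would let the sensor reveal itself or miss traffic.
# Returns 0 when the interface is fully passive, 1 otherwise.
stealth_check() {
    status=$(cat)
    rc=0
    flags=$(printf '%s\n' "$status" | sed -n '1s/.*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,NOARP,*) ;;
        *) echo "ARP enabled: interface will answer ARP queries"; rc=1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "promiscuous mode off: Snort will miss frames"; rc=1 ;;
    esac
    if printf '%s\n' "$status" | grep -Eq '^ *inet6? '; then
        echo "address configured: interface is reachable on the wire"; rc=1
    fi
    return $rc
}

# Constructed sample outputs (not captured from a real host).
STEALTH_OK='2: eth0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
LEAKY='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet6 fe80::ff:fe00:1/64 scope link'

# On a live sensor, after stealth_up eth0:  ip addr show dev eth0 | stealth_check
printf '%s\n' "$LEAKY" | stealth_check || :   # prints the three problems
```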

