Snort mailing list archives
RE: Stealth interface
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Wed, 16 Feb 2005 10:08:29 +0000
--On 15 February 2005 12:14 -0800 Bob Konigsberg <bobkberg () networkeval com> wrote:
That's a good place to start. One additional thing that some people do is to cut the transmit pair (or never connect them) so that the interface cannot be seen at all by other network hardware.
...or use a tap in between two switches and *two* stealth interfaces:

SW -->--+-->-- SW
SW --<--|+-<-- SW
        ||
        vv
       NIDS <==> private admin network

On the NIDS, either run two instances of snort, one on each stealth interface, or bond them together and run a single instance of snort listening to the bonded interface. The former will make better use of multi-processor machines, the latter will be able to track state better because it's able to see both sides of any communication.
Bob
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
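An added illustration of the state-tracking point in the message above; it is not part of the original post and is not Snort's own code. A toy TCP handshake tracker is run over constructed packet records from the two tap legs, first separately (one sensor instance per stealth interface) and then merged (what a bonded interface would present). The addresses, timestamps and the `track` helper are assumptions made for the example.

```python
# Constructed sample: one TCP session as seen on a full-duplex tap.
# LEG_A carries client->server frames, LEG_B carries server->client frames.
# Record layout: (timestamp, source, destination, tcp_flags)
LEG_A = [
    (1.000, "10.0.0.5:40000", "192.0.2.10:80", "SYN"),
    (1.002, "10.0.0.5:40000", "192.0.2.10:80", "ACK"),
    (1.003, "10.0.0.5:40000", "192.0.2.10:80", "PSH-ACK"),
]
LEG_B = [
    (1.001, "192.0.2.10:80", "10.0.0.5:40000", "SYN-ACK"),
    (1.004, "192.0.2.10:80", "10.0.0.5:40000", "PSH-ACK"),
]


def track(packets):
    """Toy handshake tracker (hypothetical helper, not Snort's stream code).

    Returns (set of session states reached, count of packets that did not
    fit any tracked session state).
    """
    sessions, orphans = {}, 0
    for _ts, src, dst, flags in sorted(packets):      # replay in time order
        flow = frozenset((src, dst))                  # direction-independent key
        state = sessions.get(flow)
        if flags == "SYN" and state is None:
            sessions[flow] = "SYN_SEEN"
        elif flags == "SYN-ACK" and state == "SYN_SEEN":
            sessions[flow] = "SYNACK_SEEN"
        elif flags == "ACK" and state == "SYNACK_SEEN":
            sessions[flow] = "ESTABLISHED"
        elif state != "ESTABLISHED":
            orphans += 1                              # packet outside a known session
    return set(sessions.values()), orphans


if __name__ == "__main__":
    # One instance per stealth interface: each sees half of the conversation.
    print("leg A only:", track(LEG_A))
    print("leg B only:", track(LEG_B))
    # Bonded interface: both directions reach a single tracker.
    print("bonded    :", track(LEG_A + LEG_B))
```
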