Firewall Wizards mailing list archives

RE: stealth ports and IDS


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 04 Oct 2002 16:46:29 -0500

On Fri, 2002-10-04 at 13:47, Ben Nagy wrote:
This appears to be security urban myth. I (and others) have tried it. It
doesn't work.

(The problem is that most network devices will not bring up layer 1,
because not all the wires are connected.)


The RO cable I use works like a charm, so don't be so quick to write it
off as an urban legend. The only drawback is that you can only use it on
a plain-old, dumb hub, since my cable fakes the 'missing link' by
crossing the receive pair back to send. That will confuse the heck out
of switches (MAC table blow-up), but works fine on a hub.

In those cases the line you are monitoring can only be half-duplex. If
you want to monitor full-duplex links, you need to use a switch and
configure a monitor port (or use taps and pipe their output onto a
switch with a monitor port).

If you want a diagram for that cable, let me know (or just look at the
Snort FAQ).

Regards,
Frank

