IDS mailing list archives
Re: IDS Stealth Mode
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 14 Jan 2003 22:43:31 -0600
And of course there is the read-only cable that does have an 'air gap' on the send pair. The LAN side should only be used on a single speed hub since it loops output to input (to fake a link). Here is the cable I use:

LAN.......Sniffer
1.-----\..../--.1
2.---\.|....\--.2
3.---+-*-------.3
4.-..|........-.4
5.-..|........-.5
6.---*---------.6
7.-...........-.7
8.-...........-.8

Basically, pin 1 and 2 on the sniffer side are connected, 3 and 6 go straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub.

If you use it on a switch you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch.

Works like a charm on a hub though. You can get by with a cheap 4 port Ethernet hub. Just connect, for example, the router and the firewall into the hub, and then plug in the read-only cable that connects to the IDS box. As mentioned, the read-only cable sends packets back onto the LAN, but since you have one shared medium with a hub anyway, it doesn't matter.

So, the r-o cable and a $20 hub create a very cost-effective tap. And with some patience, you can crimp this stuff right into the connector. I still have images of it (never got around to making the how-to mpeg though...):

http://www.snortsam.net/1.jpg
http://www.snortsam.net/2.jpg
http://www.snortsam.net/3.jpg

Regards,
Frank

On Sun, 2003-01-12 at 12:40, Jonas Eriksson wrote:

Here are some more pages about making "sniffing cables" etc

http://www.geocities.com/samngms/sniffing_cable/
http://www.ironcomet.com/sniffer.shtml
http://www.zweknu.org/technical/rx-only.html
http://www.e-secure-db.us/dscgi/ds.py/View/Collection-1842
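
Added illustration, not part of the message above or of any poster's code: a minimal model of a learning switch, showing the MAC-table effect the post describes when the read-only cable echoes frames back into the port they left from. The three-port layout, port numbers and MAC addresses are constructed assumptions.

```python
# Constructed sample addresses (locally administered MACs) and port layout.
ROUTER, FIREWALL = "02:00:00:00:00:01", "02:00:00:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Toy model: learns source MACs per port, forwards or floods by destination."""
    def __init__(self, ports, loopback_port=None):
        self.ports = list(ports)
        self.loopback_port = loopback_port  # port with the read-only cable, if any
        self.mac_table = {}                 # source MAC -> port it was last seen on
        self.delivered = []                 # (egress port, dst MAC) sent to a device

    def receive(self, in_port, src, dst):
        self.mac_table[src] = in_port       # learn, or relearn, the source address
        out = self.mac_table.get(dst)
        if out == in_port:
            return                          # destination "lives" on ingress port: drop
        if out is None:                     # broadcast or unknown unicast: flood
            egress = [p for p in self.ports if p != in_port]
        else:
            egress = [out]
        for port in egress:
            if port == self.loopback_port:
                # The cable loops the transmitted frame back in on the same port.
                self.receive(port, src, dst)
            else:
                self.delivered.append((port, dst))

def run(loopback_port):
    """Router on port 1, firewall on port 2, IDS on port 3."""
    sw = LearningSwitch(ports=[1, 2, 3], loopback_port=loopback_port)
    sw.receive(1, ROUTER, BROADCAST)        # e.g. an ARP request, flooded to 2 and 3
    sw.receive(2, FIREWALL, ROUTER)         # unicast reply addressed to the router
    return sw

def reply_reaches_router(loopback_port):
    return (1, ROUTER) in run(loopback_port).delivered

if __name__ == "__main__":
    for lb in (None, 3):
        sw = run(lb)
        print("loopback port:", lb, "| table:", sw.mac_table,
              "| reply reaches router:", reply_reaches_router(lb))
```

With the loop-back on port 3 the switch relearns both addresses on the IDS port, so the reply to the router is sent into the cable and then filtered. On a hub there is no per-port table to mislearn.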