Penetration Testing mailing list archives

Re: [PEN-TEST] IDS identification and a personal cry for help :)


From: Domenico De Vitto <dom () DEVITTO DEMON CO UK>
Date: Fri, 18 Aug 2000 22:58:13 +0100

Yep, this works too, but if you've a switch, you just put that port
in a receive-everything-on-all-vlans mode.

Strangely, nobody has mentioned simply not having an IP stack on the
interface - à la SunScreens.

Am I right in saying that the very first IDS (by Texas Uni) was an external
DOS box that just sniff'd & logged without having a network stack at all?

Dom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Michael Schubert
Sent: 18 August 2000 02:59
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] IDS identification and a personal cry for help
:)


The correctly paranoid install Ethernet or optical (depending on
flavor of sniffed connection) condoms aka the Shomiti Century tap for
10/100/1000 Ethernet utp or optical from www.shomiti.com or the netoptics
80%/20% optical splitters from www.netoptics.com. With them in place
and either no management connection or a properly isolated management
connection (i.e. no connection to the Internet) it really doesn't matter
what ports are or are not open on your IDS because the tap is one way, it
doesn't have a connection to the transmit side of your IDS (except to

Along this same line, the poor-man's solution to this, I believe, would be
to simply use a hub between box A and box B with box C on the hub with
the transmit pair of the rj45 disconnected (cut out). I'm thinking this
would achieve the same effect of a completely muted promisc box,
although this wouldn't be possible with fiber. Anyone ever tried this?

-- Michael Schubert -- schubert () fsck org
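
Both posts above come down to the same check: the sniffing interface should hold no L3 address, answer no ARP, and sit in promiscuous mode, so it has nothing to transmit. As an added example (not from this thread or either poster), here is a small audit over the JSON that `ip -j addr show` emits on Linux; the interface names and addresses in the sample are constructed, and the sample stands in for the live command output.

```python
import json

# Constructed sample of `ip -j addr show` output: eth0 is a normal management
# NIC, eth1 is a "sensor" NIC someone forgot to strip (IPv4 plus the kernel's
# auto-assigned IPv6 link-local, ARP still on), eth2 is a properly muted one.
SAMPLE_IP_JSON = json.dumps([
    {"ifindex": 2, "ifname": "eth0",
     "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "10.0.0.5", "prefixlen": 24}]},
    {"ifindex": 3, "ifname": "eth1",
     "flags": ["BROADCAST", "MULTICAST", "PROMISC", "UP", "LOWER_UP"],
     "addr_info": [
         {"family": "inet", "local": "192.168.1.20", "prefixlen": 24},
         {"family": "inet6", "local": "fe80::1", "prefixlen": 64, "scope": "link"}]},
    {"ifindex": 4, "ifname": "eth2",
     "flags": ["BROADCAST", "MULTICAST", "NOARP", "PROMISC", "UP", "LOWER_UP"],
     "addr_info": []},
])


def audit_sniff_iface(ip_json, ifname):
    """Return a list of findings for the named sniffing interface.

    An empty list means: no IPv4/IPv6 address (link-local included, since
    even that makes the NIC speak Neighbour Discovery), NOARP set, PROMISC
    set and the link up. Each finding is one thing the interface would
    still transmit or still miss.
    """
    for link in json.loads(ip_json):
        if link.get("ifname") == ifname:
            break
    else:
        return [f"{ifname}: interface not found"]

    findings = []
    flags = set(link.get("flags", []))
    for addr in link.get("addr_info", []):
        findings.append(f"{ifname}: has {addr['family']} address "
                        f"{addr['local']}/{addr['prefixlen']} (can transmit)")
    if "NOARP" not in flags:
        findings.append(f"{ifname}: NOARP flag missing (ARP not disabled)")
    if "PROMISC" not in flags:
        findings.append(f"{ifname}: not promiscuous (will drop mirrored frames)")
    if "UP" not in flags:
        findings.append(f"{ifname}: link is down")
    return findings


if __name__ == "__main__":
    for name in ("eth0", "eth1", "eth2"):
        print(name, "->", audit_sniff_iface(SAMPLE_IP_JSON, name) or "OK, muted")
```

On a real sensor, replace the sample with `subprocess.run(["ip", "-j", "addr", "show"], capture_output=True, text=True).stdout`; the audit does not cover the management NIC, which Michael's point says must be isolated separately.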

