Snort mailing list archives

RE: Snort Sniffing vs. Snort Database


From: Erek Adams <erek () snort org>
Date: Sat, 8 Mar 2003 10:31:26 -0500 (EST)

On Sat, 8 Mar 2003, Jan van den Berg wrote:

> Thanks for the input, it cleared up a lot!

Dandy!

> But this however is confusing:
>
> "Quite often, you want to use an interface to sniff with that has no ip
> for security.  With no IP you can't send out alerts."
>
> Could you explain this a little more, because if the machine has no IP
> how am I gonna write the data to another machine; I can't make a
> connection (unless serial or otherwise). And what do you mean with, with
> no IP you can't send out alerts?

Short answer:  If you can't see it, it's not there--So you can't attack
it.

Long answer:  To safeguard the IDS, many times a 'stealth' interface is
used.  This interface is nothing special.  It's just configured without an
IP address.  W/O an IP, you can't get to it at all.  It can't send traffic
out of that interface, so it's effectively 'not there'.  But...  Due to
the way that IP works, it can _still_ see the traffic on the wire if
placed in promiscuous mode.  Quite often this setup is paired with a 'Read
Only' cable [0] so that there is no physical way someone could ever talk
to the sensor.  A R/O cable is a very handy bit of cabling to have lying
around for an IDS.  :)  Now, the question you are most likely asking is
'how the hell do I use/manage that sensor if I can't get to it?!?'  Use a
console cable or a second nic (with an IP) that's on another separate
network.  If you'll notice most of those diagrams refer to a 'management
network' on the back end of the sensor.  Connect your DB onto that,
segment it off from the rest of the world, and simply connect who needs
access to the DB.  The sensor doesn't watch it, so no extra traffic==no
extra load on Snort.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.theadamsfamily.net/~erek/snort/
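
As an added sanity check for the layout Erek describes (not code from this thread or from Snort itself), the Python below parses `ip -o link` / `ip -o addr` style output and confirms that the sniffing NIC carries no address at all and is in promiscuous mode, while the management NIC is the one with the IP. The interface names eth0/eth1 and the sample command output are constructed assumptions for illustration.

```python
import re

# Constructed sample of `ip -o link show` (not from a real sensor): the
# sniffing NIC eth0 is PROMISC, the management NIC eth1 is not.
SAMPLE_LINK = """\
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
"""
# Constructed sample of `ip -o addr show`: only the management NIC has an address.
# Matching inet6 too catches an auto-assigned fe80:: link-local on the sniffing NIC.
SAMPLE_ADDR = "3: eth1    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1\n"

LINK_RE = re.compile(r"^\d+:\s+(\S+?):\s+<([^>]*)>")
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+)")

def parse_links(text):
    """Map interface name -> set of link flags (e.g. PROMISC, UP)."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m.group(1)] = set(m.group(2).split(","))
    return links

def parse_addrs(text):
    """Map interface name -> list of configured IPv4/IPv6 addresses."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs

def check_sensor(link_text, addr_text, sniff_if, mgmt_if):
    """Return a list of problems; an empty list means the layout is as intended."""
    links, addrs = parse_links(link_text), parse_addrs(addr_text)
    problems = []
    if sniff_if not in links:
        problems.append(f"{sniff_if}: interface not found")
    else:
        if addrs.get(sniff_if):  # any address makes the sensor reachable
            problems.append(f"{sniff_if}: has address(es) {addrs[sniff_if]}; sniffing NIC must be IP-less")
        if "PROMISC" not in links[sniff_if]:
            problems.append(f"{sniff_if}: not in promiscuous mode, Snort will miss traffic")
    if not addrs.get(mgmt_if):  # the DB lives on the management network
        problems.append(f"{mgmt_if}: management NIC has no IP, DB logging cannot reach it")
    return problems
```

On a live sensor, feed it the real output of `ip -o link show` and `ip -o addr show` in place of the constructed samples.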


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

