Snort mailing list archives
RE: Snort Sniffing vs. Snort Database
From: Erek Adams <erek () snort org>
Date: Sat, 8 Mar 2003 10:31:26 -0500 (EST)
On Sat, 8 Mar 2003, Jan van den Berg wrote:
> Thanks for the input, it cleared up a lot!

Dandy!

> But this however is confusing: "Quite often, you want to use an interface to sniff with that has no ip for security. With no IP you can't send out alerts." Could you explain this a little more, because if the machine has no IP how am I gonna write the data to another machine? I can't make a connection (unless serial or otherwise). And what do you mean by "with no IP you can't send out alerts"?
Short answer: If you can't see it, it's not there--so you can't attack it.

Long answer: To safeguard the IDS, many times a 'stealth' interface is used. This interface is nothing special. It's just configured without an IP address. W/O an IP, you can't get to it at all. It can't send traffic out of that interface, so it's effectively 'not there'. But... Due to the way that IP works, it can _still_ see the traffic on the wire if placed in promiscuous mode. Quite often this setup is paired with a 'Read Only' cable [0] so that there is no physical way someone could ever talk to the sensor. A R/O cable is a very handy bit of cabling to have lying around for an IDS. :)

Now, the question you are most likely asking is 'how the hell do I use/manage that sensor if I can't get to it?!?' Use a console cable or a second NIC (with an IP) that's on another separate network. If you'll notice, most of those diagrams refer to a 'management network' on the back end of the sensor. Connect your DB onto that, segment it off from the rest of the world, and simply connect who needs access to the DB. The sensor doesn't watch it, so no extra traffic == no extra load on Snort.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.theadamsfamily.net/~erek/snort/
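The stealth-interface setup described in Erek's reply, as an added example in POSIX shell; this is not code from the original post or from the Snort project. It assumes a Linux sensor with iproute2 and sysctl, and the interface names (eth1 for sniffing, eth0 for management) are placeholders. One caveat the post does not mention is built in: a current Linux kernel gives any interface it brings up an IPv6 link-local address, so the "no IP" interface silently gets one unless IPv6 is disabled on it first. The `is_stealth` check parses `ip -o addr show` output so the verification can be run against constructed sample text as well as the live system.

```shell
#!/bin/sh
# Added example (not from the original post): bring up a Snort "stealth"
# sniffing interface with no IP address, and verify it really has none.
# Assumptions: Linux with iproute2 and sysctl; SNIFF_IF/MGMT_IF are
# placeholder interface names.
set -eu

SNIFF_IF="${SNIFF_IF:-eth1}"   # sniffing NIC: no address, promiscuous
MGMT_IF="${MGMT_IF:-eth0}"     # management NIC: addressed, separate network

# Configure the sniffing interface. Needs root; the checks below do not call it.
configure_stealth_if() {
    # Stop the kernel from auto-assigning an IPv6 link-local address when
    # the link comes up; otherwise the "no IP" interface gets one anyway.
    sysctl -w "net.ipv6.conf.${SNIFF_IF}.disable_ipv6=1"
    # Drop any IPv4/IPv6 address already configured on it.
    ip addr flush dev "$SNIFF_IF"
    # Bring it up in promiscuous mode so it sees all frames on the wire,
    # and turn ARP off so the sensor never answers for this interface.
    ip link set dev "$SNIFF_IF" up promisc on arp off
    # Snort then sniffs on it and logs to the DB reachable via MGMT_IF, e.g.:
    #   snort -i "$SNIFF_IF" -c /etc/snort/snort.conf
}

# is_stealth OUTPUT
# Returns 0 if OUTPUT (text in `ip -o addr show dev IF` format) contains no
# inet or inet6 address, i.e. the interface is a stealth interface; 1 if it
# has any address at all.
is_stealth() {
    addr_output="$1"
    if printf '%s\n' "$addr_output" | grep -Eq '[[:space:]]inet6?[[:space:]]'; then
        return 1
    fi
    return 0
}

# Live check against the running system (needs iproute2, not root).
check_live() {
    is_stealth "$(ip -o addr show dev "$SNIFF_IF")"
}

# Constructed sample outputs approximating `ip -o addr show` lines, used so
# the demo below runs without touching real interfaces.
SAMPLE_STEALTH='3: eth1    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LEAKY='3: eth1    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

demo() {
    if is_stealth "$SAMPLE_STEALTH"; then
        echo "sample 1: stealth (no address)"
    fi
    if ! is_stealth "$SAMPLE_LEAKY"; then
        echo "sample 2: NOT stealth (IPv6 link-local present)"
    fi
}

demo
```

Run `check_live` after `configure_stealth_if` on the sensor; if it fails, the interface picked up an address (typically the IPv6 link-local one) and is reachable, which defeats the point of the setup.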
Current thread:
- Snort Sniffing vs. Snort Database Jan van den Berg (Mar 07)
- Re: Snort Sniffing vs. Snort Database Erek Adams (Mar 07)
- RE: Snort Sniffing vs. Snort Database Jan van den Berg (Mar 08)
- RE: Snort Sniffing vs. Snort Database Erek Adams (Mar 08)
- RE: Snort Sniffing vs. Snort Database Jan van den Berg (Mar 08)
- Re: Snort Sniffing vs. Snort Database Erek Adams (Mar 07)