Snort mailing list archives
RE: Methodology Verification
From: "John Cherbini" <cherbini () dakotacom net>
Date: Tue, 14 Jan 2003 22:57:05 -0700
I had the feeling that bridging was the gap that I was missing. Unfortunately, I had only dealt with bridging on a wireless network, and not with snort. Whenever I've needed this type of functionality through a linux box, I've always used NAT. So basically, I need to look at hogwash or snort-inline to do the bridging stuff, correct? Otherwise, I do NAT.

Now, this brings up the question: do snortcenter and ACID both work with hogwash or snort-inline? After looking through the hogwash archives, there doesn't seem to be a definite answer. Having snortcenter and ACID is not as important to me as having snort running in a bridging mode, but it would be nice! Again, any docs on this type of stuff?

Thanks again!
John C.

-----Original Message-----
From: seclists () spiggy net [mailto:seclists () spiggy net]
Sent: Tuesday, January 14, 2003 9:20 PM
To: cherbini () dakotacom net
Subject: Re: [Snort-users] Methodology Verification

The logical gap you are not seeing is one word long: bridge

You can have an ip-less machine pass traffic back to your internal production machine as long as it has an external ip address and bridging is enabled on your snort box... snort-inline and hogwash both do this - work below the IP layer of your network stack - and thus don't need an ip on the machine running the IDS software..

The problem you may run into is getting the dhcp address to your internal machine... I'm not sure if the system can pass broadcasts or dhcp back; someone else will have to answer that.

If you choose to go the NAT route - it's fairly simple to set up and is about as effective for what you want to do as bridging the data. The only significant difference is that, without an ip, your snort-inline/hogwash box is a bit more difficult to attack and much, much less visible on the network.

The problem

Currently, the external interface on the snort box is getting a DHCP address. I want the snort box to basically be invisible. I understand that this can happen in a number of ways.. Am I looking at doing NAT to an internal subnet (the victim)? Using IPTables, etc.... Can I make snort transparent enough so that the victim machine will be able to pull its own DHCP address on the external subnet? (a la hogwash?) Does snort-inline do what I'm looking for? It seems to be the same thing as hogwash, is this correct?
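The thread's point is that a bridging snort-inline/hogwash box forwards on MAC addresses below the IP layer, so it needs no IP of its own, and that the open question is whether the internal host's DHCP broadcast crosses it. The following is an added example, not code from the thread or from snort-inline/hogwash: a two-port learning bridge run over constructed frames (a DHCPDISCOVER from the internal host and the unicast DHCPOFFER coming back), with port names, MACs and the zeroed IP/UDP fields all assumed for illustration.

```python
# Added example: a minimal learning bridge forwarding constructed Ethernet frames.
# It never inspects IP addresses, which is why the IDS box itself needs none.
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_IP = 0x0800

def mac_to_bytes(m: str) -> bytes:
    return bytes(int(x, 16) for x in m.split(":"))

def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header followed by an (example-constructed) payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload

def dhcp_discover_frame(client_mac: str) -> bytes:
    """DHCPDISCOVER as seen on the wire: broadcast MAC, IP 0.0.0.0 -> 255.255.255.255,
    UDP 68 -> 67. Lengths/checksums are zeroed; this is a constructed sample."""
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 0, 0, 0, 64, 17, 0)
    ip += bytes([0, 0, 0, 0]) + bytes([255, 255, 255, 255])
    udp = struct.pack("!HHHH", 68, 67, 8, 0)
    return build_frame(BROADCAST, client_mac, ETH_IP, ip + udp)

class LearningBridge:
    """Learns source MAC -> port; floods broadcast/unknown, else forwards by MAC."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.fdb = {}  # forwarding database: MAC -> port it was last seen on

    def forward(self, in_port: str, frame: bytes):
        dst = bytes_to_mac(frame[0:6])
        src = bytes_to_mac(frame[6:12])
        self.fdb[src] = in_port                      # learn where src lives
        if dst == BROADCAST or dst not in self.fdb:  # flood broadcast/unknown
            return [p for p in self.ports if p != in_port]
        out = self.fdb[dst]
        return [] if out == in_port else [out]       # same segment: drop

def demo():
    """ext = upstream/DHCP-server side, int = the internal (victim) host side."""
    br = LearningBridge(["ext", "int"])
    victim, dhcp_server = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"  # assumed MACs
    to_ext = br.forward("int", dhcp_discover_frame(victim))   # broadcast crosses
    offer = build_frame(victim, dhcp_server, ETH_IP, b"")    # DHCPOFFER, unicast
    to_int = br.forward("ext", offer)                         # learned MAC -> int
    return to_ext, to_int, dict(br.fdb)
```

With a real Linux bridge the same logic runs in the kernel; the IDS box only needs an address on the bridge if you want to manage it over the network, which is the visibility trade-off the reply describes.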