Snort mailing list archives
Stealth sniffing and and bridging networks
From: "Marc Quibell" <mquibell () fbfs com>
Date: Tue, 28 Oct 2003 13:56:21 -0600
If you are Spanning/mirroring to two promiscuous adapters, then you are not bridging the networks. There is no arp'ing or any Layer 2 communications going on (let alone layer 3); you are merely listening. Even the switch prevents any bridging by spanning to the port; it is effectively taking it out of forwarding mode.

I hope this is what you asked?!

Cheese!
Marc
--__--__--

Message: 2
From: "Watson, Ed" <EWatson () lightspan com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Tue, 28 Oct 2003 08:58:40 -0800
Subject: [Snort-users] Stealth sniffing and and bridging networks
Hello Everyone,

I'd like to pose this question with accompanying details.

I have:

RH7.2 / 2.4.20-20.7smp
3 NICs (1 built-in / 1 dual port)
Snort 2.0.2 / ACID / MySQL

The built-in NIC has an internal IP. On the dual port, neither NIC has an IP (Stealth Mode); both listen in promisc.

Built-in NIC ---- internal IP / internal switch
Dual Port    ---- DMZ / NO-IP(Stealth/promisc)
            \---- Internal switch / NO-IP(Stealth/promisc)

I'd like to manage the snort box from the internal IP console but stealthily sniff the DMZ (Cisco 3548 / using 'port monitor') and traffic flowing in/out of the main LAN at the firewall (Cisco 6006 / using 'span' disallowing regular traffic to that port).

I'd like to make this work without "bridging" the networks or reducing the risk to an acceptable level? I've tested the read-only cable but read some stories about switches having problems dealing with them. Is it possible to do this with minimal risk?
Thanks all,
Ed
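
Added example, not part of either poster's message: a host-side check that a sniffing port on the sensor really is listen-only (no address, ARP off, not enslaved to a bridge, kernel forwarding off). The function name, the finding labels and the sample `ip -o` text are constructed for illustration; treating NOARP as required is an assumption about how the operator hardens the port.

```shell
#!/bin/sh
# Added example, not from the thread. Sample text below is constructed.
# Assumes iproute2 one-line output: `ip -o addr show dev IF`, `ip -o link show dev IF`.

audit_sniff_iface() {
    # $1 = interface, $2 = `ip -o addr` text, $3 = `ip -o link` text,
    # $4 = content of /proc/sys/net/ipv4/ip_forward
    findings=""
    # Any inet/inet6 line means the port is addressable (IPv6 link-local counts).
    if printf '%s\n' "$2" | grep -Eq '[[:space:]]inet6?[[:space:]]'; then
        findings="$findings has-address"
    fi
    # Interface flags sit between < and > on the link line.
    flags=$(printf '%s\n' "$3" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p' | head -n 1)
    case ",$flags," in
        *,NOARP,*) ;;
        *) findings="$findings arp-enabled" ;;
    esac
    # "master <dev>" means the port is enslaved to a bridge (or bond).
    if printf '%s\n' "$3" | grep -Eq '[[:space:]]master[[:space:]]'; then
        findings="$findings bridge-member"
    fi
    # The kernel must not route between the management and sniffing sides.
    if [ "$4" != "0" ]; then
        findings="$findings ip-forward-on"
    fi
    if [ -z "$findings" ]; then
        echo "$1: ok"
        return 0
    fi
    echo "$1:$findings"
    return 1
}

# Constructed samples: a locked-down port and a misconfigured one.
GOOD_LINK='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
BAD_LINK='4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state UP'
BAD_ADDR='4: eth2    inet6 fe80::200:ff:fe00:2/64 scope link'

audit_sniff_iface eth1 "" "$GOOD_LINK" 0
audit_sniff_iface eth2 "$BAD_ADDR" "$BAD_LINK" 1 || true
```

On a live sensor the three inputs would come from `ip -o addr show dev IF`, `ip -o link show dev IF` and `cat /proc/sys/net/ipv4/ip_forward`.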
Current thread:
- Stealth sniffing and and bridging networks Watson, Ed (Oct 28)
- <Possible follow-ups>
- Stealth sniffing and and bridging networks Marc Quibell (Oct 28)