Snort mailing list archives

Stealth sniffing and bridging networks


From: "Marc Quibell" <mquibell () fbfs com>
Date: Tue, 28 Oct 2003 13:56:21 -0600




If you are spanning/mirroring to two promiscuous adapters, then you are not
bridging the networks. There is no ARPing or any Layer 2 communication going
on (let alone Layer 3); you are merely listening. Even the switch prevents any
bridging: by spanning to the port, it is effectively taking it out of forwarding
mode.

I hope this is what you asked?!

Cheese!

Marc

--__--__--

Message: 2
From: "Watson, Ed" <EWatson () lightspan com>
To: "'snort-users () lists sourceforge net'"
      <snort-users () lists sourceforge net>
Date: Tue, 28 Oct 2003 08:58:40 -0800
Subject: [Snort-users] Stealth sniffing and bridging networks

Hello Everyone,
   I'd like to pose this question with accompanying details.

I have:

RH7.2 / 2.4.20-20.7smp
3 NICs (1 built-in / 1 dual port)
Snort 2.0.2 /ACID/Mysql

The built-in NIC has an internal IP.
The dual port: neither NIC has an IP (Stealth Mode), listening in promisc.

             Built-in NIC ---- internal IP / internal switch

             Dual Port ---- DMZ / NO-IP(Stealth/promisc)
                      \---- Internal switch / NO-IP(Stealth/promisc)


I'd like to manage the Snort box from the internal IP console but stealthily
sniff the DMZ (Cisco 3548/ using 'port monitor') and traffic flowing in/out
of the main LAN at the firewall (Cisco 6006/using 'span' disallowing regular
traffic to that port).

I'd like to make this work without "bridging" the networks or reducing the
risk to an acceptable level? I've tested the read-only cable but read some
stories about switches having problems dealing with them. Is it possible to do
this with minimal risk?

Thanks all,

Ed
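
The following is an added example, not part of either message and not code from the Snort project. It audits a sensor laid out like the one described in the thread, checking that the sniffing ports hold no address, have ARP off, and are attached to no bridge, and that the kernel is not forwarding between NICs. It assumes a current Linux host with iproute2; the interface names (eth0 management, eth1/eth2 sniffing) and the sample `ip` output are constructed.

```shell
#!/usr/bin/env bash
# Audit a passive sensor: each sniffing NIC must carry no address, have ARP
# off, and belong to no bridge; the host must not forward IP between NICs.

# Constructed, trimmed samples in the format of `ip -o addr show` and
# `ip -o link show` (not taken from the original post).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.1.1.50/24 brd 10.1.1.255 scope global eth0
3: eth1    inet6 fe80::201:2ff:fe03:405/64 scope link'
SAMPLE_LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP
4: eth2: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 master br0 state UP'

# audit_sensor ADDRS LINKS IP_FORWARD IFACE...
# Prints one finding per line; returns 0 only when there are none.
audit_sensor() {
    local addrs=$1 links=$2 fwd=$3 ifc findings
    shift 3
    findings=$(
        [ "$fwd" = "0" ] || echo "host: ip_forward=$fwd, kernel may route between NICs"
        for ifc in "$@"; do
            # An address of either family lets the NIC source traffic. IPv6
            # link-local addresses appear on their own unless IPv6 is disabled.
            printf '%s\n' "$addrs" | awk -v i="$ifc" \
                '$2 == i && $3 ~ /^inet6?$/ { print i ": has address " $4 }'
            # With the default arp_ignore=0, Linux answers ARP on any NIC for
            # an address held by another NIC, so the sniffing ports need NOARP.
            printf '%s\n' "$links" | awk -v i="$ifc:" '$2 == i {
                if ($3 !~ /NOARP/) print $2 " ARP enabled"
                for (n = 4; n < NF; n++)
                    if ($n == "master") print $2 " attached to master " $(n + 1)
            }'
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Live use (run on the sensor itself):
#   audit_sensor "$(ip -o addr show)" "$(ip -o link show)" \
#       "$(cat /proc/sys/net/ipv4/ip_forward)" eth1 eth2
audit_sensor "$SAMPLE_ADDRS" "$SAMPLE_LINKS" 1 eth1 eth2 || true
```

The promiscuous flag is deliberately not checked: a libpcap-based sniffer can put the NIC into promiscuous mode without `PROMISC` appearing in the interface flags.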



