Snort mailing list archives

RE: Stealth interface


From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Wed, 16 Feb 2005 10:08:29 +0000



--On 15 February 2005 12:14 -0800 Bob Konigsberg <bobkberg () networkeval com> wrote:


> That's a good place to start.
>
> One additional thing that some people do is to cut the transmit pair (or
> never connect them) so that the interface cannot be seen at all by other
> network hardware.

...or use a tap in between two switches and *two* stealth interfaces:


SW -->--+-->-- SW
SW --<--|+-<-- SW
        ||
        vv
       NIDS <==> private admin network

On the NIDS, either run two instances of snort, one on each stealth interface, or bond them together and run a single instance of snort listening to the bonded interface. The former will make better use of multi-processor machines, the latter will be able to track state better because it's able to see both sides of any communication.

> Bob

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
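
The state-tracking trade-off described in the message above, shown as an added example that is not part of the original post: a simplified TCP handshake tracker (an assumption for illustration, not Snort's own stream handling) is run on each tap leg separately and then on the merged view a bonded interface would provide. The addresses and packet records are constructed.

```python
# Constructed sample: one TCP connection as seen on the two legs of a tap.
# Each record is (timestamp, src, dst, tcp_flags).
# Leg A carries only client->server frames, leg B only server->client frames.
LEG_A = [
    (0.000, "10.0.0.5:40000", "192.0.2.10:80", "S"),
    (0.002, "10.0.0.5:40000", "192.0.2.10:80", "A"),
    (0.003, "10.0.0.5:40000", "192.0.2.10:80", "PA"),
]
LEG_B = [
    (0.001, "192.0.2.10:80", "10.0.0.5:40000", "SA"),
    (0.004, "192.0.2.10:80", "10.0.0.5:40000", "A"),
]


def handshake_states(packets):
    """Return the final handshake state of every flow in `packets`.

    Simplified model: a flow is ESTABLISHED only after SYN, SYN-ACK from
    the peer, and ACK from the initiator have been seen in that order.
    """
    flows = {}
    for _ts, src, dst, flags in sorted(packets):   # replay in time order
        key = frozenset((src, dst))                # same key both directions
        state, client = flows.get(key, ("NEW", None))
        if state == "NEW" and flags == "S":
            state, client = "SYN_SEEN", src
        elif state == "SYN_SEEN" and flags == "SA" and src != client:
            state = "SYNACK_SEEN"
        elif state == "SYNACK_SEEN" and flags == "A" and src == client:
            state = "ESTABLISHED"
        flows[key] = (state, client)
    return sorted(state for state, _client in flows.values())


if __name__ == "__main__":
    # Two sensor instances, one per stealth interface: neither sees a
    # complete handshake, so neither can mark the session established.
    print("instance on leg A:", handshake_states(LEG_A))
    print("instance on leg B:", handshake_states(LEG_B))
    # One instance on the bonded interface sees both directions interleaved.
    print("bonded interface :", handshake_states(LEG_A + LEG_B))
```
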



