RE: Snort sensor placement

From: Dave Vehrs (davev@spiremedia.com)
Date: 09/28/01


From: "Dave Vehrs" <davev@spiremedia.com>
To: "'Florin Andrei'" <florin@sgi.com>, <focus-ids@securityfocus.com>
Subject: RE: Snort sensor placement
Date: Thu, 27 Sep 2001 16:48:16 -0600
Message-ID: <004d01c147a6$7ff5c140$9701010a@spiremedia.com>

No, it's not quite the same because the interface can still respond to MAC
based traffic (i.e., broadcasts, arping, etc.). With the right tools, someone
on your local network can still interact with the system.

On Linux/Unix you can turn off MAC responses with the ifconfig command and
the "-arp" flag. AFAIK, that is as close as you can get to a true
receive-only from the software level. Additionally, I'm not aware of any
way to turn off MAC responses on Windows or MacOS.

If you use Linux and want to play with the ARP protocol to see what can be
revealed, then download/install ARPING. (You can find it on Freshmeat.com,
or if you use Debian just do an "apt-get install arping".)

Enjoy!

Dave V.

> -----Original Message-----
> From: Florin Andrei [mailto:florin@sgi.com]
> Sent: Thursday, September 27, 2001 4:25 PM
> To: focus-ids@securityfocus.com
> Subject: Re: Snort sensor placement
>
>
> On Thu, 2001-09-27 at 09:39, Rui Lapa wrote:
> > Ever heard of receive only cables?
> >
> > http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/
>
> But, isn't this functionally identical to running the sensor on an
> interface without an IP address?
> If you activate the interface, but don't assign an IP address, Snort is
> still able to run, but no IP connection could be made. It's the same
> thing as with RO-cables, but simpler.
>
> --
> Florin Andrei
>
> "This is a Klingon." "Where did it came from?" "Oklahoma."
> (from Star Trek Enterprise series premiere)
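One way to put the "-arp" advice above into practice on a Linux sensor, as an added example that is not part of the original thread: the script brings the sniffing interface up with no IPv4 address, ARP replies off and promiscuous mode on, then audits the ifconfig output to confirm the interface stayed that way. It assumes a Linux host with the net-tools ifconfig (2.x output format, i.e. a `flags=...<UP,...>` header line), root privileges for the hardening step, and an interface name passed as the first argument ("eth1" in the usage line is a placeholder).

```shell
#!/bin/sh
# Added example, not from the original thread: bring a Snort sniffing
# interface up with no IP address and ARP replies disabled, and audit that
# it stayed that way. Assumes a Linux host with net-tools 2.x ifconfig; the
# interface name is whatever you pass in ("eth1" below is a placeholder).

# Harden the sensor interface: clear any IPv4 address, turn off ARP replies
# (the "-arp" flag from the post) and enable promiscuous mode. Needs root.
harden_sensor_if() {
    iface="$1"
    ifconfig "$iface" 0.0.0.0 -arp promisc up
}

# Extract the comma-separated flag list from an ifconfig header line, e.g.
#   eth1: flags=4419<UP,BROADCAST,RUNNING,NOARP,PROMISC,MULTICAST>  mtu 1500
# and print it wrapped in commas (",UP,BROADCAST,...,") so that a single
# flag can be matched exactly (",UP," does not match ",DUP,").
flags_of_line() {
    flags="${1#*<}"
    printf ',%s,\n' "${flags%%>*}"
}

# Audit a flags line. Prints one line per missing property and returns 1
# if anything is missing, 0 if the interface is UP, NOARP and PROMISC.
audit_flags_line() {
    flags=$(flags_of_line "$1")
    rc=0
    case "$flags" in
        *,UP,*) ;;
        *) echo "interface is down"; rc=1 ;;
    esac
    case "$flags" in
        *,NOARP,*) ;;
        *) echo "ARP replies still enabled (no NOARP flag)"; rc=1 ;;
    esac
    case "$flags" in
        *,PROMISC,*) ;;
        *) echo "not in promiscuous mode (sensor will miss traffic)"; rc=1 ;;
    esac
    return $rc
}

# Return 0 if the given ifconfig output carries no IPv4 address, 1 otherwise.
# "inet6" lines do not match, so a link-local IPv6 address is tolerated here.
output_has_no_ipv4() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet ' && return 1
    return 0
}

# Audit a live interface on this host by reading its ifconfig output.
audit_sensor_if() {
    out=$(ifconfig "$1" 2>/dev/null) || { echo "no such interface: $1"; return 1; }
    rc=0
    audit_flags_line "$(printf '%s\n' "$out" | head -n 1)" || rc=1
    output_has_no_ipv4 "$out" || { echo "interface still has an IPv4 address"; rc=1; }
    return $rc
}

# Usage (as root):  harden_sensor_if eth1 && audit_sensor_if eth1
```

On a host that has only iproute2, the equivalent of the hardening line is `ip addr flush dev eth1` followed by `ip link set eth1 arp off promisc on up`; the audit would then parse `ip link show` output, where the same NOARP and PROMISC flags appear between angle brackets on the first line. Note that NOARP only stops the kernel from answering ARP; the interface still transmits nothing on its own only if no address and no routes are configured, so the audit checks for a missing `inet` line as well.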
