RE: Snort sensor placement

From: Dave Vehrs (davev@spiremedia.com)
Date: 09/28/01
From: "Dave Vehrs" <davev@spiremedia.com>
To: "'Florin Andrei'" <florin@sgi.com>, <focus-ids@securityfocus.com>
Subject: RE: Snort sensor placement
Date: Thu, 27 Sep 2001 16:48:16 -0600
Message-ID: <004d01c147a6$7ff5c140$9701010a@spiremedia.com>

No, it's not quite the same because the interface can still respond to MAC
based traffic (i.e. broadcasts, arping, etc). With the right tools, someone
on your local network can still interact with the system.

On Linux/Unix you can turn off MAC responses with the ifconfig command and
the "-arp" flag. AFAIK, that is as close as you can get to a true
receive-only from the software level. Additionally, I'm not aware of any
way to turn off MAC responses on Windows or MacOS.

If you use Linux and want to play with the ARP protocol to see what can be
revealed, then download/install ARPING. (You can find it on Freshmeat.com
or if you use Debian just do a "apt-get install arping".)

Enjoy!

Dave V.

> -----Original Message-----
> From: Florin Andrei [mailto:florin@sgi.com]
> Sent: Thursday, September 27, 2001 4:25 PM
> To: focus-ids@securityfocus.com
> Subject: Re: Snort sensor placement
>
>
> On Thu, 2001-09-27 at 09:39, Rui Lapa wrote:
> > Ever heard of receive only cables?
> >
> > http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/
>
> But, isn't this functionally identical to running the sensor on an
> interface without an IP address?
> If you activate the interface, but don't assign an IP
> address, Snort is
> still able to run, but no IP connection could be made. It's the same
> thing as with RO-cables, but simpler.
>
> --
> Florin Andrei
>
> "This is a Klingon." "Where did it come from?" "Oklahoma."
> (from Star Trek Enterprise series premiere)
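As an added example (not code from either poster), the following script applies Dave's recipe for a software "receive-only" sniffing interface on Linux (no IP address, `-arp` to stop ARP answers, promiscuous mode) and checks the result. It assumes net-tools `ifconfig`, iproute2 `ip addr show` output for the check, and an interface name of `eth1`; the dumps at the bottom are constructed samples, not real captures.

```shell
#!/bin/sh
# Make a Snort sensor NIC as close to receive-only as software allows:
# no address, no ARP replies, promiscuous, and verify that state.

# Apply the settings from the thread. Needs root and net-tools ifconfig.
sensor_iface_configure() {
    iface="$1"
    ifconfig "$iface" 0.0.0.0 -arp promisc up
}

# Return 0 when an "ip addr show <iface>" dump (assumed iproute2 format)
# shows NOARP and PROMISC flags and no IPv4 address; otherwise report and
# return 1. A NIC that still has an address or answers ARP is reachable
# by anyone on the segment, which is exactly what Dave warns about.
sensor_iface_check() {
    dump="$1"
    flags=$(printf '%s\n' "$dump" | sed -n 's/^[0-9]*: [^:]*: <\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,NOARP,*) ;;
        *) echo "ARP still enabled on interface" >&2; return 1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "interface is not promiscuous" >&2; return 1 ;;
    esac
    if printf '%s\n' "$dump" | grep -q '^ *inet '; then
        echo "interface still has an IPv4 address" >&2; return 1
    fi
    return 0
}

# Constructed sample dumps (not captured from a real system).
GOOD_DUMP='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
BAD_DUMP='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.151/24 brd 10.1.1.255 scope global eth1'

# Usage on a live sensor (as root):
#   sensor_iface_configure eth1 && sensor_iface_check "$(ip addr show eth1)"
# Then, from another host on the segment, arping (as Dave suggests) against
# the sensor's former address should get no reply.
```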