Re: Snort sensor placement

From: JSeddon@semtech.com
Date: 09/28/01


Subject: Re: Snort sensor placement
To: Florin Andrei <florin@sgi.com>
Message-ID: <OFE519AAA3.06C53C5B-ON88256AD4.007CDA5A@semtech.com>
From: JSeddon@semtech.com
Date: Thu, 27 Sep 2001 15:51:07 -0700


There's a subtle but sometimes important difference between having a
receive-only cable, and running snort on an interface with no IP address.

That difference is that the receive-only cable exists in the real world and
an ip-less interface exists in the virtual world. In most cases you are
right. You can safely assume that an interface with no IP will not be
subject to ip connections, innocent or not. However, if you REALLY REALLY
REALLY want to make sure, you make a receive-only cable. A receive-only
cable will guard you against misconfiguration, a mistake in the stack code,
an unknown bug in the software driver for the NIC that passes traffic with
no IP address...anything you can think of. It is foolproof.

Lots of mistakes are made in configuring computers. Lots of bugs/vulns
exist that haven't been publicly released. None of that will matter with a
receive-only cable.

Another example: in most cases you can do Start-Shutdown-Shutdown to turn
off Windows boxes; that's a function of the virtual world. However, if you
REALLY REALLY REALLY want to make sure the motherboard isn't getting power,
you pull the plug.

James

Florin Andrei <florin@sgi.com> wrote on 09/27/01 03:24 PM:
To: focus-ids@securityfocus.com
Subject: Re: Snort sensor placement

On Thu, 2001-09-27 at 09:39, Rui Lapa wrote:
> Ever heard of receive only cables?
>
> http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/

But, isn't this functionally identical to running the sensor on an
interface without an IP address?
If you activate the interface, but don't assign an IP address, Snort is
still able to run, but no IP connection could be made. It's the same
thing as with RO-cables, but simpler.

--
Florin Andrei

"This is a Klingon." "Where did it came from?" "Oklahoma." (from Star Trek Enterprise series premiere)
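The two messages above turn on what "no IP address" actually buys a sensor. The script below is an added example, not code from either poster, showing how a Linux sniffing interface is usually locked down with iproute2 so that the no-IP assumption holds, together with a check of the resulting state. Flushing IPv4 alone is not enough: the kernel auto-assigns an IPv6 link-local address and will answer neighbour solicitations on it unless IPv6 is disabled on the interface, and ARP must be switched off so the NIC never replies on the monitored segment. The interface name eth1 and the sample `ip -o` output are constructed placeholders, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): make a Linux sniffing interface "IP-less"
# the way a sensor operator would, and check that it really is.
# Assumption: iproute2 and sysctl are available; the interface name (eth1 in the
# usage line) is a placeholder.

# Print the commands that put IFACE into a listen-only state.  Flushing IPv4 is
# not enough: the kernel auto-assigns an IPv6 link-local address and answers
# neighbour solicitations on it unless IPv6 is disabled, and ARP must be off so
# the NIC never replies to anything on the monitored segment.
stealth_iface_cmds() {
    iface="$1"
    printf 'ip addr flush dev %s\n' "$iface"
    printf 'sysctl -w net.ipv6.conf.%s.disable_ipv6=1\n' "$iface"
    printf 'ip link set dev %s arp off multicast off promisc on up\n' "$iface"
}

# Verify the resulting state from the output of
#   ip -o addr show dev IFACE   (first argument)
#   ip -o link show dev IFACE   (second argument)
# Returns 0 if no inet/inet6 address is configured and NOARP is set, else 1.
iface_is_silent() {
    addr_out="$1"
    link_out="$2"
    if printf '%s\n' "$addr_out" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]'; then
        return 1
    fi
    printf '%s\n' "$link_out" | grep -q 'NOARP' || return 1
    return 0
}

# Constructed sample output (not captured from a real host), in the format
# 'ip -o' prints, for the check above.  The first pair is an interface that was
# only left without IPv4: IPv6 still gave it an fe80:: address and ARP is on.
SAMPLE_ADDR_LEAKY='3: eth1    inet6 fe80::250:56ff:fe9a:1/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_LINK_LEAKY='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT'
SAMPLE_ADDR_SILENT=''
SAMPLE_LINK_SILENT='3: eth1: <NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT'

# Usage: sh stealth_iface.sh eth1 | sudo sh
# then:  iface_is_silent "$(ip -o addr show dev eth1)" "$(ip -o link show dev eth1)" && echo silent
if [ -n "${1:-}" ]; then
    stealth_iface_cmds "$1"
fi
```

Even with this configuration the interface stays quiet only as long as the kernel and the driver behave as configured; that residual trust in software is exactly the gap James's receive-only cable closes, since a cable with the transmit pair cut cannot be misconfigured.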


