Using Snort Stealthily

jukal writes "Linux Journal has an article on using Snort as stealth sniffer, a stealth NDIS probe and stealth loger -- on a network interface with no IP address. 'Snort is a versatile and powerful tool for sniffing, intrusion detection and packet logging. Configuring it to run stealthily in sniffing mode or NIDS mode is easy; incorporating it into a stealth-logging solution is only slightly less so'"

Re:Snort UI

[HappyPhunBall]

The "133t hax0r" type you mentioned is much more likely to be trying to avoid snort than deploying it.

You can find some snort enhancements at this site. Have fun.

www.prelude-ids.org

Also worth investigate Prelude
"Prelude is a new innovative hybrid Intrusion Detection system designed to be very modular, distributed, rock solid and fast. "

A better article, and other links ....

[ericman31]

There's a better article about SNORT and ACID on LinuxWorld. Also, if you want to investigate SNORT, check out the following links:

• CERT's HOWTO on ACID and SNORT
• SNORT's manual on installing SNORT, MySQL, ACID on RedHat
• A variety of deployment guides provided by SNORT
• A collection of various IDS documents and white papers, including a good piece by Marcus Ranum on benchmarking

Re:Interesting challenge

[stinky+wizzleteats]

Simple, you connect your firewall to a hub on each interface.

Which would be a great idea, except that hubs are half-duplex.

Re:Warning

[GeorgeH]

A 10baseT patch cable with the TX wires clipped will get you a whole lotta nothing because the TX wires are used for heartbeat signals. You need to corrupt the outgoing frames instead, which is a PITA.

The easier method is to use a 10 Mbit AUI adapter with the TX pins cut. You can probably even find a 10baseT -> AUI adapter at a computer junk shop for a buck or three.

For more about creating a receive-only ethernet adapter check out http://www.robertgraham.com/pubs/sniffing-faq.html #receive-only or read up on Antisniff (weird, I can't find anything about it on @stake's site).