Slashdot Mirror


Using Snort Stealthily

jukal writes "Linux Journal has an article on using Snort as a stealth sniffer, a stealth NIDS probe and a stealth logger -- on a network interface with no IP address. 'Snort is a versatile and powerful tool for sniffing, intrusion detection and packet logging. Configuring it to run stealthily in sniffing mode or NIDS mode is easy; incorporating it into a stealth-logging solution is only slightly less so.'"

3 of 148 comments

  1. A better article, and other links .... by ericman31 · · Score: 5, Informative
    --
    In my universe I'm perfectly normal, it's not my fault you don't live in my universe.
  2. Re:Interesting challenge by stinky wizzleteats · · Score: 4, Informative

    Simple, you connect your firewall to a hub on each interface.

    Which would be a great idea, except that hubs are half-duplex.

  3. Re:Warning by GeorgeH · · Score: 4, Informative

    A 10baseT patch cable with the TX wires clipped will get you a whole lotta nothing because the TX wires are used for heartbeat signals. You need to corrupt the outgoing frames instead, which is a PITA.

    The easier method is to use a 10 Mbit AUI adapter with the TX pins cut. You can probably even find a 10baseT -> AUI adapter at a computer junk shop for a buck or three.

    For more about creating a receive-only ethernet adapter, check out http://www.robertgraham.com/pubs/sniffing-faq.html#receive-only or read up on Antisniff (weird, I can't find anything about it on @stake's site).

    --
    Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?