Re: IPFW Snort
On Thu, 5 Dec 2002, Brian McCann wrote:

> Simple question for you all...but it evades me. I'm trying to set up a box that will monitor a network, but be totally invisible to that network, but it needs an IP since it will be using some programs like BigBrother and whatnot. So...my question is...if I use IPFW to block, for example, all ports and effectively totally blocking TCP/IP, will Snort still be able to capture TCP/IP packets? Has anyone tried/done this?

Yes, it will work. Sniffers work at the Ethernet level and ipf/ipfw work at the IP level, so the sniffer sees the packets before the firewall. But that won't make the box invisible. If it has an IP, you can tell it's there. If you want it to be invisible, don't assign an IP to the box and disable ARP for the NIC. You can even cut the transmit wires on the patch cord if you are really paranoid :)

Fer

> Thanks
> Happy Holidays,
> --Brian

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
RE: IPFW Snort
That would work for my home setup great, but I don't/can't run NAT on the box that this must be done on...it's in a Security Lab for RIT, where students in a class will be hacking into machines other students set up...and all this machine will be doing is watching everything that goes on.

Thanks!
--Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of nate
Sent: Friday, December 06, 2002 1:35 AM
To: [EMAIL PROTECTED]
Subject: Re: IPFW Snort

Brian McCann said:

> Simple question for you all...but it evades me. I'm trying to set up a box that will monitor a network, but be totally invisible to that network, but it needs an IP since it will be using some programs like BigBrother and whatnot. So...my question is...if I use IPFW to block, for example, all ports and effectively totally blocking TCP/IP, will Snort still be able to capture TCP/IP packets? Has anyone tried/done this?

I recommend just using 3 NIC interfaces. Run 2 of 'em in bridged mode, e.g. my home network is protected by a FreeBSD box running 4 NICs: 1 management (inside internal firewall), NICs 2 and 3 are bridging, NIC 2 is the firewall, NIC 3 is Snort, NIC 4 is not being used. This way, since all traffic goes across 2 interfaces, I can run Snort on the internal one so it has no chance of detecting what is dropped on the external one. Then behind that machine I have another machine doing the NAT. Works great.

nate
IPFW Snort
Simple question for you all...but it evades me. I'm trying to set up a box that will monitor a network, but be totally invisible to that network, but it needs an IP since it will be using some programs like BigBrother and whatnot. So...my question is...if I use IPFW to block, for example, all ports and effectively totally blocking TCP/IP, will Snort still be able to capture TCP/IP packets? Has anyone tried/done this?

Thanks
Happy Holidays,
--Brian
Re: IPFW Snort
Brian McCann said:

> Simple question for you all...but it evades me. I'm trying to set up a box that will monitor a network, but be totally invisible to that network, but it needs an IP since it will be using some programs like BigBrother and whatnot. So...my question is...if I use IPFW to block, for example, all ports and effectively totally blocking TCP/IP, will Snort still be able to capture TCP/IP packets? Has anyone tried/done this?

I recommend just using 3 NIC interfaces. Run 2 of 'em in bridged mode, e.g. my home network is protected by a FreeBSD box running 4 NICs: 1 management (inside internal firewall), NICs 2 and 3 are bridging, NIC 2 is the firewall, NIC 3 is Snort, NIC 4 is not being used. This way, since all traffic goes across 2 interfaces, I can run Snort on the internal one so it has no chance of detecting what is dropped on the external one. Then behind that machine I have another machine doing the NAT. Works great.

nate
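As an added example (not code from the thread or from any of its posters), a FreeBSD shell script that sets up the sensor Fer and nate describe: two bridged NICs with no IP address and ARP disabled, a management NIC that keeps its IP for BigBrother-style tools, ipfw denying all IP traffic on the sensor NICs, and Snort bound to the inside bridge member. Interface names (fxp0/fxp1/fxp2), ipfw rule numbers and the Snort config path are assumptions, and it uses if_bridge(4) rather than the bridge sysctls of the FreeBSD 4.x era.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed interfaces (not from the
# thread): fxp0 = management NIC with an IP, fxp1 = outside bridge member,
# fxp2 = inside bridge member where Snort listens. Default is a dry run that
# prints the commands; pass --apply (as root on FreeBSD) to execute them.
MGMT_IF=${MGMT_IF:-fxp0}
OUT_IF=${OUT_IF:-fxp1}
IN_IF=${IN_IF:-fxp2}
DRY_RUN=1
if [ "${1:-}" = "--apply" ]; then DRY_RUN=; fi

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bridge the two sensor NICs so traffic flows through the box transparently.
# Neither member gets an address, and -arp stops the box from answering on
# the monitored segment (Fer's point: an IP or an ARP reply gives it away).
setup_bridge() {
    run ifconfig bridge0 create
    run ifconfig bridge0 addm "$OUT_IF" addm "$IN_IF" up
    for nic in "$OUT_IF" "$IN_IF"; do
        run ifconfig "$nic" -arp up
    done
}

# Brian's question: ipfw denies all IP on the sensor NICs, yet Snort still
# captures, because bpf(4) hands frames to the sniffer at the link layer
# before ipfw sees them. Only the management NIC is allowed to talk.
setup_firewall() {
    run ipfw -q flush
    run ipfw add 100 deny ip from any to any via "$OUT_IF"
    run ipfw add 200 deny ip from any to any via "$IN_IF"
    run ipfw add 65000 allow ip from any to any via "$MGMT_IF"
}

# nate's point: Snort on the inside member only sees traffic that made it
# across the bridge, not what was dropped on the outside member.
start_snort() {
    run snort -D -i "$IN_IF" -c /usr/local/etc/snort/snort.conf
}

main() { setup_bridge; setup_firewall; start_snort; }
main "$@"
```

Without --apply the script only prints what it would run, which is a convenient way to review the interface and rule set before touching a live sensor.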