Running Snort in Stealth Mode 71 debug level = 0 load printers = yes [homes] comment = Home Directories browseable = yes writable = yes available = yes public = yes only user = no [htmldir] comment = html stuff path = homehttpdhtml public = yes writable = yes printable = no write list = rehman [virtualhosting] comment = html stuff path = usrvirt_web public = yes writable = yes printable = no write list = rehman [printers] [netlogon] available = no More information about SMB alerts will be presented in later chapters. Note that you should compile Snort with --with-smbalerts option in the configure script if you want to use this option. Without this option in the configure script, SAMBA ser- vices can’t be used with Snort.

2.9 Running Snort in Stealth Mode

Sometimes you may want to run Snort in stealth mode. In stealth mode, other hosts are not able to detect the presence of the Snort machine. In other words, the Snort machine is not visible to intruders or other people. There are multiple ways to run Snort in stealth mode. One of these methods is to run Snort on a network interface where no IP address is assigned. Running Snort on a network interface without an IP address is feasible in the following two cases: 1. A stand-alone Snort sensor with only one network adapter. 2. A Snort sensor with two network adapters: one to access the sensor from an isolated network and the other one connected to the public network and running 72 Chapter 2 • Installing Snort and Getting Started in stealth mode. This arrangement is shown in Figure 2-3 where network inter- face eth1 is connected to a private isolated network and eth0 is connected to a public network. When you want to access the sensor itself, you go through network interface eth1 which has an IP address configured to it. The management workstation shown in the figure may be used to connect to the sensor either to collect data or to log informa- tion to a centralized database. If many sensors are present in an organization, all of these are connected to this isolated network so that they can log information to the cen- tral database running on the management workstation or to some other database server connected to this isolated network. No IP address is configured on network interface eth0 which has connectivity to the Internet. Interface eth0 remains in stealth mode but can still listen to the network traffic from this side of the network. Before starting Snort on eth0, you have to bring it up. On Linux systems, you can do it by using the following command: ifconfig eth0 up The command makes the interface usable without allocating an IP address. After that, you can start Snort on this interface by using “ -i eth0” command line option as follows: snort -c optsnortetcsnort.conf -i eth0 -D Figure 2-3 Running Snort in stealth mode on a system with two network adapters.