Sending Alerts to SNMP
2.9 Running Snort in Stealth Mode
Sometimes you may want to run Snort in stealth mode. In stealth mode, other hosts are not able to detect the presence of the Snort machine. In other words, the Snort machine is not visible to intruders or other people. There are multiple ways to run Snort in stealth mode. One of these methods is to run Snort on a network interface where no IP address is assigned. Running Snort on a network interface without an IP address is feasible in the following two cases: 1. A stand-alone Snort sensor with only one network adapter. 2. A Snort sensor with two network adapters: one to access the sensor from an isolated network and the other one connected to the public network and running 72 Chapter 2 • Installing Snort and Getting Started in stealth mode. This arrangement is shown in Figure 2-3 where network inter- face eth1 is connected to a private isolated network and eth0 is connected to a public network. When you want to access the sensor itself, you go through network interface eth1 which has an IP address configured to it. The management workstation shown in the figure may be used to connect to the sensor either to collect data or to log informa- tion to a centralized database. If many sensors are present in an organization, all of these are connected to this isolated network so that they can log information to the cen- tral database running on the management workstation or to some other database server connected to this isolated network. No IP address is configured on network interface eth0 which has connectivity to the Internet. Interface eth0 remains in stealth mode but can still listen to the network traffic from this side of the network. Before starting Snort on eth0, you have to bring it up. On Linux systems, you can do it by using the following command: ifconfig eth0 up The command makes the interface usable without allocating an IP address. After that, you can start Snort on this interface by using “ -i eth0” command line option as follows: snort -c optsnortetcsnort.conf -i eth0 -D Figure 2-3 Running Snort in stealth mode on a system with two network adapters.Parts
» Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Logs False Alarms Some Definitions
» Where IDS Should be Placed in Network Topology
» Honey Pots What is Intrusion Detection?
» Security Zones and Levels of Trust
» IDS Policy Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Packet Decoder Preprocessors Components of Snort
» The Detection Engine Components of Snort
» Dealing with Switches Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» TCP Stream Follow Up Supported Platforms
» Snort on Stealth Interface Snort with no IP Address Interface
» References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Test Installation Snort Installation Scenarios
» Single Sensor Production IDS
» Multiple Snort Sensors with Centralized Database
» Download Install Installing Snort from the RPM Package
» Unpacking Installing Snort from Source Code
» Running the configure script. Running the
» Running the make install command.
» Create or copy the Snort configuration file in
» Create a directory After Installation Processes
» Generating Test Alerts Testing Snort
» Generating Test Alerts with Automatic Snort Startup
» Errors While Starting Snort Running Snort on a Non-Default Interface
» Automatic Startup and Shutdown
» Running Snort on Multiple Network Interfaces
» Logging Snort Data in Text Format
» Logging Snort in Binary Format
» Network Intrusion Detection Mode
» UNIX Socket Mode Snort Alert Modes
» Running Snort in Stealth Mode
» TCPIP Network Layers Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» CIDR Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» User Defined Actions Rule Actions
» Well-Known Port Numbers Port Number
» The ack Keyword The classtype Keyword
» The content Keyword Rule Options
» The offset Keyword Rule Options
» The depth Keyword The content-list Keyword
» The dsize Keyword Rule Options
» The flags Keyword Rule Options
» The fragbits Keyword Rule Options
» The itype Keyword Rule Options
» The icode Keyword Rule Options
» The id Keyword The ipopts Keyword
» The logto Keyword Rule Options
» The reference Keyword Rule Options
» The resp Keyword Rule Options
» The rev Keyword The rpc Keyword
» The session Keyword Rule Options
» The sid Keyword Rule Options
» The tag Keyword Rule Options
» The tos Keyword Rule Options
» The ttl Keyword Rule Options
» The uricontent Keyword Rule Options
» Using a List of Networks in Variables Using Interface Names in Variables
» The config Directives The Snort Configuration File
» Preprocessor Configuration Output Module Configuration
» Include Files The Snort Configuration File
» Order of Rules Based upon Action
» The Simple Method Automatically Updating Snort Rules
» The Sophisticated and Complex Method
» Writing Good Rules Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» The frag2 Module Preprocessors
» The stream4 Module Preprocessors
» The spade Module Preprocessors
» The alert_syslog Output Module
» The alert_smb Module The log_tcpdump Output Module
» Examples The XML Output Module
» Logging to Databases Output Modules
» CSV Output Module Output Modules
» Unified Logging Output Module SNMP Traps Output Module
» Using BPF Fileters Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Creating Extra Tables Step 5: Creating Tables in the Snort Database
» Secure Logging to Remote Databases Securely Using Stunnel
» Archiving the Database Snort Database Maintenance
» Using Sledge Hammer: Drop the Database
» What is ACID? Installation and Configuration
» Listing Protocol Data Alert Details Searching
» Generating Graphs Archiving Snort Data
» SnortSnarf Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Barnyard References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» SnortSam Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» IDS Policy Manager Prentice.Hall – Intrusion.Detection.Systems.with.Snort
Show more