From: Chapman, Justin T (JtChapmamail.bhi-erc.com)
Date: Tue Jun 19 2001 - 11:06:17 CDT

    I'm not sure if this originally got through to the list, so I'm resending.  :-)
     
    Sorry for not replying to these earlier, been a bit swamped lately...
     
    I guess what we're doing needs a little clarification.  First, cutting the
    tx pair (the orange wires) will not work with many modern hubs/NICs because
    they send keep-alive pulses down the wire periodically.  If the keep-alives
    fail, many newer hubs will disconnect the port, and you're out of luck.  If
    you have older equipment, this shouldn't be a problem, but for many of us it
    still is.  With newer equipment, there is a workaround though.  I'll explain
    our setup here.  In the snort machine, the external (sniffing) interface is
    a 3com 509 combo card.  Attached to the AUI interface, is a modified AUI-UTP
    media converter.  We pulled out pins 3 and 10 (the tx pins) from the AUI end
    of the converter and then ran a regular UTP cable to the hub.  This
    satisfies the hub, because it is still able to send its keep-alives to the
    media converter, and satisfies us because the NIC is not able to transmit
    any data.
     
    You can check out
    http://packetstorm.securify.com/sniffers/sniffing-faq.htm section 3.6 for a
    good explanation of what I just tried to describe.
     
    I hope this helps!
     
    --Justin

    -----Original Message-----
    From: Barry Darnton [mailto:BarryDchw.edu.au]
    Sent: Monday, June 18, 2001 1:32 AM
    To: 'Chapman, Justin T'
    Subject: RE: [Snort-users] Centralized DB Server??

    I'm curious, how do you get any data without the link up?  I thought this was
    a great idea, but I can't get any data without the link, but I can't get a link
    with all 4 wires connected??

    Barry

    -----Original Message-----
    From: Chapman, Justin T [mailto:JtChapmamail.bhi-erc.com]
    Sent: Friday, 15 June 2001 1:25
    To: Marc Thompson; 'Andreas Lindenblatt'; 'Kris Quinby'
    Cc: snort-userslists.sourceforge.net
    Subject: RE: [Snort-users] Centralized DB Server??

    My department has recently been brainstorming this same issue & we came up
    with what I think is an interesting solution.  Our topology is pretty
    simple, we have a perimeter network and a "trusted" DMZ.  We, too, didn't
    like the idea of having MySQL traffic passing through the perimeter network.

    So, our idea was to have a dual-homed machine with one leg outside and one
    leg inside... with one catch.  The cable on the external interface (the one
    that snort is listening on) has the transmit pairs cut.  It's physically
    impossible for that interface to transmit any data.  It can listen all day
    long, it just won't respond to *anything*.  This makes the computer
    completely invisible to the outside world and all attempts to map it, ping
    it or otherwise communicate with it fail.  We're still able to log to our
    MySQL database on the inside via the DMZ connection, too. 

    --Justin
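    The receive-only sensor interface described in Justin's message above (and the
    "non-IP Ethernet adapter on the DMZ" Marc suggests further down) has a software
    half as well as the hardware half. The script below is an added example, not code
    from any message in this thread: a POSIX shell script that brings a Linux sniffing
    interface up with no address, ARP off and promiscuous mode on, disables IPv6 on it
    (a Linux interface with no IPv4 address still sends IPv6 router solicitations and
    MLD reports on link-up), and then audits the kernel's transmit counter to see
    whether the host tried to send anything. The interface name eth1, the sysfs path
    and the 60-second audit window are assumptions. The cut transmit pair or the pulled
    AUI pins remain what makes transmission physically impossible; this only keeps the
    host from trying, and tells you whether it did.

```shell
#!/bin/sh
# Added example (not from the original thread): software-side passive setup
# and transmit audit for a Linux sniffing interface.  The interface name,
# sysfs root and audit window are assumptions; override them via the environment.

SNIFF_IF="${SNIFF_IF:-eth1}"
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# Bring the sniffing NIC up with no address, ARP disabled and promiscuous mode
# on, and switch IPv6 off on it: a Linux interface with no IPv4 address still
# transmits IPv6 router solicitations and MLD reports when the link comes up.
passive_up() {
    iface="$1"
    ip addr flush dev "$iface"
    ip link set dev "$iface" arp off promisc on up
    sysctl -q -w "net.ipv6.conf.$iface.disable_ipv6=1"
}

# Kernel transmit counter for an interface, read from sysfs.
tx_packets() {
    cat "$SYSFS_ROOT/$1/statistics/tx_packets"
}

# Sample the transmit counter twice, $2 seconds apart.  Prints the number of
# frames the host handed to the NIC in that window and succeeds only if it is
# zero.  With the TX pair cut those frames never reach the wire, but a nonzero
# count shows what the host *would* have leaked and that something still needs
# muting (DHCP client, IPv6, a daemon bound to all interfaces, ...).
tx_audit() {
    iface="$1"
    secs="${2:-60}"
    before=$(tx_packets "$iface")
    sleep "$secs"
    after=$(tx_packets "$iface")
    delta=$((after - before))
    echo "$delta"
    [ "$delta" -eq 0 ]
}

# Usage (as root):  sh passive-sniff.sh apply
case "${1:-}" in
    apply)
        passive_up "$SNIFF_IF"
        if n=$(tx_audit "$SNIFF_IF" 60); then
            echo "$SNIFF_IF: no frames transmitted in 60s"
        else
            echo "$SNIFF_IF: host handed $n frame(s) to the NIC in 60s" >&2
            exit 1
        fi
        ;;
esac
```

    Run the audit from the sensor itself, and cross-check from a second port on the
    same hub with `tcpdump -ni <iface> ether src <sensor MAC>`: with the transmit
    pair cut, that capture must stay empty no matter what the host's counter says.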

    > -----Original Message-----
    > From: Marc Thompson [mailto:Marc.Thompsonbops.com]
    > Sent: Tuesday, June 12, 2001 5:58 PM
    > To: 'Andreas Lindenblatt'; 'Kris Quinby'
    > Cc: snort-userslists.sourceforge.net
    > Subject: RE: [Snort-users] Centralized DB Server??
    >
    >
    > Andreas,
    >
    > >But I would feel uhm... uncomfortable with an open MySQL-Port to a
    > >machine sitting inside our network and collecting lots of 'foreign',
    > >unchecked and unencrypted sensor data.
    >
    > What about an IDS box that has two network interfaces:  One non-IP
    > Ethernet adapter on the DMZ and one IP-assigned Ethernet Adapter
    > on the local net. 
    >
    > I forgot to mention that I am assuming that I am *not* transferring
    > alerts across the Internet.  The sites have redundant VPN connectivity,
    > and the sites are also connected via leased-lines on a private net.
    >
    > Does this mitigate the risk or am I misunderstanding your point?
    >
    > Thanks,
    > Marc
    >
    > *******************************************
    > Marc Thompson
    > IT Site Manager
    > BOPS, Inc.
    > 7800 Shoal Creek Blvd. Suite 200N
    > Austin, TX 78757
    >
    >
    > -----Original Message-----
    > From: Andreas Lindenblatt [mailto:azraelsolution.de]
    > Sent: Tuesday, June 12, 2001 6:20 PM
    > To: Marc Thompson; 'Kris Quinby'
    > Cc: snort-userslists.sourceforge.net
    > Subject: Re: [Snort-users] Centralized DB Server??
    >
    >
    > Hi Marc,
    >
    > > geographical locations.  I've been brainstorming this a bit, and it seems
    > > that I should be able to easily ignore alerts that are being generated by
    > > traffic to the MySQL TCP port.  Does this sound like the answer?
    > It surely is an answer to your initial question :).
    >
    > But I would feel uhm... uncomfortable with an open MySQL-Port to a
    > machine sitting inside our network and collecting lots of 'foreign',
    > unchecked and unencrypted sensor data.
    >
    > Even if it means we don't get 'real-time' data, we fell back to packing
    > and scrambling logs at the snort-boxes and fetching them with scp.
    >
    > Hmmm... what happened to SnortNet? It looked good with snort 1.6 :)
    >
    > --
    > ----
    > BYE Andreas
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >
