elemint@cox.net wrote:
> Does anyone know a good place to buy or instructions on making a receive only cable?
From the Snort FAQ:
http://www.snort.org/docs/faq.html
Q: How do I setup snort on a 'stealth' interface?
A: Bring up the interface without an IP address on it. See FAQ 3.2...
http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
A: Use an ethernet tap, or build your own 'receive-only' ethernet cable.
http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm (DEAD)
A: Anyway, here is the cable I use:
LAN        Sniffer
1 -----\ /-- 1
2 ---\ | \-- 2
3 ---+-*------ 3
4 -  |       - 4
5 -  |       - 5
6 ---*-------- 6
7 -          - 7
8 -          - 8
Basically, 1 and 2 on the sniffer side are connected, 3 and 6
straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
6 respectively. This fakes a link on both ends but only allows
traffic from the LAN to the sniffer. It also causes the 'incoming'
traffic to be sent back to the LAN, so this cable only works well on
a hub. You can use it on a switch but you will get ...err...
interesting results. Since the switch receives the packets back in on
the port it sent them out, the MAC table gets confused and after a
short while devices start to drop off the switch. Works like a charm
on a hub though.
-----------------
Seems like a pain to me though. I have considered a similar issue and for my
arrangement it would have been most convenient for me to just put two interfaces
in the DMZ machine and on my workstation and have a private subnet between the
two machines ... pulling the line or shutting off the interface on my
workstation when I no longer wanted a connection ... or just not worrying about it.
Austin
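
The wiring the FAQ describes can be checked as a small connectivity model. This is an added example, not part of the original message or the Snort FAQ; it assumes 10/100BASE-T pin roles without auto-MDI-X (sniffer NIC transmits on 1,2 and receives on 3,6; the hub port is the reverse), and all function names are hypothetical.

```python
from collections import defaultdict

# Wiring as stated in the FAQ text; ("lan", 1) is pin 1 of the LAN-side plug.
RECEIVE_ONLY = [
    (("sniffer", 1), ("sniffer", 2)),  # sniffer 1 and 2 tied together
    (("lan", 3), ("sniffer", 3)),      # 3 straight through
    (("lan", 6), ("sniffer", 6)),      # 6 straight through
    (("lan", 1), ("lan", 3)),          # LAN 1 joined to 3
    (("lan", 2), ("lan", 6)),          # LAN 2 joined to 6
]
# Ordinary straight-through patch cable, for contrast.
STRAIGHT = [(("lan", n), ("sniffer", n)) for n in (1, 2, 3, 6)]

def reachable(src, wires):
    """Return the pins electrically joined to src (union-find over the wires)."""
    parent = {}
    def find(p):
        parent.setdefault(p, p)
        while parent[p] != p:
            parent[p] = parent[parent[p]]  # path compression
            p = parent[p]
        return p
    for a, b in wires:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for p in list(parent):
        groups[find(p)].add(p)
    for net in groups.values():
        if src in net:
            return net - {src}
    return set()

def sniffer_can_transmit(wires):
    """True if a sniffer TX pin (1 or 2) reaches any LAN-side pin."""
    return any(side == "lan" for pin in (1, 2)
               for side, _ in reachable(("sniffer", pin), wires))

def sniffer_can_receive(wires):
    """True if the hub's TX pins (3, 6) reach the sniffer's RX pins (3, 6)."""
    return all(("sniffer", p) in reachable(("lan", p), wires) for p in (3, 6))

def hub_hears_itself(wires):
    """True if the hub port's TX pins (3, 6) are joined to its RX pins (1, 2).
    This is the loopback that fakes link and that confuses a switch."""
    return all(("lan", rx) in reachable(("lan", tx), wires)
               for tx, rx in ((3, 1), (6, 2)))
```

Calling the three checks on RECEIVE_ONLY and then on STRAIGHT shows the difference: the FAQ cable gives receive without transmit plus the loopback, while the patch cable gives both directions and no loopback.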