Firewall Wizards mailing list archives

Re: stealth ports and IDS


From: Robert McMahon <rwm () mcmahoncpa com>
Date: Thu, 03 Oct 2002 11:59:36 -0400

If I understand the question, below is how to:

Let's assume eth2 is the interface you want to have listening without an IP address for
sniffer purposes:

Edit the /etc/sysconfig/network-scripts/ifcfg-eth2 file, remove all entries, and
add the following:
DEVICE=eth2
ONBOOT=yes
PROMISC=yes
ARP=no

These settings will activate the interface, put it in promiscuous mode without an
IP address and will turn ARP off.  Turning ARP off is important because the
interface will still respond to an ARP request even without an IP address.

/Bob McMahon



"Paul D. Robertson" wrote:

On 3 Oct 2002, James X wrote:

One stumbling box has been the idea of a stealth port.  I usually
operate my IDS boxes with the interfaces in stealth mode, i.e. no IP
address or stack. I do not know of a way of achieving this using Linux
or NetBSD etc.. and without it I would feel rather vulnerable. To help

Maybe it's just me, but how about just not putting an IP address on the
interface?

I doubt you can get away with not putting IP in the kernel, but I really
don't know enough about how libpcap does its thing to say for sure...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
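
To confirm that an interface really ended up in the state the reply above describes, this added example (not part of the original post) decodes the kernel's flag word for the interface and lists any address still bound to it. It assumes a Linux host with sysfs and iproute2; the function names and sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a sniffer interface for the state described above
# (up, promiscuous, ARP off, no IP address). Flag bits are from <linux/if.h>.
IFF_UP=0x1 IFF_NOARP=0x80 IFF_PROMISC=0x100

# Constructed sample inputs (not captured from a real host).
SAMPLE_GOOD_FLAGS=0x1183   # UP|BROADCAST|NOARP|PROMISC|MULTICAST
SAMPLE_BAD_FLAGS=0x1003    # UP|BROADCAST|MULTICAST: no PROMISC, ARP still on
SAMPLE_ADDRS='3: eth2    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever'

# check_flags HEX: HEX is the content of /sys/class/net/IFACE/flags.
# Prints one line per problem; status 0 only if all three bits are set.
check_flags() (
    flags=$(( $1 )); rc=0
    [ $(( $flags & $IFF_UP )) -ne 0 ]      || { echo "FAIL: interface is down"; rc=1; }
    [ $(( $flags & $IFF_PROMISC )) -ne 0 ] || { echo "FAIL: PROMISC not set"; rc=1; }
    [ $(( $flags & $IFF_NOARP )) -ne 0 ]   || { echo "FAIL: ARP enabled (NOARP not set)"; rc=1; }
    exit "$rc"
)

# list_addrs TEXT: TEXT is the output of `ip -o addr show dev IFACE`.
# Prints the family and address of everything still bound to the interface.
list_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" || $3 == "inet6" { print $3, $4 }'
}

# audit HEX TEXT: status 0 only if the flags are right and no address is bound.
audit() (
    rc=0
    check_flags "$1" || rc=1
    addrs=$(list_addrs "$2")
    if [ -n "$addrs" ]; then
        echo "FAIL: address still configured: $addrs"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: up, promiscuous, ARP off, no IP address"
    exit "$rc"
)

# Live use on the sensor: sh audit.sh eth2
if [ -n "${1:-}" ]; then
    audit "$(cat "/sys/class/net/$1/flags")" "$(ip -o addr show dev "$1")"
fi
```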
