From: Packet Man (packetman@altsec.info)
Date: Sun Feb 12 2006 - 14:11:30 EST
Petr.Kazil@eap.nl wrote:
>>If you are doing a host:
>>- interrupt the host's uplink with a hub and plug your snort box in.
>>You could have this all set up on a laptop.
>
>
> I have tried this but run into problems:
>
> - Real hubs are (almost?) impossible to get nowadays. Even the cheapest
> "hub" is really a switch. If you know where I can find a hub-like network
> component, then I'll order it right away.
> - I was able to buy the last real hub from a PC-shop, but it was only
> 10Mbps and it refused to work with my 100Mb cards and switches.

If you can't do port mirroring on the switch itself, you
could build a passive network tap for under US$30.00,
or so. Or, the alternative is a commercial network tap
for around US$1,000.00.

I've been building and using them for several years
now, but only recently have started documenting their
finer points (NIC selection is critical). For more
info on building and using a passive network tap, see
my paper at: http://www.altsec.info/passive-network-tap.html

I'm working on an updated paper right now regarding the
error rates. I've been testing with combinations of NICs
that produce ZERO errors on 100Mb connections. I expect to
update the paper with the suggestions within the next week.

BTW... a must read for such things is "The TAO of Network
Security Monitoring" by Richard Bejtlich. Check out his
site at: http://www.taosecurity.com/books.html

BTW... since the technique really belongs in the IDS
list, I cross-posted this message there.

Good luck.

--
Excellence in InfoSec and Linux http://www.altsec.info

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT