LinuxQuestions.org
Old 09-13-2004, 02:33 PM   #1
kemplej
Member
 
Registered: Dec 2003
Posts: 235

Rep: Reputation: 30
Transparent IDS


What would I put in my rc.firewall to make a transparent IDS box?
 
Old 09-14-2004, 11:15 AM   #2
littleking
Member
 
Registered: Jun 2003
Location: New Albany, OH
Posts: 190

Rep: Reputation: 30
You would have to use snort or something along that line.
 
Old 09-14-2004, 03:13 PM   #3
jymbo
Member
 
Registered: Jan 2003
Posts: 217

Rep: Reputation: 30
I'm assuming you mean transparent NIDS, and not IDS.

You need to first install snort. Then you need to determine what you want to monitor: your internal LAN, or traffic on the external side of your firewall. Since you say you want a transparent NIDS, I'm going to assume you want to place the snort box on the outside of your firewall.

If this is the case, you need to get yourself a true repeating hub (NOT a switched hub), or a switch with a spanner port. The whole idea is to repeat the traffic at your cable/dsl router's ext interface across the sniffing interface of your snort box. Once you've got that set up properly, bring up the network interface of the snort box without an IP (so it's transparent) and then start up snort.

This is just an overview, obviously. You can find more detailed info over at the snort site.
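An added example (not part of the post above, and not from the Snort project) of the last step: bringing up the sniffing interface with no address and checking that it really is address-less before Snort starts. It assumes iproute2, a sniffing NIC named `eth1` and a Snort config at `/etc/snort/snort.conf`. On Linux, an interface brought up without an IPv4 address still auto-configures an IPv6 link-local address, so the check covers both families.

```shell
#!/bin/sh
# Added example: stealth sniffing interface for a Snort sensor.
# Assumed names: eth1 (sniffing NIC), /etc/snort/snort.conf (Snort config).

# Constructed sample of `ip -o addr show` output, used for an offline check.
sample_addr_output() {
cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# Read `ip -o addr show` output on stdin; print "family address" for each
# IPv4/IPv6 address bound to interface $1.
addresses_on() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# Succeed only if interface $1 has no address at all in the stdin listing.
is_stealth() {
    [ -z "$(addresses_on "$1")" ]
}

# Bring interface $1 up with no IPv4 address, no IPv6 link-local address,
# ARP disabled and promiscuous mode on. Needs root.
bring_up_stealth() {
    sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1" &&
    ip addr flush dev "$1" &&
    ip link set dev "$1" arp off promisc on up
}

# Run as: sh stealth-sensor.sh apply [interface]
if [ "${1:-}" = "apply" ]; then
    ifc="${2:-eth1}"
    bring_up_stealth "$ifc" || exit 1
    if ip -o addr show | is_stealth "$ifc"; then
        exec snort -D -i "$ifc" -c /etc/snort/snort.conf
    fi
    echo "$ifc still has an address:" >&2
    ip -o addr show | addresses_on "$ifc" >&2
    exit 1
fi
```

In the constructed sample, `eth1` has no IPv4 address but is still reported as not stealth because of its `fe80::` link-local address.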
 
Old 09-15-2004, 11:44 AM   #4
kemplej
Member
 
Registered: Dec 2003
Posts: 235

Original Poster
Rep: Reputation: 30
I want to monitor what's getting past our current hardware firewall. I have set up snort in the past and it works decent. However we have to set up NAT and dhcpd. Since our router would sit outside of the snort box's firewall. And I have to change the gateway to the snort box to let LAN traffic thru. To me that's a stupid step. I want to be able to put the box between the router and our local LAN and pass ALL traffic thru without needing to add dhcpd or worry about opening ports on the box.


Justyn
 
Old 09-15-2004, 12:10 PM   #5
jymbo
Member
 
Registered: Jan 2003
Posts: 217

Rep: Reputation: 30
If you want to place a snort sensor behind your router, you simply need to put a repeater inline with the local interface of the router and connect your snort box to the repeater. Another option is if your LAN switch has a spanner port, you can simply connect your snort box there. Since your sensor is behind your router/firewall, then you don't really need to run it in transparent mode.
 
Old 09-15-2004, 01:42 PM   #6
kemplej
Member
 
Registered: Dec 2003
Posts: 235

Original Poster
Rep: Reputation: 30
Repeater inline? Would that be hardware or software?


thanks

Justyn
 
Old 09-15-2004, 01:47 PM   #7
jymbo
Member
 
Registered: Jan 2003
Posts: 217

Rep: Reputation: 30
Quote:
Originally posted by kemplej
repeater inline? Would that be hardware or software?


thanks

Justyn
Get a repeater hub...or a switch with a spanner port to replicate the data from the local interface of your router, then plug your snort box into the repeater.
 
  

