Old 06-28-2005, 12:46 AM   #1
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Rep: Reputation: 32
transparent routing (IDS)


I want to run snort on a dual LAN card system (eth0, eth1), to monitor all the traffic. Can anyone tell me what routing I would have to add, as I am new to routing on Linux?
Here is my scenario:

Code:
network1<----->eth1<------->eth0<------>network1
192.168.0.1                                              192.168.0.2
I will be thankful if someone will also provide me the full commands that will be applied in this case.
 
Old 06-28-2005, 01:20 AM   #2
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
Generally you put an IDS on a network in a passive fashion, not as a transparent bridge. If you have a decent switch you should be able to set one port up as a monitor port and have it see all of the traffic that passes through the switch without the need to make the IDS box a router.
 
Old 06-28-2005, 02:26 AM   #3
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Original Poster
Rep: Reputation: 32
How can we set one port up as passive? I also have to run a firewall so that after analysis from the IDS I can block those IPs which are intruding into the network.
 
Old 06-28-2005, 09:54 AM   #4
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
If you want to do active blocking you're not setting up an IDS, you're setting up an IPS. And I haven't set one of those up because it's too easy to get a false positive and have it block legitimate traffic.
 
Old 06-28-2005, 01:09 PM   #5
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Original Poster
Rep: Reputation: 32
Thanks Noth, I got that, but what about passive mode of the switch port? How do I enable this in the switch?
 
Old 06-28-2005, 01:12 PM   #6
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
It differs from vendor to vendor and it has to be a managed switch.

Here's an article on how it works on a Cisco Catalyst: http://www.cisco.com/warp/public/473/41.html
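
The Linux side of the passive setup described in this thread, as an added example that is not part of any post: once the switch mirrors traffic to a monitor port, the sensor NIC needs no routing at all, only a silent, address-less, promiscuous interface for Snort to listen on. The interface name eth1, the Snort 2.x paths and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example: prepare a Linux NIC as a passive IDS sensor port.
# Assumptions (not from the thread): the sniffing NIC is eth1, it is cabled to
# the switch's monitor port, and Snort 2.x is configured in /etc/snort/snort.conf.

SNIFF_IF="${SNIFF_IF:-eth1}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"

# Reject anything that is not a plain device name before it reaches a command.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print, one per line, the commands that turn $1 into a receive-only sensor port.
sensor_plan() {
    valid_iface "$1" || { echo "invalid interface: $1" >&2; return 1; }
    # No IP address: the sensor cannot be addressed from the monitored network.
    echo "ip addr flush dev $1"
    # No ARP: the port never answers or announces itself.
    echo "ip link set dev $1 arp off"
    # Promiscuous mode: accept mirrored frames addressed to other hosts.
    echo "ip link set dev $1 promisc on"
    echo "ip link set dev $1 up"
    # Snort as a daemon in IDS mode on the sniffing interface, fast alert format.
    echo "snort -D -i $1 -c $SNORT_CONF -l $SNORT_LOG -A fast"
}

# Dry run by default; set APPLY=1 (as root) to execute the plan line by line.
run_sensor() {
    plan=$(sensor_plan "$1") || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        echo "$plan" | while IFS= read -r cmd; do sh -c "$cmd" || exit 1; done
    else
        echo "$plan"
    fi
}

run_sensor "$SNIFF_IF"
```

Management access to the sensor belongs on the other NIC (eth0 in the original question), which keeps its normal address.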
 
  


All times are GMT -5.