From a post to the ShmooGroup by PaulHolman regarding setting up an IDS or sniffer box so that it can physically only receive traffic and not send it. -- AdamShand
Just thought I'd send out a quick note to let you guys know what I found out about this. To recap, my goal was to come up with a way to physically enforce the security of my loghost by snipping the transmit wires on each ethernet cable. This was an idea discussed at Fort Nocs years ago. It turns out that the definitive work on this topic is for packet sniffers that don't want to be seen by IDS tools. Probably the most succinct description is in the Snort FAQ here:
This method fools a hub into seeing a link by looping back the transmit wires. It will cause problems for a switch, so I've elected not to pursue it for now.
Here's the relevant excerpt from the Snort FAQ:
Q: How do I setup snort on a 'stealth' interface?
A: Bring up the interface without an IP address on it. See 3.2 ...
A: Use an ethernet tap, or build your own receive-only ethernet cable.
A: Anyway, here is the cable I use:
    LAN            Sniffer
    1 -----\    /-- 1
    2 ---\  |   \-- 2
    3 ----+-*------ 3
    4 -     |   -   4
    5 -     |   -   5
    6 ------*------ 6
    7 -         -   7
    8 -         -   8

Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though.
More from BrucePotter ...
On a Cisco switch you can set up a SPAN port... This is cisco's name for a port that gets all the traffic from a port, set of ports, or a VLAN. With RSPAN you can monitor a VLAN that lives on multiple trunked switches... Neat stuff.
Anyhow, when you set a port to SPAN, the switch doesn't pay any attention to the packets coming at it from the IDS engine. This effectively puts the IDS engine in "stealth" mode. The port doesn't participate in spanning tree, packets aren't forwarded, etc. So if you're using Cisco, you've already got stealth capability.
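As an added example, not part of Bruce's post, here is the Catalyst IOS configuration for the local SPAN and RSPAN setups he describes; the session, interface and VLAN numbers are made up.

```cisco
! Local SPAN: mirror everything on VLAN 10 (both directions) to the IDS
! plugged into Gi0/24.  Interface and VLAN numbers are made up.
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet0/24
!
! The destination port only transmits mirrored frames; by default it
! ignores anything the IDS sends and does not run spanning tree, which
! is the "stealth" behaviour described above.  Leave off the optional
! "ingress" keyword on the destination line: it re-enables normal
! forwarding of frames received from the IDS and breaks the stealth.
!
! RSPAN: the monitored port lives on switch A, the IDS on switch B,
! joined by a trunk.  Both switches need the dedicated remote-span VLAN.
vlan 900
 remote-span
!
! Switch A: send the copy of Gi0/1's traffic into the RSPAN VLAN
monitor session 2 source interface GigabitEthernet0/1 both
monitor session 2 destination remote vlan 900
!
! Switch B: pull the RSPAN VLAN back out to the IDS port
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet0/24
!
! Check what is actually being mirrored
! show monitor session all
```

If the IDS box is also the loghost, keep its logging traffic on a separate, normally switched interface; the SPAN destination port will not carry it.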