Article: Stealthful Sniffing, Intrusion Detection and Logging
Stealth is a subject I do like and this article opened the eyes for me in many ways. Stealth is a fashinating subject and its now soon time for me to go home from work and play with my new toy, stealth IDS :).
Source: Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging
Attackers can't rewrite your log files if they can't connect to the log server. Learn the ways of stealth.
In a column about syslog I mentioned ``stealth logging''--by running your central log server without an IP address, you can hide your central log server from intruders. But log servers aren't the only type of system that can benefit from a little stealth. Network sniffers and network intrusion detection systems (NIDSes) probes can also function perfectly well without IP addresses, making them less vulnerable to network attacks than the systems they protect.
This month I demonstrate three ways to use the versatile and powerful Snort--as a stealth sniffer, a stealth NIDS probe and a stealth logger--on a network interface with no IP address. If you're already familiar with Snort, I hope you'll see how easily it can be used stealthfully. If you're new to Snort, this article may be a useful crash course for you. All Snort commands and configurations in this article work equally well on interfaces with and without IP addresses.
Read the full article here.