July 31st, 2003, 09:45 PM
Phew..... So.... As I was saying......
The laptop will do fine and so that you can use it when you want you should be able to simply disable the interface when you aren't using it and enable it for the short periods that you are to minimize the risk of its detection. Snort should still work through the disabling of the card because WinPcap doesn't seem to care about what Windows says about the card.... It still listens.
In the snort.conf file comment out, (with a #), all the include lines for the rules and add the rule I put in my post above. Move the snort.conf file to c:\pursecure\sensor\bin for simplicity.
Then go to a DOS prompt and change to C:\pursecure\sensor\bin and type:-
This lists the interfaces. Determine which interface is the active external LAN connection. Running snort -v can help if you have a bunch. The one that shows the traffic is the one to use and then type
snort -iX -T (where X is the interface number you determined was the active above).
If snort doesn't abend..... (quit with an error), then you are good to go. Restart the machine, go to your regular box and try to get to the web. You should see an alert on the laptop saying Traffic detected...... If all is well with that you can sit back and relax and see what little fishies we can catch..... It might take a few days..... so be patient and keep us updated...... We are especially looking for either, odd outbound connections to uncommon ports or outbound smtp, (port 25), connections that you did not initiate. We are also _very_ interested if we see any inbound connections where your box is the destination 'cos the SYN packets we are trying to capture should only be going outbound if you are properly firewalled.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
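The post above asks for three things to be pulled out of the laptop's alerts: outbound connections to uncommon ports, outbound SMTP (port 25) that the user did not start, and any inbound connection where the home box is the destination. The script below, added here as an example and not part of the original thread or of Snort, sorts Snort "fast" alert lines (the one-line `[**] ... {TCP} src:port -> dst:port` format) into those buckets. The home network range, the list of "common" outbound ports and the sample alert lines are all constructed assumptions for the example; adjust HOME_NET to whatever the real LAN is.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption for this example: the laptop's LAN is 192.168.1.0/24.
HOME_NET = ip_network("192.168.1.0/24")

# Ports a home box routinely connects out to. Anything else outbound is
# flagged as "uncommon" for a human to look at. Assumed list, not from the post.
COMMON_OUTBOUND_PORTS = {21, 22, 53, 80, 110, 143, 443, 993, 995}

# Tail of a Snort fast-format alert line:  {PROTO} src:sport -> dst:dport
# ICMP alerts carry no ports, so they deliberately do not match.
FLOW_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s*$"
)


def classify(line):
    """Return a triage label for one alert line, or None if it is not a TCP/UDP flow alert."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst = ip_address(m["src"]), ip_address(m["dst"])
    dport = int(m["dport"])
    if dst in HOME_NET and src not in HOME_NET:
        # Outside host reached the home box: the firewall should have dropped this SYN.
        return "inbound"
    if src in HOME_NET and dst not in HOME_NET:
        if dport == 25:
            return "outbound-smtp"
        if dport in COMMON_OUTBOUND_PORTS:
            return "outbound-common"
        return "outbound-uncommon"
    return "internal"


def triage(lines):
    """Group alert lines by label; lines that are not flow alerts are skipped."""
    buckets = {}
    for line in lines:
        label = classify(line)
        if label is None:
            continue
        buckets.setdefault(label, []).append(line.strip())
    return buckets


# Constructed sample alerts in Snort fast format (not captured from a real sensor).
SAMPLE_ALERTS = [
    "07/31-21:50:01.000001  [**] [1:1000001:0] Traffic detected [**] [Priority: 0] {TCP} 192.168.1.10:1034 -> 203.0.113.5:80",
    "07/31-21:50:07.000002  [**] [1:1000001:0] Traffic detected [**] [Priority: 0] {TCP} 192.168.1.10:1035 -> 198.51.100.9:25",
    "07/31-21:51:12.000003  [**] [1:1000001:0] Traffic detected [**] [Priority: 0] {TCP} 192.168.1.10:1036 -> 198.51.100.44:6667",
    "07/31-21:52:30.000004  [**] [1:1000001:0] Traffic detected [**] [Priority: 0] {TCP} 203.0.113.77:4433 -> 192.168.1.10:445",
    "07/31-21:53:00.000005  [**] [1:1000001:0] Traffic detected [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.1",
]

if __name__ == "__main__":
    for label, hits in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{label}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Run it against the alert file Snort writes on the laptop (or pipe the alert log into `triage`) and read the "inbound", "outbound-smtp" and "outbound-uncommon" buckets first; "outbound-common" is the browsing you expect to see once the rule is confirmed working.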
July 31st, 2003, 10:38 PM
Tiger, thanks a lot, I'll see if I can get it to work when I get up tomorrow - have to go out and consume some beer right now
Really appreciate your help on this...