Keep your IDS sensors safe from attack, while still giving yourself access to their data.

Your IDS sensors are the early warning system that can both alert you to an attack and provide needed evidence for investigating a break-in after one has occurred. You should take extra care to protect them and the data that they collect. One way to do this is to run your IDS sensors in stealth mode.

To do this, simply don’t configure an IP address for the interface that your IDS software will be collecting data from. Putting the interface up, but without specifying an IP address, can do this.

For example:

# tcpdump -i eth1
tcpdump: bind: Network is down
# ifconfig eth1 up promisc
# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:DE:AD:BE:EF:00  
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x1c80 

# /usr/sbin/tcpdump -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1

After you’ve put the interface up, just start your IDS [Hack #82] . Your IDS will run as normal, but since there is no way to directly access the machine, it is very difficult to attack it.

However, just like potential attackers, you will be unable to access the machine remotely. Therefore, if you want to manage the sensor remotely, you’ll need to put in a second ...