[Snort-users] Stealth Interface on Win32 Platforms

Frank Knobbe FKnobbe at ...649...
Tue Sep 4 06:52:04 EDT 2001



> -----Original Message-----
> From: Archer [mailto:archer at ...2694...]
> Sent: Tuesday, September 04, 2001 12:48 AM
> 
> Can someone tell me how to do a "stealth interface" for Win32 
> platforms?
> 
> For example, how do you make sure the interface has no IP, do 
> you assign it 0.0.0.0? If you set it to DHCP but don't allow it to
> get an address, it will default to a 169.x.x.x address.

If you are using the receive-only cable, you can assign yourself some
unused IP address. I've noticed that if an interface has no protocol
assigned, you can't select it with WinPCap.

> As far as the sniffer cable goes, I read the Snort FAQ and this
> was mentioned. However, I don't quite understand it. Could someone
> perhaps clear it up a little?
> 
>    LAN          Sniffer
>     1 -----\   /-- 1
>     2 ---\ |   \-- 2
>     3 ---+-*------ 3
>     4 -  |       - 4
>     5 -  |       - 5
>     6 ---*-------- 6
>     7 -          - 7
>     8 -          - 8

That should do it.

> 
>     Basically, 1 and 2 on the sniffer side are connected, 3 and 6
>     straight through to the LAN. 1 and 2 on the LAN side connect to
>     3 and 6 respectively. This fakes a link on both ends but only
>     allows traffic from the LAN to the sniffer. It also causes the
>     'incoming' traffic to be sent back to the LAN, so this cable only
>     works well on a hub. You can use it on a switch but you will get
>     ...err... interesting results. Since the switch receives the
>     packets back in on the port it sent them out, the MAC table gets
>     confused and after a short while devices start to drop off the
>     switch. Works like a charm on a hub though.


Regards,
Frank
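
The hub-versus-switch behaviour described in the quoted FAQ text, as a simplified model added here for illustration (it is not part of the original message, the Snort FAQ, or Snort itself). The class `Device`, the function `reply_reaches_a`, the host names and the port numbers are all assumptions made for the example.

```python
# Added illustration: toy model of a hub / learning switch with the
# receive-only cable on one port. All names and ports are constructed.
class Device:
    """learn=False behaves like a hub, learn=True like a learning switch."""

    def __init__(self, ports, learn, cable_port):
        self.ports = ports
        self.learn = learn
        self.cable_port = cable_port  # port wired with the receive-only cable
        self.mac_table = {}           # learned MAC -> port (switch only)
        self.delivered = []           # (port, src, dst) sent to real hosts
        self.sniffed = []             # (src, dst) frames the sniffer saw

    def receive(self, in_port, src, dst):
        if self.learn:
            self.mac_table[src] = in_port          # source-address learning
        known = self.mac_table.get(dst) if self.learn else None
        if known is None:
            out_ports = [p for p in self.ports if p != in_port]  # flood
        elif known == in_port:
            out_ports = []                         # filtered: same port
        else:
            out_ports = [known]                    # forward to learned port
        for port in out_ports:
            if port == self.cable_port:
                self.sniffed.append((src, dst))    # sniffer receives a copy
                # The cable ties the LAN-side pairs together, so the frame
                # comes straight back in on the port it was sent out of.
                self.receive(port, src, dst)
            else:
                self.delivered.append((port, src, dst))


def reply_reaches_a(learn):
    """Host A (port 1) talks to B (port 2); does B's reply get back to A?"""
    dev = Device(ports=[1, 2, 3], learn=learn, cable_port=3)
    dev.receive(1, "A", "B")
    dev.delivered.clear()
    dev.receive(2, "B", "A")
    return (1, "B", "A") in dev.delivered, dict(dev.mac_table)


if __name__ == "__main__":
    print("hub:   ", reply_reaches_a(learn=False))
    print("switch:", reply_reaches_a(learn=True))
```

On the modelled switch both hosts end up learned on the cable port, so B's reply is forwarded only to the sniffer and never reaches A; on the modelled hub the reply is still repeated to A.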




