[Snort-users] Stealth Interface on Win32 Platforms

Tom Sevy tsevy at ...1701...
Tue Sep 4 08:14:03 EDT 2001


Or you can (in Win NT or W2K) simply uncheck the binding of TCP/IP to the
NIC card you are using to snort.

-----Original Message-----
From: Frank Knobbe [mailto:FKnobbe at ...649...] 
Sent: Tuesday, September 04, 2001 9:51 AM
To: 'Archer'; Snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Stealth Interface on Win32 Platforms



*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x3282D105
*** Signed: 9/4/2001 9:51:27 AM
*** Verified: 9/4/2001 11:12:19 AM
*** BEGIN PGP VERIFIED MESSAGE ***

> -----Original Message-----
> From: Archer [mailto:archer at ...2694...]
> Sent: Tuesday, September 04, 2001 12:48 AM
> 
> Can someone tell me how to do a "stealth interface" for Win32 
> platforms?
> 
> For example, how do you make sure the interface has no IP, do 
> you assign it 0.0.0.0? If you set it to DHCP but don't allow it to
> get an address, it will default to a 169.x.x.x address.

If you are using the receive-only cable, you can assign yourself some
unused IP address. I've noticed that if an interface has no protocol
assigned, you can't select it with WinPCap.

> As far as the sniffer cable. I read the Snort FAQ and this 
> was mentioned. However, I don't quite understand it. Could someone
> perhaps clear it up a little?
> 
> LAN Sniffer
>     1 -----\   /-- 1
>     2 ---\ |   \-- 2
>     3 ---+-*------ 3
>     4 -  |       - 4
>     5 -  |       - 5
>     6 ---*-------- 6
>     7 -          - 7
>     8 -          - 8

That should do it.

> 
>     Basically, 1 and 2 on the sniffer side are connected, 3 and 6
>     straight through to the LAN. 1 and 2 on the LAN side connect to
>     3 and 6 respectively. This fakes a link on both ends but only
>     allows traffic from the LAN to the sniffer. It also causes the
>     'incoming' traffic to be sent back to the LAN, so this cable only
>     works well on a hub. You can use it on a switch but you will get
>     ...err... interesting results. Since the switch receives the
>     packets back in on the port it sent them out, the MAC table gets
>     confused and after a short while devices start to drop off the
>     switch. Works like a charm on a hub though.


Regards,
Frank


*** END PGP VERIFIED MESSAGE ***
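
The cable wiring quoted above, modelled as a netlist to show why it is receive-only and why the LAN port hears its own traffic. This is an added example, not part of the original thread; the pin roles (sniffer NIC as MDI with TX on 1,2 and RX on 3,6; hub port as MDI-X with the pairs swapped) are the standard 10/100BASE-T assignment and are an assumption the thread does not state.

```python
# Added illustration: the receive-only cable from the diagram as a netlist.
# Assumption (not in the thread): standard 10/100BASE-T pin roles.
#   sniffer NIC = MDI   -> TX on pins 1,2 ; RX on pins 3,6
#   LAN hub port = MDI-X -> TX on pins 3,6 ; RX on pins 1,2

WIRES = [
    (("sniffer", 1), ("sniffer", 2)),  # sniffer 1 and 2 tied together
    (("lan", 3), ("sniffer", 3)),      # 3 straight through
    (("lan", 6), ("sniffer", 6)),      # 6 straight through
    (("lan", 1), ("lan", 3)),          # LAN 1 joined to 3
    (("lan", 2), ("lan", 6)),          # LAN 2 joined to 6
]

ROLES = {
    "sniffer": {"tx": (1, 2), "rx": (3, 6)},
    "lan": {"tx": (3, 6), "rx": (1, 2)},
}

def build_nets(wires):
    """Union-find: return a function mapping a pin to its electrical net."""
    parent = {}
    def find(pin):
        parent.setdefault(pin, pin)
        while parent[pin] != pin:
            parent[pin] = parent[parent[pin]]  # path halving
            pin = parent[pin]
        return pin
    for a, b in wires:
        parent[find(a)] = find(b)
    return find

def carries(find, src, dst):
    """True if src's TX pair reaches dst's RX pair as two separate conductors."""
    tx = [find((src, p)) for p in ROLES[src]["tx"]]
    rx = [find((dst, p)) for p in ROLES[dst]["rx"]]
    # A shorted pair (both pins on one net) cannot carry a differential signal.
    return tx[0] != tx[1] and tx == rx

def summarize():
    find = build_nets(WIRES)
    return {
        "lan_to_sniffer": carries(find, "lan", "sniffer"),  # sniffer can listen
        "sniffer_to_lan": carries(find, "sniffer", "lan"),  # sniffer cannot talk
        "lan_loopback": carries(find, "lan", "lan"),        # port hears itself
    }

if __name__ == "__main__":
    for path, ok in summarize().items():
        print(f"{path}: {ok}")
```

The `lan_loopback` result is the behaviour the FAQ text warns about on a switch: frames sent out the port arrive back on the same port.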
