[Snort-users] Stealth Interface on Win32 Platforms
tsevy at ...1701...
Tue Sep 4 08:14:03 EDT 2001
Or you can (in Win NT or W2K) simply uncheck the binding of TCP/IP to the
NIC card you are using to snort.
From: Frank Knobbe [mailto:FKnobbe at ...649...]
Sent: Tuesday, September 04, 2001 9:51 AM
To: 'Archer'; Snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Stealth Interface on Win32 Platforms
*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x3282D105
*** Signed: 9/4/2001 9:51:27 AM
*** Verified: 9/4/2001 11:12:19 AM
*** BEGIN PGP VERIFIED MESSAGE ***
> -----Original Message-----
> From: Archer [mailto:archer at ...2694...]
> Sent: Tuesday, September 04, 2001 12:48 AM
> Can someone tell me how to do a "stealth interface" for Win32
> For example, how do you make sure the interface has no IP, do
> you assign it 0.0.0.0? If you set it to DHCP but don't allow it to
> get an address, it will default to a 169.x.x.x address.
If you are using the receive-only cable, you can assign yourself some
unused IP address. I've noticed that if an interface has no protocol
assigned, you can't select it with WinPCap.
> As far as the sniffer cable. I read the Snort FAQ and this
> was mentioned. However, I don't quite understand it. Could someone
> perhaps clear it up a little?
> LAN          Sniffer
> 1 -----\   /-- 1
> 2 ---\ |   \-- 2
> 3 ---+-*------ 3
> 4 -  |       - 4
> 5 -  |       - 5
> 6 ---*-------- 6
> 7 -          - 7
> 8 -          - 8
That should do it.
> Basically, 1 and 2 on the sniffer side are connected, 3 and 6
> straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
> 6 respectively. This fakes a link on both ends but only allows
> traffic from the LAN to the sniffer. It also causes the traffic to be
> sent back to the LAN, so this cable only works well on a hub. You can
> use it on a switch but you will get ...err... interesting results.
> Since the switch receives the packets back in on the port it sent
> them out, the MAC table gets confused and after a short while devices
> start to drop off the switch. Works like a charm on a hub though.
*** END PGP VERIFIED MESSAGE ***
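
The switch behaviour described in the quoted FAQ text, as an added example that is not part of the original messages: a simplified learning-switch model showing how a frame echoed back in by the cable overwrites the MAC table entry, so later traffic for that host goes to the sniffer port instead of the host. The class and function names, port numbers and MAC addresses are constructed for illustration; aging and spanning tree are not modelled.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A, HOST_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"  # constructed MACs

class LearningSwitch:
    """Simplified model: MAC learning and forwarding only, no aging or STP."""

    def __init__(self, ports, echo_ports=()):
        self.ports = list(ports)
        self.echo_ports = set(echo_ports)  # ports wired to the receive-only cable
        self.mac_table = {}                # MAC -> port the address was last seen on

    def receive(self, in_port, src, dst, echoed=False):
        """Handle one frame and return the ports it is sent out of."""
        self.mac_table[src] = in_port      # learn, overwriting any earlier entry
        known = None if dst == BROADCAST else self.mac_table.get(dst)
        if known is None:                  # broadcast or unknown unicast: flood
            out_ports = [p for p in self.ports if p != in_port]
        elif known == in_port:             # destination appears to be on ingress port
            out_ports = []
        else:
            out_ports = [known]
        if not echoed:
            for port in out_ports:
                if port in self.echo_ports:
                    # The cable sends the frame back in on the port it left by,
                    # so the switch relearns the sender's MAC on that port.
                    self.receive(port, src, dst, echoed=True)
        return out_ports

def run_scenario(echo_ports):
    """Host A on port 1, host B on port 2, sniffer cable on port 3."""
    sw = LearningSwitch(ports=[1, 2, 3], echo_ports=echo_ports)
    sw.receive(1, HOST_A, BROADCAST)           # A broadcasts (e.g. an ARP request)
    delivered = sw.receive(2, HOST_B, HOST_A)  # B replies to A by unicast
    return delivered, dict(sw.mac_table)

if __name__ == "__main__":
    for label, echo in (("normal port 3", []), ("echoing cable on port 3", [3])):
        delivered, table = run_scenario(echo)
        print(f"{label}: B->A sent out ports {delivered}, table {table}")
```

With the echoing cable on port 3, B's reply to A leaves only on port 3 and both hosts end up mapped to that port, which is the "devices start to drop off" symptom; a hub keeps no such table, so the echo does not misdirect traffic there.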