[Snort-users] Running Win2K in Stealth Mode

Chris Arsenault carsenault at ...4459...
Wed Feb 6 13:47:03 EST 2002


The four things I have done:

Setup Win2k in Stealth

Unbind all NIC cards (1 on DMZ & 1 External layer of firewall)

Added 2 receive only cables, available on Snort FAQ

Added 2 Ethernet taps, a bit overkill... but why not be paranoid!

Have a third NIC card to access ACID & Demarc management interface

Log everything to MySQL

Log everything to alert.ids

Upload alert.ids to aris hourly http://aris.securityfocus.com

Create beautiful reports for management via aris :)

This complete setup was approved by our board and is currently in
production.  The only changes I will make in the future are to move the
sensors from Win2k to FreeBSD or Linux running on server-class machines
and logging to MSSQL, and to set up HTTPS access to Demarc from the DMZ
so that I can have the monitor running at home 24 hours a day.

Chris Arsenault
Network Administrator
First Educators Credit Union
Microsoft Certified Systems Engineer
Microsoft Certified Trainer


-----Original Message-----
From: Tom Sevy [mailto:tsevy at ...1701...] 
Sent: Wednesday, February 06, 2002 3:18 PM
To: Chris Arsenault; 'SkatFiend at ...661...';
'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Running Win2K in Stealth Mode

Has anyone tried un-binding the TCP/IP protocol to the NIC?  I have done
this when using MS Network Monitor to sniff a segment.

-----Original Message-----
From: Chris Arsenault [mailto:carsenault at ...4459...] 
Sent: Wednesday, February 06, 2002 4:04 PM
To: SkatFiend at ...661...; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Running Win2K in Stealth Mode


Disable APIPA and setup the adapter to use DHCP.  Instead of getting a
private address, the IP will reset to 0.0.0.0 and stay there.
 
Chris Arsenault
Network Administrator
First Educators Credit Union
Microsoft Certified Systems Engineer
Microsoft Certified Trainer
 
-----Original Message-----
From: SkatFiend at ...661... [mailto:SkatFiend at ...661...] 
Sent: Wednesday, February 06, 2002 11:52 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Running Win2K in Stealth Mode
 
Hello All,

I know this has been addressed before on the list, however I am having
problems implementing this configuration.

According to an e-mail on 01/15/02, I have disabled APIPA with a registry
key hack, and I have unbound IP from Microsoft under Advanced Network
settings.

It was suggested to use a 0.0.0.0 IP address for the adapter, but the GUI
interface will not allow you to do this; it either requires a valid IP
address or must be set to DHCP.

Can anyone tell me how they configured this?


Thanks in advance for your help.

Cliff Arms
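The procedure Cliff asks about and Chris answers above (turn APIPA off, leave the capture adapter on DHCP so it settles on 0.0.0.0), written out as a Windows 2000 batch script. This is an added example, not code from any post in this thread and not part of Snort; it assumes the capture adapter has been renamed "Capture" in Network Connections (any connection name works, the placeholder is mine), and it uses only tools that ship with Windows 2000 (regedit, netsh, ipconfig, findstr). The registry value it sets, IPAutoconfigurationEnabled under the Tcpip\Parameters key, is the documented switch for APIPA.

```batch
@echo off
rem Added example (not from the thread or from Snort): put a Win2K Snort
rem capture NIC into "stealth" (no IP address) by disabling APIPA and leaving
rem the adapter on DHCP, then confirming it reports 0.0.0.0.
rem Assumption: the capture adapter is named "Capture" in Network Connections.

setlocal
set CAPTURE_NIC=Capture
set REGFILE=%TEMP%\no-apipa.reg

rem 1. Write a .reg file that switches APIPA off for the whole TCP/IP stack.
rem    (A per-adapter value of the same name can also be set under
rem    Parameters\Interfaces\{adapter GUID}; the global value is enough here.)
 > "%REGFILE%" echo Windows Registry Editor Version 5.00
>> "%REGFILE%" echo.
>> "%REGFILE%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
>> "%REGFILE%" echo "IPAutoconfigurationEnabled"=dword:00000000

rem 2. Import it silently (run as a local Administrator).
regedit /s "%REGFILE%"

rem 3. Hand the capture adapter to DHCP. With APIPA off and no DHCP server on
rem    the tap segment, the stack never falls back to 169.254.x.x and the
rem    address stays 0.0.0.0. Reboot so the registry change takes effect.
netsh interface ip set address name="%CAPTURE_NIC%" source=dhcp

rem 4. Verify after the reboot: the "Capture" adapter section should show
rem    an IP Address of 0.0.0.0.
ipconfig /all | findstr /C:"adapter" /C:"IP Address"
endlocal
```

Two caveats worth knowing before calling the box "stealth". First, an adapter left on DHCP with no server answering keeps broadcasting DHCP Discover messages periodically, so the sensor's MAC is still visible on the monitored segment; only the receive-only cable or tap that Chris describes actually stops the sensor from transmitting. Second, unbinding TCP/IP from the capture NIC (Tom's approach) is independent of this: Snort on Windows captures through WinPcap, which sits below TCP/IP on the adapter, so the NIC can have no IP stack at all and still feed Snort, which is the quieter of the two options.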



