[Snort-users] RE: Snort WIN2K setup for stealth mode

Chris Arsenault carsenault at ...4459...
Thu Feb 7 07:34:06 EST 2002


Michael,
  
I'm very interested in trying this for a Windows machine. Is it possible
for you to go into detail on the procedure you used?

The four things I have done:

Setup Win2k in Stealth

1. Unbind all NIC cards (1 on DMZ & 1 External layer of firewall)

Network card 1 on the firewall:

Network card 2 for management:

*************************************************************************

***Also, add the following registry keys in order to disable APIPA.
This is the only way to turn Win2k to a 0.0.0.0 address.  Set up the
sensor adapter(s).  Also set the sensor adapters to DHCP so when they
reset they get only a 0.0.0.0 address instead of 169.x.x.x

http://www.microsoft.com/TechNet/prodtechnol/winxppro/proddocs/sag_TCPIP_pro_DisableAutoConfiguration.asp

***************************************************************************



2. Added 2 receive only cables, available on Snort FAQ

Is this necessary if there is no IP?

***********************************************************************

Receive-only cables cut off the transmit possibilities from the card.
This is more of a political issue when deploying on a corporate network.
Although this may be overkill, it works with management.  It also shuts
off any ability for the Windows machine to start chatting on the wire.

I actually used two 9-pin-to-RJ45 adapters like this:

LAN ->RJ45 FEMALE -> 9PIN MALE -> 9 PIN FEMALE -> RJ45 FEMALE ->SNIFFER

I made all the connections inside the adapter

On the LAN side, connect holes 1 & 2 together

Connect wire 1 & 3 together with a pin and place in hole 3

Connect wire 2 & 6 together with a pin and place in hole 6

Connect wire 4, 5, 7 & 8 straight through (4 into 4, 5 into 5, etc)

On the Sniffer side, connect pins straight through (1 - 1, 2 - 2, 3 - 3)

This is the exact representation of the receive-only cable available in
the Snort FAQ at http://www.snort.org.  The only difference is instead of
connecting wires 1 and 2 on the sniffer side, I just looped them at the
LAN side.

****************************************************************************

3. Added 2 Ethernet taps, a bit overkill....but why not be paranoid!

What is this and what do they accomplish?

This accomplishes the same thing as the receive-only cable.  We already
had these purchased and they were not working.  I put the receive-only
cable on them and they work great.  Once again, overkill...basically
looks pretty on paper and in the server room.  (We have a stealth IDS
structure with interfaces on 0.0.0.0, receive only cables and Ethernet
taps to thwart unwanted transmit traffic..bla, bla, bla)

***  Any vendor, security professional or security organization would
recommend having both software (stealth interface) and hardware
(taps/cables) in place.  It will save your ass during an audit  ***

http://www.finisar.com (UTP TAP 10/100)

**************************************************************

4. Have a third NIC card to access ACID & Demarc management interface

This would be card #2

****************************************************************

The non-sensor management NIC would allow you to access the ACID or
Demarc management consoles.  You can also set up Windows 2000 w/ Terminal
Services in order to connect to it from any internal PC in order to do
upgrades, etc.  I would only use Terminal Services on an internal
network!!!

You could also set up the management NIC on a DMZ or public address WITH
HTTPS!!  There are some security concerns with IIS here!!!  If you are
running IIS on the sensor box...LOCK IT DOWN....IF IT DOESN'T
WORK....LOCK IT DOWN SOME MORE ;)

**********************************************************************


5. Log everything to MySQL  --  Soon to be trying to log everything to
MSSQL 2K.  See how that goes...

Got this part


6. Log everything to alert.ids

Got this part


7. Upload alert.ids to aris hourly http://aris.securityfocus.com

Is there any security risk here? Do you use ACID at all?

**************************************************************************

*** I am using ACID and Demarc.  I used Aris from Security Focus to
create incredible reports.  Aris allows you to strip addresses from your
alert.ids file.  I strip out all hosts, firewall, etc....anything within
our DMZ.  This limits the data that goes up to Aris to only public IPs.
All our IPs are listed as 0.0.0.0.  This gives us incredible reports,
discussions and sig references.

***  Also check out http://www.snort.org/snort-db  -  This is the up and
coming ultimate reference for Snort or at least that is the goal!!
Share the wealth and contribute some sigs!!! :)

***************************************************************************

Any questions, feel free to email me or respond via Snort Users List.

Chris Arsenault
Network Administrator
First Educators Credit Union
Microsoft Certified Systems Engineer
Microsoft Certified Trainer


Thank you very much.

-Mike
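As an added example, not code from Chris's message or from the Snort project, here is how the stealth-interface part of step 1 (all protocols unbound from the sensor NIC, APIPA disabled so the card holds 0.0.0.0 and never transmits) can be applied and then checked on a current Windows host with the NetAdapter cmdlets, which did not exist on Win2K where this was done through the GUI. The adapter alias 'Sensor0' is an assumed placeholder, and the IPAutoconfigurationEnabled value name is taken from the Microsoft article the message links to, not quoted from the message itself.

```powershell
# Added example (not from the original message). Run as Administrator.
$SensorNic = 'Sensor0'   # assumed placeholder: alias of the sniffing NIC

$nic = Get-NetAdapter -Name $SensorNic -ErrorAction Stop

# Step 1: unbind the protocol stacks that could ever put a frame on the wire
# (IPv4/IPv6, client/server for MS networks, link-layer discovery). The
# capture driver's own binding is left alone so Snort can still sniff.
$chatty = 'ms_tcpip', 'ms_tcpip6', 'ms_msclient', 'ms_server', 'ms_lltdio', 'ms_rspndr'
foreach ($id in $chatty) {
    Disable-NetAdapterBinding -Name $SensorNic -ComponentID $id -ErrorAction SilentlyContinue
}

# Belt and braces, as the message recommends: disable APIPA on this
# interface only, so if TCP/IP is ever re-bound and left on DHCP with no
# server answering, the NIC stays at 0.0.0.0 instead of self-assigning a
# 169.254.x.x address (which it would ARP-probe, announcing the sensor).
$ifKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($nic.InterfaceGuid)"
New-ItemProperty -Path $ifKey -Name 'IPAutoconfigurationEnabled' `
    -PropertyType DWord -Value 0 -Force | Out-Null

Restart-NetAdapter -Name $SensorNic

# Verification: the sensor NIC must carry no IPv4 address and none of the
# chatty bindings may still be enabled. Anything else means it can talk.
$addrs = Get-NetIPAddress -InterfaceAlias $SensorNic -AddressFamily IPv4 -ErrorAction SilentlyContinue
$bound = Get-NetAdapterBinding -Name $SensorNic |
    Where-Object { $_.Enabled -and $chatty -contains $_.ComponentID }
if ($addrs -or $bound) {
    Write-Warning ("{0} is NOT stealth: addresses={1} bindings={2}" -f
        $SensorNic, ($addrs.IPAddress -join ','), ($bound.ComponentID -join ','))
} else {
    Write-Output "$SensorNic is stealth: no IPv4 address, no protocol bindings"
}
```

The receive-only cable or tap from steps 2 and 3 still belongs in front of this NIC; the script only removes the host's reasons to transmit, it cannot stop the card electrically.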