[Snort-users] Running Win2K in Stealth Mode
carsenault at ...4459...
Tue Jan 15 07:33:05 EST 2002
This is how I set up Win2k to run in stealth mode, running one sensor on
the external side of the firewall and one sensor in the DMZ. I also
connected a third network card to allow management via Demarc and ACID
from all of our IT desktops.
Follow the instructions on setting up a receive only cable available on
the current Snort FAQ. The cable works like a charm...
0.0.0.0 Interface on Windows 2000 -->
Disable Automatic Private IP Addressing (APIPA)
    Add the following REG_DWORD value
    IPAutoconfigurationEnabled and set the value to 0
Unbind the Sensor Adapter(s)
    Double click on network connections
    Highlight the sensor adapter
    Choose advanced and then advanced settings
    On the bindings tab, remove the checkmarks in order to unbind the
You are set at this point...our security requirements took us a step
further. On top of the receive only cable, I also added an Ethernet
tap. I added one tap on the external level of the firewall and one in
TRAFFIC --> TAP --> RECEIVE ONLY CABLE --> SENSOR RUNNING 0.0.0.0
with no bindings on the NIC.
The taps are available from http://www.shomiti.com. Nonetheless, their
docs didn't seem to work too well. I tried running the tap with a
straight through cable as
described and it wouldn't go. Once I put the receive only cable on, it
worked like a charm.
The tap was simply a security requirement where I work.....the receive
only cable actually does the same thing. I am not complaining about the
overkill when it comes to security though!
First Educators Credit Union
Microsoft Certified Systems Engineer
Microsoft Certified Trainer
From: Bill Shaffer [mailto:billshaffer at ...4566...]
Sent: Tuesday, January 15, 2002 8:53 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Running Win2K in Stealth Mode
1. How would one set up Windows 2K to run with no IP address? Is it
just enough to uncheck TCP/IP under the NIC properties?
2. Is there a command line you should place in the snort.conf to
make snort run in stealth mode?
Any info would be greatly appreciated!
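
An added example, not part of the original post: a Python check that parses `ipconfig /all` text and reports whether a sensor adapter still shows an address, including an APIPA (169.254.0.0/16) one that would mean autoconfiguration is still active. The adapter names, verdict strings and sample output are constructed, and the parser assumes the usual `label . . . : value` layout.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` text, not captured from a real host.
SAMPLE = """\
Ethernet adapter Management:
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.10.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Sensor-External:
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0

Ethernet adapter Sensor-DMZ:
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.17.42
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
# Matches both "IP Address" and "Autoconfiguration IP Address" lines.
ADDR_RE = re.compile(r"^\s+.*IP Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")

def parse_adapters(text):
    """Map each adapter name to the IPv4 addresses listed under it."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), [])
        elif current is not None and (m := ADDR_RE.match(line)):
            current.append(ipaddress.ip_address(m.group(1)))
    return adapters

def audit_sensor(text, name):
    """Classify one adapter (hypothetical verdict names)."""
    adapters = parse_adapters(text)
    if name not in adapters:
        return "not-listed"    # no TCP/IP section shown for this adapter name
    addrs = adapters[name]
    if any(a.is_link_local for a in addrs):
        return "apipa"         # 169.254.0.0/16: autoconfiguration still active
    if any(not a.is_unspecified for a in addrs):
        return "addressed"     # a usable address is configured
    return "no-address"        # only 0.0.0.0, or no address line at all

if __name__ == "__main__":
    for nic in ("Management", "Sensor-External", "Sensor-DMZ"):
        print(nic, audit_sensor(SAMPLE, nic))
```

A "not-listed" result can also mean the adapter name was mistyped, so confirm the name against the Network Connections window before treating it as unbound.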