[Snort-users] Running Win2K in Stealth Mode

Chris Arsenault carsenault at ...4459...
Tue Jan 15 07:33:05 EST 2002


This is how I setup Win2k to run in stealth mode running one sensor on
the external side of the firewall and one sensor in the DMZ.  I also
connected a third network card to allow management via demark and acid
from all of our IT desktops.
 
Follow the instructions on setting up a receive only cable available on
the current Snort FAQ.  The cable works like a charm...
 
0.0.0.0 Interface on Windows 2000 -->
 
Disable Automatic Private IP Addressing (APIPA)
 
Under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add the following REG_DWORD value 
 
IPAutoconfigurationEnabled and set the value to 0
 
Unbind the Sensor Adapter(s)
 
Double click on network connections
 
Highlight the sensor adapter
 
Choose advanced and then advanced settings
 
On the bindings tab, remove the checkmarks in order to unbind the
adapter(s)
 
You are set at this point...our security requirements took us a step
further.  On top of the receive only cable, I also added and Ethernet
tap.  I added one tap on the external level of the firewall and one in
the DMZ.
 
TRAFFIC -->  TAP  -->  RECEIVE ONLY CABLE  -->  SENSOR RUNNING 0.0.0.0
with no bindings on the NIC.
 
The taps are available from http://www.shomiti.com
<http://www.shomiti.com/>  none the less, their docs didn't seem to work
to well.  I tried running the tap with a straight through cable as
described and it wouldn't go.  Once I put the receive only cable on, it
worked like a charm.
 
The tap was simply a security requirement where I work.....the receive
only cable actually does to same thing.  I am not complaining about the
overkill when it comes to security though!
 
 
Chris Arsenault
Network Administrator
First Educators Credit Union
Microsoft Certified Systems Engineer
Microsoft Certified Trainer
 
-----Original Message-----
From: Bill Shaffer [mailto:billshaffer at ...4566...] 
Sent: Tuesday, January 15, 2002 8:53 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Running Win2K in Stealth Mode
 
1.       How would one setup Windows 2K to run with no IP address? Is it
just enough to uncheck TCP/IP under the nic properties?
2.       Is there a command line you should place in the snort.conf to
make snort run in stealth mode?
 
Any info would be greatly appreciated!
 
Thanks, Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020115/28e533ce/attachment.html>


More information about the Snort-users mailing list