[Snort-users] Setting up a Windowz Interface to monitor with no IP Address

Ian Macdonald secsnort at ...5528...
Wed Jul 3 07:01:10 EDT 2002


I think this should be recorded in the FAQ. I spent some time searching
archives looking for the best way to do this.

If needed we can put in the standard disclaimer. Or you can just put it in as
an additional or advanced configuration.

Just my 2 pence
----- Original Message -----
From: "Michael Steele" <michaels at ...155...>
To: "'Detmar Liesen'" <counter.spy at ...348...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, June 28, 2002 2:56 PM
Subject: RE: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address


> Detmar,
>
> You said "Changing registry settings isn't that bad if you know what
> you're doing", and that is my concern. I don't think that hacking the
> registry or editing it should be condoned in the FAQ for Snort. The
> information is out there. There are other ways of doing this without
> hacking or editing the registry, although this is the cheaper, and
> quicker way to do it.
>
> We do use the Registry to manipulate my interface on our Windows sensor.
>
> -Michael
> --
>  Michael Steele | System Engineer / Support Technician
>  mailto:michaels at ...155...
>  Silicon Defense: IDS solutions - http://www.silicondefense.com
>  Snort: Open Source Network IDS - http://www.snort.org
>
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Detmar
> Liesen
> Sent: Friday, June 28, 2002 8:21 AM
> To: michaels at ...155...; scotw at ...125...
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address
>
> I don't understand Michael's concerns.
> Changing registry settings isn't that bad if you know what you're doing.
> I myself used a registry hack that was posted on this list some months
> ago. I disable APIPA (Automated Private IP Addressing) in the registry:
>
> -> regedit -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\adapter_name
> create an entry: IPAutoconfigurationEnabled: REG_DWORD
> -> value: 0
>
> The interface will default to 0.0.0.0
>
> I used this for RealSecure, because unbinding the whole IP stack from
> the NIC wasn't possible using a Compaq Netelligent dual NIC.
> If you unbind one interface, the other one, which I still needed for
> reporting, is unbound as well. So I needed some other trick for setting
> up a stealth interface (Only for testing - on our production net we are
> using read-only taps anyway).
>
> It works just fine and I got no problems at all.
> However I prefer Linux for NIDS - it's faster and nicer, can be hardened
> properly and its licence is free.
> But I don't want to start a holy war again ;)
>
> BTW: I have also sent an FAQ contribution to Dragos some weeks ago
> (sniffing in switched LAN) and never got a reply.
> He seems to be _very_ busy or he does not read his mail any more.
>
> Cheers,
> Detmar
>
> previous messages:
> -------------------------------------------------------------------
> Scot,
>
> Hopefully they won't place it in the FAQ's. Editing the Registry is a
> major responsibility and the fewer people doing it the better. I'm sure
> you and everyone else that is Windows savvy, knows what one wrong slip
> can do to your OS. This is not mainstream and will only contribute to a
> very few people, and could be devastating to many others.
>
>  -Michael
>
>  Michael Steele | System Engineer / Support Technician
>  mailto:michaels at ...155...
>  Silicon Defense: IDS solutions - http://www.silicondefense.com
>  Snort: Open Source Network IDS - http://www.snort.org
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Scot Scot
> Sent: June 27, 2002 3:32 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address
>
> I'd like to add to the Snort FAQ, I sent this update to: Dragos Ruiu at
> dr at ...381..., but no response has been sent back. Perhaps he'z a little
> busy /wait.
>
> http://www.snort.org/docs/faq.html
>
> Under Section 3: Configuring Snort
> ----------------------------------
> 3.2 Q:  How do I run snort on an interface with no IP address?
>
> I would like to add some info for the Windowz users out there. Below is
> a detailed explanation of how to bring a Windowz interface up with no IP
> Address. If you try to type "Null" values in the GUI, Windowz will error
> and prevent you from doing so. Following is the proper Registry modification
> (Should work for NT-W2K-XP). I have tested and verified functionality on
> W2K.
>
> Please let me know if corrections are needed, I'll take care of it.
>
> Thankz.
>
> Scot Wiedenfeld
> ____________________________________________________
>
> Setting the Snort Monitoring Interface to operate in Windowz 2000
> without an IP Address.
>
> 1. open Regedt32
> 2. Navigate out to:
> -----HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
> 3. Select the network card you wish to setup as the monitoring interface
> (this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value).
>
> If you do not know what the device's Hex value is, run snort from the
> command line and type the following:
>
> (Example if snort is in the C:\snort\ directory)
>
> C:\snort\snort -W
>
> This will provide you a list of enabled network adapters and the
> corresponding Hex Value in the registry.
>
> 4. Set the IPAddress:REG_MULTI_SZ: to nothing (Double click on the
> string, delete data in the Multi-String Editor, then click OK)
> 5. Set the SubnetMask:REG_MULTI_SZ: to nothing (Double click on the
> string, delete data in the Multi-String Editor, then click OK)
> 6. Set the DefaultGateway:REG_MULTI_SZ: to nothing (Double click on the
> string, delete data in the Multi-String Editor, then click OK)
> 7. Close the Registry Editor, your changes will be saved automatically.
> 8. Return to the command prompt and type the following to verify there
> is no IP bound to the interface:
>
> C:\ipconfig
>
> 9. You should not receive an IP address listing from the interface you
> modified.
> 10. Fire Snort up on the interface you modified to verify you are able to
> sniff off the wire.
>
> (Example if snort is in the C:\snort\ directory and you modified
> ethernet adapter #1)
>
> C:\snort\snort -dev -i1
>
> 11. Wa-laa
> 12. Go get a Code Red or beverage of choice for doing such a good job.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
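The thread describes clearing IPAddress, SubnetMask and DefaultGateway under the interface's Tcpip\Parameters\Interfaces key and, in Detmar's variant, setting IPAutoconfigurationEnabled to 0 so APIPA cannot hand the sensor a 169.254.x.x address. The script below is an added read-only audit, not code from the thread or from the Snort project: it walks those registry keys and reports, per interface, whether anything could still bind an address to it. It assumes Windows PowerShell 5.1 or later. The EnableDHCP value and the Get-NetAdapter mapping from GUID to adapter name are not mentioned in the thread; EnableDHCP is included because a cleared static address still leaves DHCP free to assign one, and the name mapping is optional and skipped on systems without Get-NetAdapter.

```powershell
# Added example (not from the thread): audit which Windows TCP/IP interfaces are
# left with no way to acquire an IP address, as the thread's registry procedure
# intends for a Snort monitoring interface. Read-only: nothing is written.
# Assumes Windows PowerShell 5.1+. Get-NetAdapter (Windows 8 / Server 2012+) is
# used only to map the interface GUID to a friendly name and is optional.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

# Optional GUID -> adapter name map; silently skipped where the cmdlet is absent.
$names = @{}
try {
    Get-NetAdapter -ErrorAction Stop | ForEach-Object {
        $names[$_.InterfaceGuid.ToString().ToLower()] = $_.Name
    }
} catch { }

function Test-Empty {
    # REG_MULTI_SZ values come back as string[]; treat $null, an empty array,
    # and arrays of blank strings all as "nothing configured".
    param($Value)
    $nonBlank = @(@($Value) | Where-Object { $_ -and $_.Trim() -ne '' })
    return ($nonBlank.Count -eq 0)
}

$report = foreach ($key in Get-ChildItem $base) {
    $guid = $key.PSChildName.ToLower()
    $p = Get-ItemProperty -Path $key.PSPath

    # Steps 4-6 of the thread: all three multi-strings cleared.
    $noStatic = (Test-Empty $p.IPAddress) -and
                (Test-Empty $p.SubnetMask) -and
                (Test-Empty $p.DefaultGateway)

    # Detmar's tweak: IPAutoconfigurationEnabled = 0 disables APIPA (169.254.x.x).
    $apipaOff = ($null -ne $p.IPAutoconfigurationEnabled) -and
                ($p.IPAutoconfigurationEnabled -eq 0)

    # Assumption not covered by the thread: EnableDHCP = 1 means the stack may
    # still obtain an address from a DHCP server even with no static one set.
    $dhcpOn = ($null -ne $p.EnableDHCP) -and ($p.EnableDHCP -eq 1)

    [pscustomobject]@{
        Interface = if ($names.ContainsKey($guid)) { $names[$guid] } else { $guid }
        StaticIP  = if ($noStatic) { '(none)' } else { @($p.IPAddress) -join ',' }
        DHCP      = $dhcpOn
        APIPAOff  = $apipaOff
        # "Stealth" here means: no static address, DHCP off, and APIPA disabled,
        # so no address can end up bound to the interface.
        Stealth   = ($noStatic -and (-not $dhcpOn) -and $apipaOff)
    }
}

$report | Format-Table -AutoSize
```

Run it after the registry edits and before starting Snort: a row whose Stealth column is False tells you which of the three conditions still lets the interface pick up an address, whereas the thread's ipconfig check only shows what is bound at that moment.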