[Snort-users] Setting up a Windowz Interface to monitor with no IP Address

Scot Scot scotw at ...125...
Thu Jun 27 15:33:03 EDT 2002


I'd like to add to the Snort FAQ, I sent this update to: Dragos Ruiu at 
dr at ...381..., but no response has been sent back. Perhaps he'z a little busy 
/wait.

http://www.snort.org/docs/faq.html

Under Section 3: Configuring Snort
----------------------------------
3.2 Q:  How do I run snort on an interface with no IP address?

I would like to add some info for the Windowz users out there. Below is a 
detailed explanation of how to bring a Windowz interface up with no IP 
Address. If you try to type "Null" values in the GUI, Windowz will error and 
prevent you from doing so. Following is the proper Registry modification 
(Should work for NT-W2K-XP). I have tested and verified functionality on 
W2K.

Please let me know if corrections are needed, I'll take care of it.

Thankz.

Scot Wiedenfeld
____________________________________________________

Setting the Snort Monitoring Interface to operate in Windowz 2000 without an 
IP Address.

1. open Regedt32
2. Navigate out to:
-----HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
3. Select the network card you wish to setup as the monitoring interface 
(this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value).

	If you do not know what the device's Hex value is, run snort from the 
command line and type the following:

	(Example if snort is in the C:\snort\ directory)

	C:\snort\snort -W

This will provide you a list of enabled network adapters and the 
corresponding Hex Value in the registry.

4. Set the IPAddress:REG_MULTI_SZ: to nothing (Double click on the string, 
delete data in the Multi-String Editor, then click OK)
5. Set the SubnetMask:REG_MULTI_SZ: to nothing (Double click on the string, 
delete data in the Multi-String Editor, then click OK)
6. Set the DefaultGateway:REG_MULTI_SZ: to nothing (Double click on the 
string, delete data in the Multi-String Editor, then click OK)
7. Close the Registry Editor, your changes will be saved automatically.
8. Return to the command prompt and type the following to verify there is no 
IP bound to the interface:

	C:\ipconfig

9. You should not receive an IP address listing from the interface you 
modified.
10. Fire Snort up on the interface you modified to verify you are able to 
sniff off the wire.

	(Example if snort is in the C:\snort\ directory and you modified ethernet 
adapter #1)

	C:\snort\snort -dev -i1

11. Wa-laa
12. Go get a Code Red or beverage of choice for doing such a good job.

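As an added example that is not part of the original post: a PowerShell script that audits the same three REG_MULTI_SZ values on every Tcpip interface key and can clear them from the command line instead of the Multi-String Editor. It assumes an elevated prompt, the registry path and value names given above, the interface GUID reported by snort -W, and a PowerShell that the NT/W2K-era machines in the post would not have had.

```powershell
# Added example, not from the original post. Audits the registry values the
# post edits and can clear them without the GUI. Run from an elevated prompt.
# Assumed: $Base is the key path named in the post and the GUID you pass is
# the one "snort -W" reports for the monitoring adapter.
$Base  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$Names = 'IPAddress', 'SubnetMask', 'DefaultGateway'

function Get-StaticIpBinding {
    # Returns the three values for one interface key plus a flag that is
    # $true when all of them are empty, i.e. no IP is bound to the NIC.
    param([Parameter(Mandatory)][string]$Guid)
    $props = Get-ItemProperty -Path (Join-Path $Base $Guid) -ErrorAction Stop
    $state = [ordered]@{ Interface = $Guid }
    $bound = $false
    foreach ($n in $Names) {
        # A missing value and a REG_MULTI_SZ with no strings both count as empty.
        $vals = @(@($props.$n) | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
        $state[$n] = $vals -join ','
        if ($vals.Count -gt 0) { $bound = $true }
    }
    $state['NoIpBound'] = -not $bound
    [pscustomobject]$state
}

function Clear-StaticIpBinding {
    # Same effect as deleting the data in the Multi-String Editor: each of
    # the three values becomes an empty REG_MULTI_SZ. The .NET registry API
    # is used because it accepts an empty string array directly.
    param([Parameter(Mandatory)][string]$Guid)
    $key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$Guid"
    foreach ($n in $Names) {
        [Microsoft.Win32.Registry]::SetValue($key, $n, [string[]]@(),
            [Microsoft.Win32.RegistryValueKind]::MultiString)
    }
    # Re-read the key so the caller sees the cleared state, as ipconfig would.
    Get-StaticIpBinding -Guid $Guid
}

# Audit every interface key; the monitoring NIC should show NoIpBound = True.
Get-ChildItem -Path $Base |
    ForEach-Object { Get-StaticIpBinding -Guid $_.PSChildName } |
    Format-Table -AutoSize
```

Call Clear-StaticIpBinding -Guid '{your-adapter-guid}' only for the adapter you intend to sniff on; clearing the wrong key leaves that NIC with no static address until you restore it.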