[Snort-users] Setting up a Windowz Interface to monitor with no IP Address

CJATeck at ...661... CJATeck at ...661...
Fri Jun 28 07:52:02 EDT 2002


Also, need to disable the DHCP service so the NIC interface gets a default 
0.0.0.0 address.

Cliff 

In a message dated 6/28/2002 9:46:03 AM Eastern Daylight Time, 
tslighter at ...5174... writes: 
> I did find that for those who are uncomfortable with poking away at the
> registry blindfolded, there is an easier way to set up a "stealth" interface
> on a windows system.  Just simply configure the interface for DHCP and it
> will never obtain an IP address but will still be in the "UP" state.
> 
> -----Original Message-----
> From: Michael Steele [mailto:michaels at ...155...]
> Sent: Thursday, June 27, 2002 8:57 PM
> To: 'Scot Scot'
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Setting up a Windowz Interface to monitor
> with no IP Address
> 
> 
> Scot,
> 
> Hopefully they won't place it in the FAQs. Editing the Registry is a
> major responsibility and the fewer people doing it the better. I'm sure
> you and everyone else that is Windows savvy knows what one wrong slip
> can do to your OS. This is not mainstream and will only contribute to a
> very few people, and could be devastating to many others.
> 
> -Michael
> 
> Michael Steele | System Engineer / Support Technician
> mailto:michaels at ...155...
> Silicon Defense: IDS solutions - http://www.silicondefense.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Scot Scot
> Sent: June 27, 2002 3:32 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Setting up a Windowz Interface to monitor with no
> IP Address
> 
> I'd like to add to the Snort FAQ, I sent this update to: Dragos Ruiu at
> dr at ...381..., but no response has been sent back. Perhaps he'z a little
> busy /wait.
> 
> http://www.snort.org/docs/faq.html
> 
> Under Section 3: Configuring Snort
> ----------------------------------
> 3.2 Q:  How do I run snort on an interface with no IP address?
> 
> I would like to add some info for the Windowz users out there. Below is a
> detailed explanation of how to bring a Windowz interface up with no IP
> Address. If you try to type "Null" values in the GUI, Windowz will error and
> prevent you from doing so. Following is the proper Registry modification
> (Should work for NT-W2K-XP). I have tested and verified functionality on W2K.
> 
> Please let me know if corrections are needed, I'll take care of it.
> 
> Thankz.
> 
> Scot Wiedenfeld
> ____________________________________________________
> 
> Setting the Snort Monitoring Interface to operate in Windowz 2000 without an
> IP Address.
> 
> 1. Open Regedt32
> 2. Navigate out to:
>    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
> 3. Select the network card you wish to set up as the monitoring interface
> (this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value).
> 
>   If you do not know what the device's Hex value is, run snort from the
> command line and type the following:
> 
>   (Example if snort is in the C:\snort\ directory)
> 
>   C:\snort\snort -W
> 
> This will provide you a list of enabled network adapters and the 
> corresponding Hex Value in the registry.
> 
> 4. Set the IPAddress:REG_MULTI_SZ: to nothing (Double click on the string,
> delete data in the Multi-String Editor, then click OK)
> 5. Set the SubnetMask:REG_MULTI_SZ: to nothing (Double click on the string,
> delete data in the Multi-String Editor, then click OK)
> 4. Set the DefaultGateway:REG_MULTI_SZ: to nothing (Double click on the
> string, delete data in the Multi-String Editor, then click OK)
> 6. Close the Registry Editor, your changes will be saved automatically.
> 7. Return to the command prompt and type the following to verify there is no
> IP bound to the interface:
> 
>   C:\>ipconfig
> 
> 8. You should not receive an IP address listing from the interface you
> modified.
> 9. Fire Snort up on the interface you modified to verify you are able to
> sniff off the wire.
> 
>   (Example if snort is in the C:\snort\ directory and you modified ethernet
> adapter #1)
> 
>   C:\snort\snort -dev -i1
> 
> 10. Wa-laa
> 11. Go get a Code Red or beverage of choice for doing such a good job.
> 
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Bringing you mounds of caffeinated joy.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> 
> 
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020628/792fa465/attachment.html>
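
A read-only way to check the outcome of the registry procedure and the DHCP variants discussed in this thread, written in PowerShell as an added example (not part of any of the original messages). The function names are made up for illustration; `EnableDHCP` and `DhcpIPAddress` are values in the same interface key that the thread does not mention, and `ipconfig` remains the check the original post uses.

```powershell
# Added example (not from the thread): read-only audit, makes no registry changes.
$TcpipInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Test-NoAddress {
    param($Value)
    # REG_MULTI_SZ arrives as string[]; missing, empty and 0.0.0.0 all count as "no address".
    $real = @(@($Value) | Where-Object { $_ -and $_ -ne '0.0.0.0' })
    return ($real.Count -eq 0)
}

function Get-MonitorInterfaceReport {
    param(
        # Adapter GUID including braces; omit to report on every interface key.
        [string]$InterfaceGuid
    )
    $keys = if ($InterfaceGuid) {
        Get-Item -LiteralPath (Join-Path $TcpipInterfaces $InterfaceGuid)
    } else {
        Get-ChildItem -LiteralPath $TcpipInterfaces
    }
    # DHCP Client service state, relevant to the reply about disabling that service.
    $dhcpService = (Get-Service -Name Dhcp -ErrorAction SilentlyContinue).Status

    foreach ($key in $keys) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath
        $dhcpOn = ($p.EnableDHCP -eq 1)
        # With DHCP on, the bound address is the lease; otherwise it is the static entry.
        $noAddress = if ($dhcpOn) { Test-NoAddress $p.DhcpIPAddress } else { Test-NoAddress $p.IPAddress }
        [pscustomobject]@{
            Interface          = $key.PSChildName
            DhcpEnabled        = $dhcpOn
            DhcpClientService  = $dhcpService
            StaticIPEmpty      = Test-NoAddress $p.IPAddress
            SubnetMaskEmpty    = Test-NoAddress $p.SubnetMask
            GatewayEmpty       = Test-NoAddress $p.DefaultGateway
            RegistryNoAddress  = $noAddress
        }
    }
}

# Report on every interface; pass -InterfaceGuid '{...}' to check only the monitoring NIC.
Get-MonitorInterfaceReport | Format-Table -AutoSize
```

`RegistryNoAddress` reflects only what the registry holds, so confirm with `ipconfig` and a Snort capture on the interface as in steps 7 to 9 of the original post.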

