[Snort-users] Setting up a Windowz Interface to monitor with no IP Address

Detmar Liesen counter.spy at ...348...
Fri Jun 28 08:21:07 EDT 2002

I don't understand Micheal's concerns.
Changing registry settings isn't that bad if you know what you're doing.
I myself used a registry hack that was posted on this list some months
ago. I disable APIPA (Automated Private IP Addressing) in the registry:

-> regedit -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
create an entry: IPAutoconfigurationEnabled: REG_DWORD
-> value: 0

The interface will default to

I used this for RealSecure, because unbinding the whole IP stack from the
NIC wasn't possible using a Compaq Netelligent dual NIC.
If you unbind one interface, the other one, which I still needed for
is unbound as well. So I needed some other trick for setting up a stealth
(Only for testing - on our production net we are using read-only taps

It works just fine and I got no problems at all.
However I prefer Linux for NIDS - it's faster and nicer, can be hardened
properly and it's licence is free.
But I don't want to start a holy war again ;)

BTW: I have also sent an FAQ contribution to Dragos some weeks ago 
(sniffing in switched LAN) and never got a reply.
He seems to be _very_ busy or he does not read his mail any more.


previous messages:

Hopefully they won't place it in the FAQ's. Editing the Registry is a
major responsibility and the fewer people doing it the better. I'm sure
you and everyone else that is Windows savy, knows what one wrong slip
can do to your OS. This is not mainstream and will only contribute to a
very few people, and could be devastating to many others.


 Michael Steele | System Engineer / Support Technician
 mailto:michaels at ...155...
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Scot Scot
Sent: June 27, 2002 3:32 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Setting up a Windowz Interface to monitor with no
IP Address

I'd like to add to the Snort FAQ, I sent this update to: Dragos Ruiu at 
dr at ...381..., but no response has been sent back. Perhaps he'z a little


Under Section 3: Configuring Snort
3.2 Q:  How do I run snort on an interface with no IP address?

I would like to add some info for the Windowz users out there. Below is
detailed explanation of how to bring a Windowz interface up with no IP 
Address. If you try to type "Null" values in the GUI, Windowz will error
prevent you from doing so. Following is the proper Registry modification

(Should work for NT-W2K-XP). I have tested and verified functionality on


Please let me know if corrections are needed, I'll take care of it.


Scot Wiedenfeld

Setting the Snort Monitoring Interface to operate in Windowz 2000
without an 
IP Address.

1. open Regedt32
2. Navigate out to:
3. Select the network card you wish to setup as the monitoring interface

(this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value).

If you do not know what the device's Hex value is, run snort
>from the 
command line and type the following:

(Example if snort is in the C:\snort\ directory)

C:\snort\snort -W

This will provide you a list of enabled network adapters and the 
corresponding Hex Value in the registry.

4. Set the IPAddress:REG_MULTI_SZ: to nothing (Double click on the
delete data in the Multi-String Editor, then click OK)
5. Set the SubnetMask:REG_MULTI_SZ: to nothing (Double click on the
delete data in the Multi-String Editor, then click OK)
4. Set the DefaultGateway:REG_MULTI_SZ: to nothing (Double click on the 
string, delete data in the Multi-String Editor, then click OK)
6. Close the Registry Editor, your changes will be saved automatically.
7. Return to the command prompt and type the following to verify there
is no 
IP bound to the interface:


8. You should not recieve an IP address listing from the interface you 
9. Fire Snort up on the interface you modified to verify you are able to

sniff off the wire.

(Example if snort is in the C:\snort\ directory and you modified
adapter #1)

C:\snort\snort -dev -i1

10. Wa-laa
11. Go get a Code Red or beverage of choice for doing such a good job.

Join the world's largest e-mail service with MSN Hotmail. 

This sf.net email is sponsored by:ThinkGeek
Bringing you mounds of caffeinated joy.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

GMX - Die Kommunikationsplattform im Internet.

More information about the Snort-users mailing list