[Snort-users] Setting up a Windowz Interface to monitor with no IP Address

CJATeck at ...661... CJATeck at ...661...
Fri Jun 28 08:27:01 EDT 2002


I do NOT use the registry hack although I am aware of it; for my "External 
Interface" I do the following.

1) I use a copper tap (Finisar) as the physical device to intercept traffic 
between my boundary router and the outside firewall interface; as this is a 
"receive only" device, it provides protection at the OSI physical layer.
2) On a WIN32 box I disable ALL but the TCP/IP stack. (NO file & print, NO MS 
client, etc.)
3) I leave the interface set for "DHCP", no hard IP info (NO unicast address, 
NO subnet, NO DNS, etc.)
4) I disable the DHCP service.

RESULT- provides a promiscuous interface that is protected from detection and 
intrusion at both layer 1 and layer 3 of the OSI model.

Hope this clarifies things.

Cliff

In a message dated 6/28/2002 11:07:52 AM Eastern Daylight Time, 
Keith.McCammon at ...3497... writes: 
> How about just disabling TCP/IP on that interface by un-checking the 
> component?  Why muck around with the registry?
>  
>> -----Original Message-----
>> From: CJATeck at ...661... [mailto:CJATeck at ...661...]
>> Sent: Friday, June 28, 2002 10:51 AM
>> To: tslighter at ...5174...; michaels at ...155...; 
>> scotw at ...125...
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Setting up a Windowz Interface to monitor with 
>> no IP Address
>> 
>> 
>> Also, need to disable the DHCP service so the NIC interface gets a default 
>> 0.0.0.0 address.
>> 
>> Cliff 
>> 
>> In a message dated 6/28/2002 9:46:03 AM Eastern Daylight Time, 
>> tslighter at ...5174... writes: 
>>> I did find that for those who are uncomfortable with poking away at the
>>> registry blindfolded, there is an easier way to set up a "stealth" interface
>>> on a windows system.  Just simply configure the interface for DHCP and it
>>> will never obtain an IP address but will still be in the "UP" state.
>>> 
>>> -----Original Message-----
>>> From: Michael Steele [mailto:michaels at ...155...]
>>> Sent: Thursday, June 27, 2002 8:57 PM
>>> To: 'Scot Scot'
>>> Cc: snort-users at lists.sourceforge.net
>>> Subject: RE: [Snort-users] Setting up a Windowz Interface to monitor
>>> with no IP Address
>>> 
>>> 
>>> Scot,
>>> 
>>> Hopefully they won't place it in the FAQ's. Editing the Registry is a
>>> major responsibility and the fewer people doing it the better. I'm sure
>>> you and everyone else that is Windows savvy knows what one wrong slip
>>> can do to your OS. This is not mainstream and will only contribute to a
>>> very few people, and could be devastating to many others.
>>> 
>>> -Michael
>>> 
>>> Michael Steele | System Engineer / Support Technician
>>> mailto:michaels at ...155...
>>> Silicon Defense: IDS solutions - http://www.silicondefense.com
>>> Snort: Open Source Network IDS - http://www.snort.org
>>> 
>>> 
>>> -----Original Message-----
>>> From: snort-users-admin at lists.sourceforge.net
>>> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Scot Scot
>>> Sent: June 27, 2002 3:32 PM
>>> To: snort-users at lists.sourceforge.net
>>> Subject: [Snort-users] Setting up a Windowz Interface to monitor with no
>>> IP Address
>>> 
>>> I'd like to add to the Snort FAQ, I sent this update to: Dragos Ruiu at 
>>> dr at ...381..., but no response has been sent back. Perhaps he'z a little
>>> busy /wait.
>>> 
>>> http://www.snort.org/docs/faq.html
>>> 
>>> Under Section 3: Configuring Snort
>>> ----------------------------------
>>> 3.2 Q:  How do I run snort on an interface with no IP address?
>>> 
>>> I would like to add some info for the Windowz users out there. Below is a
>>> detailed explanation of how to bring a Windowz interface up with no IP 
>>> Address. If you try to type "Null" values in the GUI, Windowz will error and
>>> prevent you from doing so. Following is the proper Registry modification
>>> (Should work for NT-W2K-XP). I have tested and verified functionality on
>>> W2K.
>>> 
>>> Please let me know if corrections are needed, I'll take care of it.
>>> 
>>> Thankz.
>>> 
>>> Scot Wiedenfeld
>>> ____________________________________________________
>>> 
>>> Setting the Snort Monitoring Interface to operate in Windowz 2000
>>> without an IP Address.
>>> 
>>> 1. Open Regedt32
>>> 2. Navigate out to:
>>> -----HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
>>> 3. Select the network card you wish to set up as the monitoring interface
>>> (this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value).
>>> 
>>>  If you do not know what the device's Hex value is, run snort from the 
>>> command line and type the following:
>>> 
>>>  (Example if snort is in the C:\snort\ directory)
>>> 
>>>  C:\snort\snort -W
>>> 
>>> This will provide you a list of enabled network adapters and the 
>>> corresponding Hex Value in the registry.
>>> 
>>> 4. Set the IPAddress:REG_MULTI_SZ: to nothing (Double click on the string, 
>>> delete data in the Multi-String Editor, then click OK)
>>> 5. Set the SubnetMask:REG_MULTI_SZ: to nothing (Double click on the string, 
>>> delete data in the Multi-String Editor, then click OK)
>>> 6. Set the DefaultGateway:REG_MULTI_SZ: to nothing (Double click on the 
>>> string, delete data in the Multi-String Editor, then click OK)
>>> 7. Close the Registry Editor, your changes will be saved automatically.
>>> 8. Return to the command prompt and type the following to verify there is no 
>>> IP bound to the interface:
>>> 
>>>  C:\ipconfig
>>> 
>>> 9. You should not receive an IP address listing from the interface you 
>>> modified.
>>> 10. Fire Snort up on the interface you modified to verify you are able to
>>> sniff off the wire.
>>> 
>>>  (Example if snort is in the C:\snort\ directory and you modified ethernet 
>>> adapter #1)
>>> 
>>>  C:\snort\snort -dev -i1
>>> 
>>> 11. Wa-laa
>>> 12. Go get a Code Red or beverage of choice for doing such a good job.
>>> 
>>> 
>>> 
>>> 
>>> -------------------------------------------------------
>>> This sf.net email is sponsored by:ThinkGeek
>>> Bringing you mounds of caffeinated joy.
>>> http://thinkgeek.com/sf
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020628/8dfd7c62/attachment.html>
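The thread describes two ways of leaving a Windows sensor NIC without a layer-3 address (Scot's registry edit of the per-interface IPAddress, SubnetMask and DefaultGateway values, and Cliff's variant of leaving the NIC on DHCP with the DHCP client service stopped) and recommends stripping every binding except TCP/IP. The PowerShell script below is an added example, not code from the thread or from the Snort project: it audits a named adapter on a modern Windows host and reports whether those registry values are cleared, whether the non-TCP/IP bindings are disabled, and whether any routable IPv4 address is currently bound. It assumes PowerShell 5 or later with the NetAdapter and NetTCPIP modules (Windows 8 / Server 2012 and later) and an elevated prompt; the adapter name 'Ethernet 2' is a placeholder.

```powershell
# Added example, not from the thread: audit a Windows NIC intended as a passive
# Snort monitoring interface and report whether it still carries any layer-3
# configuration. Assumes PowerShell 5+ with the NetAdapter/NetTCPIP modules
# (Windows 8 / Server 2012 and later). Run from an elevated prompt.
param(
    # Placeholder adapter name; substitute the alias shown by Get-NetAdapter.
    [string]$AdapterName = 'Ethernet 2'
)

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop

# Same per-interface key the thread edits; the subkey name is the adapter GUID.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\' +
           $adapter.InterfaceGuid
$props = Get-ItemProperty -Path $regPath -ErrorAction Stop

# REG_MULTI_SZ values come back as string arrays; missing or all-blank means cleared.
function Test-Cleared {
    param($Value)
    return ($null -eq $Value) -or (@($Value | Where-Object { $_ -ne '' }).Count -eq 0)
}

$checks = [ordered]@{
    'IPAddress cleared in registry'      = Test-Cleared $props.IPAddress
    'SubnetMask cleared in registry'     = Test-Cleared $props.SubnetMask
    'DefaultGateway cleared in registry' = Test-Cleared $props.DefaultGateway
}

# The thread recommends leaving only TCP/IP bound on the sensor NIC (no file
# and print sharing, no MS client); flag every other binding that is still on.
foreach ($b in Get-NetAdapterBinding -Name $AdapterName) {
    if ($b.ComponentID -notin @('ms_tcpip', 'ms_tcpip6')) {
        $checks["Binding off: $($b.DisplayName)"] = (-not $b.Enabled)
    }
}

# Live state: a unicast IPv4 address other than 0.0.0.0 or an APIPA address
# means the NIC is reachable at layer 3 regardless of what the registry says.
$live = Get-NetIPAddress -InterfaceAlias $AdapterName -AddressFamily IPv4 `
        -ErrorAction SilentlyContinue
$routable = @($live | Where-Object {
    $_.IPAddress -ne '0.0.0.0' -and $_.IPAddress -notlike '169.254.*'
})
$checks['No routable IPv4 address bound'] = ($routable.Count -eq 0)

# Informational only: Cliff's variant leaves the NIC on DHCP and stops the
# client service, so report both rather than grade them.
$dhcpSvc = Get-Service -Name Dhcp -ErrorAction SilentlyContinue
"Adapter        : $($adapter.Name) ($($adapter.InterfaceGuid))"
"EnableDHCP     : $($props.EnableDHCP)"
"DHCP Client svc: $(if ($dhcpSvc) { $dhcpSvc.Status } else { 'not found' })"

$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) { "[OK]   $name" } else { "[FAIL] $name"; $failed++ }
}
if ($failed -eq 0) { "Interface looks suitable as a passive monitoring interface." }
else { "$failed check(s) failed; the interface still has layer-3 configuration." }
```

Run it as `.\Audit-SensorNic.ps1 -AdapterName 'Ethernet 2'` (the script name is assumed). Two caveats worth keeping in mind when applying the thread's advice: stopping the DHCP Client service as Cliff describes is host-wide, so a sensor whose separate management NIC relies on DHCP loses its lease as well, and the registry edit only clears the static IPv4 values, so the live-address check above is what actually confirms the NIC has nothing routable bound before Snort is pointed at it.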

