[Snort-users] Setting up a Windowz Interface to monitor with no IP Address

McCammon, Keith Keith.McCammon at ...3497...
Fri Jun 28 08:41:04 EDT 2002


Am I missing something!?!  Why steps two through four?  There's no reason to have TCP/IP enabled at all on that interface.  Winpcap is doing the work, not the (shady) Windows IP stack.

-----Original Message-----
From: CJATeck at ...661... [mailto:CJATeck at ...661...]
Sent: Friday, June 28, 2002 11:25 AM
To: McCammon, Keith; tslighter at ...5174...; michaels at ...155...; scotw at ...670......
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address


I do NOT use the registry hack, although I am aware of it. For my "External Interface" I do the following.

1) I use a copper tap (Finisar) as the physical device to intercept traffic between my boundary router and the outside firewall interface. As this is a "receive only" device, it provides protection at the OSI physical layer.
2) On a WIN32 box I disable ALL but the TCP/IP stack. (NO file & print, NO MS client, etc.)
3) I leave the interface set for "DHCP", no hard IP info (NO unicast address, NO subnet, NO DNS, etc.)
4) I disable the DHCP service.

RESULT- provides a promiscuous interface that is protected from detection and intrusion at both layer 1 and layer 3 of the OSI model.

Hope this clarifies things.

Cliff

In a message dated 6/28/2002 11:07:52 AM Eastern Daylight Time, Keith.McCammon at ...3497... writes: 


How about just disabling TCP/IP on that interface by un-checking the component?  Why muck around with the registry?



-----Original Message-----
From: CJATeck at ...661... [mailto:CJATeck at ...661...]
Sent: Friday, June 28, 2002 10:51 AM
To: tslighter at ...5174...; michaels at ...155...; scotw at ...125...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address


