[Snort-users] Setting up a Windowz Interface to monitor with no IP Address

McCammon, Keith Keith.McCammon at ...3497...
Fri Jun 28 08:43:08 EDT 2002


Don't unbind TCP/IP, just remove the cute little Windows check mark, so that the TCP/IP component is not active on that interface.  I realize the registry is fun and safe, if you have a clue, but why even go through the extra steps, when it takes two seconds to disabled the component?

-----Original Message-----
From: Detmar Liesen [mailto:counter.spy at ...348...]
Sent: Friday, June 28, 2002 11:21 AM
To: michaels at ...155...; scotw at ...125...
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Setting up a Windowz Interface to monitor
with no IP Address


I don't understand Micheal's concerns.
Changing registry settings isn't that bad if you know what you're doing.
I myself used a registry hack that was posted on this list some months
ago. I disable APIPA (Automated Private IP Addressing) in the registry:

-> regedit -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\Interfaces\adapter_name
create an entry: IPAutoconfigurationEnabled: REG_DWORD
-> value: 0

The interface will default to 0.0.0.0

I used this for RealSecure, because unbinding the whole IP stack from the
NIC wasn't possible using a Compaq Netelligent dual NIC.
If you unbind one interface, the other one, which I still needed for
reporting,
is unbound as well. So I needed some other trick for setting up a stealth
interface
(Only for testing - on our production net we are using read-only taps
anyway).

It works just fine and I got no problems at all.
However I prefer Linux for NIDS - it's faster and nicer, can be hardened
properly and it's licence is free.
But I don't want to start a holy war again ;)

BTW: I have also sent an FAQ contribution to Dragos some weeks ago 
(sniffing in switched LAN) and never got a reply.
He seems to be _very_ busy or he does not read his mail any more.

Cheers,
Detmar





More information about the Snort-users mailing list