[Snort-users] Setting up a Windowz Interface to monitor with no IP Address

CJATeck at ...661... CJATeck at ...661...
Fri Jun 28 08:54:05 EDT 2002


I found in early testing that WinPCap did NOT always work correctly (I 
understand WinPCap is supposed to work at layer 2 directly with the NIC 
interface driver and as such a full IP stack should not be needed) when the 
MS TCP/IP stack was disabled. This may not be others' experience, as I have 
noted several different procedures that appear to work addressed on these 
mailing lists. I can only tell you what works for me. If you have found a 
better way to make a wheel, more power to ya.
The END result is what is important, a secure sensor that can not be detected 
or intruded upon.

Cliff (smile)

In a message dated 6/28/2002 11:40:34 AM Eastern Daylight Time, 
Keith.McCammon at ...3497... writes: 
> Am I missing something!?!  Why steps two through four?  There's no reason to 
> have TCP/IP enabled at all on that interface.  Winpcap is doing the work, 
> not the (shady) Windows IP stack.
>  
>> -----Original Message-----
>> From: CJATeck at ...661... [mailto:CJATeck at ...661...]
>> Sent: Friday, June 28, 2002 11:25 AM
>> To: McCammon, Keith; tslighter at ...5174...; 
>> michaels at ...155...; scotw at ...125...
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Setting up a Windowz Interface to monitor with 
>> no IP Address
>> 
>> 
>> I do NOT use the registry hack although I am aware of it, for my "External 
>> Interface" I do the following.
>> 
>> 1) I use a copper tap (Finisar) as the physical device to intercept 
>> traffic between my boundary router and the outside firewall interface; as 
>> this is a "receive only" device, it provides protection at the OSI physical 
>> layer.
>> 2) On a WIN32 box I disable ALL but the TCP/IP stack. (NO file & print, NO 
>> MS client, etc.)
>> 3) I leave the interface set for "DHCP", no hard IP info (NO unicast 
>> address, NO subnet, NO DNS, etc.)
>> 4) I disable the DHCP service.
>> 
>> RESULT- provides a promiscuous interface that is protected from detection 
>> and intrusion at both layer 1 and layer 3 of the OSI model.
>> 
>> Hope this clarifies things.
>> 
>> Cliff
>> 
>> In a message dated 6/28/2002 11:07:52 AM Eastern Daylight Time, 
>> Keith.McCammon at ...3497... writes: 
>>> How about just disabling TCP/IP on that interface by un-checking the 
>>> component?  Why muck around with the registry?
>>> 
>>>> -----Original Message-----
>>>> From: CJATeck at ...661... [mailto:CJATeck at ...661...]
>>>> Sent: Friday, June 28, 2002 10:51 AM
>>>> To: tslighter at ...5174...; michaels at ...155...; 
>>>> scotw at ...125...
>>>> Cc: snort-users at lists.sourceforge.net
>>>> Subject: Re: [Snort-users] Setting up a Windowz Interface to monitor 
>>>> with no IP Address
>>>> 
>>>> 
>>> 
>> 
> 