[Snort-users] RE: Win2K Pro Sniffing

Scot Scot scotw at ...125...
Sun Oct 17 08:09:04 EDT 2004

> Mike French Wrote:
> Let me apologize ahead of time if this has been posted before.
> This is what I have:
> Windows 2000 Professional
> Running SNORT, ACID, etc.
> 1 x NIC (Management) Configured for a Management Console to our Firewall
> (Logging)
> 1 x NIC (SnifferNET) Connected outside the firewall sniffing on a (Real)
> What I need to do is Stealth my SnifferNET so prying eyes will have a hard
> time finding it. I actually found a site with registry Hacks that give the
> NIC a address and allow sniffing. Anybody know where or how to do
> this? I don't remember the site and Browser History is of no help. I have
> spent most of the day trying to find it to no avail...
> I really didn't want to use the Windows box but, my Firewall management
> software won't run on Linux and I am out of boxes to spare....
> Mike French
> MIS OnlineServices
> 754 Port America Place
> Suite 150
> Grapevine, TX 76051
> (888) 327-5647
> (817) 488-1600
> FAX (817) 488-1103
> MikeF at ...12560...
> www.misonlineservices.com


Right-click on "My Network Places", select Properties
Right-click on your Network Connection, e.g. "Local Area Connection", select
In the Local Area Connection Properties sheet, under the General Tab,
Uncheck ALL Components, Click OK.

Remember, snort uses the Netgroup Packet Filter service (WinPcap) to capture
packets, Microsoft networking components are not


To start and stop the Netgroup Packet Filter service manually enter the
following command:

C:\>net start npf

C:\>net stop npf

I've setup a handfull of Win2K boxes that had other services running on them
that required Microsofts TCP/IP Component to be
enabled for proper function of the system. If this is the case there is a
registry workaround that works well:


3.1 How do I setup snort on a 'stealth' interface?

NOTE: You are at your own risk if you follow these instructions. Editing
registry is DANGEROUS and should be done with extreme caution. Follow these
steps at your OWN risk.

1.  Get your device's hex value. ('snort -W' works for this)
2.  open Regedt32
3.  Navigate out to: HKEY_LOCAL_MACHINE\( \backslash \)SYSTEM\( \backslash
    CurrentControlSet\( \backslash \)Services\( \backslash \)Tcpip\(
    \)Parameters\( \backslash \)Interfaces\( \backslash \)
4.  Select the network card you wish to setup as the monitoring interface
5.  Set IPAddress:REG_MULTI_SZ: to null (Double click on the string, delete
    data in the Multi-String Editor, then click OK)
6.  Set SubnetMask:REG_MULTI_SZ: to null (Double click on the string, delete
    data in the Multi-String Editor, then click OK)
7.  Set DefaultGateway:REG_MULTI_SZ: to null (Double click on the string,
    delete data in the Multi-String Editor, then click OK)
8.  Close the Registry Editor, your changes will be saved automatically.
9.  In a command prompt, run 'ipconfig' to verify the interface does not
    an IP bound to it.

Scot Wiedenfeld
Just my 2.0134 cents worth (tax included)

More information about the Snort-users mailing list