Snort mailing list archives
RE: Snort WIN2K setup for stealth mode
From: "Chris Arsenault" <carsenault () firstedcu org>
Date: Thu, 7 Feb 2002 09:38:12 -0600
Michael,

I'm very interested in trying this for a Windows machine. Is it possible for you to go into detail on the procedure you used?

The four things I have done:

Setup Win2k in Stealth

1. Unbind all NIC cards (1 on DMZ & 1 External layer of firewall)
   Network card 1 on the firewall:
   Network card 2 for management:

*************************************************************************
Also, add the following registry keys in order to disable APIPA. This is the only way to turn Win2k to a 0.0.0.0 address. Setup the sensor adapter(s). Also set the sensor adapters to DHCP so when they reset they get only a 0.0.0.0 address instead of 169.x.x.x
http://www.microsoft.com/TechNet/prodtechnol/winxppro/proddocs/sag_TCPIP_pro_DisableAutoConfiguration.asp
*************************************************************************

2. Added 2 receive only cables, available on Snort FAQ
   Is this necessary if there is no IP?

*************************************************************************
Receive only cables cut off the transmit possibilities from the card. This is more of a political issue when deploying on a corporate network. Although this may be overkill, it works with management. It also shuts off any ability for the Windows machine to start chatting on the wire.

I actually used two 9-pin to RJ45 adapters, like this:

LAN -> RJ45 FEMALE -> 9PIN MALE -> 9 PIN FEMALE -> RJ45 FEMALE -> SNIFFER

I made all the connections inside the adapter.

On the LAN side:
   Connect holes 1 & 2 together
   Connect wire 1 & 3 together with a pin and place in hole 3
   Connect wire 2 & 6 together with a pin and place in hole 6
   Connect wire 4, 5, 7 & 8 straight through (4 into 4, 5 into 5, etc)

On the sniffer side, connect pins straight through (1 - 1, 2 - 2, 3 - 3)

This is the exact representation of the receive only cable available at http://www.snort.org Snort FAQ. The only difference is instead of connecting wires 1 and 2 on the sniffer side, I just looped them at the LAN side.
*************************************************************************

3. Added 2 Ethernet taps, a bit overkill....but why not be paranoid!
   What is this and what do they accomplish?

*************************************************************************
This accomplishes the same thing as the receive-only cable. We already had these purchased and they were not working. I put the receive-only cable on them and they work great. Once again, overkill...basically looks pretty on paper and in the server room. (We have a stealth IDS structure with interfaces on 0.0.0.0, receive only cables and Ethernet taps to thwart unwanted transmit traffic..bla, bla, bla)

*** Any vendor, security professional or security organization would recommend having both software (stealth interface) and hardware (taps/cables) in place. It will save your ass during an audit ***

http://www.finisar.com UTP TAP 10/100
*************************************************************************

4. Have a third NIC card to access ACID & Demarc management interface
   This would be card #2

*************************************************************************
The non-sensor management NIC would allow you to access the ACID or Demarc management consoles. You can also setup Windows 2000 w/ Terminal Services in order to connect to it from any internal PC in order to do upgrades, etc. I would only use Terminal Services on an internal network!!! You could also setup the management NIC on a DMZ or public address WITH HTTPS!! There are some security concerns with IIS here!!! If you are running IIS on the sensor box...LOCK IT DOWN....IF IT DOESN'T WORK....LOCK IT DOWN SOME MORE ;)
*************************************************************************

5. Log everything to MySQL -- Soon to be trying to log everything to MSSQL 2K. See how that goes...
   Got this part

6. Log everything to alert.ids
   Got this part

7. Upload alert.ids to aris hourly http://aris.securityfocus.com
   Is there any security risk here? Do you Acid at all?
*************************************************************************
I am using ACID and Demarc. I used Aris from Security Focus to create incredible reports. Aris allows you to strip addresses from your alert.ids file. I strip out all hosts, firewall, etc....anything within our DMZ. This limits the data that goes up to aris to only public IPs. All our IPs are listed as 0.0.0.0. This gives us incredible reports, discussions and sig references.

*** Also check out http://www.snort.org/snort-db - This is the up and coming ultimate reference for Snort, or at least that is the goal!! Share the wealth and contribute some sigs!!! :) ***
*************************************************************************

Any questions, feel free to email me or respond via Snort Users List.

Chris Arsenault
Network Administrator
First Educators Credit Union
Microsoft Certified Systems Engineer
Microsoft Certified Trainer

Thank you very much.
-Mike

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
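The post above describes stripping every DMZ, firewall and host address out of alert.ids so that only public IPs (with your own side shown as 0.0.0.0) leave the network when the file is uploaded to an external correlation service. The script below is an added illustration of that sanitization step, written for this page and not taken from the mailing-list post, ARIS, ACID or Snort. The protected networks and the alert lines are constructed sample data (RFC 5737 documentation ranges stand in for a public scanner and a DMZ server); a real deployment would list its own address blocks.

```python
"""Strip internal/DMZ addresses from a Snort alert.ids file before sharing it.

Added example (not from the mailing-list post): any IPv4 address inside the
networks listed in PROTECTED_NETS is rewritten to 0.0.0.0; everything else on
each line (timestamps, ports, sig ids, packet fields) is left unchanged.
"""
import ipaddress
import re
import sys

# Dotted-quad IPv4 candidates. Lookarounds stop "1.2.3.4" from matching inside
# a longer token such as "10.1.2.3.4"; anything that does not parse as an
# address is left alone by is_protected().
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed example of "our" address space. Replace with the real DMZ,
# firewall and management ranges of the sensor's network.
PROTECTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),  # hypothetical DMZ block (TEST-NET-3)
]

PLACEHOLDER = "0.0.0.0"


def is_protected(addr_text, nets=PROTECTED_NETS):
    """True if addr_text is a valid IPv4 address inside one of nets."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False  # e.g. "999.1.1.1" or a dotted version string
    return any(addr in net for net in nets)


def sanitize_line(line, nets=PROTECTED_NETS):
    """Replace every protected address on one alert line with 0.0.0.0."""
    def swap(match):
        text = match.group(1)
        return PLACEHOLDER if is_protected(text, nets) else text
    return IPV4_RE.sub(swap, line)


def sanitize_alerts(text, nets=PROTECTED_NETS):
    """Sanitize a whole alert.ids buffer, preserving its line structure."""
    return "\n".join(sanitize_line(line, nets) for line in text.split("\n"))


# Constructed sample in the multi-line "full" format Snort writes to alert.ids:
# a public host probing a DMZ web server, then an internal-to-internal ping.
SAMPLE_ALERTS = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/07-09:38:12.123456 198.51.100.7:4521 -> 203.0.113.10:80
TCP TTL:112 TOS:0x0 ID:12345 IpLen:20 DgmLen:112 DF
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/07-09:40:01.000001 192.168.1.5 -> 10.1.1.1
ICMP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:28
"""


def main():
    # Usage: python sanitize_alerts.py < alert.ids > alert.public.ids
    # With nothing piped in, run on the constructed sample instead.
    data = SAMPLE_ALERTS if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(sanitize_alerts(data))


if __name__ == "__main__":
    main()
```

Run it over the file on the way out (the hourly upload in step 7) rather than on the copy ACID and Demarc read, so the local consoles keep the real addresses. The public source 198.51.100.7 survives, the DMZ target 203.0.113.10 and both internal ping endpoints become 0.0.0.0, and ports and signature references stay intact for the external reports.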