Snort mailing list archives
RE: Setting up a Windowz Interface to monitor with no IP Address
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Fri, 28 Jun 2002 07:38:32 -0600
I did find that for those who are uncomfortable with poking away at the registry blindfolded, there is an easier way to set up a "stealth" interface on a Windows system. Just simply configure the interface for DHCP and it will never obtain an IP address but will still be in the "UP" state.

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Thursday, June 27, 2002 8:57 PM
To: 'Scot Scot'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address

Scot,

Hopefully they won't place it in the FAQs. Editing the Registry is a major responsibility and the fewer people doing it the better. I'm sure you and everyone else that is Windows savvy knows what one wrong slip can do to your OS. This is not mainstream and will only contribute to a very few people, and could be devastating to many others.

-Michael

Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Scot Scot
Sent: June 27, 2002 3:32 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address

I'd like to add to the Snort FAQ, I sent this update to: Dragos Ruiu at dr () kyx net, but no response has been sent back. Perhaps he'z a little busy /wait.

http://www.snort.org/docs/faq.html

Under Section 3: Configuring Snort
----------------------------------
3.2 Q: How do I run snort on an interface with no IP address?

I would like to add some info for the Windowz users out there. Below is a detailed explanation of how to bring a Windowz interface up with no IP Address.
If you try to type "Null" values in the GUI, Windowz will error and prevent you from doing so. Following is the proper Registry modification (Should work for NT-W2K-XP). I have tested and verified functionality on W2K. Please let me know if corrections are needed, I'll take care of it.

Thankz.
Scot Wiedenfeld
____________________________________________________
Setting the Snort Monitoring Interface to operate in Windowz 2000 without an IP Address.

1. open Regedt32
2. Navigate out to:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
3. Select the network card you wish to set up as the monitoring interface (this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value). If you do not know what the device's Hex value is, run snort from the command line and type the following: (Example if snort is in the C:\snort\ directory)
   C:\snort\snort -W
   This will provide you a list of enabled network adapters and the corresponding Hex Value in the registry.
4. Set the IPAddress:REG_MULTI_SZ: to nothing (Double click on the string, delete data in the Multi-String Editor, then click OK)
5. Set the SubnetMask:REG_MULTI_SZ: to nothing (Double click on the string, delete data in the Multi-String Editor, then click OK)
4. Set the DefaultGateway:REG_MULTI_SZ: to nothing (Double click on the string, delete data in the Multi-String Editor, then click OK)
6. Close the Registry Editor, your changes will be saved automatically.
7. Return to the command prompt and type the following to verify there is no IP bound to the interface:
   C:\>ipconfig
8. You should not receive an IP address listing from the interface you modified.
9. Fire Snort up on the interface you modified to verify you are able to sniff off the wire. (Example if snort is in the C:\snort\ directory and you modified ethernet adapter #1)
   C:\snort\snort -dev -i1
10. Wa-laa
11. Go get a Code Red or beverage of choice for doing such a good job.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
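A read-only way to review the registry state that the procedure in the quoted message produces, added here as an example (it is not part of the original posts or of Snort), written in PowerShell. The key path and the IPAddress, SubnetMask and DefaultGateway value names come from the message; EnableDHCP and DhcpIPAddress are standard values under the same key, and the function name Test-NoAddress is illustrative.

```powershell
# Added example: read-only report. Nothing in the registry is modified.
# Key path and the three static value names are taken from the message above.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Test-NoAddress {
    # REG_MULTI_SZ values arrive as string[]; REG_SZ values as a single string.
    # Null, empty strings and 0.0.0.0 all count as "no address configured".
    param($Value)
    $real = @(@($Value) | Where-Object { $_ -and $_ -ne '0.0.0.0' })
    return ($real.Count -eq 0)
}

Get-ChildItem -Path $base | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath

    # EnableDHCP = 1 means the static values are not the ones in use.
    $dhcp = ($p.EnableDHCP -eq 1)

    # The three values the procedure blanks out (steps 4, 5 and the
    # DefaultGateway step).
    $staticEmpty = (Test-NoAddress $p.IPAddress) -and
                   (Test-NoAddress $p.SubnetMask) -and
                   (Test-NoAddress $p.DefaultGateway)

    # For a DHCP interface, look at the recorded lease instead.
    $leaseEmpty = Test-NoAddress $p.DhcpIPAddress

    [pscustomobject]@{
        InterfaceGuid       = $_.PSChildName   # the {XXXXXXXX-...} subkey name
        DhcpEnabled         = $dhcp
        StaticValuesEmpty   = $staticEmpty
        DhcpLeaseEmpty      = $leaseEmpty
        NoAddressInRegistry = if ($dhcp) { $leaseEmpty } else { $staticEmpty }
    }
} | Format-Table -AutoSize
```

This reports only what the registry holds; the `ipconfig` check in step 7 remains the test of what is actually bound to the adapter.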
Current thread:
- RE: Setting up a Windowz Interface to monitor with no IP Address Slighter, Tim (Jun 28)
- <Possible follow-ups>
- RE: Setting up a Windowz Interface to monitor with no IP Address Chavez Chris Contr 411 FLTS/TSF (Jun 28)