Snort mailing list archives

RE: Stealth Interface on Win32 Platforms


From: Tom Sevy <tsevy () epx com>
Date: Tue, 4 Sep 2001 11:13:12 -0400

Or you can (in Win NT or W2K) simply uncheck the binding of TCP/IP to the
NIC card you are using to snort.

-----Original Message-----
From: Frank Knobbe [mailto:FKnobbe () KnobbeITS com] 
Sent: Tuesday, September 04, 2001 9:51 AM
To: 'Archer'; Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Stealth Interface on Win32 Platforms



*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x3282D105
*** Signed: 9/4/2001 9:51:27 AM
*** Verified: 9/4/2001 11:12:19 AM
*** BEGIN PGP VERIFIED MESSAGE ***

-----Original Message-----
From: Archer [mailto:archer () ironcomet com]
Sent: Tuesday, September 04, 2001 12:48 AM

Can someone tell me how to do a "stealth interface" for Win32 
platforms?

For example, how do you make sure the interface has no IP, do 
you assign it 0.0.0.0? If you set it to DHCP but don't allow it to
get an address, it will default to a 169.x.x.x address.

If you are using the receive-only cable, you can assign yourself some
unused IP address. I've noticed that if an interface has no protocol
assigned, you can't select it with WinPCap.

As far as the sniffer cable, I read the Snort FAQ and this 
was mentioned.  However, I don't quite understand it. Could someone
perhaps clear it up a little?

   LAN           Sniffer
    1 -----\   /-- 1
    2 ---\ |   \-- 2
    3 ---+-*------ 3
    4 -  |       - 4
    5 -  |       - 5
    6 ---*-------- 6
    7 -          - 7
    8 -          - 8

That should do it.


    Basically, 1 and 2 on the sniffer side are connected, 3 and 6
    straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
    6 respectively. This fakes a link on both ends but only allows
    traffic from the LAN to the sniffer. It also causes the 'incoming'
    traffic to be sent back to the LAN, so this cable only works well on
    a hub. You can use it on a switch but you will get ...err...
    interesting results. Since the switch receives the packets back in on
    the port it sent them out, the MAC table gets confused and after a
    short while devices start to drop off the switch. Works like a charm
    on a hub though.


Regards,
Frank


*** END PGP VERIFIED MESSAGE ***

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
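
The MAC-table confusion described in the quoted FAQ text, as an added Python sketch that is not part of the original thread. It assumes a simplified learning switch; the class, port numbers and host names A and B are hypothetical, and the cable is modelled as echoing every frame sent out the sniffer port straight back into that port.

```python
# Simplified model (an assumption of this example): a learning switch with the
# receive-only cable on one port. The cable echoes each frame the switch
# transmits on that port back into the same port.

class LearningSwitch:
    def __init__(self, ports, loop_port):
        self.ports = ports            # switch port numbers
        self.loop_port = loop_port    # port carrying the one-way sniffer cable
        self.mac_table = {}           # learned source MAC -> port
        self.delivered = []           # (egress_port, src, dst) for each frame sent out

    def ingress(self, port, src, dst):
        self.mac_table[src] = port    # learn the source on the arrival port
        known = self.mac_table.get(dst)
        if known == port:
            return                    # destination appears to be on the ingress port: filtered
        # Forward to the learned port, or flood to every other port if unknown.
        out = [known] if known is not None else [p for p in self.ports if p != port]
        for p in out:
            self.delivered.append((p, src, dst))
            if p == self.loop_port:
                self.ingress(p, src, dst)   # the cable feeds the frame back in

    def received_on(self, port, src):
        # Number of frames from `src` that the switch transmitted on `port`.
        return sum(1 for p, s, _ in self.delivered if p == port and s == src)


def simulate():
    # Constructed topology: host A on port 1, host B on port 2, sniffer cable on port 3.
    sw = LearningSwitch(ports=[1, 2, 3], loop_port=3)
    sw.ingress(1, "A", "B")   # A sends to B; B is unknown, so the frame is flooded
    sw.ingress(2, "B", "A")   # B replies to A
    return sw


if __name__ == "__main__":
    sw = simulate()
    print("MAC table:", sw.mac_table)
    print("frames from B that reached A's port:", sw.received_on(1, "B"))
    print("copies of A's frame that reached B's port:", sw.received_on(2, "A"))
```

In this model both hosts end up learned on the sniffer port, so B's reply to A is sent only to the sniffer port and filtered when it loops back, which is the "devices start to drop off the switch" effect.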
