Snort mailing list archives

RE: Running Win2K in Stealth Mode


From: "Chris Arsenault" <carsenault () firstedcu org>
Date: Tue, 15 Jan 2002 09:36:21 -0600

This is how I set up Win2k to run in stealth mode, running one sensor on
the external side of the firewall and one sensor in the DMZ.  I also
connected a third network card to allow management via Demarc and ACID
from all of our IT desktops.
 
Follow the instructions on setting up a receive only cable available on
the current Snort FAQ.  The cable works like a charm...
 
0.0.0.0 Interface on Windows 2000 -->
 
Disable Automatic Private IP Addressing (APIPA)
 
Under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add the following REG_DWORD value 
 
IPAutoconfigurationEnabled and set the value to 0
 
Unbind the Sensor Adapter(s)
 
Double click on network connections
 
Highlight the sensor adapter
 
Choose advanced and then advanced settings
 
On the bindings tab, remove the checkmarks in order to unbind the
adapter(s)
 
You are set at this point...our security requirements took us a step
further.  On top of the receive only cable, I also added an Ethernet
tap.  I added one tap on the external level of the firewall and one in
the DMZ.
 
TRAFFIC -->  TAP  -->  RECEIVE ONLY CABLE  -->  SENSOR RUNNING 0.0.0.0
with no bindings on the NIC.
 
The taps are available from http://www.shomiti.com. Nonetheless, their
docs didn't seem to work too well.  I tried running the tap with a
straight through cable as described and it wouldn't go.  Once I put the
receive only cable on, it worked like a charm.
 
The tap was simply a security requirement where I work.....the receive
only cable actually does the same thing.  I am not complaining about the
overkill when it comes to security though!
 
 
Chris Arsenault
Network Administrator
First Educators Credit Union
Microsoft Certified Systems Engineer
Microsoft Certified Trainer
 
-----Original Message-----
From: Bill Shaffer [mailto:billshaffer () smsd org] 
Sent: Tuesday, January 15, 2002 8:53 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Running Win2K in Stealth Mode
 
1. How would one set up Windows 2K to run with no IP address? Is it
just enough to uncheck TCP/IP under the NIC properties?
2. Is there a command line you should place in the snort.conf to
make snort run in stealth mode?
 
Any info would be greatly appreciated!
 
Thanks, Bill
