Snort mailing list archives

RE: Setting up a Windowz Interface to monitor with no IP Address


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Fri, 28 Jun 2002 11:42:06 -0400

Don't unbind TCP/IP, just remove the cute little Windows check mark, so that the TCP/IP component is not active on that interface.  I realize the registry is fun and safe, if you have a clue, but why even go through the extra steps, when it takes two seconds to disable the component?

-----Original Message-----
From: Detmar Liesen [mailto:counter.spy () gmx de]
Sent: Friday, June 28, 2002 11:21 AM
To: michaels () silicondefense com; scotw () hotmail com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Setting up a Windowz Interface to monitor
with no IP Address


I don't understand Michael's concerns.
Changing registry settings isn't that bad if you know what you're doing.
I myself used a registry hack that was posted on this list some months
ago. I disable APIPA (Automated Private IP Addressing) in the registry:

-> regedit -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\adapter_name
create an entry: IPAutoconfigurationEnabled: REG_DWORD
-> value: 0

The interface will default to 0.0.0.0

I used this for RealSecure, because unbinding the whole IP stack from the
NIC wasn't possible using a Compaq Netelligent dual NIC.
If you unbind one interface, the other one, which I still needed for
reporting, is unbound as well. So I needed some other trick for setting up
a stealth interface (Only for testing - on our production net we are using
read-only taps anyway).

It works just fine and I got no problems at all.
However I prefer Linux for NIDS - it's faster and nicer, can be hardened
properly and its licence is free.
But I don't want to start a holy war again ;)

BTW: I have also sent an FAQ contribution to Dragos some weeks ago 
(sniffing in switched LAN) and never got a reply.
He seems to be _very_ busy or he does not read his mail any more.

Cheers,
Detmar
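
An added example, not part of either message above: a PowerShell script that reports the IP state of every interface key under the registry path quoted in the thread and, on request, creates the `IPAutoconfigurationEnabled` DWORD with value 0 on one of them. It assumes an elevated session and that the `adapter_name` subkeys are named by adapter GUID; the `-InterfaceGuid` and `-Apply` parameters and the function name are hypothetical.

```powershell
# Added example (not from the original thread).
# Audits the sniffing interface and optionally disables APIPA on it.
param(
    [string]$InterfaceGuid,   # hypothetical: subkey name of the monitoring NIC
    [switch]$Apply            # hypothetical: write the value instead of only reporting
)

# Registry path as given in the thread, in PowerShell provider syntax
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-InterfaceIpState {
    # One row per interface subkey, so the sensor NIC can be compared
    # against the reporting NIC before and after the change.
    Get-ChildItem -Path $base | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $apipa = $p.IPAutoconfigurationEnabled
        if ($null -eq $apipa) { $apipa = '(not set)' }   # value absent: default behaviour applies
        [pscustomobject]@{
            Interface                  = $_.PSChildName
            EnableDHCP                 = $p.EnableDHCP
            IPAddress                  = ($p.IPAddress -join ',')
            DhcpIPAddress              = $p.DhcpIPAddress
            IPAutoconfigurationEnabled = $apipa
        }
    }
}

if ($Apply) {
    if (-not $InterfaceGuid) { throw 'Use -InterfaceGuid together with -Apply.' }
    $key = Join-Path $base $InterfaceGuid
    # Refuse to create a new subkey by accident: the interface must already exist
    if (-not (Test-Path $key)) { throw "No interface key named $InterfaceGuid under $base" }
    # REG_DWORD IPAutoconfigurationEnabled = 0, as described in the message
    New-ItemProperty -Path $key -Name 'IPAutoconfigurationEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-InterfaceIpState | Format-Table -AutoSize
```

Run it once without parameters to identify the monitoring interface's subkey, then again with `-InterfaceGuid` and `-Apply`; the final table shows whether the value is now 0 on that key only.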




