Snort mailing list archives
RE: Setting up a Windowz Interface to monitor with no IP Address
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Fri, 28 Jun 2002 11:42:06 -0400
Don't unbind TCP/IP, just remove the cute little Windows check mark, so that the TCP/IP component is not active on that interface. I realize the registry is fun and safe, if you have a clue, but why even go through the extra steps, when it takes two seconds to disable the component?

-----Original Message-----
From: Detmar Liesen [mailto:counter.spy () gmx de]
Sent: Friday, June 28, 2002 11:21 AM
To: michaels () silicondefense com; scotw () hotmail com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address

I don't understand Michael's concerns. Changing registry settings isn't that bad if you know what you're doing. I myself used a registry hack that was posted on this list some months ago.

I disable APIPA (Automated Private IP Addressing) in the registry:

-> regedit
-> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\adapter_name
create an entry:
IPAutoconfigurationEnabled: REG_DWORD -> value: 0

The interface will default to 0.0.0.0

I used this for RealSecure, because unbinding the whole IP stack from the NIC wasn't possible using a Compaq Netelligent dual NIC. If you unbind one interface, the other one, which I still needed for reporting, is unbound as well. So I needed some other trick for setting up a stealth interface (Only for testing - on our production net we are using read-only taps anyway).

It works just fine and I got no problems at all. However I prefer Linux for NIDS - it's faster and nicer, can be hardened properly and its licence is free. But I don't want to start a holy war again ;)

BTW: I have also sent an FAQ contribution to Dragos some weeks ago (sniffing in switched LAN) and never got a reply. He seems to be _very_ busy or he does not read his mail any more.

Cheers,
Detmar
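A read-only check of the registry setting described in the quoted message, as an added example that is not part of either post: it lists every key under `Tcpip\Parameters\Interfaces` and flags those where `IPAutoconfigurationEnabled` is 0 and no address is configured. The function name `Get-StealthInterfaceReport` and the `Stealth` column are assumptions made for this example, and it assumes a Windows host with PowerShell, where the subkeys are adapter GUIDs rather than adapter names.

```powershell
# Added example: audit sensor interfaces for the APIPA setting and configured addresses.
# Reads the registry only; nothing is modified.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-StealthInterfaceReport {
    param([string]$Path = $base)

    Get-ChildItem -Path $Path | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath

        # If the value is absent the default applies, i.e. APIPA is enabled.
        $apipa = if ($null -ne $p.IPAutoconfigurationEnabled) {
            [int]$p.IPAutoconfigurationEnabled
        } else { 1 }

        # Static (IPAddress) and leased (DhcpIPAddress) addresses, ignoring 0.0.0.0.
        # DhcpIPAddress can hold a stale lease, so a hit here means "check by hand".
        $addrs = @($p.IPAddress) + @($p.DhcpIPAddress) |
            Where-Object { $_ -and $_ -ne '0.0.0.0' }

        [pscustomobject]@{
            Interface     = $_.PSChildName
            ApipaDisabled = ($apipa -eq 0)
            DhcpEnabled   = ($p.EnableDHCP -eq 1)
            Addresses     = ($addrs -join ',')
            # Hypothetical label: APIPA off and nothing configured on the interface.
            Stealth       = ($apipa -eq 0 -and -not $addrs)
        }
    }
}

Get-StealthInterfaceReport | Format-Table -AutoSize
```

The registry shows configuration rather than live state, so confirm the result against `ipconfig /all` on the sensor after a reboot.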
Current thread:
- Setting up a Windowz Interface to monitor with no IP Address Scot Scot (Jun 27)
- RE: Setting up a Windowz Interface to monitor with no IP Address Michael Steele (Jun 27)
- <Possible follow-ups>
- RE: Setting up a Windowz Interface to monitor with no IP Address Detmar Liesen (Jun 28)
- RE: Setting up a Windowz Interface to monitor with no IP Address Michael Steele (Jun 28)
- RE: Setting up a Windowz Interface to monitor with no IP Address McCammon, Keith (Jun 28)
- Re: Setting up a Windowz Interface to monitor with no IP Address Scot Scot (Jun 28)