Snort mailing list archives
Re: Setting up a Windowz Interface to monitor with no IP Address
From: "Scot Scot" <scotw () hotmail com>
Date: Fri, 28 Jun 2002 11:24:49 -0500
As noted, there are several methods for yanking packets off the wire in Windows without assigning a layer three address. As Cliff notes below, not all devices and services will function properly if the native TCP/IP suite provider stack is disabled. For both stability and reliability I would recommend leaving the native IP stack in place and removing associated values the stack may choose to "slap" on the wire.
My 2.12534 Cents Worth (Tax Included) Scot
From: CJATeck () aol com
I found in early testing that WinPCap did NOT always work correctly (I understand WinPCap is supposed to work at layer 2 directly with the NIC interface driver and as such a full IP stack should not be needed) when the MS TCP/IP stack was disabled, this may not be others experience as I have noted several different proceedures that appear to work addressed on these mailing lists. I can only tell you what works for me. If you have find a better way to make a wheel, more power to ya.The END result is what is important, a secure sensor that can not be detectedor intruded upon. Cliff (smile) In a message dated 6/28/2002 11:40:34 AM Eastern Daylight Time, Keith.McCammon () eadvancemed com writes:> Am I missing something!?! Why steps two through four? There's no reason to > have TCP/IP enabled at all on that interface. Winpcap is doing the work,> not the (shady) Windows IP stack. > > >> -----Original Message----- >> From: CJATeck () aol com [mailto:CJATeck () aol com] >> Sent: Friday, June 28, 2002 11:25 AM >> To: McCammon, Keith; tslighter () itc nrcs usda gov; >> michaels () silicondefense com; scotw () hotmail com >> Cc: snort-users () lists sourceforge net>> Subject: Re: [Snort-users] Setting up a Windowz Interface to monitor with>> no IP Address >> >>>> I do NOT use the registry hack although I am aware of it, for my "External>> Interface" I do the following. >> >> 1) I use a copper tap (Finisar) as the physical device to intercept>> traffic between my boundary router and the outside firewall interface, as >> this is a "recieve only" device, it provides protection at the OSI phyical>> layer.>> 2) On a WIN32 box I disable ALL but the TCP/IP stack. (NO file& print, NO>> MS client, ect) >> 3) I leave the interface set for "DHCP", no hard IP info (NO unicast >> address, NO subnet, NO DNS, ect) >> 4) I disable the DHCP service. >>>> RESULT- provides a promiscuous interface that is protected from detection>> and intrusion at both layer 1 and layer 3 of the OSI model. >> >> Hope this clarify things. >> >> Cliff >> >> In a message dated 6/28/2002 11:07:52 AM Eastern Daylight Time, >> Keith.McCammon () eadvancemed com writes:>> >>> How about just disabling TCP/IP on that interface by un-checking the>>> component? Why muck around with the registry? >>> >>> >>>> -----Original Message----- >>>> To: tslighter () itc nrcs usda gov; michaels () silicondefense com; >>>> scotw () hotmail com
monitor
>>>> with no IP Address >>>> >>>> >>> >> >
----------------------------------------------------------- "It's all about the Pentium" -Weird AL ----------------------------------------------------------- _________________________________________________________________MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Caffeinated soap. No kidding. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Setting up a Windowz Interface to monitor with no IP Address Scot Scot (Jun 27)
- RE: Setting up a Windowz Interface to monitor with no IP Address Michael Steele (Jun 27)
- <Possible follow-ups>
- RE: Setting up a Windowz Interface to monitor with no IP Address Detmar Liesen (Jun 28)
- RE: Setting up a Windowz Interface to monitor with no IP Address Michael Steele (Jun 28)
- RE: Setting up a Windowz Interface to monitor with no IP Address McCammon, Keith (Jun 28)
- Re: Setting up a Windowz Interface to monitor with no IP Address Scot Scot (Jun 28)