Snort mailing list archives
RE: Stealth Interface on Win32 Platforms
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Tue, 4 Sep 2001 08:51:27 -0500
-----Original Message-----
From: Archer [mailto:archer () ironcomet com]
Sent: Tuesday, September 04, 2001 12:48 AM

Can someone tell me how to do a "stealth interface" for Win32 platforms? For example, how do you make sure the interface has no IP, do you assign it 0.0.0.0? If you set it to DHCP but don't allow it to get an address, it will default to a 169.x.x.x address.
If you are using the receive-only cable, you can assign yourself some unused IP address. I've noticed that if an interface has no protocol assigned, you can't select it with WinPCap.
As far as the sniffer cable. I read the Snort FAQ and this was mentioned. However, I don't quite understand it. Could someone perhaps clear it up a little?

    LAN        Sniffer
    1 -----\   /-- 1
    2 ---\ |   \-- 2
    3 ---+-*------ 3
    4 -  |       - 4
    5 -  |       - 5
    6 ---*-------- 6
    7 -          - 7
    8 -          - 8
That should do it.
Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though.
Regards,
Frank
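The switch behaviour described in the message above, as an added example that is not part of the original post or of Snort: a simplified learning-switch model showing how a port that echoes frames back in causes host MAC addresses to be re-learned on the sniffer port. The `LearningSwitch` class, port numbers and MAC addresses are constructed for illustration, and the model is an assumption about generic source-learning behaviour, not any vendor's implementation.

```python
# Simplified model (assumption): learn the source MAC on ingress, forward by
# destination, flood when the destination is broadcast or unknown.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, loopback_ports=()):
        self.ports = set(ports)
        # Ports wired with the receive-only cable: every frame transmitted
        # out of such a port comes straight back in on the same port.
        self.loopback = set(loopback_ports)
        self.mac_table = {}

    def receive(self, in_port, src, dst):
        """Process one frame and return the set of ports it was sent out of."""
        self.mac_table[src] = in_port              # source learning
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:
            egress = self.ports - {in_port}        # flood
        elif out == in_port:
            egress = set()                         # destination is on the ingress port
        else:
            egress = {out}
        for port in egress & self.loopback:
            # The echoed copy arrives on the loopback port, so the switch
            # re-learns src there. Only this re-learning step is modelled;
            # the re-flooded duplicate of the frame is ignored.
            self.mac_table[src] = port
        return egress

def demo(loopback):
    """Host A on port 1, host B on port 2, sniffer cable on port 3."""
    sw = LearningSwitch({1, 2, 3}, loopback_ports={3} if loopback else ())
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed MACs
    sw.receive(1, a, BROADCAST)        # A sends a broadcast (e.g. an ARP request)
    learned_port_for_a = sw.mac_table[a]
    delivered_to = sw.receive(2, b, a) # B answers A with a unicast frame
    return learned_port_for_a, delivered_to

if __name__ == "__main__":
    print("normal port 3:  ", demo(loopback=False))
    print("loopback port 3:", demo(loopback=True))
```

With the loopback port in place, B's reply is forwarded to port 3 instead of port 1, so A stops receiving traffic until it transmits again and is re-learned on its real port. A hub keeps no such table, which is why the cable causes no trouble there.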