Snort mailing list archives
Re: Setting up a Windowz Interface to monitor with no IP Address
From: CJATeck () aol com
Date: Fri, 28 Jun 2002 11:52:30 EDT
I found in early testing that WinPcap did NOT always work correctly when the MS TCP/IP stack was disabled (I understand WinPcap is supposed to work at layer 2 directly with the NIC interface driver, and as such a full IP stack should not be needed). This may not be others' experience, as I have noted several different procedures that appear to work addressed on these mailing lists. I can only tell you what works for me. If you find a better way to make a wheel, more power to ya. The END result is what is important: a secure sensor that cannot be detected or intruded upon.

Cliff (smile)

In a message dated 6/28/2002 11:40:34 AM Eastern Daylight Time, Keith.McCammon () eadvancemed com writes:
Am I missing something!?! Why steps two through four? There's no reason to have TCP/IP enabled at all on that interface. WinPcap is doing the work, not the (shady) Windows IP stack.

-----Original Message-----
From: CJATeck () aol com [mailto:CJATeck () aol com]
Sent: Friday, June 28, 2002 11:25 AM
To: McCammon, Keith; tslighter () itc nrcs usda gov; michaels () silicondefense com; scotw () hotmail com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address

I do NOT use the registry hack, although I am aware of it. For my "External Interface" I do the following.

1) I use a copper tap (Finisar) as the physical device to intercept traffic between my boundary router and the outside firewall interface. As this is a "receive only" device, it provides protection at the OSI physical layer.
2) On a WIN32 box I disable ALL but the TCP/IP stack (NO file & print, NO MS client, etc.).
3) I leave the interface set for "DHCP", with no hard IP info (NO unicast address, NO subnet, NO DNS, etc.).
4) I disable the DHCP service.

RESULT: provides a promiscuous interface that is protected from detection and intrusion at both layer 1 and layer 3 of the OSI model.

Hope this clarifies things.

Cliff

In a message dated 6/28/2002 11:07:52 AM Eastern Daylight Time, Keith.McCammon () eadvancemed com writes:

How about just disabling TCP/IP on that interface by un-checking the component? Why muck around with the registry?

-----Original Message-----
From: CJATeck () aol com [mailto:CJATeck () aol com]
Sent: Friday, June 28, 2002 10:51 AM
To: tslighter () itc nrcs usda gov; michaels () silicondefense com; scotw () hotmail com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Setting up a Windowz Interface to monitor with no IP Address
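The four-step procedure Cliff describes above was typed into the Windows 2000/XP network GUI in 2002. As an added example that is not part of the original thread, here is the same hardening expressed with the modern NetAdapter, NetTCPIP and DnsClient PowerShell cmdlets (Windows 8 / Server 2012 and later). The adapter name "Sniff" is an assumption; run this in an elevated session on the sensor. It keeps ms_tcpip bound, as Cliff does, and strips every other binding; if your capture driver (Npcap today) runs fine with the stack unbound, disable ms_tcpip as well, which is Keith's point.

```powershell
# Added example, not code from the original thread.
# Assumes the dedicated capture NIC is named "Sniff" (hypothetical).
$Nic = "Sniff"

# Step 2: disable every protocol/service binding on the capture NIC except
# IPv4 (ms_tcpip). This removes file & print sharing (ms_server), the MS
# client (ms_msclient), IPv6, LLDP/LLTD responders and anything else that
# could answer a probe on the wire.
Get-NetAdapterBinding -Name $Nic |
    Where-Object { $_.Enabled -and $_.ComponentID -ne 'ms_tcpip' } |
    ForEach-Object {
        Disable-NetAdapterBinding -Name $Nic -ComponentID $_.ComponentID
    }

# Step 3: no static address, gateway or DNS; leave IPv4 in DHCP mode.
Remove-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 `
    -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $Nic -AddressFamily IPv4 `
    -Confirm:$false -ErrorAction SilentlyContinue
Set-NetIPInterface -InterfaceAlias $Nic -AddressFamily IPv4 -Dhcp Enabled
Set-DnsClientServerAddress -InterfaceAlias $Nic -ResetServerAddresses

# Step 4: stop and disable the DHCP Client service so the NIC never sends a
# DHCPDISCOVER. Caveat: the service is machine-wide, so the management NIC
# must already have a static address before you do this.
Stop-Service -Name Dhcp -Force
Set-Service  -Name Dhcp -StartupType Disabled

# Verify the result: only ms_tcpip should remain enabled, and the interface
# should report no unicast IPv4 address.
Get-NetAdapterBinding -Name $Nic | Where-Object Enabled |
    Format-Table ComponentID, DisplayName -AutoSize
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 `
    -ErrorAction SilentlyContinue | Format-Table IPAddress, PrefixOrigin
```

The receive-only tap in step 1 is what actually guarantees silence at layer 1; the cmdlets above only make sure the host has nothing left to say at layers 2 and 3 if the tap were ever replaced with a SPAN port. Re-run the two verification commands after every Windows feature update, since updates can re-enable bindings such as ms_tcpip6.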
Current thread:
- Re: Setting up a Windowz Interface to monitor with no IP Address CJATeck (Jun 28)
- <Possible follow-ups>
- RE: Setting up a Windowz Interface to monitor with no IP Address McCammon, Keith (Jun 28)
- Re: Setting up a Windowz Interface to monitor with no IP Address CJATeck (Jun 28)
- RE: Setting up a Windowz Interface to monitor with no IP Address McCammon, Keith (Jun 28)
- Re: Setting up a Windowz Interface to monitor with no IP Address CJATeck (Jun 28)