Snort mailing list archives
Re: RE: Win2K Pro Sniffing
From: "Scot Scot" <scotw () hotmail com>
Date: Sun, 17 Oct 2004 10:07:32 -0500
Mike French Wrote:

Let me apologize ahead of time if this has been posted before. This is what I have:

Windows 2000 Professional running SNORT, ACID, etc.
1 x NIC (Management) configured for a Management Console to our Firewall (Logging)
1 x NIC (SnifferNET) connected outside the firewall, sniffing on a (real) HUB

What I need to do is stealth my SnifferNET so prying eyes will have a hard time finding it. I actually found a site with registry hacks that give the NIC a 0.0.0.0 address and allow sniffing. Anybody know where or how to do this? I don't remember the site and browser history is of no help. I have spent most of the day trying to find it to no avail... I really didn't want to use the Windows box, but my Firewall management software won't run on Linux and I am out of boxes to spare....

Mike French
MIS OnlineServices
754 Port America Place Suite 150
Grapevine, TX 76051
(888) 327-5647
(817) 488-1600
FAX (817) 488-1103
MikeF () misonlineservices com
www.misonlineservices.com
<snip>

Mike,

Right-click on "My Network Places", select Properties. Right-click on your Network Connection, e.g. "Local Area Connection", select Properties. In the Local Area Connection Properties sheet, under the General tab, uncheck ALL components, click OK.

Remember, snort uses the Netgroup Packet Filter service (WinPcap) to capture packets; Microsoft networking components are not required.
http://winpcap.polito.it/misc/faq.htm

To start and stop the Netgroup Packet Filter service manually, enter the following commands:

C:\>net start npf
C:\>net stop npf

I've set up a handful of Win2K boxes that had other services running on them that required Microsoft's TCP/IP component to be enabled for proper function of the system. If this is the case there is a registry workaround that works well:
http://www.snort.org/docs/FAQ.txt

3.1 How do I setup snort on a 'stealth' interface?

NT/W2K/XP:

NOTE: You are at your own risk if you follow these instructions. Editing your registry is DANGEROUS and should be done with extreme caution. Follow these steps at your OWN risk.

1. Get your device's hex value. ('snort -W' works for this)
2. Open Regedt32.
3. Navigate out to:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
4. Select the network card you wish to setup as the monitoring interface (this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value).
5. Set IPAddress:REG_MULTI_SZ: to null (double click on the string, delete data in the Multi-String Editor, then click OK).
6. Set SubnetMask:REG_MULTI_SZ: to null (double click on the string, delete data in the Multi-String Editor, then click OK).
7. Set DefaultGateway:REG_MULTI_SZ: to null (double click on the string, delete data in the Multi-String Editor, then click OK).
8. Close the Registry Editor; your changes will be saved automatically.
9. In a command prompt, run 'ipconfig' to verify the interface does not have an IP bound to it.

Scot Wiedenfeld
Just my 2.0134 cents worth (tax included)
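One way to check the result of steps 5 through 9 across every adapter at once, as an added example that is not from the thread or the Snort FAQ: a PowerShell script (assumes a PowerShell version later than the Win2K era, run from an elevated prompt) that walks the same Tcpip\Parameters\Interfaces keys and flags adapters whose IPAddress, SubnetMask and DefaultGateway are all empty. It also reads EnableDHCP, which the FAQ steps do not mention, since a DHCP-enabled adapter would still obtain an address even with those three values blanked.

```powershell
# Added example, not part of the thread or the Snort FAQ.
# Audits the registry keys the FAQ's step 3 names and reports which
# interfaces look "stealthed" (no IP, mask or gateway, and DHCP off).
# Assumes modern PowerShell; the registry path is the one the FAQ uses.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Test-EmptyMultiSz {
    param($Value)
    # REG_MULTI_SZ is returned as a string array. Treat a missing value,
    # an empty array, or only-blank entries as "null" in the FAQ's sense.
    if ($null -eq $Value) { return $true }
    $nonBlank = @(@($Value) | Where-Object { $_ -and $_.Trim() -ne '' })
    return ($nonBlank.Count -eq 0)
}

function Get-StealthInterfaceReport {
    param([string]$Path = $base)
    Get-ChildItem -Path $Path | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $noIp   = Test-EmptyMultiSz $props.IPAddress
        $noMask = Test-EmptyMultiSz $props.SubnetMask
        $noGw   = Test-EmptyMultiSz $props.DefaultGateway
        # EnableDHCP is a REG_DWORD; 1 means the stack will still request a lease.
        $dhcpOn = ($props.EnableDHCP -eq 1)
        [PSCustomObject]@{
            Interface  = $_.PSChildName          # the {GUID} from 'snort -W'
            IPAddress  = if ($noIp) { '<none>' } else { @($props.IPAddress) -join ',' }
            Gateway    = if ($noGw) { '<none>' } else { @($props.DefaultGateway) -join ',' }
            DHCP       = $dhcpOn
            Stealth    = ($noIp -and $noMask -and $noGw -and -not $dhcpOn)
        }
    }
}

# Print one row per interface; Stealth = True is the state the FAQ aims for.
Get-StealthInterfaceReport | Format-Table -AutoSize
```

Cross-check the Interface column against the {GUID} values shown by 'snort -W' and the output of 'ipconfig' from step 9; an adapter that reads Stealth = False here but shows no address in ipconfig usually still has DHCP enabled.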
Current thread:
- Win2K Pro Sniffing Mike French (Oct 14)
- <Possible follow-ups>
- RE: Win2K Pro Sniffing Jim Richards (Oct 15)
- RE: RE: Win2K Pro Sniffing Robert Reid (Oct 15)
- RE: RE: Win2K Pro Sniffing Michael Steele (Oct 15)
- Re: RE: Win2K Pro Sniffing Scot Scot (Oct 17)