RE: Win32 Snort Question

From: Stuart Underhill (stuartunderhill@hotmail.com)
Date: 12/11/01


From: "Stuart Underhill" <stuartunderhill@hotmail.com>
To: DJohnson@IronMountain.com, security-basics@securityfocus.com
Date: Tue, 11 Dec 2001 10:33:59 +0000

Thanks for your help.

However, since my original posting, I have discovered that W2k (perhaps NT
as well - yet to test) can be run without an IP address.

The IP appears in the registry twice, in separate areas. By setting the IP
to something easy to find (eg 1.2.3.4) and then searching the registry twice
for 1.2.3.4, you can then either clear the contents of the key or set it to
0.0.0.0 (you can delete the subnet, etc. from here as well).

When running IPconfig the information displayed shows no IP address
allocated for that network card. Snort continues to run without issue.

If you try to use the network control panel Windows will complain that no IP
address is set, so the process will have to be repeated if another change is
made.

I have tried searching for information on how to make or where to buy
"listen-only" RJ45 leads - but without success. Does anybody have any
information on these leads??

Thanks

Stuart Underhill
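One check worth doing on a sensor built this way, added here as an example and not part of the original thread: with a second host capturing on the same segment, confirm that no frame ever carries the sniffing NIC's MAC address as its source. An ARP reply or a NetBIOS-style broadcast from the sensor means the interface is not listen-only after all, whatever IPconfig says. The Python script below is my own, not anything from the exchange above; it decodes raw Ethernet/ARP/IPv4 frames and reports any transmitted by the sensor. The MAC addresses (00:00:5e:00:53:xx), the 192.0.2.0/24 addresses and the frames themselves are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class FrameSummary:
    src_mac: str
    dst_mac: str
    proto: str             # "arp-request", "arp-reply", "tcp", "udp", ...
    src_ip: Optional[str]  # sender/source IP when the frame carries one


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> FrameSummary:
    """Decode the Ethernet header plus enough of ARP/IPv4 to attribute the frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_ARP and len(payload) >= 28:
        opcode = struct.unpack("!H", payload[6:8])[0]
        kind = "arp-request" if opcode == 1 else "arp-reply"
        return FrameSummary(src, dst, kind, ip_str(payload[14:18]))  # sender IP
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        proto = IP_PROTO_NAMES.get(payload[9], f"ip-proto-{payload[9]}")
        return FrameSummary(src, dst, proto, ip_str(payload[12:16]))  # source IP
    return FrameSummary(src, dst, f"ethertype-0x{ethertype:04x}", None)


def audit_sensor_silence(frames: Iterable[bytes], sensor_macs: Iterable[str]) -> List[FrameSummary]:
    """Return every frame whose source MAC belongs to the sensor; a silent sensor yields []."""
    sensor = {m.lower() for m in sensor_macs}
    return [s for s in (parse_frame(f) for f in frames) if s.src_mac in sensor]


# --- constructed sample traffic (documentation MAC/IP ranges, not real hosts) ---
SENSOR_MAC = bytes.fromhex("00005e005301")
WORKSTATION_MAC = bytes.fromhex("00005e005302")
BROADCAST_MAC = b"\xff" * 6


def build_arp(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    hdr = dst_mac + src_mac + struct.pack("!H", ETH_ARP)
    body = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    return hdr + body + sender_mac + sender_ip + target_mac + target_ip


def build_ipv4(src_mac, dst_mac, proto, src_ip, dst_ip, payload=b""):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip_hdr + payload


def sample_capture() -> List[bytes]:
    ws_ip, sensor_ip, bcast_ip = bytes([192, 0, 2, 20]), bytes([192, 0, 2, 10]), bytes([192, 0, 2, 255])
    return [
        # 1. workstation asks who has the sensor's former address: harmless, sensor is not the source
        build_arp(WORKSTATION_MAC, BROADCAST_MAC, 1, WORKSTATION_MAC, ws_ip, b"\0" * 6, sensor_ip),
        # 2. sensor answers the ARP request: the sniffing NIC is not silent
        build_arp(SENSOR_MAC, WORKSTATION_MAC, 2, SENSOR_MAC, sensor_ip, WORKSTATION_MAC, ws_ip),
        # 3. sensor sends a UDP broadcast (NetBIOS name service style, port 137): also a leak
        build_ipv4(SENSOR_MAC, BROADCAST_MAC, 17, sensor_ip, bcast_ip, struct.pack("!HHHH", 137, 137, 8, 0)),
        # 4. ordinary TCP frame from the workstation: harmless
        build_ipv4(WORKSTATION_MAC, SENSOR_MAC, 6, ws_ip, sensor_ip, b"\0" * 20),
    ]


if __name__ == "__main__":
    leaks = audit_sensor_silence(sample_capture(), [mac_str(SENSOR_MAC)])
    if not leaks:
        print("sensor interface stayed silent")
    for leak in leaks:
        print(f"sensor transmitted: {leak.proto} from {leak.src_ip} ({leak.src_mac} -> {leak.dst_mac})")
```

In a real check the frame list comes from a capture taken by the second host over a few minutes of normal operation (long enough for any periodic name registrations or DHCP traffic to appear); the audit logic is the same. A cut TX pair stops the frames physically, but the registry approach above only stops IP, so the audit is the way to find out whether anything else on the stack is still talking.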

>From: "Johnson, David" <DJohnson@IronMountain.com>
>To: 'Stuart Underhill' <stuartunderhill@hotmail.com>,
>security-basics@securityfocus.com, focus-ids@securityfocus.com
>Subject: RE: Win32 Snort Question
>Date: Mon, 10 Dec 2001 12:46:05 -0500
>
>You can't run an interface in Windows without an IP address. What I did on
>mine was to block all access to the machine at the firewall except for a few
>addresses that I regularly use.
>
>I would avoid putting firewall software on the machine as it might block
>some traffic from Snort.
>
>A lot of people will put two interfaces into the machine and have the
>listening interface connected via a "listen only" cable. Then run the other
>interface to your internal (trusted) network.
>
>Otherwise, just make sure you hit the boxes with all the security patches
>relating to IIS and you should be fine. I have not had any attempts on my
>machine since I blocked incoming traffic at the firewall.
>
>-----Original Message-----
>From: Stuart Underhill [mailto:stuartunderhill@hotmail.com]
>Sent: Friday, December 07, 2001 1:27 AM
>To: security-basics@securityfocus.com; focus-ids@securityfocus.com
>Subject: Win32 Snort Question
>
>
>I am currently building a pair of Win32 Snort (with ACID) machines to
>monitor traffic either side of our firewall.
>
>My plan is to make the boxes as standalone as possible which will mean
>running IIS on the boxes to allow the ACID analysis tool to run.
>
>Other than standard hardening of W2k, can I run Tiny Personal Firewall or
>ZoneAlarm on the boxes without affecting Snort's capabilities? Or my other
>thought was to simply cut the TX pairs in the Cat 5 cable so the machine can
>effectively only listen but not respond to traffic.
>
>
>Also, when I tried to harden the box, removing Client for Microsoft Networks
>as well as File and Print Sharing stopped IIS from functioning properly - is
>there a way to do this and still allow http://localhost/acid to run?
>
>My thought to a way around this would be to have 2 NICs in the machine -
>remove all Client for MS Networks from the sniffing card, and have Client
>for Microsoft Networks running on the 2nd card, to enable IIS to function
>properly, but not physically connect it to anything - would this be more
>secure?
>
>Is there some way that I can run W2k without an IP for the sniffing card? If
>I try to set a blank IP, Windows just moans and won't accept the
>configuration.
>
>
>Thanks for your help
>
>
>Stuart
>
>_________________________________________________________________
>Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
