RE: Win32 Snort Question

From: Joe-Clifton (JClifton@OfficeDepot.com)
Date: 12/11/01


From: Joe-Clifton <JClifton@OfficeDepot.com>
To: "'Johnson, David'" <DJohnson@IronMountain.com>, 'Stuart Underhill' <stuartunderhill@hotmail.com>, security-basics@securityfocus.com, focus-ids@securityfocus.com
Date: Tue, 11 Dec 2001 09:27:24 -0500

David,

Just as a general statement "you can't run an interface in Windows without
an IP address" is incorrect. I have done this numerous times, especially
with ISS Real Secure, but it wasn't the application that allowed it. You
can simply "unbind" a protocol stack from the interfaces themselves, the
interface is still operational, it just has no IP address nor IP stack
assigned to it.

Joe H. Clifton, II
Security Team Lead
Office Depot
2200 Old Germantown Rd
Delray Beach, FL 33445
e-mail: jclifton@officedepot.com
Office: 561-438-7906
Fax: 561-438-7633
2-way pgr: 877-542-0129

-----Original Message-----
From: Johnson, David [mailto:DJohnson@IronMountain.com]
Sent: Monday, December 10, 2001 12:46 PM
To: 'Stuart Underhill'; security-basics@securityfocus.com;
focus-ids@securityfocus.com
Subject: RE: Win32 Snort Question

You can't run an interface in Windows without an IP address. What I did on
mine was to block all access to the machine at the firewall except for a few
addresses that I regularly use.

I would avoid putting firewall software on the machine as it might block
some traffic from Snort.

A lot of people will put two interfaces into the machine and have the
listening interface connected via a "listen only" cable. Then run the other
interface to your internal (trusted) network.

Otherwise, just make sure you hit the boxes with all the security patches
relating to IIS and you should be fine. I have not had any attempts on my
machine since I blocked incoming traffic at the firewall.

-----Original Message-----
From: Stuart Underhill [mailto:stuartunderhill@hotmail.com]
Sent: Friday, December 07, 2001 1:27 AM
To: security-basics@securityfocus.com; focus-ids@securityfocus.com
Subject: Win32 Snort Question

I am currently building a pair of Win32 Snort (with ACID) machines to
monitor traffic either side of our firewall.

My plan is to make the boxes as standalone as possible which will mean
running IIS on the boxes to allow the ACID analysis tool to run.

Other than standard hardening of W2k, can I run Tiny Personal Firewall or
ZoneAlarm on the boxes without affecting Snort's capabilities? Or my other
thought was to simply cut the TX pairs in the Cat 5 cable so the machine can
effectively only listen but not respond to traffic.

Also when I tried to harden the box removing Client for Microsoft Networks
as well as File and Print Sharing stopped IIS from functioning properly - is
there a way to do this and still allow http://localhost/acid to run?

My thought to a way around this would be to have 2 NICs in the machine -
remove all Client for MS Networks from the sniffing card, and have Client
for Microsoft Networks running on the 2nd card, to enable IIS to function
properly, but not physically connect it to anything - would this be more
secure?

Is there someway that I can run W2k without an IP for the sniffing card - if
I try to set a blank IP windows just moans and won't accept the
configuration.

Thanks for your help

Stuart
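
The "unbind the stack from the sniffing card" approach Joe describes, and the IP-less capture interface Stuart asks about, as an added example that is not part of this thread: on Windows 2000 the same thing was done by unticking the protocols and services in the adapter's Properties dialog; the NetAdapter cmdlets below exist on Windows 8 / Server 2012 and later, and the adapter name "Sniffer" is an assumed placeholder for the capture NIC.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell.
# Strips every protocol and service binding from the capture NIC so it has
# no IP address and no IP stack, but the packet-capture driver can still
# put it into promiscuous mode. "Sniffer" is an assumed adapter name.
$nic = "Sniffer"

# Bindings to remove: IPv4, IPv6, Client for Microsoft Networks, File and
# Printer Sharing, and the link-layer topology discovery components, all of
# which would otherwise transmit on the monitoring segment.
$components = @("ms_tcpip", "ms_tcpip6", "ms_msclient", "ms_server",
                "ms_lltdio", "ms_rspndr")

foreach ($c in $components) {
    $b = Get-NetAdapterBinding -Name $nic -ComponentID $c -ErrorAction SilentlyContinue
    if ($b -and $b.Enabled) {
        Disable-NetAdapterBinding -Name $nic -ComponentID $c
        Write-Host "Disabled $($b.DisplayName) on $nic"
    }
}

# Verify: review what is still bound (ideally only the capture driver such
# as Npcap), and confirm the adapter now has no IP address at all.
Get-NetAdapterBinding -Name $nic | Where-Object Enabled |
    Format-Table DisplayName, ComponentID -AutoSize
$addrs = Get-NetIPAddress -InterfaceAlias $nic -ErrorAction SilentlyContinue
if (-not $addrs) { Write-Host "$nic has no IP address: OK" }
else { Write-Warning "$nic still has an address: $($addrs.IPAddress -join ', ')" }
```

The management NIC on the second card is left untouched, which is the two-interface layout David and Stuart both describe.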
