You can remove all the protocol bindings on the card you use for sniffing. Also, you can run Apache instead of IIS as an added measure of security as IIS has proven to be a bit of an injection vector for all manner of sicknesses...
Chris

> -----Original Message-----
> From: Stuart Underhill [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 07, 2001 3:27 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Win32 Snort Question
>
> I am currently building a pair of Win32 Snort (with ACID) machines to
> monitor traffic either side of our firewall.
>
> My plan is to make the boxes as standalone as possible which will mean
> running IIS on the boxes to allow the ACID analysis tool to run.
>
> Other than standard hardening of W2k, can I run Tiny Personal Firewall or
> ZoneAlarm on the boxes without affecting Snort's capabilities? Or my other
> thought was to simply cut the TX pairs in the Cat 5 cable so the machine can
> effectively only listen but not respond to traffic.
>
> Also when I tried to harden the box removing Client for Microsoft Networks
> as well as File and Print Sharing stopped IIS from functioning properly - is
> there a way to do this and still allow http://localhost/acid to run?
>
> My thought to a way around this would be to have 2 NICs in the machine -
> remove all Client for MS Networks from the sniffing card, and have Client
> for Microsoft Networks running on the 2nd card, to enable IIS to function
> properly, but not physically connect it to anything - would this be more
> secure?
>
> Is there some way that I can run W2k without an IP for the sniffing card - if
> I try to set a blank IP windows just moans and won't accept the
> configuration.
>
> Thanks for your help
>
> Stuart
