Yes, you're completely wrong :)

Basically the gig is that snort doesn't use the tcp/ip stack at all.
You tap into the packet driver and see it at a raw level and leverage
the fact that snort (or windump, ethereal, etc) can read the adapter and
deal with it that way.

Think of it this way: the pcap shim you install listens to the digital
signals on the (promiscuous mode) card, and snort listens to pcap.  It's
nice that way since you don't have to worry about protocols, so all the
signals come through and you can see IP, IPX, etc. la la la...

hth,
chris
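To make chris's point concrete, here is an added example (not code from this thread or from Snort): a minimal decoder run over hand-constructed Ethernet frames, showing what a link-layer sniffer reading through pcap/WinPcap has to handle on its own because nothing above the adapter has parsed it. The decoder assumes the standard EtherType values and the Novell "raw 802.3" IPX framing (a length field followed by the 0xFFFF IPX checksum); the MAC addresses, IP addresses and frame bytes are constructed for the example.

```python
"""Minimal link-layer frame decoder (added illustration, not thread code).

A pcap-level sniffer sees the Ethernet frame, not an IP datagram handed up by
the host stack, so it gets every protocol on the wire whether or not the OS
has that protocol bound to the card.  The sample frames are constructed.
"""
import struct
from dataclasses import dataclass

# Assumed standard EtherType values (IEEE registry).
ETHERTYPE_NAMES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x8137: "IPX (Ethernet II)",
    0x86DD: "IPv6",
}


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    proto: str
    detail: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> Frame:
    """Classify one raw frame by its EtherType / 802.3 length field."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if type_or_len <= 1500:
        # Values <= 1500 are an IEEE 802.3 length, not an EtherType.  Novell
        # "raw 802.3" IPX starts its payload with the 0xFFFF IPX checksum.
        if payload[:2] == b"\xff\xff":
            proto, detail = "IPX (raw 802.3)", f"802.3 length={type_or_len}"
        else:
            proto, detail = "802.3/LLC", f"length={type_or_len}"
    elif type_or_len == 0x0800 and len(payload) >= 20:
        ttl, ipproto = payload[8], payload[9]
        s = ".".join(str(b) for b in payload[12:16])
        d = ".".join(str(b) for b in payload[16:20])
        proto, detail = "IPv4", f"{s} -> {d} proto={ipproto} ttl={ttl}"
    else:
        proto = ETHERTYPE_NAMES.get(type_or_len, f"ethertype 0x{type_or_len:04x}")
        detail = f"{len(payload)} payload bytes"
    return Frame(mac_str(dst), mac_str(src), proto, detail)


def summarize(frames) -> dict:
    """Count frames per protocol, the way a sniffer's statistics would."""
    counts = {}
    for f in frames:
        proto = decode_frame(f).proto
        counts[proto] = counts.get(proto, 0) + 1
    return counts


def eth(dst_hex: str, src_hex: str, type_or_len: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet frame for the example."""
    return (bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
            + struct.pack("!H", type_or_len) + payload)


# Constructed sample frames (addresses are made up for the example).
DST, SRC = "001122334455", "66778899aabb"
IPV4_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
IPV4_FRAME = eth(DST, SRC, 0x0800, IPV4_HDR)
ARP_FRAME = eth(DST, SRC, 0x0806, b"\x00" * 28)
IPX_RAW_FRAME = eth(DST, SRC, 30, b"\xff\xff" + b"\x00" * 28)
IPX_ETH2_FRAME = eth(DST, SRC, 0x8137, b"\xff\xff" + b"\x00" * 28)
SAMPLE_FRAMES = [IPV4_FRAME, ARP_FRAME, IPX_RAW_FRAME, IPX_ETH2_FRAME]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        f = decode_frame(raw)
        print(f"{f.src_mac} -> {f.dst_mac}  {f.proto:18} {f.detail}")
    print(summarize(SAMPLE_FRAMES))
```

With a real capture library (WinPcap/libpcap bindings) the same `decode_frame` would be fed each frame the adapter delivers; the IPX frames in the sample are exactly the kind of traffic a host with only TCP/IP bound would never see through its own stack but a promiscuous-mode sniffer reports anyway.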

> -----Original Message-----
> From: Johnson, David [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 12:12 PM
> To: 'Joe-Clifton'; 'Stuart Underhill';
> [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Win32 Snort Question
> 
> 
> Wouldn't unbinding the protocol stack essentially render the interface
> useless though?  In this case, you shouldn't be able to "see" any packets
> flow across the interface.  Or am I completely wrong here?
> 
> -----Original Message-----
> From: Joe-Clifton [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 6:27 AM
> To: Johnson, David; 'Stuart Underhill';
> [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Win32 Snort Question
> 
> 
> David,
> 
> Just as a general statement "you can't run an interface in Windows without
> an IP address" is incorrect.  I have done this numerous times, especially
> with ISS Real Secure, but it wasn't the application that allowed it.  You
> can simply "unbind" a protocol stack from the interfaces themselves; the
> interface is still operational, it just has no IP address nor IP stack
> assigned to it.
> 
> 
> Joe H. Clifton, II
> Security Team Lead
> Office Depot
> 2200 Old Germantown Rd
> Delray Beach, FL 33445
> e-mail: [EMAIL PROTECTED]
> Office:  561-438-7906
> Fax:     561-438-7633
> 2-way pgr: 877-542-0129
> 
>  -----Original Message-----
> From:         Johnson, David [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, December 10, 2001 12:46 PM
> To:   'Stuart Underhill'; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject:      RE: Win32 Snort Question
> 
> You can't run an interface in Windows without an IP address.  What I did on
> mine was to block all access to the machine at the firewall except for a few
> addresses that I regularly use.
> 
> I would avoid putting firewall software on the machine as it might block
> some traffic from Snort.
> 
> A lot of people will put two interfaces into the machine and have the
> listening interface connected via a "listen only" cable.  Then run the other
> interface to your internal (trusted) network.
> 
> Otherwise, just make sure you hit the boxes with all the security patches
> relating to IIS and you should be fine.  I have not had any attempts on my
> machine since I blocked incoming traffic at the firewall.
> 
> -----Original Message-----
> From: Stuart Underhill [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 07, 2001 1:27 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Win32 Snort Question
> 
> 
> I am currently building a pair of Win32 Snort (with ACID) machines to
> monitor traffic either side of our firewall.
> 
> My plan is to make the boxes as standalone as possible which will mean
> running IIS on the boxes to allow the ACID analysis tool to run.
> 
> Other than standard hardening of W2k, can I run Tiny Personal Firewall or
> ZoneAlarm on the boxes without affecting Snort's capabilities?  Or my other
> thought was to simply cut the TX pairs in the Cat 5 cable so the machine can
> effectively only listen but not respond to traffic.
> 
> Also when I tried to harden the box, removing Client for Microsoft Networks
> as well as File and Print Sharing stopped IIS from functioning properly - is
> there a way to do this and still allow http://localhost/acid to run?
> 
> My thought to a way around this would be to have 2 NICs in the machine -
> remove all Client for MS Networks from the sniffing card, and have Client
> for Microsoft Networks running on the 2nd card, to enable IIS to function
> properly, but not physically connect it to anything - would this be more
> secure?
> 
> Is there some way that I can run W2k without an IP for the sniffing card - if
> I try to set a blank IP windows just moans and won't accept the
> configuration.
> 
> 
> Thanks for your help
> 
> 
> Stuart
> 
> _________________________________________________________________
> Get your FREE download of MSN Explorer at
> http://explorer.msn.com/intl.asp
