> See inline comments.

-----Original Message-----
From: Stuart Underhill [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 2:34 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Win32 Snort Question

Thanks for your help.

<SNIP> IP-less info for Win2k/NT </SNIP>

I have tried searching for information on how to make or where to buy "listen-only" RJ45 leads - but without success. Does anybody have any information on these leads?

> These listen only cables can be made by removing the copper pair of an RJ45 cable
> responsible for sending data over the wire. This is pin 1 and 2 (orange and white/orange).

Thanks

Stuart Underhill

>From: "Johnson, David" <[EMAIL PROTECTED]>
>To: 'Stuart Underhill' <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED], [EMAIL PROTECTED]
>Subject: RE: Win32 Snort Question
>Date: Mon, 10 Dec 2001 12:46:05 -0500
>
>You can't run an interface in Windows without an IP address. What I did on
>mine was to block all access to the machine at the firewall except for a few
>addresses that I regularly use.
>
>I would avoid putting firewall software on the machine as it might block
>some traffic from Snort.
>
>A lot of people will put two interfaces into the machine and have the
>listening interface connected via a "listen only" cable. Then run the other
>interface to your internal (trusted) network.
>
>Otherwise, just make sure you hit the boxes with all the security patches
>relating to IIS and you should be fine. I have not had any attempts on my
>machine since I blocked incoming traffic at the firewall.
>
>-----Original Message-----
>From: Stuart Underhill [mailto:[EMAIL PROTECTED]]
>Sent: Friday, December 07, 2001 1:27 AM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Win32 Snort Question
>
>
>I am currently building a pair of Win32 Snort (with ACID) machines to
>monitor traffic either side of our firewall.
>
>My plan is to make the boxes as standalone as possible which will mean
>running IIS on the boxes to allow the ACID analysis tool to run.
>
>Other than standard hardening of W2k, can I run Tiny Personal Firewall or
>ZoneAlarm on the boxes without affecting Snort's capabilities? Or my other
>thought was to simply cut the TX pairs in the Cat 5 cable so the machine can
>effectively only listen but not respond to traffic.
>
>
>Also when I tried to harden the box removing Client for Microsoft Networks
>as well as File and Print Sharing stopped IIS from functioning properly - is
>there a way to do this and still allow http://localhost/acid to run?
>
>My thought to a way around this would be to have 2 NICs in the machine -
>remove all Client for MS Networks from the sniffing card, and have Client
>for Microsoft Networks running on the 2nd card, to enable IIS to function
>properly, but not physically connect it to anything - would this be more
>secure?
>
>Is there some way that I can run W2k without an IP for the sniffing card - if
>I try to set a blank IP windows just moans and won't accept the
>configuration.
>
>
>Thanks for your help
>
>
>Stuart
>
>_________________________________________________________________
>Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp