Snort - the de facto standard for intrusion detection/prevention


3.1 How do I set up snort on a 'stealth' interface?

A stealth interface is brought up without an IP address bound to it, so it can capture traffic while not being addressable on the network itself. In *BSD and Linux:

ifconfig eth1 up

Solaris:

ifconfig eth1 plumb
ifconfig eth1 up

For NT/W2K/XP users, try the following:

NOTE: You are at your own risk if you follow these instructions. Editing your registry is DANGEROUS and should be done with extreme caution. Follow these steps at your OWN risk.

  1. Get your device's hex value. ('snort -W' works for this)
  2. Open Regedt32.
  3. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
  4. Select the network card you wish to set up as the monitoring interface (this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value).
  5. Set IPAddress:REG_MULTI_SZ: to null (double click on the string, delete the data in the Multi-String Editor, then click OK).
  6. Set SubnetMask:REG_MULTI_SZ: to null (double click on the string, delete the data in the Multi-String Editor, then click OK).
  7. Set DefaultGateway:REG_MULTI_SZ: to null (double click on the string, delete the data in the Multi-String Editor, then click OK).
  8. Close the Registry Editor; your changes will be saved automatically.
  9. In a command prompt, run 'ipconfig' to verify the interface does not have an IP bound to it.

If you do not receive an IP address listing for the interface you modified, you are good to go. To run snort on the specified interface, use the -i flag, such as 'snort -v -d -p -i1'.
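The following script is an added example and is not part of the Snort FAQ. It wraps the *BSD/Linux/Solaris bring-up commands above in a function and adds the same "is anything bound to it?" verification that step 9 performs with 'ipconfig' on Windows, here by parsing ifconfig-style output. The interface names and the ifconfig output embedded in SAMPLE are constructed for illustration; the parser accepts both the older Linux 'inet addr:' form and the BSD/newer 'inet' form.

```shell
#!/bin/sh
# Added example, not from the Snort FAQ. Brings up a capture interface with
# no layer-3 address and verifies that no IPv4 address is bound to it.

# Count the IPv4 "inet" lines that belong to interface $2 in the
# ifconfig-style output passed as $1. A stanza starts at any line that
# begins in column 1 (e.g. "eth1:" or "eth1      Link encap:Ethernet").
count_inet() {
  out=$1; iface=$2
  printf '%s\n' "$out" | awk -v want="$iface" '
    /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # new interface stanza
    cur == want && $1 == "inet" { n++ }          # "inet 10.0.0.5" or "inet addr:10.0.0.5"
    END { print n + 0 }'
}

# Succeed only if interface $2 has no IPv4 address in output $1.
is_stealth() {
  [ "$(count_inet "$1" "$2")" -eq 0 ]
}

# Bring an interface up without assigning an address. Solaris needs the
# interface plumbed first; *BSD and Linux just need it up.
stealth_up() {
  iface=$1
  case "$(uname -s)" in
    SunOS) ifconfig "$iface" plumb && ifconfig "$iface" up ;;
    *)     ifconfig "$iface" up ;;
  esac
}

# Constructed sample output: eth0 is the management interface with an
# address, eth1 is up (RUNNING) but carries only a MAC address.
SAMPLE='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
        ether 00:11:22:33:44:aa  txqueuelen 1000  (Ethernet)
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:11:22:33:44:bb  txqueuelen 1000  (Ethernet)'

# Stand-alone use: "sh stealth.sh eth1" brings eth1 up and checks the live
# ifconfig output; with no argument it only exercises the sample above.
if [ $# -ge 1 ]; then
  stealth_up "$1"
  if is_stealth "$(ifconfig -a)" "$1"; then
    echo "$1 is up with no IPv4 address bound; safe to run snort -i $1"
  else
    echo "$1 still has an IPv4 address bound" >&2
    exit 1
  fi
else
  is_stealth "$SAMPLE" eth1 && echo "sample: eth1 has no IPv4 address"
fi
```

The same check, run against 'ifconfig -a' on the sensor, is what you want to see before starting snort: the interface is up (so libpcap can open it) but has nothing at layer 3 that an attacker could address.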


Nigel Houghton 2006-10-02