Snort mailing list archives

RE: Win32 Port of Snort


From: "Michael Steele" <michaels () silicondefense com>
Date: Mon, 20 May 2002 18:39:28 -0700

Michael,

I am currently looking at the code and getting ready to incorporate it
into the 1.87bxxx version of Snort. Hopefully I'll have a release
version ready very soon. You can leave me an email if you are interested
in trying it out before I release it.

As far as the INSTSRV file from Microsoft; it has been working
flawlessly here. I know some users are having problems and that may be
related to other factors that our machine has not been made visible to.
Our Windows box is ONLY a sensor and we run nothing else. It has also
been extensively hardened, which may be another reason why it has
virtually no problems in our test environment. I am looking forward to
getting a built-in way to run Snort as a service.

In response to item 2, this is the way we do it here for promiscuous
mode.

Do a Snort -W and get the number and ID of the interface that you want
to run with no IP.

Start the registry editor (Regedit).

Move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Select the required interface using the ID that you got using the -W
switch.

Note: there are two keys for each interface, so be sure to place the
IPAutoconfigurationEnabled value into the proper registry setting. It
will have an actual IP address in one of the settings.

From the Edit menu select New - DWORD value.

Enter the name IPAutoconfigurationEnabled and press Enter.

Double click the new value and set it to 0. Click OK.

Set EnableDHCP to 0 and click OK.

Close the registry editor.

You may need to reboot. If you do an IPCONFIG it should show an IP
Address of 0.0.0.0.

If you do a Snort -v -ix (x is the number of the interface that you set
for promiscuous mode) you should see all kinds of traffic on that
interface.

Let us know how it works. Also try to uncheck the TCP/IP setting for
that card and see if that works. I'm not at my machine to check it out.
That would be easier, but if I remember right, I had a problem doing it
that way.

Michael Steele | Support Technician     
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org
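The registry procedure in the message above, as an added PowerShell script
that is not part of the original thread or of Snort. It assumes a current
Windows build with PowerShell 3 or later (the thread is about Windows 2000
and Regedit, but the key and value names are the same), that it is run from
an elevated prompt, and that the GUID passed in is the interface ID that
snort -W reports for the sensor NIC; the GUID shown in the call at the
bottom is a placeholder, and the Get-NetAdapter lookup is a convenience for
finding the real one on newer Windows, not something from the thread.

```powershell
# Added example, not from the thread or from Snort: disable DHCP and APIPA
# on one interface by setting the same Tcpip\Parameters\Interfaces values
# the message above sets by hand in Regedit, then show the result so the
# change can be verified before rebooting. Run from an elevated prompt.

function Set-SensorInterfaceNoIp {
    param(
        # Interface GUID as reported by "snort -W" (or Get-NetAdapter).
        [Parameter(Mandatory = $true)]
        [string]$InterfaceGuid
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    $key  = Join-Path $base $InterfaceGuid

    if (-not (Test-Path -LiteralPath $key)) {
        throw "No TCP/IP interface key for $InterfaceGuid under $base"
    }

    # Show the current state first. The message above notes there can be
    # more than one key per adapter; the live one carries a real IPAddress
    # or DhcpIPAddress, which is how you confirm you have the right key.
    Get-ItemProperty -LiteralPath $key |
        Select-Object EnableDHCP, IPAutoconfigurationEnabled, IPAddress, DhcpIPAddress |
        Format-List | Out-Host

    # IPAutoconfigurationEnabled usually does not exist yet, so create it
    # as a DWORD (-Force overwrites it if it is already there). This is the
    # "New - DWORD value" step from the message.
    New-ItemProperty -LiteralPath $key -Name 'IPAutoconfigurationEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null

    # EnableDHCP normally exists already; setting it keeps its DWORD type.
    Set-ItemProperty -LiteralPath $key -Name 'EnableDHCP' -Value 0

    # Return the values as written so the caller can check them.
    $after = Get-ItemProperty -LiteralPath $key
    [PSCustomObject]@{
        InterfaceGuid              = $InterfaceGuid
        EnableDHCP                 = $after.EnableDHCP
        IPAutoconfigurationEnabled = $after.IPAutoconfigurationEnabled
    }
}

# On a current Windows build, map adapter names to the GUID used as the
# registry key name (the same ID the message says to take from snort -W).
Get-NetAdapter | Select-Object Name, InterfaceDescription, InterfaceGuid

# Placeholder GUID: replace with the sensor NIC's GUID from the list above.
# Afterwards restart the adapter or reboot; "ipconfig" should then show
# 0.0.0.0 for that interface.
Set-SensorInterfaceNoIp -InterfaceGuid '{00000000-0000-0000-0000-000000000000}'
```

Two practical caveats. A 0.0.0.0 address leaves TCP/IP bound to the
adapter; on Windows 8 / Server 2012 and later the scripted form of the
"un-check TCP/IP" suggestion in Keith's reply below is
Disable-NetAdapterBinding -Name <adapter> -ComponentID ms_tcpip, which
removes the stack from the interface entirely and is the stronger way to
make a sniffing NIC unaddressable. On those builds also unbind ms_tcpip6,
or the adapter keeps a link-local IPv6 address even with IPv4 turned off.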



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of McCammon, Keith
Sent: May 20, 2002 1:26 PM
To: Michael J Worden; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Win32 Port of Snort

Not sure about 1, but as far as 2 is concerned, just deactivate
(un-check) TCP/IP on your monitoring interface within the network
connection properties. 

-----Original Message-----
From: Michael J Worden [mailto:mjworden () raytheon com]
Sent: Monday, May 20, 2002 4:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Win32 Port of Snort

I'm in the process of comparing the functionality of Snort for Win32 (on
Windows 2000) with the versions I've been running on Linux for some
time. I'm finding Snort on Win32 almost usable with a few exceptions
(of course, I'm just getting started...):

My two big questions are:

1)  Is the ability to run as a service lost in the current version?  In
the FAQ, this has been added as of snort-1.6.3-patch2.  But the '-I'
switch is now allocated to a different function.  (Yes, I know about
the 'srvany.exe' option.  I've not had great experiences with srvany,
and would like to avoid it).

2)  Is there an option to forgo the IP address on a Windows 2000
interface?  I'd like to avoid having my promiscuous mode adapter being
addressable.


Thanks in advance...

--
Michael Worden

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users