Snort mailing list archives
RE: Win32 Port of Snort
From: "Michael Steele" <michaels () silicondefense com>
Date: Mon, 20 May 2002 18:39:28 -0700
Michael,

I am currently looking at the code and getting ready to incorporate it into the 1.87bxxx version of Snort. Hopefully I'll have a release version ready very soon. You can leave me an email if you are interested in trying it out before I release it.

As far as the INSTSRV file from Microsoft; it has been working flawlessly here. I know some users are having problems and that may be related to other factors that our machine has not been made visible to. Our Windows box is ONLY a sensor and we run nothing else. It has also been extensively hardened, which may be another reason why it has virtually no problems in our test environment. I am looking forward to getting a built-in way to run Snort as a service.

In response to item 2; this is the way we do it here for promiscuous mode.

Do a Snort -W and get the number and ID of the interface that you want to run with no IP.
Start the registry editor (Regedit)
Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Select the required interface using the ID that you got using the -W switch

Note: there are two keys for each interface, be sure to place the IPAutoconfigurationEnabled into the proper registry setting. It will have an actual IP address in one of the settings.

From the Edit menu select New - DWORD value
Enter the name IPAutoconfigurationEnabled and press Enter
Double click the new value and set to 0. Click OK
Set EnableDHCP to 0, click OK
Close the registry editor
May need to reboot?

If you do an IPCONFIG it should show an IP Address of 0.0.0.0

If you do a Snort -v -ix (x is the number of the interface that you set for promiscuous mode) you should see all kinds of traffic on that interface.

Let us know how it works. Also try to uncheck the TCP/IP setting for that card and see if that works. I'm not at my machine to check it out. That would be easier but if I remember right, I had a problem doing it that way.

Michael Steele | Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of McCammon, Keith
Sent: May 20, 2002 1:26 PM
To: Michael J Worden; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Win32 Port of Snort

Not sure about 1, but as far as 2 is concerned, just deactivate (un-check) TCP/IP on your monitoring interface within the network connection properties.

-----Original Message-----
From: Michael J Worden [mailto:mjworden () raytheon com]
Sent: Monday, May 20, 2002 4:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Win32 Port of Snort

I'm in the process of comparing the functionality of Snort for Win32 (on Windows 2000) with the versions I've been running on Linux for some time. I'm finding Snort on Win32 almost useable with a few exceptions (of course, I'm just getting started...):

My two big questions are:

1) Is the ability to run as a service lost in the current version? In the faq, this has been added as of snort-1.6.3-patch2. But the '-I' switch is now allocated to a different function. (Yes, I know about the 'srvany.exe' option. I've not had great experiences with srvany, and would like to avoid it).

2) Is there an option to forego the IP address on a Windows 2000 interface? I'd like to avoid having my promiscuous mode adapter being addressable.

Thanks in advance...

--
Michael Worden

_______________________________________________________________
Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
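
The registry steps described in the message above, as an added PowerShell example that is not part of the original thread or of Snort. It assumes a Windows host with PowerShell, an elevated prompt, and that the ID reported by Snort -W is the GUID that names the interface's registry subkey; the GUID shown is a placeholder.

```powershell
# Added example: apply the two registry values from the procedure to ONE interface,
# then read them back. Not code from the thread; run elevated.
param(
    # Placeholder, not a real interface ID. Assumed to be the GUID taken from "Snort -W".
    [string]$InterfaceId = '{00000000-0000-0000-0000-000000000000}'
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$key  = Join-Path $base $InterfaceId

if (-not (Test-Path -LiteralPath $key)) {
    # List the subkeys that do exist so the right one is chosen rather than guessed.
    Get-ChildItem -LiteralPath $base | ForEach-Object { $_.PSChildName }
    throw "No interface key $InterfaceId under $base"
}

# Show current addressing first, so the change lands on the monitoring adapter
# and not on the management interface.
$before = Get-ItemProperty -LiteralPath $key
$fmt = 'Before: EnableDHCP={0} IPAutoconfigurationEnabled={1} IPAddress={2} DhcpIPAddress={3}'
$fmt -f $before.EnableDHCP, $before.IPAutoconfigurationEnabled,
        ($before.IPAddress -join ','), $before.DhcpIPAddress

# The two DWORD values named in the procedure, both set to 0.
# -Force creates the value if missing and overwrites it if present.
$names = 'IPAutoconfigurationEnabled', 'EnableDHCP'
foreach ($name in $names) {
    New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord -Value 0 -Force |
        Out-Null
}

# Read back and fail loudly if either value did not take.
$after = Get-ItemProperty -LiteralPath $key
foreach ($name in $names) {
    if ($after.$name -ne 0) {
        throw "$name is $($after.$name), expected 0"
    }
}
'After: both values are 0. A reboot may be needed; then confirm with ipconfig.'
```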
Current thread:
- Win32 Port of Snort Michael J Worden (May 20)
- <Possible follow-ups>
- RE: Win32 Port of Snort McCammon, Keith (May 20)
- Re: Win32 Port of Snort Chris Reid (May 20)
- RE: Win32 Port of Snort Michael Steele (May 20)