Snort mailing list archives

Trouble getting started


From: "Peter Youll" <petery () ambri com au>
Date: Tue, 1 Oct 2002 13:26:45 +1000

Dear snort users

I am new to snort, and so far am not having much success - can't even
get windump to work on the required device. I am trying to use a Win2K
server system, which is dedicated to network functionality tasks (RAS,
dns, firewall management etc) with 2 NICs installed - a 100 Mbps for
normal network traffic and a 10 Mbps for snort. The latter will be
connected to a port on the network core switch which mirrors traffic on
the port connected to the firewall. For testing purposes it is connected
to a fairly busy hub.

To enumerate the NICs in the server, I run snort -W with results as
follows...
________________________________
D:\snort>snort -W

-*> Snort! <*-
Version 1.8.7-WIN32 (Build 121)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
1.8-WIN32 Compiled By Michael Steele (michaels () silicondefense com,
www.silicondefense.com)
          (based on code from 1.7 port)

Interface       Device          Description
-------------------------------------------
1  \Device\Packet_{51BC396F-9CC4-4D79-BB71-0C8F51D6D8D5} (Unknown)
2 \Device\Packet_{882F1156-FCDE-429C-B47B-11991AFDD62C} (Unknown)
3 \Device\Packet_NdisWanIp (Unknown)

D:\snort>
_____________________________________

Question 1 - why are the devices (Unknown)? When I run snort on my Win2K
Pro workstation it responds with the NIC type, as follows...
________________________________________________

Interface       Device          Description
-------------------------------------------
1  \Device\Packet_{43C8B349-34E5-4EBE-AEC7-2D9DE3B46F21} (Novell 2000
Adapter.)
2 \Device\Packet_NdisWanIp (NdisWan Adapter)
________________________________________________

Running windump selecting device 1 works, but from the GUID it appears
to be listening on device 2.
________________________________________________
D:\SnortInstallers>windump -i 1
windump: listening
on\Device\Packet_{882F1156-FCDE-429C-B47B-11991AFDD62C}
.
Lots of stuff removed.
.
972 packets received by filter
0 packets dropped by kernel
________________________________________________

Running windump selecting device 2 doesn't hear any traffic, probably
because there is none to be heard on the NDIS device.
________________________________________________

D:\SnortInstallers>

D:\SnortInstallers>windump -i 2
windump: listening on\Device\Packet_NdisWanIp
windump: WARNING: The operation completed successfully.


0 packets received by filter
0 packets dropped by kernel

D:\SnortInstallers>
_____________________________________________________
Running windump on device 3 brings up a GUID not previously seen, and no
traffic is heard.
_____________________________________________________

D:\SnortInstallers>windump -i 3
windump: listening
on\Device\Packet_NdisWanNbfIn{971C9CDB-07A3-42A4-9E82-4192A3E3D33F
windump: WARNING: The operation completed successfully.


0 packets received by filter
0 packets dropped by kernel

D:\SnortInstallers>
______________________________________________________

Any clues on what is going wrong would be much appreciated.

Thanks in advance.

PeterY

 ____________________________________________
                       Eschew obfuscation!
  

Peter Youll 
Director IT & Communication
Ambri Limited 
Level 3, 126 Greville Street 
Chatswood NSW 2067 
Australia 
Telephone: +61 2 94223092
Fax: +61 2 94223199
Mobile: +61 4 12803058
Email: petery () ambri com
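
As an added example, not part of Peter's post or of the snort/windump projects: a small Python check that parses the `snort -W` interface table and the `windump -i N` banner shown above and reports whether the index handed to `-i` actually opened the device the table lists under that index, and whether that entry's description is `(Unknown)`. The sample text is constructed from the post's own output, re-joined where the mail client wrapped it; a sensor that silently opens the wrong NIC captures nothing from the mirror port, so this is worth verifying before trusting any alert output.

```python
import re

# Constructed sample: the `snort -W` table and the `windump -i 1` banner
# from the post, with the wrapped "listening\non..." line re-joined.
SNORT_W_OUTPUT = """\
Interface       Device          Description
-------------------------------------------
1  \\Device\\Packet_{51BC396F-9CC4-4D79-BB71-0C8F51D6D8D5} (Unknown)
2 \\Device\\Packet_{882F1156-FCDE-429C-B47B-11991AFDD62C} (Unknown)
3 \\Device\\Packet_NdisWanIp (Unknown)
"""
WINDUMP_BANNER = (
    "windump: listening on"
    "\\Device\\Packet_{882F1156-FCDE-429C-B47B-11991AFDD62C}"
)

# One table row: index, \Device\... name, then the parenthesised description.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\\Device\\\S+)\s+\((.*)\)\s*$")
# The device windump reports it actually opened.
LISTEN_RE = re.compile(r"listening\s*on\s*(\\Device\\\S+)")


def parse_snort_w(text):
    """Return {index: (device_name, description)} from `snort -W` output."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            table[int(m.group(1))] = (m.group(2), m.group(3))
    return table


def check_selection(table, requested_index, banner):
    """Compare the index given to `windump -i` with the device it opened."""
    m = LISTEN_RE.search(banner)
    actual = m.group(1) if m else None
    expected, desc = table.get(requested_index, (None, None))
    # Which table index (if any) does the opened device correspond to?
    actual_index = next((i for i, (d, _) in table.items() if d == actual), None)
    return {
        "requested_index": requested_index,
        "expected_device": expected,
        "actual_device": actual,
        "actual_index": actual_index,
        "matches": expected is not None and expected == actual,
        "description_unknown": desc == "Unknown",
    }


if __name__ == "__main__":
    result = check_selection(parse_snort_w(SNORT_W_OUTPUT), 1, WINDUMP_BANNER)
    print("requested index maps to opened device:", result["matches"])
    print("opened device is table index:", result["actual_index"])
```

Run against the post's own output it reports that `-i 1` opened the device listed as index 2, which is exactly the mismatch described above.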
