Snort mailing list archives
RE: Making sense of "snort -W" output
From: "Knight, Ric" <RKnight () TUC ca>
Date: Mon, 18 Nov 2002 09:58:46 -0500
Interface 1 and interface 9 are the real Ethernet cards. You can use either of these for SNORT. The NDIS WAN interfaces are virtual for use with various dial up networking under Windows. See http://www.avm.de/en/products/software/pc_software/NDIS_WAN/ for more info.

-Ric

-----Original Message-----
From: Moshe Aelion [mailto:ma0934 () hotmail com]
Sent: November 17, 2002 3:25 PM
To: Snort mailing list
Subject: [Snort-users] Making sense of "snort -W" output

Hi everybody

I would welcome some help: we have a NAT/ICMP ADSL gateway computer. It has two network interface cards, one for the internal LAN, and one for the ethernet link to the ADSL modem. There are three networks defined at TCP/IP level: the internal LAN (192.168.x.x), where the actual computers are positioned; another internal LAN (10.0.0.x), on which the ADSL modem has an address - 10.0.0.x; and the Internet link (which obtains an external IP address dynamically upon connection, from the ISP using DHCP - that's the address seen by "the outside world").

Since there are two interface cards, I thought "snort -W" will output two entries. Instead, there are nine! Why is that? Can you suggest which ones are significant for the -i option? What's the meaning of "NdisWanNbfIn/Out"?

Thanks in advance
Moshe

Here is the "snort -W" output:

Interface Device Description
-------------------------------------------
1 \Device\Packet_{54B6A635-7753-44DD-9977-B4137EBA5A52} (3Com EtherLink PCI)
2 \Device\Packet_NdisWanIp (NdisWan Adapter)
3 \Device\Packet_NdisWanNbfOut{B5BA17D7-51EE-4B78-9E77-7B4CD2290205} (NdisWan Adapter)
4 \Device\Packet_NdisWanNbfIn{75E313C0-196A-48AD-B9E7-B72E44EAA0EB} (NdisWan Adapter)
5 \Device\Packet_NdisWanNbfIn{3BD08A8F-C44A-4364-B9A5-38E60E86FC1C} (NdisWan Adapter)
6 \Device\Packet_NdisWanNbfIn{A6B7853E-8766-419C-89C7-C6A5AAEA0956} (NdisWan Adapter)
7 \Device\Packet_NdisWanNbfOut{718B4E5C-2065-43E1-BBA9-26979539C0DB} (NdisWan Adapter)
8 \Device\Packet_NdisWanNbfOut{DCBA58B7-B33C-4ED3-B81F-D64A73A203D9} (NdisWan Adapter)
9 \Device\Packet_{17D59C5C-F6AD-4936-9A52-1C622D441FC4} (3Com EtherLink PCI)
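Added example, not part of either message and not Snort's own code: a short Python parser for a "snort -W" listing in the format quoted above, separating the NdisWan entries from the adapters the reply identifies as usable with -i. The function names are illustrative, and treating "NdisWan" in the device name as the marker for a virtual interface is an assumption drawn from this listing.

```python
import re

# The "snort -W" listing quoted in the message above, embedded so this runs offline.
SAMPLE = r"""
Interface Device Description
-------------------------------------------
1 \Device\Packet_{54B6A635-7753-44DD-9977-B4137EBA5A52} (3Com EtherLink PCI)
2 \Device\Packet_NdisWanIp (NdisWan Adapter)
3 \Device\Packet_NdisWanNbfOut{B5BA17D7-51EE-4B78-9E77-7B4CD2290205} (NdisWan Adapter)
4 \Device\Packet_NdisWanNbfIn{75E313C0-196A-48AD-B9E7-B72E44EAA0EB} (NdisWan Adapter)
5 \Device\Packet_NdisWanNbfIn{3BD08A8F-C44A-4364-B9A5-38E60E86FC1C} (NdisWan Adapter)
6 \Device\Packet_NdisWanNbfIn{A6B7853E-8766-419C-89C7-C6A5AAEA0956} (NdisWan Adapter)
7 \Device\Packet_NdisWanNbfOut{718B4E5C-2065-43E1-BBA9-26979539C0DB} (NdisWan Adapter)
8 \Device\Packet_NdisWanNbfOut{DCBA58B7-B33C-4ED3-B81F-D64A73A203D9} (NdisWan Adapter)
9 \Device\Packet_{17D59C5C-F6AD-4936-9A52-1C622D441FC4} (3Com EtherLink PCI)
"""

# One row: interface number, packet-driver device name, description in parentheses.
ROW = re.compile(r"^\s*(\d+)\s+(\\Device\\Packet_\S+)\s+\((.+)\)\s*$")

# Assumption: NdisWan bindings are recognised by their device-name prefix.
NDISWAN_PREFIX = "\\Device\\Packet_NdisWan"


def parse_interfaces(text):
    """Return one dict per listed interface; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        device = m.group(2)
        rows.append({
            "index": int(m.group(1)),
            "device": device,
            "description": m.group(3),
            "virtual": device.startswith(NDISWAN_PREFIX),
        })
    return rows


def capture_candidates(text):
    """Interface numbers worth passing to -i: every entry that is not NdisWan."""
    return [r["index"] for r in parse_interfaces(text) if not r["virtual"]]


if __name__ == "__main__":
    for r in parse_interfaces(SAMPLE):
        tag = "virtual (NdisWan)" if r["virtual"] else "candidate for -i"
        print(f'{r["index"]:>2}  {tag:<18} {r["description"]}')
```

Both remaining entries carry the same description in this listing, so the output alone does not show which card faces the LAN and which faces the ADSL modem.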