A Couple of Questions

["Lars Borland" <lborland () TriadAssoc com>]

Hello everyone,
 
I've been using Snort v1.9.0 on a Win2K (SP3) box for about a month and
a half now and have recently moved Snort onto a slightly faster machine
with more RAM.  When I did this Win2K re-detected a bunch of things
including a new/different NIC.  Initially Snort wouldn't work but I
reinstalled WinPCap and I'm back in business again.  Since then,
however, ACID shows 4 Sensors.  I only have one NIC and have deleted
whatever "hidden" adapters were listed in device manager.  All my Alerts
appear to be coming from Sensor #1.  How do I get rid of the 3 other
bogus sensors?  I've looked pretty extensively online and through what
documentation I could find but in most cases "sensors" is used
interchangeably with an entire Snort machine, not just the NICs or
instances of Snort you might have running.  Anyway, if anyone knew how
to straighten this out I'd appreciate the info.  The 3 additional
sensors don't appear to be hurting anything but I'd rather not have
Snort listening attentively to 3 un-needed/unwanted dead-end
connections.
 
2nd Question, does anyone know of any rules that listen for the
death-throes of dying NICs.  The initial reason I began looking into
Snort was to see if I could cost-effectively shed light on some of the
hidden stuff that occurs within the pipes of networks.  In the past I've
witnessed some nasty things happen due to a failing NIC spewing nonsense
onto the network and I was wondering if it was possible to be alerted to
such an event.  I realize this isn't as much of an issue in a switched
environment but I'd still like to know when something like this occurs.
Is this something that's already covered in the current rulesets?  If so
I probably just need to set up "sensors" on a couple of other switches.
 
Any help with this would be greatly appreciated.  Thanks.
 
Talk to you later, Lars.