Snort mailing list archives
snort on Win32 - code & build issues uncovered
From: Rich Adamson <radamson () routers com>
Date: Wed, 12 Mar 2003 19:35:25 -0600
I just spent the better part of today trying to identify inconsistencies with snort v1.9 and v2.0 use on a Win2kPro box with two NIC adapters. It would appear the same issues apply to the *nix environment as well.

v1.9 Issues uncovered:

1. The flex-resp version of snort always "assumes" that responses are to be sent out the first installed NIC (as presented by Pcap). With WinPcap v2.1, the listed order of NICs is different than with v3.0.a4. The order is reversed, therefore snort appears to function fine with one version and fails with another if there are two NICs installed. It doesn't make any difference if only one of the NICs has anything connected, etc. They're both still recognized as being present by Pcap.

2. The "-s 192.168.1.1" command line switch generates Syslog messages and sends them to the proper IP, however the option appears to always use the "last" NIC adapter regardless of whether it's connected to anything or not. (Highly probable that it may rely on the routing tables to pick an appropriate adapter depending upon the actual destination IP.)

v2.0 Issues uncovered (yesterday's snapshot):

1. gpf's on any alert. (Seems to be the same issues that were there prior to build 53, or, the snapshots from snort.org are not actually incorporating the corrected build 52 -> build 53 source.)

v2.0 Build 53 (from CodeCraftConsultants):

1. Both the -s Syslog and flex-resp functions appear to be broken. This build does not gpf, but it does log alerts to disk files. Probably safe to assume the Pcap issues present in v1.9 (above) remain in v2 as well.

Bottom Line: The only fully working Win32 source and executables is v1.9, and then only usable if:
a. using WinPcap v2.3 (with two adapters), or,
b. using later WinPcap with a single installed adapter.

Has anyone using Win32 seen anything different?

Rich