Snort mailing list archives
RE: Question about alerts and Windows environment
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Thu, 9 Jan 2003 15:02:26 -0500
Cannot do. I've two sensors (1.8.6 and 1.8.7) under Win32. The 1.8.6 sensor is on a dual-PIII server, which requires an older version of WinPCap -- the newer WinPCap drivers (those newer than 2.1 apparently) disable themselves when they detect an SMP environment. My 1.8.7 sensor could be upgraded to 1.9.0 (I've already tested it), but because both sensors log to a MySQL database, I'd have to implement a new Snort schema under MySQL as there were changes between the 1.8.7 database schema and the 1.9.0 database schema.

Nice idea though. :)

Christopher

-----Original Message-----
From: Gonzalez, Albert [mailto:albert.gonzalez () eds com]
Sent: Thursday, January 09, 2003 2:37 PM
To: 'L. Christopher Luther'
Subject: RE: [Snort-users] Question about alerts and Windows environment
Sensitivity: Confidential

Why not upgrade your snort sensor to 1.9.0? It is stable enough to perform the upgrade. And the rule additions + the new keywords have some nice control issues. You might want to go ahead and update your sensor. I'm currently running snort 1.9.0 on OpenBSD 3.2. It's working like a charm... using barnyard to parse my Unified logs... so give it a try.

Cheers!

Alberto Gonzalez
Intrusion Detection Systems - GSOC
Security and Privacy Professional Services

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Thursday, January 09, 2003 2:20 PM
To: 'Mark Scott'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Question about alerts and Windows environment
Sensitivity: Confidential

I looked at the 1.8.6 source code, and it appears that the '-I' parameter does properly format the interface name for output in syslog, "alert fast", and "alert full". But of course, I've not actually tried to use this parameter.

I did notice that when both of my sensors start up, the text "Initializing Network Interface \" is displayed, which comes from the source:

    LogMessage("\nInitializing Network Interface %s\n", pv.interfaces[num]);

in the OpenPCap() function (snort.c). But further on in my Snort startup output, the text "Decoding Ethernet on interface \Device\Packet_{C4F961EB-4DD5-47F8-98E2-5FDE544E8621}" is displayed, which comes from the source:

    LogMessage("Decoding Ethernet on interface %s\n", PRINT_INTERFACE(pv.interfaces[num]));

in the SetPktProcessor() function (snort.c). It may be that the "Initializing ..." message needs the PRINT_INTERFACE macro placed on it. When I get a chance I'll play w/ the source code to see what happens.

- Christopher

-----Original Message-----
From: Mark Scott [mailto:mscott () mtgroup com]
Sent: Thursday, January 09, 2003 1:23 PM
To: 'L. Christopher Luther'
Subject: RE: [Snort-users] Question about alerts and Windows environment
Sensitivity: Confidential

Thanks... Can you get the -I (uppercase i) to display the interface name? I have it turned on but it logs nothing but a '/' in this field.

Mark

[snip ...]
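The thread notes that one Snort startup message prints the interface name raw with "%s" and shows only a "\", while the message that goes through PRINT_INTERFACE shows the full "\Device\Packet_{...}" path. The example below is added here as an illustration and is not code from the thread or from the Snort project. It assumes, as its own explanation of the symptom, that WinPcap on NT-based Windows hands back the adapter name as a UTF-16LE string: printing such a buffer with "%s" stops at the zero byte that follows the first character, which is exactly what the truncated "Initializing Network Interface \" line looks like. The adapter name bytes are constructed, the GUID is a placeholder, and the function names are invented for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample (not captured from a real sensor): the adapter name
 * "\Device\Packet_{GUID}" encoded as UTF-16LE, the encoding this example
 * assumes WinPcap 2.x returns on NT-based Windows. "{GUID}" is a placeholder
 * standing in for the real {xxxxxxxx-xxxx-...} adapter identifier. */
static const unsigned char SAMPLE_WIDE_NAME[] = {
    '\\', 0, 'D', 0, 'e', 0, 'v', 0, 'i', 0, 'c', 0, 'e', 0, '\\', 0,
    'P', 0, 'a', 0, 'c', 0, 'k', 0, 'e', 0, 't', 0, '_', 0,
    '{', 0, 'G', 0, 'U', 0, 'I', 0, 'D', 0, '}', 0,
    0, 0    /* UTF-16 terminator: two zero bytes */
};

/* Heuristic: a narrow C string holding an ASCII device path never has a zero
 * byte in position 1, while a UTF-16LE string of ASCII characters always does
 * (it is the high byte of the first code unit). */
int looks_like_wide(const char *name)
{
    return name[0] != '\0' && name[1] == '\0';
}

/* What printf("%s", name) actually emits: it stops at the first zero byte,
 * so a UTF-16LE name yields a single character. Returned as a length so the
 * caller can compare it with the real name length. */
size_t raw_printed_length(const char *name)
{
    return strlen(name);
}

/* Convert the name into a narrow, printable string in the caller's buffer.
 * Narrow input is copied through; UTF-16LE input is folded code unit by code
 * unit, with anything outside ASCII replaced by '?' so the result is safe to
 * hand to "%s" in a log line. Always NUL-terminates when outlen > 0. */
const char *narrow_interface_name(const char *name, char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)name;
    size_t n = 0;

    if (outlen == 0)
        return "";

    if (!looks_like_wide(name)) {
        strncpy(out, name, outlen - 1);
        out[outlen - 1] = '\0';
        return out;
    }

    /* Stop at the 16-bit terminator or when the output buffer is full. */
    while (n + 1 < outlen && (p[0] | p[1]) != 0) {
        unsigned code = (unsigned)p[0] | ((unsigned)p[1] << 8);
        out[n++] = code < 0x80 ? (char)code : '?';
        p += 2;
    }
    out[n] = '\0';
    return out;
}

/* Convenience wrapper around the constructed sample, using a static buffer. */
const char *narrowed_sample(void)
{
    static char buf[128];
    return narrow_interface_name((const char *)SAMPLE_WIDE_NAME, buf, sizeof buf);
}

int main(void)
{
    const char *wide = (const char *)SAMPLE_WIDE_NAME;

    /* The raw "%s" form: only the leading backslash survives. */
    printf("Initializing Network Interface %s  (raw, %zu byte(s) printed)\n",
           wide, raw_printed_length(wide));

    /* The converted form: the full device path is visible in the log line. */
    printf("Decoding Ethernet on interface %s\n", narrowed_sample());
    return 0;
}
```

The two printf calls reproduce the two startup lines from the thread: the first shows why a raw "%s" on the adapter name logs a lone "\", the second what the converted name looks like. The same conversion belongs in every place an interface name reaches a log sink (syslog, "alert fast", "alert full"), since an operator correlating alerts across several Win32 sensors needs the adapter identity intact.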
Current thread:
- Question about alerts and Windows environment Mark Scott (Jan 06)
- <Possible follow-ups>
- RE: Question about alerts and Windows environment L. Christopher Luther (Jan 07)
- RE: Question about alerts and Windows environment L. Christopher Luther (Jan 08)
- RE: Question about alerts and Windows environment Don Weber (Jan 09)
- RE: Question about alerts and Windows environment L. Christopher Luther (Jan 09)
- RE: Question about alerts and Windows environment L. Christopher Luther (Jan 09)
- RE: Question about alerts and Windows environment L. Christopher Luther (Jan 09)
- RE: Question about alerts and Windows environment L. Christopher Luther (Jan 09)
- RE: Question about alerts and Windows environment L. Christopher Luther (Jan 10)