Snort mailing list archives
Re: using "react" on w32 snort ...
From: Jeff Nathan <jeff () snort org>
Date: Mon, 23 Jun 2003 19:30:00 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Actually... the code's all done :) I'm looking for a few people to test it under Windows and unix systems. Send email to me directly if you're interested in testing this.

- -Jeff

- --On Friday, June 20, 2003 06:46:43 -0600 Rich Adamson <radamson () routers com> wrote:

>>> I was attempting to test the react keyword on W32 and it spit out "PacketSendPacket failed" and then bailed out. The Win XP error sig is listed below (if it helps any) ...
>>>
>>> AppName: snort.exe AppVer: 0.0.0.0 ModName: ntdll.dll ModVer: 5.1.2600.1217 Offset: 00033adb
>>>
>>> Is it just not supported @ this time?
>>
>> It works just fine. You need to install libnet package so that you can create packets. React builds a packet and then sends it. That's what you'd need to make that work.
>>
>> http://www.securiteam.com/tools/5MP000A1YU.html
>
> No, the above problem is related to a coding issue on the win32 version of snort. Proven several times over, and it's been there since v1.8 at least.
>
> The flex resp output is sent "only" on the first winpcap interface found (snort -W) even if that particular interface is not active, etc. Your error message suggests that interface is either not configured or is inactive.
>
> One of the developers (Jeff) is rewriting the code to fix the problem. The only workaround at this time is to reconfigure the windows box to use that first interface as your sensor (and therefore for flex resp output). Then it works fine.
>
> You'll also find that using different versions of winpcap will list the interfaces in a different order, thus requiring you to reconfigure the windows box again to restore the flex response function.
>
> The problem is that the original coder assumed the flex resp packet would use the internal system routing table for the delivery of the resp packet, which was incorrect.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

- --
http://cerberus.sourcefire.com/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre minds."
- - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE+97esEqr8+Gkj0/0RAhPJAJ42+D6uQivqCL0BlHqs5aeN3X4zegCgnYGh
Rl0kMRAwvjmtOdS1wPgg6t4=
=Hc8/
-----END PGP SIGNATURE-----

Current thread:
- using "react" on w32 snort ... Jon Baer (Jun 19)
- Re: using "react" on w32 snort ... Erek Adams (Jun 19)
- Re: using "react" on w32 snort ... Rich Adamson (Jun 20)
- Re: using "react" on w32 snort ... Jeff Nathan (Jun 23)
- Re: using "react" on w32 snort ... Rich Adamson (Jun 20)
- Re: using "react" on w32 snort ... Erek Adams (Jun 19)