Snort mailing list archives
RE: Win98 Internet Connection Sharing
From: Andy Duncan <andyduncan () motives co uk>
Date: Wed, 6 Jun 2001 01:37:51 +0100
Hi Lee.

My WinPcap version is 2.01.000 (I believe this is the latest). I am passing snort the interface number that corresponds to the ICSHARE interface. Thanks for the -W tip, I hadn't spotted that. Much easier than digging through the registry :). Given that, my thought process is below:

Output of snort -W:

    -*> Snort ! <*-
    By Martin Roesch (roesch () clark net, www.snort.org)
    WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)

    Interface Device Description
    ------------------------------------------
    1 PPPMAC (PPP Adapter.)
    2 PPPMAC (PPP Adapter.)
    3 pptp ()
    4 PCINT ()
    5 SpeedTouch ()
    6 SpeedTouch ()
    7 ICSHARE ()
    8 SpeedTouch ()
    9 SpeedTouch ()

Output of ipconfig /all:

    Windows 98 IP Configuration

    Host Name . . . . . . . . . : macguffin.lotsofbeer.demon.co.uk
    DNS Servers . . . . . . . . : 192.168.0.8
    Node Type . . . . . . . . . : Hybrid
    NetBIOS Scope ID. . . . . . :
    IP Routing Enabled. . . . . : Yes
    WINS Proxy Enabled. . . . . : No
    NetBIOS Resolution Uses DNS : Yes

    0 Ethernet adapter :
    Description . . . . . . . . : PPP Adapter.
    Physical Address. . . . . . : 44-45-53-54-00-01
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . :
    DHCP Server . . . . . . . . : 255.255.255.255
    Primary WINS Server . . . . :
    Secondary WINS Server . . . :
    Lease Obtained. . . . . . . :
    Lease Expires . . . . . . . :

    1 Ethernet adapter :
    Description . . . . . . . . : Realtek RTL8029(AS) Ethernet Adapt
    Physical Address. . . . . . : 00-60-52-04-25-2D
    DHCP Enabled. . . . . . . . : No
    IP Address. . . . . . . . . : 192.168.0.1
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . :
    Primary WINS Server . . . . : 192.168.0.8
    Secondary WINS Server . . . :
    Lease Obtained. . . . . . . :
    Lease Expires . . . . . . . :

    2 Ethernet adapter :
    Description . . . . . . . . : ICSHARE Adapter.
    Physical Address. . . . . . : 44-45-53-54-00-00
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 213.123.152.159
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 213.123.152.159
    DHCP Server . . . . . . . . : 255.255.255.255
    Primary WINS Server . . . . :
    Secondary WINS Server . . . :
    Lease Obtained. . . . . . . : 01 01 80 00:00:00
    Lease Expires . . . . . . . : 01 01 80 00:00:00

So I went for ICSHARE (interface 7) as my interface. Thus:

    snort -c snort.conf -l log -i7

leading to:

    --== Initializing Snort ==--
    Initializing Network Interface ICSHARE
    ERROR: OpenPcap() device ICSHARE open: Error opening adapter

Now, am I choosing the wrong adapter to snort, or is there a problem with sniffing ICS

-----Original Message-----
From: Burleson, Lee (IA) [mailto:Lee.Burleson () ia ngb army mil]
Sent: 05 June 2001 19:01
To: Andy Duncan; Snort-Users Maillist (E-mail)
Subject: RE: [Snort-users] Win98 Internet Connection Sharing

Andy -

I believe that you need to specify an interface _number_, not a name. Try "snort -W" for a list of them. Additionally, you need to install the latest WinPcap. I don't remember the URL, but an archive search would easily reveal it.

- Lee

-----Original Message-----
From: Andy Duncan [mailto:andyduncan () motives co uk]
Sent: Tuesday, June 05, 2001 9:13 AM
To: Snort-Users Maillist (E-mail)
Subject: [Snort-users] Win98 Internet Connection Sharing

Hi,

I have been using snort successfully on Linux for a while now, and this weekend I attempted to add some protection to my windows 98 'firewall' running Internet Connection Sharing (I know, I know, but my USB ADSL modem doesn't work under Linux).

I'm not 100% sure of the details here as win98 networking isn't my thing, but the interface that seems to get the external ip is called ICSSHARE. However, starting snort using this interface results in a message along the lines of:

    Using interface ICSSHARE.
    Cannot open interface.

Snort stops at this point and the machine often freezes.

snort command line:

    snort -c snort.conf -l log\ -i 7

(Apologies for the vagueness, I'm at work atm and doing this from memory)

Attaching to any other interface results in either snort exiting or no alerts being logged.

Is snorting an ICS interface possible, or am I in a world of hurt?

TIA,
Andy

PS. I've got a FreeBSD ISO on the way which will hopefully make all this academic :)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Win98 Internet Connection Sharing Andy Duncan (Jun 05)
- <Possible follow-ups>
- RE: Win98 Internet Connection Sharing Burleson, Lee (IA) (Jun 05)
- RE: Win98 Internet Connection Sharing Andy Duncan (Jun 05)
- RE: Win98 Internet Connection Sharing Burleson, Lee (IA) (Jun 06)