Snort mailing list archives
Re:[ hello]
From: Matt Scarborough <vexversa () usa net>
Date: 9 Jul 2001 16:31:40 EDT
On Mon, 09 Jul 2001 15:16:42 +0530, Raviraj Patil wrote:
Hello,

I got it solved the problem :

When I quit snort it complains as follows:
pcap_loop: read error: PacketReceivePacket failed
pcap_stats: PacketGetStats error
May i know the reason for the same.

By using (install) the winpcap-2.02.

But i were unable to get it solved is : When i want to use MSQL & FLEXRESP features enabled, that time snort code giving a unable to read the memory location (some mem address) i.e. run time error for Win NT & Win2000.

As u said the statement i did not get it :

Some things to consider, Both LibNetNT and Snort-W32 FlexResp were a) written for NT b) prior to the introduction of WinPCap 2.1. Further, the preferred method of packet injection in Windows 2000 is IP_HDRINCL, not WRITE_IP.

Please elaborate it..

Raviraj,

You mentioned using VC++ 6.0 to compile Snort. So I mentioned a reminder about the differences between IP stacks in WinNT and Win2K.

OK, more. FlexResp enables packet injection such as sending a RST to both source and dest IP addrs, thus "closing" an offending connection. This is/will/could be done differently in Windows 2000.

<<~Webmail Wonder poster Activate!!! Shape of a Gibson post... Form of FUD...~>>

Windows 2000 supports the use of *** RAW SOCKETS *** making Snort a deadly tool in the hands of skilled FlexResp hackers!

<<~Webmail Wonder poster de-activate~>>

That was an aside, and a needle at Mr. Gibson who announced building Spoofarino (tm) based on WinPcap 2.1 when he wrote, "I know *ALL* about those add-on kernel-level packet drivers Spoofarino will DEPEND upon the best of them -- the one at netgroup-serv.polito..."

So.... in WinNT, packet injection used LibNetNT. Snort 1.7 FlexResp assumes WinNT. While certainly people are running Snort in IDS mode on Windows 2000, Snort FlexResp on Windows 2000 is a different animal. Windows 2000 contains an updated Winsock ver 2.2, and supports raw sockets natively through the IP_HDRINCL API. WinNT needed help to do this. LibNetNT provided this help in LibnetNT.dll with WRITE_IP.

You also wish to compile and build MySQL support into the same binary SNORT.EXE running the whole deal on Windows 2000. I am certainly cheering for you. Really I am. But you are faced with an arduous task resulting in a Snort ver. 1.7 flogged and beaten to work on Windows 2000. All the while the latest Snort 1.8 is around the corner (NO, not the Windows version YET, but yes Snort 1.8 nonetheless.)

HTH,

Matt Scarborough 2001-07-09

Matt Scarborough wrote:

On Fri, 06 Jul 2001 14:21:30 +0530, Raviraj Patil wrote:

I downloaded the snort-1.7-w32-felxresp-static (i.e. binary), snort-1.7-w32-MySql-static (i.e. binary) from the site www.datanerds.net/~mike. These two r working properly on WinNT. Without any problem. But from the same (www.datanerds.net/~mike) site i downloaded snort-1.7-w32-felxresp-source, snort-1.7-w32-MySql-sourec. but it is not working when i build it with VC ++ 6.0. It is giving a problem of ..

When I quit snort it complains as follows:
pcap_loop: read error: PacketReceivePacket failed
pcap_stats: PacketGetStats error
May i know the reason for the same.

If you are running Windows 2000 and using the WinPCap ver. 2.1 driver, remove that driver in Control Panel | Add/Remove Programs and try WinPCap driver version 2.02 (for Windows 2000.)

Some things to consider, Both LibNetNT and Snort-W32 FlexResp were a) written for NT b) prior to the introduction of WinPCap 2.1. Further, the preferred method of packet injection in Windows 2000 is IP_HDRINCL, not WRITE_IP.

I find it unreasonable to expect Snort Win32-FlexResp, designed for another Operating System, Winsock version, and device driver, to run without error on Windows 2000. That is not a deficiency in Snort. It seems a deficiency in user expectation.

I think which i downloaded from the site www.datanerds.net/~mike for binary are not same as sources on the same site. May i get the sources of these snort-1.7-w32-felxresp-static (i.e. binary), snort-1.7-w32-MySql-static (i.e. binary) binaries.

Try the links for "development" or "source." The last I checked all were in the same Snort-Win32 package, configurable at build with some check boxes or NMake switches.
Current thread:
- [ hello] Raviraj Patil (Jul 06)
- <Possible follow-ups>
- Re:[ hello] Matt Scarborough (Jul 06)
- Re:[ hello] Matt Scarborough (Jul 09)