Re: Token ring support of snort

[Fyodor <fygrave () tigerteam net>]

I had the similar report while ago that running snort on real tocket ring iface brings lots of junk while tcpdump saved 
file interpreted just fine. The thing is that I never had any access to tockenring device while coding tockenring 
support piece, therefore I used tcpdump files to figure out the protocol/test the code. The person who was assiting me 
at that time, told, that it worked on real device as well, but maybe something got changed. if someone could provide me 
with access to a box with token ring interface on it, I may try to fix tokerning support.

On Thu, Nov 01, 2001 at 11:02:29AM -0500, Martin Roesch wrote:
> That's very possible, the Token Ring users of Snort are a pretty small
> set of people, and I think you're the first person that's tried it on
> Windows.  If you could capture some packets with Ethereal and mail them
> to me (the binary packet captures), I'll see if I can update the
> decoder.
>
>      -Marty
>
> bulent_sahin () tb net tr wrote:
> > Yes, the interface name is correct. I tried, but same thing happened.
> > Program captures some frames, but categorizes them as OTHER. I suppose
> > that snort does not undestand  token-ring, llc2 and snap headers?
> > Thanks
> > Bulent
> >
> >  Martin Roesch
> >  <roesch () sourcefire com>               To:
> >  Sent by:                       bulent_sahin () tb net tr
> >  roesch () mail sourcefire com            cc:
> >                                 snort-users () lists sourceforge net
> >  01.11.2001 17:04                      Subject:        Re:
> >                                [Snort-users] Token ring support of
> >                                snort
> >
> > Is that the right interface name for the T/R interface?  To get a list
> > of the interfaces that are available run 'snort -W', then set the
> > sniffing interface with 'snort -i <intf>'
> >
> >     -Marty
> >
> > bulent_sahin () tb net tr wrote:
> > > Hi,
> > >
> > > Does anybody know about token ring support of snort?A few days ago I
> > > installed snort on my computer, but when I try "snort -v" it assumes
> > > that all packets are ethernet packets.  Winpcap and ethereal works
> > > fine. I  pasted "snort -v" output below.
> > >
> > > C:\Downloads\Snort-1.8.1-win32-static\Snort-1.8.1-win32\snort -v
> > > Log directory =
> > >
> > >         --== Initializing Snort ==--
> > >
> > > Initializing Network Interface \
> > > Decoding Ethernet on interface \Device\Packet_MDGNDIS41
> > >
> > >         --== Initialization Complete ==--
> > >
> > > -*> Snort! <*-
> > > Version 1.8-WIN32 (Build 74)
> > > By Martin Roesch (roesch () sourcefire com, www.snort.org)
> > > 1.7-WIN32 Port By Michael Davis (mike () datanerds net, ww
> > > 1.8-WIN32 Port By Chris Reid (chris.reid@codecraftconsu
> > >           (based on code from 1.7 port)
> > >
> > > =======================================================
> > > Snort analyzed 1312 out of 1312 packets, dropping 0(0.0
> > >
> > > Breakdown by protocol:                Action Stats:
> > >     TCP: 0          (0.000%)          ALERTS: 0
> > >     UDP: 0          (0.000%)          LOGGED: 0
> > >    ICMP: 0          (0.000%)          PASSED: 0
> > >     ARP: 0          (0.000%)
> > >    IPv6: 0          (0.000%)
> > >     IPX: 0          (0.000%)
> > >   OTHER: 1311       (99.924%)
> > > DISCARD: 0          (0.000%)
> > > =======================================================
> > > Fragmentation Stats:
> > > Fragmented IP Packets: 0          (0.000%)
> > >     Fragment Trackers: 0
> > >    Rebuilt IP Packets: 0
> > >    Frag elements used: 0
> > > Discarded(incomplete): 0
> > >    Discarded(timeout): 0
> > >   Frag2 memory faults: 0
> > > =======================================================
> > > TCP Stream Reassembly Stats:
> > >         TCP Packets Used: 0          (0.000%)
> > >          Stream Trackers: 0
> > >           Stream flushes: 0
> > >            Segments used: 0
> > >    Stream4 Memory Faults: 0
> > > =======================================================
> > > pcap_loop: read error: PacketReceivePacket failedpcap_s
> > > r
> > > Snort received signal 3, exiting
> > >
> > > Thanks,
> > > Bulent
> >
> > --
> > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> > roesch () sourcefire com - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org
>
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch () sourcefire com - http://www.sourcefire.com  
> Snort: Open Source Network IDS - http://www.snort.org
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users