Snort mailing list archives

RE: W2K snort launch & halt


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Wed, 11 Dec 2002 16:06:37 -0500

You've not specified a specific interface on the command line for Snort to
listen on, and it appears that Snort is finding your NDIS WAN adapter (i.e.,
dial-out/in).  

Run Snort with only the "-W" command line parameter (Win32 only), and it
will display a list of interfaces on your W2K computer.  Note the interface
numbers (e.g., 1, 2, ...), and relaunch Snort specifying the desired
interface to listen on (e.g., "-i 1").  This should get around your
problems.  

- Christopher


-----Original Message-----
From: "Serge Jorgensen" <lists () usinfosec com>
To: <snort-users () lists sourceforge net>
Date: Wed, 11 Dec 2002 14:02:30 -0500
Subject: [Snort-users] W2K snort launch & halt

I just ran into a problem with a Snort install on a clean W2K box -
everything seems to install fine (using WinPcap 2.3 and Snort 1.9), but on
even a basic snort -d -e -v I get an initial "Initializing...", then a
"Warning: OpenPcap() device \Device\Packet_NdisWanIp network lookup:" which
says it completes successfully, initializing snort, and the version
information... then nothing. I can Ctrl-C out of it, which gives the Snort
analyzed 0 out of 0 packets, and ends with a

Pcap_loop: read error: PacketReceivePacket failedpcapstats: PacketGetStats
error

 

Haven't seen this before - would appreciate any thoughts. Thanks.

 

Serge

 


From: "Hicks, John" <JHicks () JUSTICE GC CA>
To: 'Andy Monroe' <aim () linux-info net>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Understanding how to setup snort...
Date: Wed, 11 Dec 2002 14:03:55 -0500

Try this as a rule:

log tcp $AIM_SERVERS any <-> $HOME_NET any (msg: "AIM Packet";)

Since the AIM servers are a variable in the newer snort, it makes it very
easy to trace *all* traffic to/from the known servers.

HTH,
John

-----Original Message-----
From: Andy Monroe [mailto:aim () linux-info net]
Sent: Thursday, December 05, 2002 3:42 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Understanding how to setup snort...


I read the snort manual, but it simply is not clicking with me.  The
only thing I want to use snort for is to search AIM traffic for specific
keywords (as in illicit activity).  I have found this rule from the
mailing list:

 log tcp any any -> any any (msg: "AIM packet";
    content:"|2A 02|"; depth:2; flags:AP+;
    classtype:not-suspicious;priority:0;)

How do I go about logging all the AIM traffic?  First off, it looks like
the above rule will NOT log the content.  Doesn't the rule also need to
have "session: printable;"?

Second, I don't understand the role that the snort.conf plays in things.
The only thing I want to do is run snort in packet logger mode to search
the AIM packets, nothing else.  Can someone either point me to some info
that can guide me in this quest?  Or simply enlighten me?

Andy
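As an added illustration (not code from either poster or from Snort itself), the following Python matcher applies the semantics of the rule options quoted above, content:"|2A 02|"; depth:2; flags:AP+;, to a few constructed TCP payloads. The flag bit values follow the TCP header layout; the sample FLAP bytes (0x2A start marker, channel 2 for data frames) and their names are assumptions made for this example.

```python
# TCP flag bits as laid out in the TCP header (assumption: standard values).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_BITS = {"F": TCP_FIN, "S": TCP_SYN, "R": TCP_RST, "P": TCP_PSH, "A": TCP_ACK}


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|2A 02|' or 'abc|00|' into raw bytes.
    Text between pipe characters is hex; text outside the pipes is literal ASCII."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)


def flags_match(spec: str, tcp_flags: int) -> bool:
    """Snort flags option: 'AP' means exactly ACK+PSH; 'AP+' means ACK and PSH
    must be set and any additional flags are tolerated."""
    required = 0
    for ch in spec.rstrip("+"):
        required |= FLAG_BITS[ch]
    if spec.endswith("+"):
        return (tcp_flags & required) == required
    return tcp_flags == required


def content_match(payload: bytes, pattern: bytes, depth: int) -> bool:
    """depth:N restricts the content search to the first N payload bytes, so a
    2-byte pattern with depth:2 only matches at the very start of the payload."""
    return pattern in payload[:depth]


def aim_rule_matches(payload: bytes, tcp_flags: int) -> bool:
    """Evaluate the quoted rule body: content:"|2A 02|"; depth:2; flags:AP+;"""
    return flags_match("AP+", tcp_flags) and content_match(payload, parse_content("|2A 02|"), 2)


# Constructed sample packets (payload, TCP flags); these are not real captures.
SAMPLES = {
    "flap_data_frame": (b"\x2a\x02\x00\x01\x00\x04\x00\x01\x00\x03", TCP_ACK | TCP_PSH),
    "flap_with_fin": (b"\x2a\x02\x00\x02\x00\x00", TCP_ACK | TCP_PSH | TCP_FIN),
    "flap_ack_only": (b"\x2a\x02\x00\x03\x00\x00", TCP_ACK),
    "http_request": (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", TCP_ACK | TCP_PSH),
    "marker_past_depth": (b"\x00\x2a\x02", TCP_ACK | TCP_PSH),
}


def classify_samples() -> dict:
    """Run the rule over every constructed sample and report which would fire."""
    return {name: aim_rule_matches(p, f) for name, (p, f) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:18s} {'ALERT' if hit else 'no match'}")
```

Only the first two samples fire: the PSH-less frame fails the flags test, and the marker at offset 1 lies outside depth:2, which is why the rule keys on the FLAP start byte rather than on body content.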


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users