Snort mailing list archives
RE: W2K snort launch & halt
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Wed, 11 Dec 2002 16:06:37 -0500
You've not specified a specific interface on the command line for Snort to listen on, and it appears that Snort is finding your NDIS WAN adapter (i.e., dial-out/in). Run Snort with only the "-W" command line parameter (Win32 only), and it will display a list of interfaces on your W2K computer. Note the interface numbers (e.g., 1, 2, ...), and relaunch Snort specifying the desired interface to listen on (e.g., "-i 1"). This should get around your problems.

- Christopher

-----Original Message-----
From: "Serge Jorgensen" <lists () usinfosec com>
To: <snort-users () lists sourceforge net>
Date: Wed, 11 Dec 2002 14:02:30 -0500
Subject: [Snort-users] W2K snort launch & halt

I just ran into a problem with a Snort install on a clean W2K box - everything seems to install fine (using WinPcap 2.3 and Snort 1.9), but on even a basic "snort -d -e -v" I get an initial "Initializing...", then a "Warning: OpenPcap() device \Device\Packet_NdisWanIp network lookup:" which says it completes successfully, initializing snort, and the version information... then nothing.

I can Ctrl-C out of it, which gives the "Snort analyzed 0 out of 0 packets", and ends with a

Pcap_loop: read error: PacketReceivePacket failed
pcapstats: PacketGetStats error

Haven't seen this before - would appreciate any thoughts. Thanks.

Serge
From: "Hicks, John" <JHicks () JUSTICE GC CA>
To: 'Andy Monroe' <aim () linux-info net>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Understanding how to setup snort...
Date: Wed, 11 Dec 2002 14:03:55 -0500

Try this as a rule:

log tcp $AIM_SERVERS any <-> $HOME_NET any (MSG: "AIM Packet";)

Since the AIM servers are a variable in the newer snort it makes it very easy to trace *all* traffic to/from the known servers.

HTH,
John

-----Original Message-----
From: Andy Monroe [mailto:aim () linux-info net]
Sent: Thursday, December 05, 2002 3:42 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Understanding how to setup snort...

I read the snort manual, but it simply is not clicking with me. The only thing I want to use snort for is to search AIM traffic for specific keywords (as in illicit activity).
I have found this rule from the mailing list:

log tcp any any -> any any (msg: "AIM packet"; content:"|2A 02|"; depth:2; flags:AP+; classtype:not-suspicious; priority:0;)

How do I go about logging all the AIM traffic? First off, it looks like the above rule will NOT log the content. Doesn't the rule also need to have "session: printable;"? Second, I don't understand the role that the snort.conf plays in things. The only thing I want to do is run snort in packet logger mode to search the AIM packets, nothing else. Can someone either point me to some info that can guide me in this quest? Or simply enlighten me?

Andy
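As an added illustration (not code from the thread or from Snort itself), the following Python models what the payload part of the rule Andy quotes actually tests: content:"|2A 02|" with depth:2 only fires when the OSCAR FLAP marker 0x2A followed by data channel 2 occupies the first two bytes of the TCP payload, and "session: printable" keeps only human-readable text when the session is logged. The sample payloads are constructed for this example; the flags:AP+ test on TCP header flags is not modelled.

```python
import string
from typing import Optional

# Constructed sample TCP payloads (not captures from the thread): an OSCAR/AIM
# FLAP frame on channel 2 (data), the same bytes shifted right by one byte,
# and a plain HTTP request. All field values are made up for illustration.
AIM_DATA_FRAME = bytes.fromhex("2a02 0102 0010") + b"\x00\x04\x00\x06" + b"\x00" * 6 + b"hello!"
SHIFTED_FRAME = b"\x00" + AIM_DATA_FRAME
HTTP_REQUEST = b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n"


def content_match(payload: bytes, pattern: bytes, depth: Optional[int] = None, offset: int = 0) -> bool:
    """Snort 'content' with optional 'offset'/'depth': the pattern must lie
    entirely inside the window payload[offset : offset + depth]."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def parse_flap(payload: bytes) -> Optional[dict]:
    """Decode the 6-byte FLAP header: marker 0x2A, channel, 16-bit sequence,
    16-bit data length. Returns None if the header is missing or the length
    field claims more bytes than the payload carries (truncated frame)."""
    if len(payload) < 6 or payload[0] != 0x2A:
        return None
    channel = payload[1]
    seq = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if len(payload) - 6 < length:
        return None
    return {"channel": channel, "seq": seq, "length": length, "data": payload[6:6 + length]}


def session_printable(payload: bytes) -> str:
    """Approximation of 'session: printable': keep printable ASCII plus
    tab/CR/LF and drop every other byte, so the binary TLV headers vanish
    and only the readable text ends up in the session log."""
    keep = set(string.printable.encode()) - {0x0B, 0x0C}
    return bytes(b for b in payload if b in keep).decode("ascii")


def aim_rule_matches(payload: bytes) -> bool:
    """Payload test from the quoted rule: content:"|2A 02|"; depth:2;
    i.e. the FLAP marker and the data channel number must be the first
    two payload bytes. The flags:AP+ option is a TCP-flag test, not modelled."""
    return content_match(payload, b"\x2a\x02", depth=2)


if __name__ == "__main__":
    for name, pkt in [("aim", AIM_DATA_FRAME), ("shifted", SHIFTED_FRAME), ("http", HTTP_REQUEST)]:
        print(name, aim_rule_matches(pkt), parse_flap(pkt), repr(session_printable(pkt)))
```

The shifted frame shows why depth:2 matters: the same two bytes are present, but without depth the rule would also fire on any payload that merely contains 2A 02 somewhere.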
Current thread:
- W2K snort launch & halt Serge Jorgensen (Dec 11)
- <Possible follow-ups>
- RE: W2K snort launch & halt Scott Olihovik (Dec 11)
- RE: W2K snort launch & halt Hicks, John (Dec 11)
- RE: W2K snort launch & halt Serge Jorgensen (Dec 11)
- RE: W2K snort launch & halt L. Christopher Luther (Dec 11)
- W2K snort launch & halt Serge D. Jorgensen (Dec 17)
- RE: W2K snort launch & halt Michael Steele (Dec 17)