Snort mailing list archives

snort on Win32 - code & build issues uncovered


From: Rich Adamson <radamson () routers com>
Date: Wed, 12 Mar 2003 19:35:25 -0600


I just spent the better part of today trying to identify inconsistencies
with snort v1.9 and v2.0 use on a Win2kPro box with two NIC adapters. It
would appear the same issues apply to the *nix environment as well.

v1.9 Issues uncovered:
1. The flex-resp version of snort always "assumes" that responses are to
be sent out the first installed NIC (as presented by Pcap).

With WinPcap v2.1, the listed order of NICs is different than with v3.0.a4.
The order is reversed, therefore snort appears to function fine with one
version and fails with another if there are two NICs installed. It doesn't
make any difference if only one of the NICs has anything connected, etc.
They're both still recognized as being present by Pcap.

2. The "-s 192.168.1.1" command line switch generates Syslog messages and
sends them to the proper IP, however the option appears to always use
the "last" NIC adapter regardless of whether it's connected to anything
or not. (Highly probable that it may rely on the routing tables to pick
an appropriate adapter depending upon the actual destination IP.)

v2.0 Issues uncovered (yesterday's snapshot):
1. gpf's on any alert. (seems to be the same issues that were there prior
to build 53, or, the snapshots from snort.org are not actually incorporating
the corrected build 52 -> build 53 source.)

v2.0 Build 53 (from CodeCraftConsultants):
1. Both the -s Syslog and flex-resp functions appear to be broken. This
build does not gpf, but it does log alerts to disk files. Probably safe
to assume the Pcap issues present in v1.9 (above) remain in v2 as well.

Bottom Line:
The only fully working Win32 source and executables are v1.9, and then
only usable if:
 a. using WinPcap v2.3 (with two adapters), or,
 b. using later WinPcap with a single installed adapter.

Has anyone using Win32 seen anything different?

Rich



