Snort mailing list archives

RE: Question about alerts and Windows environment


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Thu, 9 Jan 2003 15:02:26 -0500

Cannot do.  I've two sensors (1.8.6 and 1.8.7) under Win32.  The 1.8.6
sensor is on a dual-PIII server, which requires an older version of WinPCap
-- the newer WinPCap drivers (those newer than 2.1 apparently) disable
themselves when they detect an SMP environment.  

My 1.8.7 sensor could be upgraded to 1.9.0 (I've already tested it), but
because both sensors log to a MySQL database, I'd have to implement a new
Snort schema under MySQL, as there were changes between the 1.8.7 database
schema and the 1.9.0 database schema.  

Nice idea though. :) 

Christopher 

-----Original Message-----
From: Gonzalez, Albert [mailto:albert.gonzalez () eds com]
Sent: Thursday, January 09, 2003 2:37 PM
To: 'L. Christopher Luther'
Subject: RE: [Snort-users] Question about alerts and Windows environment
Sensitivity: Confidential


Why not upgrade your snort sensor to 1.9.0? It is stable enough to perform
the upgrade. And the rule additions + the new keywords have some nice control
issues. You might want to go ahead and update your sensor. I'm currently
running snort 1.9.0 on OpenBSD 3.2. It's working like a charm.. using
barnyard to parse my Unified logs... so give it a try

Cheers!

Alberto Gonzalez 
Intrusion Detection Systems - GSOC 
Security and Privacy Professional Services 



-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Thursday, January 09, 2003 2:20 PM
To: 'Mark Scott'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Question about alerts and Windows environment
Sensitivity: Confidential


I looked at the 1.8.6 source code, and it appears that '-I' parameter does
properly format the interface name for output in syslog, "alert fast", and
"alert full".  But of course, I've not actually tried to use this parameter.

I did notice that when both of my sensors start up, the text "Initializing
Network Interface \" is displayed, which comes from the source:  

    LogMessage("\nInitializing Network Interface %s\n", pv.interfaces[num]);


in the OpenPCap() function (snort.c).  But further on in my Snort startup
output, the text "Decoding Ethernet on interface
\Device\Packet_{C4F961EB-4DD5-47F8-98E2-5FDE544E8621}" is displayed, which
comes from the source:  

    LogMessage("Decoding Ethernet on interface %s\n",
               PRINT_INTERFACE(pv.interfaces[num])); 

in the SetPktProcessor() function (snort.c).  It may be that the
"Initializing ..." message needs the PRINT_INTERFACE macro placed on it.  

When I get a chance I'll play w/ the source code to see what happens.  

- Christopher 


-----Original Message----- 
From: Mark Scott [mailto:mscott () mtgroup com] 
Sent: Thursday, January 09, 2003 1:23 PM 
To: 'L. Christopher Luther' 
Subject: RE: [Snort-users] Question about alerts and Windows environment 
Sensitivity: Confidential 


Thanks... 

Can you get the -I (uppercase i) to display the interface name. I have it
turned on but it logs nothing but a '/' in this field.

Mark 

[snip ...]
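The PRINT_INTERFACE discussion above turns on how a Win32 interface name is stored in memory. The following is an added example, not code from this thread and not Snort's own print_interface routine: it assumes (as an assumption for illustration, not something the thread states) that the pcap device name arrives as a UTF-16LE wide string, and shows why a plain "%s" on such a buffer prints only the first character, "\", while a narrowing step recovers the full "\Device\Packet_{...}" path. The sample device name is the one quoted in the thread; the looks_wide heuristic and narrow_interface helper are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample value: the device name quoted in the thread. */
static const char DEVICE_ASCII[] =
    "\\Device\\Packet_{C4F961EB-4DD5-47F8-98E2-5FDE544E8621}";

/* Encode an ASCII string as UTF-16LE bytes (each char followed by 0x00),
 * the in-memory layout of a wide-character interface name (assumed here).
 * Caller frees. *nbytes receives the length excluding the two zero bytes
 * that terminate the wide string. */
unsigned char *to_utf16le(const char *ascii, size_t *nbytes)
{
    size_t n = strlen(ascii);
    unsigned char *buf = malloc(2 * n + 2);
    if (buf == NULL) { *nbytes = 0; return NULL; }
    for (size_t i = 0; i < n; i++) {
        buf[2 * i] = (unsigned char)ascii[i];
        buf[2 * i + 1] = 0x00;
    }
    buf[2 * n] = buf[2 * n + 1] = 0x00;
    *nbytes = 2 * n;
    return buf;
}

/* Hypothetical heuristic: a non-zero first byte followed by a zero byte
 * is taken to mean "this buffer holds a wide string". */
int looks_wide(const unsigned char *buf, size_t nbytes)
{
    return nbytes >= 2 && buf[0] != 0x00 && buf[1] == 0x00;
}

/* Narrow a wide (UTF-16LE) name into a printable ASCII string; any
 * non-ASCII code unit becomes '?'. A plain narrow buffer is copied as-is.
 * Returns the number of characters written, not counting the terminator. */
size_t narrow_interface(const unsigned char *buf, size_t nbytes,
                        char *out, size_t outsz)
{
    size_t w = 0;
    if (outsz == 0) return 0;
    if (looks_wide(buf, nbytes)) {
        for (size_t i = 0; i + 1 < nbytes && w + 1 < outsz; i += 2) {
            if (buf[i] == 0 && buf[i + 1] == 0) break;   /* wide terminator */
            out[w++] = (buf[i + 1] == 0 && buf[i] < 0x80) ? (char)buf[i] : '?';
        }
    } else {
        for (size_t i = 0; i < nbytes && buf[i] != 0 && w + 1 < outsz; i++)
            out[w++] = (char)buf[i];
    }
    out[w] = '\0';
    return w;
}

/* The startup line as a bare "%s" sees the raw buffer: the format stops at
 * the first 0x00 byte, so a wide name prints as a single character. */
void format_raw(const unsigned char *buf, char *line, size_t linesz)
{
    snprintf(line, linesz, "Initializing Network Interface %s",
             (const char *)buf);
}

/* The same line after narrowing, which is what a PRINT_INTERFACE-style
 * wrapper around the argument would achieve. */
void format_narrowed(const unsigned char *buf, size_t nbytes,
                     char *line, size_t linesz)
{
    char name[256];
    narrow_interface(buf, nbytes, name, sizeof name);
    snprintf(line, linesz, "Initializing Network Interface %s", name);
}

int main(void)
{
    size_t nbytes;
    unsigned char *wide = to_utf16le(DEVICE_ASCII, &nbytes);
    char line[320];
    if (wide == NULL) return 1;
    format_raw(wide, line, sizeof line);
    puts(line);                 /* prints only "\" after the label */
    format_narrowed(wide, nbytes, line, sizeof line);
    puts(line);                 /* prints the full device path */
    free(wide);
    return 0;
}
```

The two puts() calls reproduce the symptom and the fix side by side: the raw buffer yields the lone backslash seen at startup, and the narrowed copy yields the complete device path, which is why routing every interface-name argument through one conversion macro is the consistent choice.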
