RE: Win32 - multiple interfaces?

["Michael Steele" <michaels () winsnort com>]

Q1: You can't detect two interfaces with one Snort instance.

Note: Throw some more RAM in and run 2 Snorts

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin () lists sourceforge net [mailto:snort-users-
> admin () lists sourceforge net] On Behalf Of Rich Adamson
> Sent: Thursday, January 01, 2004 5:33 AM
> To: Snort Users Postings
> Subject: [Snort-users] Win32 - multiple interfaces?
>
>
> Just upgraded to Win32 v2.1.0 on Win2kPro from CodeCrafters site after
> being
> away from snort for a while. Configured and running fine as validated by a
> simple telnet detection rule, logging low-volume alerts to syslog, etc.
> Two
> questions.
>
> Question 1:
> Can I run one instance of snort that will sniff packets on two nic
> interfaces
> at the same time? If so, what's the proper config/syntax?
>
> (I know I can run two instances to accomplish this, but would rather not
> waste mem if it can be done with one instance on this low-volume net.)
>
> Question 2:
> I added the following to my local.rules with due care for single line
> entry:
>
> > I *guarantee* you it's a machine infected with Nachi or a new variant of
> Nachi.
> > # This rule is for tracking Nachi infections
> > alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";
> > content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aa
> > aa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
> > aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|";
> > dsize:64; itype: 8; icode: 0; threshold: type both, track by_src, count
> > 1000, seconds 60; classtype:trojan-activity; si
> > d: 10000008; rev: 4;)
>
> and the startup barfs with:
>  ERROR: *** threshold: count
>  *** Invalid integer input: 1000
>  Fatal Error, Quitting..
> Since I've been away for a couple of snort versions, what am I missing in
> terms of thresholding?
>
> Rich
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users