RE: Snort 2.1.x support on Win32

[Rich Adamson <radamson () routers com>]

Seems Winpcap has at least some dependencies on other network drivers
installed on each machine. When I attempted using v3.0 early releases,
the Win2kPro system became very unstable, blue screened, etc. V2.1 was
the only pcap that was stable, which is still what I'm using. (In my 
case the v3.0 stability problem had something to do with NAI Sniffer 
driver compatibility; the last one I tried was v3.0.a4.) I wouldn't
even hazard a guess as to which versions of Winpcap might have issues
with various specialized vendor drivers. I do have several other snort
systems running later winpcap with no issues, however those don't have
Sniffer drivers installed either. For the Win2kPro box, the v2.1 driver
has been stable since snort v1.8 or so.

Rich

------------------------
> Really?  How did you do this?
>
> Sorry for the inquisitive question but I buggered at this for a while
> with one of the older 2.0.x somethings just no way working with
> Winpcap2.1. but working with a 3.0 alpha if I recall.  Did you skip this
> version tree all together??
>
> TIA!
>
> J.
> > -----Original Message-----
> > I might add that WinPcap v2.1 works fine with latest Win32 as 
> > well, but any threshold rule that uses "seconds" or "count" 
> > will fail due to what appears to be a bug interpreting the 
> > integer values that follow those keywords.
> >
> > ------------------------
> > > FYI - for some of you having issue with the newer versions 
> > of Snort on 
> > > Win2k/XP...
> > >  
> > > 1) Make sure you have installed WinCap v3.0
> > >  
> > > 2) If you updated Snort i.e. 2.1.2 or 2.1.3 from realier 
> > versions, you 
> > > need to use the new
> > snort.conf file and remodify it. There are changes in the
> > > file - such as http_decode is now http_inspect:
> > >  
> > > preprocessor http_inspect: global \
> > >     iis_unicode_map unicode.map 1252
> > >  
> > > preprocessor http_inspect_server: server default \
> > >     profile all ports { 80 8080 8180 } oversize_dir_length 
> > 500 ... the 
> > > snort test will balk at the "global" if you don't reconfigure for 
> > > this; also make user
> > you have the unicode/map file in the path. (Best
> > > approach I have found is to turn off http_decode in IDSCenter and 
> > > edit/add the appropriate
> > http_inspect parameters). Refer to the new Snort
> > > documentation.
> > >  
> > >  
> > > 3) IDSCenterRC4 DOES run with Snort 2.1.3... IF you don't 
> > reload your 
> > > old - pre2.1.x config.
> > (see above)
> > >  
> > > Hope this helps.
> > >  
> > > Brian Koski
> > > Principal I.T.  Analyst
> > > City of Citrus Heights
> > > Work: 916-727-4735
> > >  




-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users