Snort mailing list archives
RE: Snort 2.1.x support on Win32
From: Rich Adamson <radamson () routers com>
Date: Tue, 22 Jun 2004 06:17:19 -0600
Seems Winpcap has at least some dependencies on other network drivers installed on each machine. When I attempted using v3.0 early releases, the Win2kPro system became very unstable, blue screened, etc. V2.1 was the only pcap that was stable, which is still what I'm using. (In my case the v3.0 stability problem had something to do with NAI Sniffer driver compatibility; the last one I tried was v3.0.a4.)

I wouldn't even hazard a guess as to which versions of Winpcap might have issues with various specialized vendor drivers. I do have several other snort systems running later winpcap with no issues, however those don't have Sniffer drivers installed either.

For the Win2kPro box, the v2.1 driver has been stable since snort v1.8 or so.

Rich

------------------------
Really? How did you do this? Sorry for the inquisitive question but I buggered at this for a while with one of the older 2.0.x somethings just no way working with Winpcap 2.1, but working with a 3.0 alpha if I recall. Did you skip this version tree altogether??

TIA!
J.

-----Original Message-----

I might add that WinPcap v2.1 works fine with latest Win32 as well, but any threshold rule that uses "seconds" or "count" will fail due to what appears to be a bug interpreting the integer values that follow those keywords.

------------------------

FYI - for some of you having issues with the newer versions of Snort on Win2k/XP...

1) Make sure you have installed WinPcap v3.0

2) If you updated Snort, i.e. 2.1.2 or 2.1.3, from earlier versions, you need to use the new snort.conf file and remodify it. There are changes in the file - such as http_decode is now http_inspect:

    preprocessor http_inspect: global \
        iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500

... the snort test will balk at the "global" if you don't reconfigure for this; also make sure you have the unicode/map file in the path. (Best approach I have found is to turn off http_decode in IDSCenter and edit/add the appropriate http_inspect parameters). Refer to the new Snort documentation.

3) IDSCenter RC4 DOES run with Snort 2.1.3... IF you don't reload your old - pre-2.1.x config. (see above)

Hope this helps.

Brian Koski
Principal I.T. Analyst
City of Citrus Heights
Work: 916-727-4735
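The snort.conf change described in step 2 of the quoted message can be checked before restarting the sensor. The following is an added example, not code from the thread or from the Snort project: it flags a leftover http_decode line, an http_inspect_server line without the global line, and a missing unicode map file. The function names, the sample configs and the rule that relative map paths are resolved against the config directory are assumptions.

```python
import os
import re

# Constructed sample of a pre-2.1.x config line (not taken from the thread).
OLD_CONF = "preprocessor http_decode: 80 unicode iis_alt_unicode\n"

# The http_inspect lines quoted in the thread, with line continuations restored.
NEW_CONF = r"""preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
"""

def logical_lines(conf_text):
    """Join backslash-continued snort.conf lines and drop '#' comments."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", conf_text)
    return [ln.split("#", 1)[0].strip() for ln in joined.splitlines()]

def check_http_preprocessors(conf_text, conf_dir):
    """Return findings for the http_decode -> http_inspect migration."""
    findings, has_global, has_server = [], False, False
    for line in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+(\w+)\s*:?\s*(.*)", line)
        if not m:
            continue
        name, args = m.group(1), m.group(2).split()
        if name == "http_decode":
            findings.append("http_decode present: replace with http_inspect")
        elif name == "http_inspect_server":
            has_server = True
        elif name == "http_inspect" and args[:1] == ["global"]:
            has_global = True
            if "iis_unicode_map" not in args[:-1]:
                findings.append("http_inspect global: no iis_unicode_map file given")
                continue
            map_file = args[args.index("iis_unicode_map") + 1]
            # Assumption: a relative map path is resolved against conf_dir.
            if not os.path.isfile(os.path.join(conf_dir, map_file)):
                findings.append("unicode map not found: " + map_file)
    if has_server and not has_global:
        findings.append("http_inspect_server without an http_inspect global line")
    return findings

if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(label, check_http_preprocessors(conf, os.getcwd()))
```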
Current thread:
- Snort 2.1.x support on Win32 Koski, Brian (Jun 21)
- Re: Snort 2.1.x support on Win32 Rich Adamson (Jun 21)
- <Possible follow-ups>
- RE: Snort 2.1.x support on Win32 Rich Adamson (Jun 22)