Snort mailing list archives

RE: -i switch


From: "Chris Reid" <chris.reid () codecraftconsultants com>
Date: Mon, 21 Mar 2005 22:01:43 -0700 (MST)

Some time ago the WinPcap developers gave us some code that could let you
specify the GUID/UUID string instead of the interface number.  I'm not at
my Snort development machine right now to verify that it was committed to
the Snort source code, but try putting the whole "Device" string in quotes
after the -i.  For example, using the interface below...

    -i "\Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2}"

would be the same as:

    -i 1

Chris Reid


On Mon, March 21, 2005 3:18 pm, Snort said:
The changing of the interfaces is a Windows thing... I am not sure how
you would hardcode the interface to a particular number. In the Unix
world, no matter if you disable or do not use an interface, it will always
be what it was installed as or what you specify it as in the modules
file. In Windows, it changes based on if you disable or enable a NIC, like
you are experiencing now. To defeat the issue, you might have to come up
with a script that will look for that NIC device string (found when you
do snort -W), grep the interface number and start snort based on that
interface. That makes your install a bit smarter so that if you install 4
more NICs for virtual webserver or pptp, snort will always start on that
interface you're looking for.

Interface       Device          Description
-------------------------------------------
1  \Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2} (Broadcom NetXtreme Gigabit Ethernet Driver)
2 \Device\NPF_{444422A1-AB79-4CDB-B3C9-FF274A4C6152} (Intel(R) PRO/1000 XT Network Connection)


knowing the above, a script could* look like this

eth=$(Snort.exe -W | grep.exe -i "C6152" | cut.exe -b 1)

  ^ this will produce a result of "2"

Snort.exe -i"$eth" -o -c ../etc/snort.conf


Michael Brown

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Lee Clemens
Posted At: Monday, March 21, 2005 4:26 PM
Posted To: Snort
Conversation: [Snort-users] -i switch
Subject: [Snort-users] -i switch


I have seen documentation with using the -i switch followed by a number and
with eth0, eth1, etc... However, it seems this is OS dependent.

I am using windows and "Snort -W" does not supply the names of the
connections (eth0,...). Is there any way I can cause these numbers to remain
static or work around this issue some other way? I have tried installing
Snort with "-i eth0" but OpenPcap fails to open the device.

I am asking this because I disable/enable some network connections on this
computer periodically and this disrupts the numbering scheme, causing Snort
to be looking at the wrong NIC. Thanks!






-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
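
The lookup described in the thread (find the row of `snort -W` for a known device string, then start Snort on that interface number), as an added example that is not part of the original messages. It goes beyond the one-liner by matching the full GUID rather than a suffix and by handling interface numbers of more than one digit; the helper name `resolve_iface` is hypothetical, and the listing is a constructed sample in the layout quoted above. A POSIX shell with `awk` is assumed on the sensor.

```shell
#!/bin/sh
# Added example: map a WinPcap device GUID to Snort's current interface
# number, so the sensor keeps watching the intended NIC after renumbering.

# Constructed sample in the "snort -W" layout quoted in the thread.
sample_listing() {
cat <<'EOF'
Interface       Device          Description
-------------------------------------------
1  \Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2} (Broadcom NetXtreme Gigabit Ethernet Driver)
2 \Device\NPF_{444422A1-AB79-4CDB-B3C9-FF274A4C6152} (Intel(R) PRO/1000 XT Network Connection)
EOF
}

# resolve_iface GUID   (hypothetical helper name)
# Reads a listing on stdin and prints the interface number whose device
# field contains {GUID}, compared case-insensitively.
# Exit status: 0 = exactly one match, 1 = no match, 2 = ambiguous.
resolve_iface() {
    awk -v guid="$1" '
        BEGIN { want = "{" toupper(guid) "}" }
        # Data rows have a numeric first field and the device path second;
        # the header and the dashed rule are skipped by the numeric test.
        $1 ~ /^[0-9]+$/ && index(toupper($2), want) { n++; idx = $1 }
        END {
            if (n == 1) { print idx; exit 0 }
            exit (n == 0 ? 1 : 2)
        }'
}

# Demo against the constructed sample; prints the number of the Intel NIC.
sample_listing | resolve_iface 444422A1-AB79-4CDB-B3C9-FF274A4C6152

# On the sensor (assumes snort.exe is on PATH), refuse to start on a guess:
#   n=$(snort.exe -W | resolve_iface 444422A1-AB79-4CDB-B3C9-FF274A4C6152) || exit 1
#   snort.exe -i "$n" -o -c ../etc/snort.conf
```

Failing closed when the GUID is missing or ambiguous keeps Snort from silently starting on the wrong NIC.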


