Snort mailing list archives
Trouble getting started
From: "Peter Youll" <petery () ambri com au>
Date: Tue, 1 Oct 2002 13:26:45 +1000
Dear snort users,

I am new to snort, and so far am not having much success - can't even get windump to work on the required device.

I am trying to use a Win2K server system, which is dedicated to network functionality tasks (RAS, DNS, firewall management etc.) with 2 NICs installed - a 100 Mbps for normal network traffic and a 10 Mbps for snort. The latter will be connected to a port on the network core switch which mirrors traffic on the port connected to the firewall. For testing purposes it is connected to a fairly busy hub.

To enumerate the NICs in the server, I run snort -W with results as follows...

________________________________
D:\snort>snort -W

-*> Snort! <*-
Version 1.8.7-WIN32 (Build 121)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
1.8-WIN32 Compiled By Michael Steele (michaels () silicondefense com, www.silicondefense.com) (based on code from 1.7 port)

Interface    Device                                                   Description
-------------------------------------------
1            \Device\Packet_{51BC396F-9CC4-4D79-BB71-0C8F51D6D8D5}   (Unknown)
2            \Device\Packet_{882F1156-FCDE-429C-B47B-11991AFDD62C}   (Unknown)
3            \Device\Packet_NdisWanIp                                 (Unknown)

D:\snort>
_____________________________________

Question 1 - why are the devices (Unknown)? When I run snort on my Win2K Pro workstation it responds with the NIC type, as follows...

________________________________________________
Interface    Device                                                   Description
-------------------------------------------
1            \Device\Packet_{43C8B349-34E5-4EBE-AEC7-2D9DE3B46F21}   (Novell 2000 Adapter.)
2            \Device\Packet_NdisWanIp                                 (NdisWan Adapter)
________________________________________________

Running windump selecting device 1 works, but from the GUID appears to be listening on device 2:

________________________________________________
D:\SnortInstallers>windump -i 1
windump: listening on\Device\Packet_{882F1156-FCDE-429C-B47B-11991AFDD62C}
.
Lots of stuff removed.
.
972 packets received by filter
0 packets dropped by kernel
________________________________________________

Running windump selecting device 2 doesn't hear any traffic, probably because there is none to be heard on the ndis device:

________________________________________________
D:\SnortInstallers>
D:\SnortInstallers>windump -i 2
windump: listening on\Device\Packet_NdisWanIp
windump: WARNING: The operation completed successfully.
0 packets received by filter
0 packets dropped by kernel
D:\SnortInstallers>
_____________________________________________________

Running windump on device 3 brings up a GUID not previously seen, and no traffic is heard:

_____________________________________________________
D:\SnortInstallers>windump -i 3
windump: listening on\Device\Packet_NdisWanNbfIn{971C9CDB-07A3-42A4-9E82-4192A3E3D33F
windump: WARNING: The operation completed successfully.
0 packets received by filter
0 packets dropped by kernel
D:\SnortInstallers>
______________________________________________________

Any clues on what is going wrong would be much appreciated.

Thanks in advance.

PeterY

____________________________________________
Eschew obfuscation!

Peter Youll
Director IT & Communication
Ambri Limited
Level 3, 126 Greville Street
Chatswood NSW 2067
Australia
Telephone: +61 2 94223092
Fax: +61 2 94223199
Mobile: +61 4 12803058
Email: petery () ambri com

Disclaimer: Any unauthorised form of reproduction of this message is strictly prohibited. Ambri Limited does not guarantee the security of any information electronically transmitted and is not liable for the proper and complete transmission of the information contained in this communication, nor for any delay in its receipt.

PLEASE NOTE - The time in Sydney is UTC + 10 hours April to October and UTC + 11 hours November to March
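The post above shows `snort -W` numbering the capture devices one way and `windump -i N` opening a device whose GUID sits at a different position in that list. The following script is an added example (not code from the poster, from Snort or from WinDump) that cross-references the two outputs: it parses the `snort -W` interface table and each `windump` "listening on" banner, then reports for every `-i N` run which `snort -W` index the device actually opened corresponds to. The sample text is constructed from the device names quoted in the post; nothing about why the two tools disagree is assumed, the script only makes the mismatch explicit so it can be seen before a sensor is pointed at the wrong NIC.

```python
import re

# Constructed sample of the `snort -W` table in the form shown in the post
# (Snort 1.8.7-WIN32). The device names are the ones the post quotes.
SNORT_W_OUTPUT = """\
Interface    Device                                                   Description
-------------------------------------------
1            \\Device\\Packet_{51BC396F-9CC4-4D79-BB71-0C8F51D6D8D5}   (Unknown)
2            \\Device\\Packet_{882F1156-FCDE-429C-B47B-11991AFDD62C}   (Unknown)
3            \\Device\\Packet_NdisWanIp                                 (Unknown)
"""

# Constructed `windump` banners, keyed by the index passed to `-i`, again
# taken from the post. WinDump prints no space after "on" in these.
WINDUMP_RUNS = {
    1: "windump: listening on\\Device\\Packet_{882F1156-FCDE-429C-B47B-11991AFDD62C}",
    2: "windump: listening on\\Device\\Packet_NdisWanIp",
    3: "windump: listening on\\Device\\Packet_NdisWanNbfIn{971C9CDB-07A3-42A4-9E82-4192A3E3D33F",
}

# One table row: index, \Device\... name, parenthesised description.
IFACE_RE = re.compile(r"^\s*(\d+)\s+(\\Device\\\S+)\s+\((.*)\)\s*$")
# The device name in a windump banner; `\s*` tolerates the missing space.
LISTEN_RE = re.compile(r"listening on\s*(\\Device\\\S+)")


def parse_snort_w(text):
    """Return {index: (device, description)} from a `snort -W` listing."""
    table = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            table[int(m.group(1))] = (m.group(2), m.group(3))
    return table


def parse_windump_banner(line):
    """Return the device name a windump run reported opening, or None."""
    m = LISTEN_RE.search(line)
    return m.group(1) if m else None


def cross_check(table, runs):
    """For each `windump -i N` run, say which `snort -W` index was really opened.

    Returns a list of (requested_index, opened_device, status) tuples, where
    status is "match", "opened snort -W device K", or "not in snort -W list".
    """
    by_device = {dev: idx for idx, (dev, _desc) in table.items()}
    findings = []
    for requested, banner in sorted(runs.items()):
        opened = parse_windump_banner(banner)
        actual = by_device.get(opened)
        if actual is None:
            status = "not in snort -W list"
        elif actual == requested:
            status = "match"
        else:
            status = "opened snort -W device %d" % actual
        findings.append((requested, opened, status))
    return findings


def mismatches(table, runs):
    """Only the runs where the requested index did not open the expected device."""
    return [f for f in cross_check(table, runs) if f[2] != "match"]


if __name__ == "__main__":
    devices = parse_snort_w(SNORT_W_OUTPUT)
    for requested, opened, status in cross_check(devices, WINDUMP_RUNS):
        print("windump -i %d -> %s : %s" % (requested, opened, status))
```

Feed it the real `snort -W` and `windump` output from the machine in question (replace the two constructed samples) and any run that does not report "match" is a device-numbering disagreement between the two tools; until that is resolved, the index passed to `snort -i` should be chosen from the GUID actually opened, not from the position in either list.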
Current thread:
- Trouble getting started Peter Youll (Sep 30)