Snort mailing list archives
Re: using "react" on w32 snort ...
From: Rich Adamson <radamson () routers com>
Date: Fri, 20 Jun 2003 06:46:43 -0600
> > I was attempting to test the react keyword on W32 and it spit out "PacketSendPacket failed" and then bailed out. The win xp error sig is listed below (if it helps any) ...
> >
> > AppName: snort.exe AppVer: 0.0.0.0 ModName: ntdll.dll ModVer: 5.1.2600.1217 Offset: 00033adb
> >
> > Is it just not supported @ this time?
>
> It works just fine. You need to install the libnet package so that you can create packets. React builds a packet and then sends it. That's what you'd need to make that work. http://www.securiteam.com/tools/5MP000A1YU.html

No, the above problem is related to a coding issue on the win32 version of snort. Proven several times over, and it's been there since v1.8 at least. The flex resp output is sent "only" on the first winpcap interface found (snort -W) even if that particular interface is not active, etc. Your error message suggests that interface is either not configured or is inactive. One of the developers (Jeff) is rewriting the code to fix the problem.

The only workaround at this time is to reconfigure the windows box to use that first interface as your sensor (and therefore for flex resp output). Then it works fine. You'll also find that using different versions of winpcap will list the interfaces in a different order, thus requiring you to reconfigure the windows box again to restore the flex response function.

The problem relates to the original coder assuming the flex resp packet would use the internal system routing table for the delivery of the resp packet, which was incorrect.