Snort mailing list archives
RE: Win32 - multiple interfaces?
From: "Michael Steele" <michaels () winsnort com>
Date: Thu, 1 Jan 2004 10:04:27 -0800
Q1: You can't detect two interfaces with one Snort instance.

Note: Throw some more RAM in and run 2 Snorts

Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Thursday, January 01, 2004 5:33 AM
To: Snort Users Postings
Subject: [Snort-users] Win32 - multiple interfaces?

Just upgraded to Win32 v2.1.0 on Win2kPro from CodeCrafters site after being away from snort for a while. Configured and running fine as validated by a simple telnet detection rule, logging low-volume alerts to syslog, etc. Two questions.

Question 1: Can I run one instance of snort that will sniff packets on two nic interfaces at the same time? If so, what's the proper config/syntax? (I know I can run two instances to accomplish this, but would rather not waste mem if it can be done with one instance on this low-volume net.)

Question 2: I added the following to my local.rules with due care for single line entry:

I *guarantee* you it's a machine infected with Nachi or a new variant of Nachi.
# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; threshold: type both, track by_src, count 1000, seconds 60; classtype:trojan-activity; sid: 10000008; rev: 4;)

and the startup barfs with:

ERROR: *** threshold: count *** Invalid integer input: 1000
Fatal Error, Quitting..

Since I've been away for a couple of snort versions, what am I missing in terms of thresholding?

Rich

-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now!
http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
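
Added example, not part of either poster's message and not Snort's own code: a Python model of what the quoted rule is meant to detect, namely ICMP echo requests carrying 64 bytes of 0xaa, alerted once per source per 60-second interval when the 1000th match is seen (the documented behaviour of `threshold: type both`). The `Icmp` tuple, the `BothThreshold` class, the fixed-window bookkeeping and the sample addresses are assumptions constructed for the illustration.

```python
from collections import namedtuple

# Constructed stand-in for a decoded ICMP packet (ts is seconds since start).
Icmp = namedtuple("Icmp", "ts src itype icode payload")

NACHI_PAYLOAD = b"\xaa" * 64      # content + dsize:64 from the quoted rule
COUNT, SECONDS = 1000, 60         # threshold: count 1000, seconds 60


def matches_rule(pkt):
    """Rule body: itype 8, icode 0, dsize 64, payload is all 0xaa."""
    return pkt.itype == 8 and pkt.icode == 0 and pkt.payload == NACHI_PAYLOAD


class BothThreshold:
    """Simplified 'type both, track by_src': at most one alert per source
    per interval, raised when the count-th matching packet is seen."""

    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [interval_start, matches_in_interval]

    def observe(self, pkt):
        if not matches_rule(pkt):
            return False
        win = self.state.get(pkt.src)
        if win is None or pkt.ts - win[0] >= self.seconds:
            win = self.state[pkt.src] = [pkt.ts, 0]   # start a new interval
        win[1] += 1
        return win[1] == self.count                   # fires exactly once


def run(packets):
    th = BothThreshold()
    return [(p.ts, p.src) for p in packets if th.observe(p)]


def sample_traffic():
    """Constructed traffic: one sweeping host and one host pinging normally."""
    pkts = [Icmp(i * 0.01, "10.0.0.5", 8, 0, NACHI_PAYLOAD) for i in range(2500)]
    pkts += [Icmp(float(i), "10.0.0.9", 8, 0, b"abcdefgh" * 4) for i in range(30)]
    pkts += [Icmp(70 + i * 0.01, "10.0.0.5", 8, 0, NACHI_PAYLOAD) for i in range(1000)]
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for ts, src in run(sample_traffic()):
        print(f"{ts:7.2f}s  possible Nachi sweep from {src}")
```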
Current thread:
- Win32 - multiple interfaces? Rich Adamson (Jan 01)
- RE: Win32 - multiple interfaces? Michael Steele (Jan 01)
- RE: Win32 - multiple interfaces? Rich Adamson (Jan 01)
- Re: Win32 - multiple interfaces? Scot Scot (Jan 01)
- Re: Win32 - multiple interfaces? Rich Adamson (Jan 01)
- RE: Win32 - multiple interfaces? Michael Steele (Jan 01)
- RE: Win32 - multiple interfaces? Rich Adamson (Jan 01)
- RE: Win32 - multiple interfaces? Michael Steele (Jan 01)