[Snort-users] Win2K Advanced Server problems
FKnobbe at ...649...
Thu Apr 12 10:47:03 EDT 2001
> -----Original Message-----
> From: John Girvin [mailto:john.girvin at ...1795...]
> Sent: Wednesday, April 11, 2001 9:40 AM
> When I run snort it initialises OK and seems to capture packets as
> you would expect. However when a port 25 packet comes in, I get
> lots of the following message:
> PacketSendPacket failed
> When I quit snort it complains as follows:
> pcap_loop: read error: PacketReceivePacket failed
> pcap_stats: PacketGetStats error
I can't find the 'PacketSendPacket' string in the snort source, so I
assume that's generated by the PCap or LibNet driver.
When I wrote snarp, an ARP poison and redirect/proxy tool for NT, I
noticed that, even though it runs great under NT4, it crashes under
W2K. Specifically, the 'libnet_write_ip' function fails. It appears
to me that the LibNetNT.dll is not fully compatible with the IP stack
of W2K. Snort uses that function in sp_react.c and sp_respond.c. So,
from what I can tell, LibNetNT is broken under W2K, which means that,
for now, you won't be able to get the active response to work under
W2K. I recommend you run snort on a dedicated NT4 box 'in front' of
that W2K application server.
Another option would be to change the 'libnet_write_ip' functions to
some NT raw socket function, although I'm not sure how flexible that
function would be. Maybe someone else can shed some light on this.