[Snort-users] Win2K Advanced Server problems

Frank Knobbe FKnobbe at ...649...
Thu Apr 12 10:47:03 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: John Girvin [mailto:john.girvin at ...1795...]
> Sent: Wednesday, April 11, 2001 9:40 AM
> 
> When I run snort it initialises OK and seems to capture packets as
> you would expect. However when a port 25 packet comes in, I get
> lots of the following message:
> 	PacketSendPacket failed 
> 
> When I quit snort it complains as follows:
> 	pcap_loop: read error: PacketReceivePacket failed
> 	pcap_stats: PacketGetStats error


I can't find the 'PacketSendPacket' string in the snort source, so I
assume that's generated by the PCap or LibNet driver.

When I wrote snarp, an ARP poison and redirect/proxy tool for NT, I
noticed that, even though it runs great under NT4, it crashes under
W2K. Specifically, the 'libnet_write_ip' function fails. It appears
to me that the LibNetNT.dll is not fully compatible with the IP stack
of W2K. Snort uses that function in sp_react.c and sp_respond.c. So,
from what I can tell, LibNetNT is broken under W2K, which means that,
for now, you won't be able to get the active response to work under
W2K. I recommend you run snort on a dedicated NT4 box 'in front' of
that W2K application server.

Another option would be to change the 'libnet_write_ip' functions to
some NT raw socket function, although I'm not sure how flexible that
function would be. Maybe someone else can shed some light on this.

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOtW/5pytSsEygtEFEQKr9ACguWzosB84sNPePnHnsZhipFvsXoQAoJln
W6Yy3J/u0/7WM5+Gv12KFAeU
=udaL
-----END PGP SIGNATURE-----



