[Snort-users] Win98 Internet Connection Sharing

Andy Duncan andyduncan at ...1382...
Tue Jun 5 20:37:51 EDT 2001 

Hi Lee.

My WinPcap version is 2.01.000 (I believe this is the 
latest).  I am passing snort the interface number that
corresponds to the ICSHARE interface.  Thanks for the
-W tip, I hadn't spotted that.  Much easier that digging
through the registry :).

Given that, my thought process is below:

Output of snort -W:

-*> Snort ! <*-
By Martin Roesch (roesch at ...66..., www.snort.org)
WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike)

Interface       Device         Description
------------------------------------------
1  PPPMAC (PPP Adapter.)
2 PPPMAC (PPP Adapter.)
3 pptp ()
4 PCINT ()
5 SpeedTouch ()
6 SpeedTouch ()
7 ICSHARE ()
8 SpeedTouch ()
9 SpeedTouch ()

Output of ipconfig /all:

Windows 98 IP Configuration

	Host Name . . . . . . . . . : macguffin.lotsofbeer.demon.co.uk
	DNS Servers . . . . . . . . : 192.168.0.8
	Node Type . . . . . . . . . : Hybrid
	NetBIOS Scope ID. . . . . . : 
	IP Routing Enabled. . . . . : Yes
	WINS Proxy Enabled. . . . . : No
	NetBIOS Resolution Uses DNS : Yes

0 Ethernet adapter :

	Description . . . . . . . . : PPP Adapter.
	Physical Address. . . . . . : 44-45-53-54-00-01
	DHCP Enabled. . . . . . . . : Yes
	IP Address. . . . . . . . . : 0.0.0.0
	Subnet Mask . . . . . . . . : 0.0.0.0
	Default Gateway . . . . . . : 
	DHCP Server . . . . . . . . : 255.255.255.255
	Primary WINS Server . . . . : 
	Secondary WINS Server . . . : 
	Lease Obtained. . . . . . . : 
	Lease Expires . . . . . . . : 

1 Ethernet adapter :

	Description . . . . . . . . : Realtek RTL8029(AS) Ethernet Adapt
	Physical Address. . . . . . : 00-60-52-04-25-2D
	DHCP Enabled. . . . . . . . : No
	IP Address. . . . . . . . . : 192.168.0.1
	Subnet Mask . . . . . . . . : 255.255.255.0
	Default Gateway . . . . . . : 
	Primary WINS Server . . . . : 192.168.0.8
	Secondary WINS Server . . . : 
	Lease Obtained. . . . . . . : 
	Lease Expires . . . . . . . : 

2 Ethernet adapter :

	Description . . . . . . . . : ICSHARE Adapter.
	Physical Address. . . . . . : 44-45-53-54-00-00
	DHCP Enabled. . . . . . . . : Yes
	IP Address. . . . . . . . . : 213.123.152.159
	Subnet Mask . . . . . . . . : 255.255.255.0
	Default Gateway . . . . . . : 213.123.152.159
	DHCP Server . . . . . . . . : 255.255.255.255
	Primary WINS Server . . . . : 
	Secondary WINS Server . . . : 
	Lease Obtained. . . . . . . : 01 01 80 00:00:00
	Lease Expires . . . . . . . : 01 01 80 00:00:00

So I went for ICSHARE (interface 7) as my interface.

Thus:

snort -c snort.conf -l log -i7

leading to:


        --== Initializing Snort ==--

Initializing Network Interface ICSHARE
ERROR: OpenPcap() device ICSHARE open:
        Error opening adapter


Now, am I choosing the wrong adapter to snort, or is there a 
problem with sniffing ICS 


> -----Original Message-----
> From: Burleson, Lee (IA) [mailto:Lee.Burleson at ...1358...]
> Sent: 05 June 2001 19:01
> To: Andy Duncan; Snort-Users Maillist (E-mail)
> Subject: RE: [Snort-users] Win98 Internet Connection Sharing
> 
> 
> Andy -
> 
> I believe that you need to specify an interface _number_, not 
> a name.  Try
> "snort -W" for a list of them.  Additionally, you need to 
> install the latest
> WinPcap .  I don't remember the URL, but an archive search 
> would easily
> reveal it.
> 
> - Lee
> 
> > -----Original Message-----
> > From: Andy Duncan [mailto:andyduncan at ...1382...]
> > Sent: Tuesday, June 05, 2001 9:13 AM
> > To: Snort-Users Maillist (E-mail)
> > Subject: [Snort-users] Win98 Internet Connection Sharing
> > 
> > 
> > Hi,
> > 
> > I have been using snort successfully on Linux for a while now, and
> > this weekend I attempted to add some protection to my windows 98
> > 'firewall' running Internet Connection Sharing (I know, I know,
> > but my USB ADSL modem doesn't work under Linux).
> > 
> > I'm not 100% sure of the details here as win98 networking isn't
> > my thing, but the interface that seems to get the external ip
> > is called ICSSHARE.  However, starting snort using this interface
> > results in a message along the lines of:
> > 
> > Using interface ICSSHARE.
> > Cannot open interface.
> > 
> > Snort stops at this point and the machine often freezes.
> > 
> > snort command line:
> > 
> > snort -c snort.conf -l log\ -i 7
> > 
> > (Apologies for the vagueness, I'm at work atm and doing this
> > from memory)
> > 
> > Attaching to any other interface results in either snort exiting
> > or no alerts being logged.
> > 
> > Is snorting an ICS interface possible, or am I in a world of hurt?
> > 
> > TIA,
> > 
> > Andy
> > 
> > PS.  I've got a FreeBSD ISO on the way which will hopefully make
> > all this academic :)
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

More information about the Snort-users mailing list