[Snort-users] Win98 Internet Connection Sharing

Burleson, Lee (IA) Lee.Burleson at ...1358...
Wed Jun 6 11:45:37 EDT 2001


Andy -

Sorry that I didn't see your using the interface number in your original
command line post.

Looking through your ipconfig output, it seems that you are attempting to
bind to the correct interface.  There may be a problem with Snort->ICS in
Win98.  I may try snort with ICS on Win2k and see if I can achieve better
results.  My guess is that it will work.  ICS in Win98 is kind of a hack,
whereas in Win2k it's NAT on original interfaces.

Of course, if you're switching to FreeBSD, this is all academic anyway... :)

- Lee

> -----Original Message-----
> From: Andy Duncan [mailto:andyduncan at ...1382...]
> Sent: Tuesday, June 05, 2001 7:38 PM
> To: 'Burleson, Lee (IA)'; Snort-Users Maillist (E-mail)
> Subject: RE: [Snort-users] Win98 Internet Connection Sharing
> 
> 
> Hi Lee.
> 
> My WinPcap version is 2.01.000 (I believe this is the 
> latest).  I am passing snort the interface number that
> corresponds to the ICSHARE interface.  Thanks for the
> -W tip, I hadn't spotted that.  Much easier than digging
> through the registry :).
> 
> Given that, my thought process is below:
> 
> Output of snort -W:
> 
> -*> Snort ! <*-
> By Martin Roesch (roesch at ...66..., www.snort.org)
> WIN32 Port By Michael Davis (mike at ...92..., 
> www.datanerds.net/~mike)
> 
> Interface       Device         Description
> ------------------------------------------
> 1  PPPMAC (PPP Adapter.)
> 2 PPPMAC (PPP Adapter.)
> 3 pptp ()
> 4 PCINT ()
> 5 SpeedTouch ()
> 6 SpeedTouch ()
> 7 ICSHARE ()
> 8 SpeedTouch ()
> 9 SpeedTouch ()
> 
> Output of ipconfig /all:
> 
> Windows 98 IP Configuration
> 
> 	Host Name . . . . . . . . . : macguffin.lotsofbeer.demon.co.uk
> 	DNS Servers . . . . . . . . : 192.168.0.8
> 	Node Type . . . . . . . . . : Hybrid
> 	NetBIOS Scope ID. . . . . . : 
> 	IP Routing Enabled. . . . . : Yes
> 	WINS Proxy Enabled. . . . . : No
> 	NetBIOS Resolution Uses DNS : Yes
> 
> 0 Ethernet adapter :
> 
> 	Description . . . . . . . . : PPP Adapter.
> 	Physical Address. . . . . . : 44-45-53-54-00-01
> 	DHCP Enabled. . . . . . . . : Yes
> 	IP Address. . . . . . . . . : 0.0.0.0
> 	Subnet Mask . . . . . . . . : 0.0.0.0
> 	Default Gateway . . . . . . : 
> 	DHCP Server . . . . . . . . : 255.255.255.255
> 	Primary WINS Server . . . . : 
> 	Secondary WINS Server . . . : 
> 	Lease Obtained. . . . . . . : 
> 	Lease Expires . . . . . . . : 
> 
> 1 Ethernet adapter :
> 
> 	Description . . . . . . . . : Realtek RTL8029(AS) Ethernet Adapt
> 	Physical Address. . . . . . : 00-60-52-04-25-2D
> 	DHCP Enabled. . . . . . . . : No
> 	IP Address. . . . . . . . . : 192.168.0.1
> 	Subnet Mask . . . . . . . . : 255.255.255.0
> 	Default Gateway . . . . . . : 
> 	Primary WINS Server . . . . : 192.168.0.8
> 	Secondary WINS Server . . . : 
> 	Lease Obtained. . . . . . . : 
> 	Lease Expires . . . . . . . : 
> 
> 2 Ethernet adapter :
> 
> 	Description . . . . . . . . : ICSHARE Adapter.
> 	Physical Address. . . . . . : 44-45-53-54-00-00
> 	DHCP Enabled. . . . . . . . : Yes
> 	IP Address. . . . . . . . . : 213.123.152.159
> 	Subnet Mask . . . . . . . . : 255.255.255.0
> 	Default Gateway . . . . . . : 213.123.152.159
> 	DHCP Server . . . . . . . . : 255.255.255.255
> 	Primary WINS Server . . . . : 
> 	Secondary WINS Server . . . : 
> 	Lease Obtained. . . . . . . : 01 01 80 00:00:00
> 	Lease Expires . . . . . . . : 01 01 80 00:00:00
> 
> So I went for ICSHARE (interface 7) as my interface.
> 
> Thus:
> 
> snort -c snort.conf -l log -i7
> 
> leading to:
> 
> 
>         --== Initializing Snort ==--
> 
> Initializing Network Interface ICSHARE
> ERROR: OpenPcap() device ICSHARE open:
>         Error opening adapter
> 
> 
> Now, am I choosing the wrong adapter to snort, or is there a 
> problem with sniffing ICS 
> 
> 
> > -----Original Message-----
> > From: Burleson, Lee (IA) [mailto:Lee.Burleson at ...1358...]
> > Sent: 05 June 2001 19:01
> > To: Andy Duncan; Snort-Users Maillist (E-mail)
> > Subject: RE: [Snort-users] Win98 Internet Connection Sharing
> > 
> > 
> > Andy -
> > 
> > I believe that you need to specify an interface _number_, not 
> > a name.  Try
> > "snort -W" for a list of them.  Additionally, you need to 
> > install the latest
> > WinPcap.  I don't remember the URL, but an archive search 
> > would easily
> > reveal it.
> > 
> > - Lee
> > 
> > > -----Original Message-----
> > > From: Andy Duncan [mailto:andyduncan at ...1382...]
> > > Sent: Tuesday, June 05, 2001 9:13 AM
> > > To: Snort-Users Maillist (E-mail)
> > > Subject: [Snort-users] Win98 Internet Connection Sharing
> > > 
> > > 
> > > Hi,
> > > 
> > > I have been using snort successfully on Linux for a while now, and
> > > this weekend I attempted to add some protection to my windows 98
> > > 'firewall' running Internet Connection Sharing (I know, I know,
> > > but my USB ADSL modem doesn't work under Linux).
> > > 
> > > I'm not 100% sure of the details here as win98 networking isn't
> > > my thing, but the interface that seems to get the external ip
> > > is called ICSSHARE.  However, starting snort using this interface
> > > results in a message along the lines of:
> > > 
> > > Using interface ICSSHARE.
> > > Cannot open interface.
> > > 
> > > Snort stops at this point and the machine often freezes.
> > > 
> > > snort command line:
> > > 
> > > snort -c snort.conf -l log\ -i 7
> > > 
> > > (Apologies for the vagueness, I'm at work atm and doing this
> > > from memory)
> > > 
> > > Attaching to any other interface results in either snort exiting
> > > or no alerts being logged.
> > > 
> > > Is snorting an ICS interface possible, or am I in a world of hurt?
> > > 
> > > TIA,
> > > 
> > > Andy
> > > 
> > > PS.  I've got a FreeBSD ISO on the way which will hopefully make
> > > all this academic :)
> > > 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > 
> 
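
Added example, not part of the thread and not Snort's own code: a Python helper that turns a device name into the interface number `-i` expects on the Win32 port, using the `snort -W` listing quoted above. The function names are hypothetical; the helper refuses names that occur more than once in the listing (SpeedTouch, PPPMAC), since only the number identifies those.

```python
import re
from collections import defaultdict

# Interface listing as quoted in the thread above (output of `snort -W`).
SNORT_W_OUTPUT = """\
Interface       Device         Description
------------------------------------------
1  PPPMAC (PPP Adapter.)
2 PPPMAC (PPP Adapter.)
3 pptp ()
4 PCINT ()
5 SpeedTouch ()
6 SpeedTouch ()
7 ICSHARE ()
8 SpeedTouch ()
9 SpeedTouch ()
"""

# One row: interface number, device name, description in parentheses.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_interfaces(listing):
    """Return {device_name: [interface numbers]} from a `snort -W` listing."""
    by_name = defaultdict(list)
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:  # header and separator rows do not match
            by_name[m.group(2)].append(int(m.group(1)))
    return dict(by_name)


def interface_arg(listing, device):
    """Return the `-iN` argument for a device, refusing ambiguous names."""
    numbers = parse_interfaces(listing).get(device, [])
    if not numbers:
        raise LookupError(f"no interface named {device!r} in listing")
    if len(numbers) > 1:
        raise LookupError(f"{device!r} is ambiguous: interfaces {numbers}")
    return f"-i{numbers[0]}"


if __name__ == "__main__":
    # Rebuild the command line from the thread for the ICSHARE adapter.
    print("snort -c snort.conf -l log", interface_arg(SNORT_W_OUTPUT, "ICSHARE"))
```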



