[Snort-users] Token ring support of snort

Karl Lovink karl at ...501...
Thu Nov 1 12:16:02 EST 2001


Bulent and Marty,

We are using several Snort sensors on Token Ring without any problems.
The only difference is the Operating System. We are using Linux and not
Win32. Maybe it's a libpcap problem?

Greetz,
Karl


-----Original message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On behalf of Martin Roesch
Sent: Thursday, 1 November 2001 17:02
To: bulent_sahin at ...3967...
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Token ring support of snort

That's very possible, the Token Ring users of Snort are a pretty small
set of people, and I think you're the first person that's tried it on
Windows.  If you could capture some packets with Ethereal and mail them
to me (the binary packet captures), I'll see if I can update the
decoder.

     -Marty

bulent_sahin at ...3967... wrote:
>
> Yes, the interface name is correct. I tried, but same thing happened.
> Program captures some frames, but categorizes them as OTHER. I suppose
> that snort does not understand token-ring, llc2 and snap headers?
> Thanks
> Bulent
>
> From:    Martin Roesch <roesch at ...1935...>
> Sent by: roesch at ...2250...
> Date:    01.11.2001 17:04
> To:      bulent_sahin at ...3967...
> cc:      snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Token ring support of snort
>
> Is that the right interface name for the T/R interface?  To get a list
> of the interfaces that are available run 'snort -W', then set the
> sniffing interface with 'snort -i <intf>'
>
>     -Marty
>
> bulent_sahin at ...3967... wrote:
> >
> > Hi,
> >
> > Does anybody know about token ring support of snort? A few days ago I
> > installed snort on my computer, but when I try "snort -v" it assumes
> > that all packets are ethernet packets.  Winpcap and ethereal work
> > fine. I pasted "snort -v" output below.
> >
> > C:\Downloads\Snort-1.8.1-win32-static\Snort-1.8.1-win32\snort -v
> > Log directory =
> >
> >         --== Initializing Snort ==--
> >
> > Initializing Network Interface \
> > Decoding Ethernet on interface \Device\Packet_MDGNDIS41
> >
> >         --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 1.8-WIN32 (Build 74)
> > By Martin Roesch (roesch at ...1935..., www.snort.org)
> > 1.7-WIN32 Port By Michael Davis (mike at ...92..., ww
> > 1.8-WIN32 Port By Chris Reid (chris.reid at ...3968...
> >           (based on code from 1.7 port)
> >
> > =======================================================
> > Snort analyzed 1312 out of 1312 packets, dropping 0(0.0
> >
> > Breakdown by protocol:                Action Stats:
> >     TCP: 0          (0.000%)          ALERTS: 0
> >     UDP: 0          (0.000%)          LOGGED: 0
> >    ICMP: 0          (0.000%)          PASSED: 0
> >     ARP: 0          (0.000%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 1311       (99.924%)
> > DISCARD: 0          (0.000%)
> > =======================================================
> > Fragmentation Stats:
> > Fragmented IP Packets: 0          (0.000%)
> >     Fragment Trackers: 0
> >    Rebuilt IP Packets: 0
> >    Frag elements used: 0
> > Discarded(incomplete): 0
> >    Discarded(timeout): 0
> >   Frag2 memory faults: 0
> > =======================================================
> > TCP Stream Reassembly Stats:
> >         TCP Packets Used: 0          (0.000%)
> >          Stream Trackers: 0
> >           Stream flushes: 0
> >            Segments used: 0
> >    Stream4 Memory Faults: 0
> > =======================================================
> > pcap_loop: read error: PacketReceivePacket failedpcap_s
> > r
> > Snort received signal 3, exiting
> >
> > Thanks,
> > Bulent
>
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
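
Added example (not part of the thread and not Snort's decoder code): a Python illustration of how one Token Ring frame carrying IP looks to an Ethernet decoder versus a decoder that walks the 802.5 header, the optional routing information field, and the 802.2 LLC/SNAP headers mentioned in the thread. The frame bytes and MAC addresses are constructed, and the four-entry EtherType table is an assumption chosen to match the protocol names in the Snort statistics.

```python
import struct

# Assumed lookup table; names mirror the "Breakdown by protocol" labels.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8137: "IPX"}

def decode_as_ethernet(frame):
    """Treat bytes 12-13 as the EtherType, as an Ethernet decoder does."""
    if len(frame) < 14:
        return "OTHER"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return ETHERTYPES.get(ethertype, "OTHER")

def decode_as_token_ring(frame):
    """Walk AC/FC/DA/SA, skip any RIF, then read 802.2 LLC + SNAP."""
    if len(frame) < 14:
        return "OTHER"
    if frame[1] & 0xC0 != 0x40:          # FC frame type: 01 = LLC, 00 = MAC
        return "OTHER"
    offset = 14                          # AC(1) + FC(1) + DA(6) + SA(6)
    if frame[8] & 0x80:                  # high bit of SA: RIF follows
        if len(frame) < offset + 2:
            return "OTHER"
        rif_len = frame[offset] & 0x1F   # low 5 bits = RIF length in bytes
        if rif_len < 2 or rif_len % 2:
            return "OTHER"
        offset += rif_len
    llc_snap = frame[offset:offset + 8]
    if len(llc_snap) < 8 or llc_snap[:3] != b"\xaa\xaa\x03":
        return "OTHER"                   # not an LLC UI frame with SNAP SAPs
    (ethertype,) = struct.unpack("!H", llc_snap[6:8])
    return ETHERTYPES.get(ethertype, "OTHER")

def build_sample(rif=b""):
    """Constructed frame: 802.5 header + optional RIF + SNAP(IPv4) + stub."""
    da = bytes.fromhex("0000f6112233")       # constructed addresses
    sa = bytearray.fromhex("0000f6445566")
    if rif:
        sa[0] |= 0x80                        # flag the RIF in the source MAC
    llc_snap = bytes.fromhex("aaaa03" "000000" "0800")
    return bytes([0x10, 0x40]) + da + bytes(sa) + rif + llc_snap + b"\x45\x00"

if __name__ == "__main__":
    for rif in (b"", bytes.fromhex("063000110022")):   # without / with a 6-byte RIF
        f = build_sample(rif)
        print(len(rif), decode_as_ethernet(f), decode_as_token_ring(f))
```

Read as Ethernet, the "EtherType" is really the last two bytes of the Token Ring source address, so the frame lands in OTHER even though it carries IPv4.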
