[Snort-users] Token ring support of snort

Fyodor fygrave at ...121...
Fri Nov 2 03:22:02 EST 2001


I had a similar report a while ago that running snort on a real token ring iface brings lots of junk, while a tcpdump saved file is interpreted just fine. The thing is that I never had any access to a token ring device while coding the token ring support piece, therefore I used tcpdump files to figure out the protocol/test the code. The person who was assisting me at that time told me that it worked on a real device as well, but maybe something got changed. If someone could provide me with access to a box with a token ring interface on it, I may try to fix token ring support.

On Thu, Nov 01, 2001 at 11:02:29AM -0500, Martin Roesch wrote:
> That's very possible, the Token Ring users of Snort are a pretty small
> set of people, and I think you're the first person that's tried it on
> Windows.  If you could capture some packets with Ethereal and mail them
> to me (the binary packet captures), I'll see if I can update the
> decoder.
> 
>      -Marty
> 
> bulent_sahin at ...3967... wrote:
> > 
> > Yes, the interface name is correct. I tried, but same thing happened.
> > Program captures some frames, but categorizes them as OTHER. I suppose
> > that snort does not understand token-ring, llc2 and snap headers?
> > Thanks
> > Bulent
> > 
> > Martin Roesch <roesch at ...1935...>
> > Sent by: roesch at ...2250...
> > 01.11.2001 17:04
> > To: bulent_sahin at ...3967...
> > cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Token ring support of snort
> > 
> > Is that the right interface name for the T/R interface?  To get a list
> > of the interfaces that are available run 'snort -W', then set the
> > sniffing interface with 'snort -i <intf>'
> > 
> >     -Marty
> > 
> > bulent_sahin at ...3967... wrote:
> > >
> > > Hi,
> > >
> > > Does anybody know about token ring support of snort? A few days ago I
> > > installed snort on my computer, but when I try "snort -v" it assumes
> > > that all packets are ethernet packets.  Winpcap and ethereal work
> > > fine. I pasted "snort -v" output below.
> > >
> > > C:\Downloads\Snort-1.8.1-win32-static\Snort-1.8.1-win32\snort -v
> > > Log directory =
> > >
> > >         --== Initializing Snort ==--
> > >
> > > Initializing Network Interface \
> > > Decoding Ethernet on interface \Device\Packet_MDGNDIS41
> > >
> > >         --== Initialization Complete ==--
> > >
> > > -*> Snort! <*-
> > > Version 1.8-WIN32 (Build 74)
> > > By Martin Roesch (roesch at ...1935..., www.snort.org)
> > > 1.7-WIN32 Port By Michael Davis (mike at ...92..., ww
> > > 1.8-WIN32 Port By Chris Reid (chris.reid at ...3968...
> > >           (based on code from 1.7 port)
> > >
> > > =======================================================
> > > Snort analyzed 1312 out of 1312 packets, dropping 0(0.0
> > >
> > > Breakdown by protocol:                Action Stats:
> > >     TCP: 0          (0.000%)          ALERTS: 0
> > >     UDP: 0          (0.000%)          LOGGED: 0
> > >    ICMP: 0          (0.000%)          PASSED: 0
> > >     ARP: 0          (0.000%)
> > >    IPv6: 0          (0.000%)
> > >     IPX: 0          (0.000%)
> > >   OTHER: 1311       (99.924%)
> > > DISCARD: 0          (0.000%)
> > > =======================================================
> > > Fragmentation Stats:
> > > Fragmented IP Packets: 0          (0.000%)
> > >     Fragment Trackers: 0
> > >    Rebuilt IP Packets: 0
> > >    Frag elements used: 0
> > > Discarded(incomplete): 0
> > >    Discarded(timeout): 0
> > >   Frag2 memory faults: 0
> > > =======================================================
> > > TCP Stream Reassembly Stats:
> > >         TCP Packets Used: 0          (0.000%)
> > >          Stream Trackers: 0
> > >           Stream flushes: 0
> > >            Segments used: 0
> > >    Stream4 Memory Faults: 0
> > > =======================================================
> > > pcap_loop: read error: PacketReceivePacket failedpcap_s
> > > r
> > > Snort received signal 3, exiting
> > >
> > > Thanks,
> > > Bulent
> > 
> > --
> > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> > roesch at ...1935... - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org
> 
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch at ...1935... - http://www.sourcefire.com  
> Snort: Open Source Network IDS - http://www.snort.org

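For readers following the thread: the sketch below is an added example, not part of any message above and not Snort's decoder code. It shows where the protocol type sits in an IEEE 802.5 frame carrying the LLC and SNAP headers the thread mentions, next to the two bytes an Ethernet decoder would read as the type field. The function names and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TR_FIXED_HDR 14   /* AC(1) + FC(1) + DA(6) + SA(6) */
#define LLC_SNAP_LEN 8    /* DSAP, SSAP, CTRL, OUI(3), EtherType(2) */

/* Return the EtherType from the SNAP header of an 802.5 frame, or -1 if
 * the frame is truncated, is a MAC (non-LLC) frame, or is not LLC/SNAP. */
int tr_snap_ethertype(const uint8_t *f, size_t len)
{
    size_t off = TR_FIXED_HDR;
    if (len < TR_FIXED_HDR) return -1;
    if ((f[1] & 0xC0) != 0x40) return -1;      /* FC 01xxxxxx = LLC frame */
    if (f[8] & 0x80) {                         /* RII bit: RIF follows SA */
        if (len < off + 2) return -1;
        size_t rif = f[off] & 0x1F;            /* RIF length in bytes */
        if (rif < 2 || (rif & 1)) return -1;   /* must be even and >= 2 */
        off += rif;
    }
    if (len < off || len - off < LLC_SNAP_LEN) return -1;
    if (f[off] != 0xAA || f[off + 1] != 0xAA || f[off + 2] != 0x03) return -1;
    return (f[off + 6] << 8) | f[off + 7];
}

/* What an Ethernet decoder takes as the type field: bytes 12 and 13. */
int eth_type_field(const uint8_t *f, size_t len)
{
    return len < 14 ? -1 : (f[12] << 8) | f[13];
}

/* Constructed sample: source-routed 802.5 frame, 4-byte RIF, SNAP, IPv4. */
const uint8_t sample_tr[] = {
    0x10, 0x40,                                /* AC, FC (LLC frame) */
    0x00, 0x06, 0x29, 0x11, 0x22, 0x33,        /* destination address */
    0x80, 0x06, 0x29, 0x44, 0x55, 0x66,        /* source address, RII set */
    0x04, 0x10, 0x00, 0x11,                    /* RIF: control + 1 hop */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00,        /* LLC + SNAP OUI */
    0x08, 0x00,                                /* EtherType: IPv4 */
    0x45, 0x00                                 /* start of IP header */
};

int main(void)
{
    printf("token ring decode: 0x%04x\n",
           (unsigned)tr_snap_ethertype(sample_tr, sizeof sample_tr));
    printf("ethernet offsets:  0x%04x\n",
           (unsigned)eth_type_field(sample_tr, sizeof sample_tr));
    return 0;
}
```

On the sample frame the Ethernet offsets land inside the source address, so the value read there is not a protocol type at all.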