[Snort-users] Making sense of "snort -W" output

Moshe Aelion ma0934 at ...125...
Sun Nov 17 12:22:03 EST 2002


Hi everybody

I would welcome some help: we have a NAT/ICMP ADSL gateway computer. It has two network interface cards, one for the internal LAN, and one for the ethernet link to the ADSL modem. There are three networks defined at TCP/IP level: the internal LAN (192.168.x.x), where the actual computers are positioned; another internal LAN (10.0.0.x), on which the ADSL modem has an address - 10.0.0.x; and the Internet link (which obtains an external IP address dynamically upon connection, from the ISP using DHCP - that's the address seen by "the outside world").

Since there are two interface cards, I thought "snort -W" would output two entries. Instead, there are nine! Why is that?
Can you suggest which ones are significant for the -i option? What's the meaning of "NdisWanNbfIn/Out"?

Thanks in advance

Moshe

Here is the "snort -W" output:


Interface Device  Description
-------------------------------------------
1  \Device\Packet_{54B6A635-7753-44DD-9977-B4137EBA5A52} (3Com EtherLink PCI)
2 \Device\Packet_NdisWanIp (NdisWan Adapter)
3 \Device\Packet_NdisWanNbfOut{B5BA17D7-51EE-4B78-9E77-7B4CD2290205} (NdisWan Adapter)
4 \Device\Packet_NdisWanNbfIn{75E313C0-196A-48AD-B9E7-B72E44EAA0EB} (NdisWan Adapter)
5 \Device\Packet_NdisWanNbfIn{3BD08A8F-C44A-4364-B9A5-38E60E86FC1C} (NdisWan Adapter)
6 \Device\Packet_NdisWanNbfIn{A6B7853E-8766-419C-89C7-C6A5AAEA0956} (NdisWan Adapter)
7 \Device\Packet_NdisWanNbfOut{718B4E5C-2065-43E1-BBA9-26979539C0DB} (NdisWan Adapter)
8 \Device\Packet_NdisWanNbfOut{DCBA58B7-B33C-4ED3-B81F-D64A73A203D9} (NdisWan Adapter)
9 \Device\Packet_{17D59C5C-F6AD-4936-9A52-1C622D441FC4} (3Com EtherLink PCI)
