[Snort-users] using "react" on w32 snort ...

Rich Adamson radamson at ...2127...
Fri Jun 20 05:18:08 EDT 2003

> > I was attempting to test the react keyword on W32 and it spit out
> > "PacketSendPacket failed" and then bailed out. The Win XP error sig is listed
> > below (if it helps any) ...
> >
> > AppName: snort.exe AppVer: ModName: ntdll.dll
> > ModVer: 5.1.2600.1217 Offset: 00033adb
> >
> > is it just not supported @ this time?
> It works just fine.
> You need to install libnet package so that you can create packets.  React
> builds a packet and then sends it.  That's what you'd need to make that
> work.
> http://www.securiteam.com/tools/5MP000A1YU.html

No, the above problem is related to a coding issue on the win32 version of
snort. Proven several times over, and it's been there since v1.8 at least.
The flex resp output is sent "only" on the first winpcap interface found
(snort -W) even if that particular interface is not active, etc. Your
error message suggests that interface is either not configured or is
inactive. One of the developers (Jeff) is rewriting the code to fix
the problem.

The only workaround at this time is to reconfigure the windows box to use
that first interface as your sensor (and therefore for flex resp output).
Then it works fine. You'll also find that using different versions of
winpcap will list the interfaces in a different order, thus requiring
you to reconfigure the windows box again to restore the flex response

The problem relates to the original coder having assumed the flex resp packet
would use the internal system routing table for the delivery of the resp
packet, which was incorrect.
