[Snort-users] using "react" on w32 snort ...

Jeff Nathan jeff at ...950...
Mon Jun 23 19:31:03 EDT 2003



Actually... the code's all done :)

I'm looking for a few people to test it under Windows and unix systems.

Send email to me directly if you're interested in testing this.

-Jeff

--On Friday, June 20, 2003 06:46:43 -0600 Rich Adamson 
<radamson at ...2127...> wrote:

>> > I was attempting to test the react keyword on W32 and it spit out
>> > "PacketSendPacket failed" and then bailed out the win xp error sig is
>> > listed below (if it helps any) ...
>> >
>> > AppName: snort.exe AppVer: 0.0.0.0 ModName: ntdll.dll
>> > ModVer: 5.1.2600.1217 Offset: 00033adb
>> >
>> > Is it just not supported @ this time?
>>
>> It works just fine.
>>
>> You need to install libnet package so that you can create packets.  React
>> builds a packet and then sends it.  That's what you'd need to make that
>> work.
>>
>> http://www.securiteam.com/tools/5MP000A1YU.html
>
> No, the above problem is related to a coding issue on the win32 version of
> snort. Proven several times over, and it's been there since v1.8 at least.
> The flex resp output is sent "only" on the first winpcap interface found
> (snort -W) even if that particular interface is not active, etc. Your
> error message suggests that interface is either not configured or is
> inactive. One of the developers (Jeff) is rewriting the code to fix
> the problem.
>
> The only workaround at this time is to reconfigure the windows box to use
> that first interface as your sensor (and therefore for flex resp output).
> Then it works fine. You'll also find that using different versions of
> winpcap will list the interfaces in a different order, thus requiring
> you to reconfigure the windows box again to restore the flex response
> function.
>
> The problem relates to the original coder assuming the flex resp packet
> would use the internal system routing table for the delivery of the resp
> packet, which was incorrect.
>


--
http://cerberus.sourcefire.com/~jeff       (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- Albert Einstein
    




