[Snort-users] -i switch

Snort Snort at ...13151...
Mon Mar 21 14:18:26 EST 2005


The changing of the interfaces is a windows thing... I am not sure how
you would hardcode the interface to a particular number. In the Unix
world, no matter if you disable or not use an interface, it will always
be what it was installed as or what you specify it as in the modules
file. In windows, it changes based on if you disable or enable NIC, like
you are experiencing now. To defeat the issue, you might have to come up
with a script that will look for that NIC device string (found when you
do snort -W), grep the interface number and start snort based on that
interface. That makes your install a bit smarter so that you install 4
more nics for virtual webserver or pptp, snort will always start on that
interface your looking for.

Interface       Device          Description
-------------------------------------------
1  \Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2} (Broadcom
NetXtreme Gigabi
t Ethernet Driver)
2 \Device\NPF_{444422A1-AB79-4CDB-B3C9-FF274A4C6152} (Intel(R) PRO/1000
XT Netwo
rk Connection)


knowing the above, a script could* look like this

eth="Snort.exe -W | grep.exe -i "C6152" | cut.exe -b 1"  

  ^ this will produce a result of "2"

Snort.exe -i"$eth" -o -c ../etc/snort.conf 


Michael Brown

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Lee
Clemens
Posted At: Monday, March 21, 2005 4:26 PM
Posted To: Snort
Conversation: [Snort-users] -i switch
Subject: [Snort-users] -i switch


I have seen documentation with using the -i switch followed by a number
and
with eth0, eth1, etc... However, it seems this is OS dependent. 

I am using windows and "Snort -W" does not supply the names of the
connections (eth0,...). Is there any way I can cause these numbers to
remain
static or work around this issue some other way? I have tried installing
Snort with "-i eth0" but OpenPcap fails to open the device.

I am asking this because I disable/enable some network connections on
this
computer periodically and this disrupts the numbering scheme, causing
Snort
to be looking at the wrong NIC. Thanks!






-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list