[Snort-users] -i switch

Chris Reid chris.reid at ...3029...
Mon Mar 21 21:02:16 EST 2005


Some time ago the WinPcap developers gave us some code that could let you
specify the GUID/UUID string instead of the interface number.  I'm not at
my Snort development machine right now to verify that it was committed to
the Snort source code, but try putting the whole "Device" string in quotes
after the -i.  For example, using the interface below...

    -i "\Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2}"

would be the same as:

    -i 1

Chris Reid


On Mon, March 21, 2005 3:18 pm, Snort said:
> The changing of the interfaces is a Windows thing... I am not sure how
> you would hardcode the interface to a particular number. In the Unix
> world, no matter if you disable or not use an interface, it will always
> be what it was installed as or what you specify it as in the modules
> file. In Windows, it changes based on if you disable or enable a NIC, like
> you are experiencing now. To defeat the issue, you might have to come up
> with a script that will look for that NIC device string (found when you
> do snort -W), grep the interface number and start Snort based on that
> interface. That makes your install a bit smarter so that if you install 4
> more NICs for a virtual webserver or PPTP, Snort will always start on that
> interface you're looking for.
>
> Interface       Device          Description
> -------------------------------------------
> 1  \Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2} (Broadcom NetXtreme Gigabit Ethernet Driver)
> 2 \Device\NPF_{444422A1-AB79-4CDB-B3C9-FF274A4C6152} (Intel(R) PRO/1000 XT Network Connection)
>
>
> Knowing the above, a script could* look like this
>
> eth=$(Snort.exe -W | grep.exe -i "C6152" | cut.exe -b 1)
>
>   ^ this will produce a result of "2"
>
> Snort.exe -i"$eth" -o -c ../etc/snort.conf
>
>
> Michael Brown
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Lee
> Clemens
> Posted At: Monday, March 21, 2005 4:26 PM
> Posted To: Snort
> Conversation: [Snort-users] -i switch
> Subject: [Snort-users] -i switch
>
>
> I have seen documentation with using the -i switch followed by a number
> and with eth0, eth1, etc... However, it seems this is OS dependent.
>
> I am using Windows and "Snort -W" does not supply the names of the
> connections (eth0,...). Is there any way I can cause these numbers to
> remain static or work around this issue some other way? I have tried
> installing Snort with "-i eth0" but OpenPcap fails to open the device.
>
> I am asking this because I disable/enable some network connections on
> this computer periodically and this disrupts the numbering scheme,
> causing Snort to be looking at the wrong NIC. Thanks!
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
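
The lookup described in the quoted reply (find the NIC's device string in the `snort -W` listing and start Snort on whatever number it currently has), as an added example that is not part of the original thread or of Snort. The helper name `resolve_iface`, its exit codes and the embedded listing are constructed for illustration, and a POSIX shell with `awk` and `tr` is assumed, as the quoted script assumes `grep.exe` and `cut.exe`; it requires the full GUID and fails instead of guessing when the adapter is missing or ambiguous.

```shell
#!/bin/sh
# Constructed sample of `snort -W` output, modelled on the listing in this thread.
sample_snort_W() {
cat <<'EOF'
Interface       Device          Description
-------------------------------------------
1  \Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2} (Broadcom NetXtreme Gigabit Ethernet Driver)
2 \Device\NPF_{444422A1-AB79-4CDB-B3C9-FF274A4C6152} (Intel(R) PRO/1000 XT Network Connection)
EOF
}

# resolve_iface GUID  (hypothetical helper, not part of Snort)
# Reads a `snort -W` listing on stdin and prints the current interface number
# of the adapter whose device string contains {GUID}.
# Exit codes: 0 found, 1 malformed GUID, 2 not listed, 3 ambiguous.
resolve_iface() {
    # Normalise case and strip optional braces.
    guid=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d '{}')
    # Demand the full 8-4-4-4-12 GUID: a short fragment such as "C6152"
    # could match a different adapter added later.
    case "$guid" in
        *[!0-9A-F-]*) echo "resolve_iface: bad GUID: $1" >&2; return 1 ;;
        ????????-????-????-????-????????????) ;;
        *) echo "resolve_iface: bad GUID: $1" >&2; return 1 ;;
    esac
    # Drop CRs from Windows output, then match only rows that start with an
    # interface number. index() is a literal search, so nothing in the device
    # string is treated as a regular expression.
    tr -d '\r' | awk -v g="{$guid}" '
        $1 ~ /^[0-9]+$/ && index(toupper($2), g) { n++; idx = $1 }
        END { if (n == 1) print idx; else exit (n ? 3 : 2) }'
}

# Stand-alone demonstration on the constructed listing (prints "interface 2").
# On a sensor the pipeline would be:  Snort.exe -W | resolve_iface "<GUID>"
if idx=$(sample_snort_W | resolve_iface "444422a1-ab79-4cdb-b3c9-ff274a4c6152"); then
    echo "interface $idx"
else
    echo "adapter not found; refusing to start Snort on a guessed interface" >&2
fi
```

A non-zero exit means the monitored adapter is disabled or gone, which is worth alerting on, since the alternative is a sensor quietly watching the wrong NIC.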




