[Snort-users] -i switch

Michael Steele michaels at ...9077...
Mon Mar 21 21:35:59 EST 2005


You will need to dive into the registry for those settings.

Kindest regards, 
Michael...

WINSNORT.com Management Team Member
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Chris Reid
> Sent: Monday, March 21, 2005 9:02 PM
> To: snort-users at lists.sourceforge.net
> Cc: Lee Clemens; Snort
> Subject: RE: [Snort-users] -i switch
> 
> Some time ago the WinPcap developers gave us some code that could let you
> specify the GUID/UUID string instead of the interface number.  I'm not at
> my Snort development machine right now to verify that it was committed to
> the Snort source code, but try putting the whole "Device" string in quotes
> after the -i.  For example, using the interface below...
> 
>     -i "\Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2}"
> 
> would be the same as:
> 
>     -i 1
> 
> Chris Reid
> 
> 
> On Mon, March 21, 2005 3:18 pm, Snort said:
> > The changing of the interfaces is a windows thing... I am not sure how
> > you would hardcode the interface to a particular number. In the Unix
> > world, no matter if you disable or not use an interface, it will always
> > be what it was installed as or what you specify it as in the modules
> > file. In windows, it changes based on if you disable or enable NIC, like
> > you are experiencing now. To defeat the issue, you might have to come up
> > with a script that will look for that NIC device string (found when you
> > do snort -W), grep the interface number and start snort based on that
> > interface. That makes your install a bit smarter so that you install 4
> > more nics for virtual webserver or pptp, snort will always start on that
> > interface your looking for.
> >
> > Interface       Device          Description
> > -------------------------------------------
> > 1  \Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2} (Broadcom
> > NetXtreme Gigabi
> > t Ethernet Driver)
> > 2 \Device\NPF_{444422A1-AB79-4CDB-B3C9-FF274A4C6152} (Intel(R) PRO/1000
> > XT Netwo
> > rk Connection)
> >
> >
> > knowing the above, a script could* look like this
> >
> > eth="Snort.exe -W | grep.exe -i "C6152" | cut.exe -b 1"
> >
> >   ^ this will produce a result of "2"
> >
> > Snort.exe -i"$eth" -o -c ../etc/snort.conf
> >
> >
> > Michael Brown
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Lee
> > Clemens
> > Posted At: Monday, March 21, 2005 4:26 PM
> > Posted To: Snort
> > Conversation: [Snort-users] -i switch
> > Subject: [Snort-users] -i switch
> >
> >
> > I have seen documentation with using the -i switch followed by a number
> > and
> > with eth0, eth1, etc... However, it seems this is OS dependent.
> >
> > I am using windows and "Snort -W" does not supply the names of the
> > connections (eth0,...). Is there any way I can cause these numbers to
> > remain
> > static or work around this issue some other way? I have tried installing
> > Snort with "-i eth0" but OpenPcap fails to open the device.
> >
> > I am asking this because I disable/enable some network connections on
> > this
> > computer periodically and this disrupts the numbering scheme, causing
> > Snort
> > to be looking at the wrong NIC. Thanks!
> >
> >
> >
> >
> >
> >
> > -------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT Products from real users.
> > Discover which products truly live up to the hype. Start reading now.
> > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > -------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT Products from real users.
> > Discover which products truly live up to the hype. Start reading now.
> > http://ads.osdn.com/?ad_ide95&alloc_id396&opÌk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list
> >
> 
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_ide95&alloc_id396&op=ick
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users









More information about the Snort-users mailing list