[SPAM] - RE: [Snort-users] -i switch - Email found in subject

Marc Hering mhering at ...13116...
Tue Mar 22 06:27:29 EST 2005


Or just install a copy of Ethereal and run a packet capture...it will give you the full interface name on a Winblows box :)

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...3204...ts.sourceforge.net] On Behalf Of Michael Steele
Sent: Tuesday, March 22, 2005 12:35 AM
To: 'Snort Users Postings'
Subject: [SPAM] - RE: [Snort-users] -i switch - Email found in subject

You will need to dive into the registry for those settings.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users- 
> admin at lists.sourceforge.net] On Behalf Of Chris Reid
> Sent: Monday, March 21, 2005 9:02 PM
> To: snort-users at lists.sourceforge.net
> Cc: Lee Clemens; Snort
> Subject: RE: [Snort-users] -i switch
> 
> Some time ago the WinPcap developers gave us some code that could let 
> you specify the GUID/UUID string instead of the interface number.  I'm 
> not at my Snort development machine right now to verify that it was 
> committed to the Snort source code, but try putting the whole "Device" 
> string in quotes after the -i.  For example, using the interface below...
> 
>     -i "\Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2}"
> 
> would be the same as:
> 
>     -i 1
> 
> Chris Reid
> 
> 
> On Mon, March 21, 2005 3:18 pm, Snort said:
> > The changing of the interfaces is a windows thing... I am not sure 
> > how you would hardcode the interface to a particular number. In the 
> > Unix world, no matter if you disable or not use an interface, it 
> > will always be what it was installed as or what you specify it as in 
> > the modules file. In windows, it changes based on if you disable or 
> > enable NIC, like you are experiencing now. To defeat the issue, you 
> > might have to come up with a script that will look for that NIC 
> > device string (found when you do snort -W), grep the interface 
> > number and start snort based on that interface. That makes your 
> > install a bit smarter so that you install 4 more nics for virtual 
> > webserver or pptp, snort will always start on that interface you're looking for.
> >
> > Interface       Device          Description
> > -------------------------------------------
> > 1  \Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2} (Broadcom NetXtreme Gigabit Ethernet Driver)
> > 2 \Device\NPF_{444422A1-AB79-4CDB-B3C9-FF274A4C6152} (Intel(R) PRO/1000 XT Network Connection)
> >
> >
> > knowing the above, a script could* look like this
> >
> > eth=$(Snort.exe -W | grep.exe -i "C6152" | cut.exe -b 1)
> >
> >   ^ this will produce a result of "2"
> >
> > Snort.exe -i"$eth" -o -c ../etc/snort.conf
> >
> >
> > Michael Brown
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Lee Clemens
> > Posted At: Monday, March 21, 2005 4:26 PM
> > Posted To: Snort
> > Conversation: [Snort-users] -i switch
> > Subject: [Snort-users] -i switch
> >
> >
> > I have seen documentation with using the -i switch followed by a 
> > number and with eth0, eth1, etc... However, it seems this is OS 
> > dependent.
> >
> > I am using windows and "Snort -W" does not supply the names of the 
> > connections (eth0,...). Is there any way I can cause these numbers 
> > to remain static or work around this issue some other way? I have 
> > tried installing Snort with "-i eth0" but OpenPcap fails to open the 
> > device.
> >
> > I am asking this because I disable/enable some network connections 
> > on this computer periodically and this disrupts the numbering 
> > scheme, causing Snort to be looking at the wrong NIC. Thanks!
> >
> >
> >
> >
> >
> >
> > -------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide Read honest & candid 
> > reviews on hundreds of IT Products from real users.
> > Discover which products truly live up to the hype. Start reading now.
> > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

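The lookup discussed in this thread, as an added example that is not part of any poster's message: it maps a WinPcap device GUID to the index `snort -W` currently assigns, handles multi-digit indexes and leading whitespace, and refuses to answer when the GUID matches zero or several rows so the sensor never starts on the wrong NIC. The function names and the third listing row are constructed for illustration; it assumes a POSIX `sh` and `awk` port on the Windows host, like the `grep.exe`/`cut.exe` tools mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample of a `snort -W` interface listing: rows 1 and 2 are the
# ones quoted in the thread, row 10 is made up to exercise multi-digit indexes.
sample_listing() {
    cat <<'EOF'
Interface       Device          Description
-------------------------------------------
1  \Device\NPF_{9C7E2353-B2CB-4716-B424-582C30D2C4E2} (Broadcom NetXtreme Gigabit Ethernet Driver)
2 \Device\NPF_{444422A1-AB79-4CDB-B3C9-FF274A4C6152} (Intel(R) PRO/1000 XT Network Connection)
   10 \Device\NPF_{00000000-0000-0000-0000-00000000000A} (constructed sample adapter)
EOF
}

# resolve_snort_iface GUID
# Reads a `snort -W` listing on stdin and prints the interface index whose
# device string contains GUID (case-insensitive, fixed-string match).
# Exit status: 0 = exactly one match, 1 = no match, 2 = ambiguous match.
resolve_snort_iface() {
    [ -n "$1" ] || return 1
    # Pass the GUID through the environment so awk does not interpret
    # backslashes if a full \Device\NPF_{...} string is supplied.
    WANT_GUID=$1 awk '
        BEGIN { want = toupper(ENVIRON["WANT_GUID"]) }
        # Interface rows begin with a numeric index; banner and header
        # lines do not, so they are skipped.
        $1 ~ /^[0-9]+$/ && index(toupper($0), want) > 0 { idx = $1; n++ }
        END {
            if (n == 1) { print idx; exit 0 }
            exit (n == 0 ? 1 : 2)
        }
    '
}

# Stand-alone demonstration on the constructed listing. On a real sensor the
# input would be `snort -W` and the echo would be the actual Snort start line.
if idx=$(sample_listing | resolve_snort_iface "444422A1-AB79-4CDB-B3C9-FF274A4C6152"); then
    echo "would start: snort -i $idx -o -c ../etc/snort.conf"
else
    echo "interface GUID not uniquely resolved; not starting Snort" >&2
fi
```

A start-up script that checks the exit status before launching Snort fails closed when a NIC has been disabled or renumbered, instead of silently monitoring a different interface.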





