From: Andy Duncan (andyduncanmotives.co.uk)
Date: Tue Jun 05 2001 - 19:37:51 CDT

    Hi Lee.

    My WinPcap version is 2.01.000 (I believe this is the
    latest). I am passing snort the interface number that
    corresponds to the ICSHARE interface. Thanks for the
    -W tip, I hadn't spotted that. Much easier than digging
    through the registry :).

    Given that, my thought process is below:

    Output of snort -W:

    -*> Snort ! <*-
    By Martin Roesch (roeschclark.net, www.snort.org)
    WIN32 Port By Michael Davis (mikedatanerds.net, www.datanerds.net/~mike)

    Interface Device Description
    ------------------------------------------
    1 PPPMAC (PPP Adapter.)
    2 PPPMAC (PPP Adapter.)
    3 pptp ()
    4 PCINT ()
    5 SpeedTouch ()
    6 SpeedTouch ()
    7 ICSHARE ()
    8 SpeedTouch ()
    9 SpeedTouch ()

    Output of ipconfig /all:

    Windows 98 IP Configuration

            Host Name . . . . . . . . . : macguffin.lotsofbeer.demon.co.uk
            DNS Servers . . . . . . . . : 192.168.0.8
            Node Type . . . . . . . . . : Hybrid
            NetBIOS Scope ID. . . . . . :
            IP Routing Enabled. . . . . : Yes
            WINS Proxy Enabled. . . . . : No
            NetBIOS Resolution Uses DNS : Yes

    0 Ethernet adapter :

            Description . . . . . . . . : PPP Adapter.
            Physical Address. . . . . . : 44-45-53-54-00-01
            DHCP Enabled. . . . . . . . : Yes
            IP Address. . . . . . . . . : 0.0.0.0
            Subnet Mask . . . . . . . . : 0.0.0.0
            Default Gateway . . . . . . :
            DHCP Server . . . . . . . . : 255.255.255.255
            Primary WINS Server . . . . :
            Secondary WINS Server . . . :
            Lease Obtained. . . . . . . :
            Lease Expires . . . . . . . :

    1 Ethernet adapter :

            Description . . . . . . . . : Realtek RTL8029(AS) Ethernet Adapt
            Physical Address. . . . . . : 00-60-52-04-25-2D
            DHCP Enabled. . . . . . . . : No
            IP Address. . . . . . . . . : 192.168.0.1
            Subnet Mask . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . :
            Primary WINS Server . . . . : 192.168.0.8
            Secondary WINS Server . . . :
            Lease Obtained. . . . . . . :
            Lease Expires . . . . . . . :

    2 Ethernet adapter :

            Description . . . . . . . . : ICSHARE Adapter.
            Physical Address. . . . . . : 44-45-53-54-00-00
            DHCP Enabled. . . . . . . . : Yes
            IP Address. . . . . . . . . : 213.123.152.159
            Subnet Mask . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . : 213.123.152.159
            DHCP Server . . . . . . . . : 255.255.255.255
            Primary WINS Server . . . . :
            Secondary WINS Server . . . :
            Lease Obtained. . . . . . . : 01 01 80 00:00:00
            Lease Expires . . . . . . . : 01 01 80 00:00:00

    So I went for ICSHARE (interface 7) as my interface.

    Thus:

    snort -c snort.conf -l log -i7

    leading to:

            --== Initializing Snort ==--

    Initializing Network Interface ICSHARE
    ERROR: OpenPcap() device ICSHARE open:
            Error opening adapter

    Now, am I choosing the wrong adapter to snort, or is there a
    problem with sniffing ICS

    > -----Original Message-----
    > From: Burleson, Lee (IA) [mailto:Lee.Burlesonia.ngb.army.mil]
    > Sent: 05 June 2001 19:01
    > To: Andy Duncan; Snort-Users Maillist (E-mail)
    > Subject: RE: [Snort-users] Win98 Internet Connection Sharing
    >
    >
    > Andy -
    >
    > I believe that you need to specify an interface _number_, not
    > a name. Try "snort -W" for a list of them. Additionally, you need
    > to install the latest WinPcap. I don't remember the URL, but an
    > archive search would easily reveal it.
    >
    > - Lee
    >
    > > -----Original Message-----
    > > From: Andy Duncan [mailto:andyduncanmotives.co.uk]
    > > Sent: Tuesday, June 05, 2001 9:13 AM
    > > To: Snort-Users Maillist (E-mail)
    > > Subject: [Snort-users] Win98 Internet Connection Sharing
    > >
    > >
    > > Hi,
    > >
    > > I have been using snort successfully on Linux for a while now, and
    > > this weekend I attempted to add some protection to my windows 98
    > > 'firewall' running Internet Connection Sharing (I know, I know,
    > > but my USB ADSL modem doesn't work under Linux).
    > >
    > > I'm not 100% sure of the details here as win98 networking isn't
    > > my thing, but the interface that seems to get the external ip
    > > is called ICSSHARE. However, starting snort using this interface
    > > results in a message along the lines of:
    > >
    > > Using interface ICSSHARE.
    > > Cannot open interface.
    > >
    > > Snort stops at this point and the machine often freezes.
    > >
    > > snort command line:
    > >
    > > snort -c snort.conf -l log\ -i 7
    > >
    > > (Apologies for the vagueness, I'm at work atm and doing this
    > > from memory)
    > >
    > > Attaching to any other interface results in either snort exiting
    > > or no alerts being logged.
    > >
    > > Is snorting an ICS interface possible, or am I in a world of hurt?
    > >
    > > TIA,
    > >
    > > Andy
    > >
    > > PS. I've got a FreeBSD ISO on the way which will hopefully make
    > > all this academic :)
    > >
    > > _______________________________________________
    > > Snort-users mailing list
    > > Snort-userslists.sourceforge.net
    > > Go to this URL to change user options or unsubscribe:
    > > http://lists.sourceforge.net/lists/listinfo/snort-users
    > > Snort-users list archive:
    > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    > >
    >
