From: Karl Lovink (karllovink.net)
Date: Thu Nov 01 2001 - 14:04:25 CST

    Bulent and Marty,

    We are using several snort sensors on tokenring without any problems.
    The only difference is the Operating System. We are using Linux and not
    Win32. Maybe it's a libpcap problem?

    Greetz,
    Karl

    -----Original Message-----
    From: snort-users-adminlists.sourceforge.net
    [mailto:snort-users-adminlists.sourceforge.net] On behalf of Martin Roesch
    Sent: Thursday, November 1, 2001 17:02
    To: bulent_sahintb.net.tr
    CC: snort-userslists.sourceforge.net
    Subject: Re: [Snort-users] Token ring support of snort

    That's very possible, the Token Ring users of Snort are a pretty small
    set of people, and I think you're the first person that's tried it on
    Windows. If you could capture some packets with Ethereal and mail them
    to me (the binary packet captures), I'll see if I can update the
    decoder.

         -Marty

    bulent_sahintb.net.tr wrote:
    >
    > Yes, the interface name is correct. I tried, but same thing happened.
    > Program captures some frames, but categorizes them as OTHER. I suppose
    > that snort does not understand token-ring, llc2 and snap headers?
    > Thanks
    > Bulent
    >
    > Martin Roesch <roeschsourcefire.com>
    > Sent by: roeschmail.sourcefire.com
    > 01.11.2001 17:04
    > To: bulent_sahintb.net.tr
    > cc: snort-userslists.sourceforge.net
    > Subject: Re: [Snort-users] Token ring support of snort
    >
    > Is that the right interface name for the T/R interface? To get a list
    > of the interfaces that are available run 'snort -W', then set the
    > sniffing interface with 'snort -i <intf>'
    >
    > -Marty
    >
    > bulent_sahintb.net.tr wrote:
    > >
    > > Hi,
    > >
    > > Does anybody know about token ring support of snort? A few days ago I
    > > installed snort on my computer, but when I try "snort -v" it assumes
    > > that all packets are ethernet packets. Winpcap and ethereal work
    > > fine. I pasted "snort -v" output below.
    > >
    > > C:\Downloads\Snort-1.8.1-win32-static\Snort-1.8.1-win32\snort -v
    > > Log directory =
    > >
    > > --== Initializing Snort ==--
    > >
    > > Initializing Network Interface \
    > > Decoding Ethernet on interface \Device\Packet_MDGNDIS41
    > >
    > > --== Initialization Complete ==--
    > >
    > > -*> Snort! <*-
    > > Version 1.8-WIN32 (Build 74)
    > > By Martin Roesch (roeschsourcefire.com, www.snort.org)
    > > 1.7-WIN32 Port By Michael Davis (mikedatanerds.net, ww
    > > 1.8-WIN32 Port By Chris Reid (chris.reidcodecraftconsu
    > > (based on code from 1.7 port)
    > >
    > > =======================================================
    > > Snort analyzed 1312 out of 1312 packets, dropping 0(0.0
    > >
    > > Breakdown by protocol: Action Stats:
    > > TCP: 0 (0.000%) ALERTS: 0
    > > UDP: 0 (0.000%) LOGGED: 0
    > > ICMP: 0 (0.000%) PASSED: 0
    > > ARP: 0 (0.000%)
    > > IPv6: 0 (0.000%)
    > > IPX: 0 (0.000%)
    > > OTHER: 1311 (99.924%)
    > > DISCARD: 0 (0.000%)
    > > =======================================================
    > > Fragmentation Stats:
    > > Fragmented IP Packets: 0 (0.000%)
    > > Fragment Trackers: 0
    > > Rebuilt IP Packets: 0
    > > Frag elements used: 0
    > > Discarded(incomplete): 0
    > > Discarded(timeout): 0
    > > Frag2 memory faults: 0
    > > =======================================================
    > > TCP Stream Reassembly Stats:
    > > TCP Packets Used: 0 (0.000%)
    > > Stream Trackers: 0
    > > Stream flushes: 0
    > > Segments used: 0
    > > Stream4 Memory Faults: 0
    > > =======================================================
    > > pcap_loop: read error: PacketReceivePacket failedpcap_s
    > > r
    > > Snort received signal 3, exiting
    > >
    > > Thanks,
    > > Bulent
    >
    > --
    > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
    > roeschsourcefire.com - http://www.sourcefire.com
    > Snort: Open Source Network IDS - http://www.snort.org

    --
    Martin Roesch - President, Sourcefire Inc. - (410)552-6999
    roeschsourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
    

    _______________________________________________ Snort-users mailing list Snort-userslists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
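
The thread turns on which link-layer type the capture reports and on whether the decoder can walk the Token Ring, LLC and SNAP headers. The following is an added example, not part of the original messages and not Snort's decoder: it reads the link type from a classic pcap file header (such as the binary captures requested above) and walks a Token Ring frame to the SNAP EtherType. The sample header and frames are constructed for illustration.

```python
import struct

DLT_EN10MB, DLT_IEEE802 = 1, 6   # libpcap link types: Ethernet, Token Ring

def pcap_linktype(header: bytes) -> int:
    """Return the link-layer type from a classic 24-byte pcap file header."""
    if len(header) < 24:
        raise ValueError("truncated pcap header")
    if header[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif header[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    return struct.unpack(endian + "I", header[20:24])[0]

def tr_ethertype(frame: bytes):
    """Token Ring -> optional RIF -> LLC -> SNAP; return the EtherType or None."""
    if len(frame) < 14 or frame[1] & 0xC0 != 0x40:   # FC top bits 01 = LLC frame
        return None
    off = 14                                  # AC(1) + FC(1) + dst(6) + src(6)
    if frame[8] & 0x80:                       # source-routing bit: RIF follows
        if len(frame) < off + 2:
            return None
        rif_len = frame[off] & 0x1F           # length covers the whole RIF
        if rif_len < 2 or rif_len % 2:
            return None
        off += rif_len
    if len(frame) < off + 8 or frame[off:off + 3] != b"\xaa\xaa\x03":
        return None                           # not an LLC UI frame with SNAP
    return struct.unpack("!H", frame[off + 6:off + 8])[0]

# Constructed sample data (not taken from the capture discussed in the thread).
SAMPLE_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802)
SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"          # LLC + SNAP, EtherType IPv4
DST = bytes.fromhex("400000000001")
FRAME_PLAIN = b"\x10\x40" + DST + bytes.fromhex("400000000002") + SNAP_IP
FRAME_ROUTED = (b"\x10\x40" + DST + bytes.fromhex("c00000000002")
                + bytes.fromhex("063000110020") + SNAP_IP)   # 6-byte RIF

if __name__ == "__main__":
    print("link type:", pcap_linktype(SAMPLE_HEADER))
    for f in (FRAME_PLAIN, FRAME_ROUTED):
        print("EtherType:", hex(tr_ethertype(f)))
```

A capture whose header reports link type 1 on a Token Ring interface points at the capture library or driver rather than at the frame decoder.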