From: Lars Borland (lborland_at_TriadAssoc.com)
Date: Thu Jan 30 2003 - 16:22:17 CST

    Hello everyone,
     
    I've been using Snort v1.9.0 on a Win2K (SP3) box for about a month and
    a half now and have recently moved Snort onto a slightly faster machine
    with more RAM. When I did this Win2K re-detected a bunch of things
    including a new/different NIC. Initially Snort wouldn't work but I
    reinstalled WinPCap and I'm back in business again. Since then,
    however, ACID shows 4 Sensors. I only have one NIC and have deleted
    whatever "hidden" adapters were listed in device manager. All my Alerts
    appear to be coming from Sensor #1. How do I get rid of the 3 other
    bogus sensors? I've looked pretty extensively online and through what
    documentation I could find but in most cases "sensors" is used
    interchangeably with an entire Snort machine, not just the NICs or
    instances of Snort you might have running. Anyway, if anyone knew how
    to straighten this out I'd appreciate the info. The 3 additional
    sensors don't appear to be hurting anything but I'd rather not have
    Snort listening attentively to 3 un-needed/unwanted dead-end
    connections.
     
    2nd Question, does anyone know of any rules that listen for the
    death-throes of dying NICs? The initial reason I began looking into
    Snort was to see if I could cost-effectively shed light on some of the
    hidden stuff that occurs within the pipes of networks. In the past I've
    witnessed some nasty things happen due to a failing NIC spewing nonsense
    onto the network and I was wondering if it was possible to be alerted to
    such an event. I realize this isn't as much of an issue in a switched
    environment but I'd still like to know when something like this occurs.
    Is this something that's already covered in the current rulesets? If so
    I probably just need to set up "sensors" on a couple of other switches.
     
    Any help with this would be greatly appreciated. Thanks.
     
    Talk to you later, Lars.
