
[Snort-users] Re:[ hello]


Matt Scarborough

Jul 9, 2001, 5:02:24 PM7/9/01
On Mon, 09 Jul 2001 15:16:42 +0530, Raviraj Patil wrote:

>Hello,
>I got the problem solved:
>When I quit snort it complains as follows:
>>
>> pcap_loop: read error: PacketReceivePacket failed
>> pcap_stats: PacketGetStats error
>>May I know the reason for the same.
>By using (installing) the winpcap-2.02.
>
>But what I was unable to get solved is:
>When I want to use MSQL & FLEXRESP features enabled, that time snort code giving
>an "unable to read the memory location (some mem address)" i.e. run time error for
>Win NT & Win2000.
>As you said the statement I did not get it:
>Some things to consider, Both LibNetNT and Snort-W32 FlexResp were
>a) written for NT
>b) prior to the introduction of WinPCap 2.1.
>
>Further, the preferred method of packet injection in Windows 2000 is
>IP_HDRINCL, not WRITE_IP.
>
>
>Please elaborate it..

Raviraj,

You mentioned using VC++ 6.0 to compile Snort. So I mentioned a reminder
about the differences between IP stacks in WinNT and Win2K. OK, more.

FlexResp enables packet injection such as sending a RST to both source and
dest IP addrs, thus "closing" an offending connection. This is/will/could be
done differently in Windows 2000.

<<~Webmail Wonder poster Activate!!! Shape of a Gibson post... Form of
FUD...~>>

Windows 2000 supports the use of
*** RAW SOCKETS ***
making Snort a deadly tool in the
hands of skilled FlexResp hackers!

<<~Webmail Wonder poster de-activate~>>

That was an aside, and a needle at Mr. Gibson who announced building
Spoofarino (tm) based on WinPcap 2.1 when he wrote, "I know *ALL* about those
add-on kernel-level packet drivers Spoofarino will DEPEND upon the best of
them -- the one at netgroup- serv.polito..."

So.... in WinNT, packet injection used LibNetNT. Snort 1.7 FlexResp assumes
WinNT. While certainly people are running Snort in IDS mode on Windows 2000,
Snort FlexResp on Windows 2000 is a different animal.

Windows 2000 contains an updated Winsock ver 2.2, and supports raw sockets
natively through the IP_HDRINCL API. WinNT needed help to do this. LibNetNT
provided this help in LibnetNT.dll with WRITE_IP.

You also wish to compile and build MySQL support into the same binary
SNORT.EXE running the whole deal on Windows 2000.

I am certainly cheering for you. Really I am. But you are faced with an
arduous task resulting in a Snort ver. 1.7 flogged and beaten to work on
Windows 2000. All the while the latest Snort 1.8 is around the corner (NO, not
the Windows version YET, but yes Snort 1.8 nonetheless.)

HTH,

Matt Scarborough 2001-07-09

>Matt Scarborough wrote:
>
>> On Fri, 06 Jul 2001 14:21:30 +0530, Raviraj Patil wrote:
>>
>> >I downloaded the snort-1.7-w32-felxresp-static (i.e.
>> >binary), snort-1.7-w32-MySql-static (i.e. binary) from the site
>> >www.datanerds.net/~mike. These two are working properly on WinNT, without
>> >any problem. But from the same (www.datanerds.net/~mike) site I
>> >downloaded snort-1.7-w32-felxresp-source, snort-1.7-w32-MySql-sourec, but it
>> >is not working when I build it with VC++ 6.0. It is giving a problem of
>> >.. When I quit snort it complains as follows:
>> >
>> > pcap_loop: read error: PacketReceivePacket failed
>> > pcap_stats: PacketGetStats error
>> >May I know the reason for the same.
>>
>> If you are running Windows 2000 and using the WinPCap ver. 2.1 driver, remove
>> that driver in Control Panel | Add/Remove Programs and try WinPCap driver
>> version 2.02 (for Windows 2000.)
>>
>> Some things to consider, Both LibNetNT and Snort-W32 FlexResp were
>> a) written for NT
>> b) prior to the introduction of WinPCap 2.1.
>>
>> Further, the preferred method of packet injection in Windows 2000 is
>> IP_HDRINCL, not WRITE_IP.
>>
>> I find it unreasonable to expect Snort Win32-FlexResp, designed for another
>> Operating System, Winsock version, and device driver, to run without error on
>> Windows 2000. That is not a deficiency in Snort.
>>
>> It seems a deficiency in user expectation.
>>
>> >I think what I downloaded from the site www.datanerds.net/~mike for
>> >binary are not the same as the sources on the same site.
>> >May I get the sources of these snort-1.7-w32-felxresp-static (i.e.
>> >binary), snort-1.7-w32-MySql-static (i.e. binary) binaries.
>>
>> Try the links for "development" or "source." The last I checked all were in
>> the same Snort-Win32 package, configurable at build with some check boxes or
>> NMake switches.


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
