Snort mailing list archives

Win32 - multiple interfaces?


From: Rich Adamson <radamson () routers com>
Date: Thu, 1 Jan 2004 07:33:27 -0600


Just upgraded to Win32 v2.1.0 on Win2kPro from CodeCrafters site after being 
away from snort for a while. Configured and running fine as validated by a 
simple telnet detection rule, logging low-volume alerts to syslog, etc. Two
questions.

Question 1:
Can I run one instance of snort that will sniff packets on two nic interfaces
at the same time? If so, what's the proper config/syntax?

(I know I can run two instances to accomplish this, but would rather not
waste mem if it can be done with one instance on this low-volume net.)

Question 2:
I added the following to my local.rules with due care for single line entry:

I *guarantee* you it's a machine infected with Nachi or a new variant of Nachi.

# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; \
content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; \
dsize:64; itype: 8; icode: 0; threshold: type both, track by_src, count 1000, seconds 60; \
classtype:trojan-activity; sid: 10000008; rev: 4;)

and the startup barfs with:
 ERROR: *** threshold: count
 *** Invalid integer input: 1000
 Fatal Error, Quitting..
Since I've been away for a couple of snort versions, what am I missing in
terms of thresholding?

Rich





