eugene

Reputation: 1

Using snort for windows, connecting to a remote machine

I'm trying to run snort in Windows, but instead of using -i eth0, can I use remote (rpcap)? I'm using Windows 7 in VMware.

Here is the command I run:

c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log --daq pcap --daq-mode inline -i rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}

I run into: ERROR: pcap does not support inline

Running the command snort --daq-list, the result is: Available DAQ modules: pcap(v3): readback live multi unpriv

Please help: how can I connect and collect data from my remote machine?

Many thanks!

Upvotes: 0

Views: 659

Answers (1)

johnjg12

Reputation: 1103

Your problem is that you are trying to operate in inline mode and read a pcap, which doesn't make sense. You would do one or the other. Notes:

  • The argument "--daq pcap" isn't required for you because pcap is the default, but this won't cause any problems; just a note.
  • The argument "--daq-mode inline" should be completely removed from the command. You are playing a pcap, so the device isn't inspecting traffic inline; it doesn't make any sense to use this here.
  • The -i option is for specifying the interface to listen on. You don't want to specify a pcap file here. Since you are replaying a pcap, you need to change this argument to "-r". snort help for this option: -r <tf> Read and process tcpdump file <tf>

Your command should be as follows:

c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -r rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}

Upvotes: 0
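The error in the question comes from a mismatch between the requested DAQ mode and the capabilities the chosen DAQ module advertises in `snort --daq-list` (the pcap module above lists `readback live multi unpriv` and no `inline`). The following is an added example, not code from the question, the answer or the Snort project: it parses that `--daq-list` output format and checks a Snort command line against it before the sensor is started. The mapping from `--daq-mode` values to required capability flags (`inline` needs `inline`, `read-file` needs `readback`, `passive` needs `live`) is an assumption made for this example, and the sample output is constructed from the text quoted above.

```python
import re

# Constructed sample of `snort --daq-list` output, taken from the question above.
SAMPLE_DAQ_LIST = """Available DAQ modules:
pcap(v3): readback live multi unpriv
"""

# Assumed mapping (for this example) from a --daq-mode value to the capability
# flag the DAQ module must advertise for that mode to be usable.
MODE_REQUIRES = {
    "passive": "live",
    "inline": "inline",
    "read-file": "readback",
}


def parse_daq_list(text):
    """Parse lines of the form 'name(vN): cap cap ...' into a dict
    {module_name: {"version": N, "caps": {flags...}}}.
    Header lines such as 'Available DAQ modules:' are ignored."""
    modules = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\(v(\d+)\):\s*(.*)$", line)
        if m:
            name, version, caps = m.group(1), int(m.group(2)), m.group(3).split()
            modules[name] = {"version": version, "caps": set(caps)}
    return modules


def check_daq_mode(modules, daq="pcap", mode="passive"):
    """Return (ok, message): whether module `daq` can run in `mode`
    according to the advertised capability flags."""
    if daq not in modules:
        return False, f"DAQ module '{daq}' is not available"
    required = MODE_REQUIRES.get(mode)
    if required is None:
        return False, f"unknown --daq-mode '{mode}'"
    if required not in modules[daq]["caps"]:
        # Same condition Snort reports as "ERROR: pcap does not support inline".
        return False, f"{daq} does not support {mode}"
    return True, f"{daq} supports {mode}"


def check_command(argv, modules):
    """Extract --daq / --daq-mode / -r from a Snort argv list and validate them.
    Snort's defaults are assumed: module 'pcap' and mode 'passive'; passing
    '-r' selects read-file mode."""
    daq, mode = "pcap", "passive"
    i = 0
    while i < len(argv):
        if argv[i] == "--daq" and i + 1 < len(argv):
            daq = argv[i + 1]
            i += 1
        elif argv[i] == "--daq-mode" and i + 1 < len(argv):
            mode = argv[i + 1]
            i += 1
        elif argv[i] == "-r":
            mode = "read-file"
        i += 1
    return check_daq_mode(modules, daq, mode)


if __name__ == "__main__":
    mods = parse_daq_list(SAMPLE_DAQ_LIST)
    # The command line from the question, with the interface value as a placeholder.
    asked = ["snort", "-c", "snort.conf", "--daq", "pcap", "--daq-mode", "inline",
             "-i", "rpcap://[host]:2002/<device>"]
    print(check_command(asked, mods))
    # The same command with the inline mode removed, as the answer suggests.
    fixed = ["snort", "-c", "snort.conf", "-i", "rpcap://[host]:2002/<device>"]
    print(check_command(fixed, mods))
```

Run `snort --daq-list` on the sensor host and feed its real output to `parse_daq_list` instead of the constructed sample; the check then reflects the DAQ modules actually compiled into that Snort build.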
