Snort mailing list archives
Corrupt Snort Logging - Win32 Terminal Server 2000
From: Jim Robinson <jim () linux-sp com>
Date: 03 Dec 2003 22:29:34 -0500
Hi,

I am using snort on a Win32 Terminal Server 2000 platform and am having problems with snort logging strange mixed entries in the log file. The other non-Terminal server installs (mixed NT4 and Win2000 Server) all work just fine. Here's a snip of what I get:

10.16.32.60:139 12/03/03-21:46:21.536704 [**] [1:538:7]1NETBIOS SMB IPC$ share access (unicode) [**] [ClassificaETBIOS SMB IPC$ share access (unicodeti[**] on: Attempted Information Leak$14 -> 10.16.32.60:139 12/03/03-21:48:04.28928912/03/03-21:48:04.289294 [**] [**] [:1:111:1:] ] NMP public access udp [**] [NMP public access udpC[**] lClassification: ttempted Information Leak$ 12/03/03-21:58:04.327276 [**] [[**] 1:1411:3] SNMP public access udp [**] ublic access udp[[**] Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.16.81.$12/03/03-21:58:21.53516212/03/03-21:58:21.535159 [**] [**] [:5:538:7] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share access (unicode) [**] [lassification: :$ 12/03/03-22:08:04.365115 [**] [[**] [1:1411:3] SNMP public access udp [**] [Classificcation: Attempted Information Leak] [Prioority: 2] {UDP} 10.16.81.42:1026 -> 10.16.32$12/03/03-22:10:21.534525 [**] [[**] [1:538:7] NETBIOS SMB IPC$ share access (unicode) [**] [[**] Classification: Attempted Information Leakk] [Priority: 2] {TCP} 10.$12/03/03-22:16:24.20597512/03/03-22:16:24.205977 [**] [**] [:5:538:] ] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share access (unicode) [**] [lassification: $9 12/03/03-22:16:32.683796 [**] 12/03/03-22:16:32.683800 :4[**] 83:483:2CMP PING CyberKit 2.2 Windows [**] [ClCMP PING CyberKit 2.2 Windows [**] [Classifiioat: on: c activi$.18.220.25 -> 10.16.32.25 12/03/03-22:16:32.840032 [**] [[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.18.220.25 -> 10.16.32.3255-> .16.32.35 12/03/03-22:16:33.246272 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [C2/03/03-22:16:33.246274 [**] [ssif83:2] onCMP PING CyberKit 2.2 Windows:[**] Clasc activit$3] {ICMP} 10.18.220.25 -> 10.16.32.61 12/03/03-22:16:33.248385 [**] [1:2192:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [2/03/03-22:16:33.248386 [**] [assi192:ationETBIOS DCERPC ISystemActivator bin$.18.220.25:3481 -> 10.16.32.61:135 12/03/03-22:16:33.355616 [**] [1:483:2] 2/03/03-22:16:33.355620ICMP PING CyberKit 2.2 Windows [**] [Classi2] ICMP PING CyberKit 2.2 Windows [**] [Con: Misccation: Misc ac$ICMP} 10.18.220.25 -> 10.16.32.68 12/03/03-22:16:35.386720 [**] [[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [[**] Classification: Misc activity] [Priorityy: 3] {ICMP} 10.18.220.25 -> 8.220.25 ->$ 12/03/03-22:16:35.87112912/03/03-22:16:35.871125 [**] [1[**] :48383:2] CMP PING CyberKit 2.2 Windows [**] [CMP PING CyberKit 2.2 WindowsC[**] lClassification: isc activity$> 10.16.32.230 12/03/03-22:22:21.533306 [**] [[**] [1:538:7] NETBIOS SMB IPC$ share access (unicode) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.16.32.61:$

I am running the latest build of both Snort for Win32 and WINCAP and wondered if anyone could shed any light as to what is going on?

Thanks in advance.

jim
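Added example, not part of the original post or of Snort itself: a strict validator for the single-line alert layout seen in the log above, which flags any line that does not parse as exactly one complete alert. The sample lines are constructed for illustration (two intact lines, with port 161 assumed, and two shortened from corrupted fragments in the post); the function names are hypothetical.

```python
import re
from collections import Counter

# Layout assumed from the intact fragments in the post:
# MM/DD/YY-HH:MM:SS.uuuuuu [**] [gid:sid:rev] msg [**]
#   [Classification: x] [Priority: n] {PROTO} src[:port] -> dst[:port]
ENDPOINT = r"\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?"
TS = r"\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}"
TS_RE = re.compile(TS)
ALERT_RE = re.compile(
    rf"(?P<ts>{TS})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>[^\[\]]+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<cls>[^\[\]]+)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    rf"(?P<src>{ENDPOINT}) -> (?P<dst>{ENDPOINT})"
)

def check_line(line):
    """Return (ok, reason, fields) for one alert line."""
    line = line.strip()
    m = ALERT_RE.fullmatch(line)
    if m:
        return True, "ok", m.groupdict()
    # Not a clean alert: report the most telling symptom first.
    if len(TS_RE.findall(line)) > 1:
        return False, "multiple timestamps (interleaved writes)", None
    if line.count("[**]") != 2:
        return False, "wrong number of [**] delimiters", None
    return False, "does not match alert layout", None

def summarize(lines):
    """Count outcomes per reason across non-empty lines."""
    return Counter(check_line(l)[1] for l in lines if l.strip())

# Constructed sample input: lines 1-2 intact, lines 3-4 corrupted.
SAMPLE = [
    "12/03/03-21:58:04.327276  [**] [1:1411:3] SNMP public access udp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "10.16.81.42:1026 -> 10.16.32.60:161",
    "12/03/03-22:16:32.840032  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows "
    "[**] [Classification: Misc activity] [Priority: 3] {ICMP} "
    "10.18.220.25 -> 10.16.32.25",
    "12/03/03-21:58:21.53516212/03/03-21:58:21.535159 [**] [**] [:5:538:7] "
    "ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share access",
    "12/03/03-22:08:04.365115 [**] [[**] [1:1411:3] SNMP public access udp "
    "[**] [Classificcation: Attempted Information Leak] [Prioority: 2] {UDP}",
]

if __name__ == "__main__":
    for reason, count in summarize(SAMPLE).items():
        print(f"{count:3d}  {reason}")
```

Run over a whole alert file, a non-zero count under any reason other than "ok" marks entries that should not be trusted for triage or fed to downstream parsers.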
Current thread:
- Corrupt Snort Logging - Win32 Terminal Server 2000 Jim Robinson (Dec 03)
- RE: Corrupt Snort Logging - Win32 Terminal Server 2000 Michael Steele (Dec 03)
- RE: Corrupt Snort Logging - Win32 Terminal Server 2000 Jim Robinson (Dec 04)
- RE: Corrupt Snort Logging - Win32 Terminal Server 2000 John Tapparo (Dec 04)
- RE: Corrupt Snort Logging - Win32 Terminal Server2000 Michael Steele (Dec 04)
- RE: Corrupt Snort Logging - Win32 Terminal Server 2000 Jim Robinson (Dec 04)
- RE: Corrupt Snort Logging - Win32 Terminal Server 2000 Michael Steele (Dec 03)