Snort mailing list archives

RE: Snort on Windows not Alerting


From: <afischer () frontporch com>
Date: Mon, 13 Feb 2006 09:26:50 -0800

Thank you for the reply. I am a bit confused though, primarily because
the same setup as far as software installation goes, and using the same
command line parameters, works fine on an unpatched XP Pro box. Secondly,
I have some questions about your responses.

Looking at your start line (keep in mind this OVERRIDES YOUR
SNORT.CONF) you're only logging.

Doesn't the "-A full" parameter set the ALERT mode? And if it is the
default, then it shouldn't matter whether I specify it or not. I use
this parameter on an unpatched XP box with no issues. I removed the
option on the patched box and unfortunately that did not make a
difference.

You may want to remove the -K option as this states to log all output
to an ascii file.

I have yet to see ANY information be output to a log file on my patched
box, even though I can watch captured traffic fly by in the DOS window.
I'm looking in C:\Snort\log. I also removed the "-K" option, ran Snort
again, and no log files were created, pcap format or otherwise.

A couple of other things to point out are that I am testing this from one
computer only, i.e. I've got Snort running on a PC with the HOME_NET
variable set to "any" (also tried specifying my own IP with a /24
subnet), and I'm testing traffic that Snort should alert on from the
same PC.

When I stop Snort from running on the command line I can scroll up a bit
and see the following...

        Action Stats:
        ALERTS: 0
        LOGGED: 0
        PASSED: 0

The last line that I see displayed upon stopping Snort reads,
        "pcap_loop: read error: PacketReceivePacket failed"

But I also see this when successfully testing from my unpatched version
of XP, which happens to be running on VirtualPC. Perhaps the "VirtualPC"
part also throws another variable into the equation?

--
Anthony Fischer


-----Original Message-----
From: Our World Is Here [mailto:info () lucretia ca] 
Sent: Saturday, February 11, 2006 6:49 AM
To: Anthony Fischer
Subject: RE: [Snort-users] Snort on Windows not Alerting

Looking at your start line (keep in mind this OVERRIDES YOUR SNORT.CONF)
you're only logging.

My guess is you have no alert output defined.  Your command line is a
default option and is not required on the command line.

"-A full Full alert mode. This is the default alert mode and will be
used automatically if you do not specify a mode."

You may want to remove the -K option as this states to log all output to
an ascii file.

As for alerts, what is the output type for your alerts? Review the
Snort manual or snort.conf if you are unclear what the difference
between logging and alerting is; yes, you can use both.


Cheers,

James Friesen, CIO

Lucretia Enterprises
"Our World Is Here..."

-----Original Message-----
From: afischer () frontporch com [mailto:afischer () frontporch com]
Sent: Friday, February 10, 2006 10:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort on Windows not Alerting

I've seen one or two posts on the net with someone having the same
problem that I am experiencing, but no replies. So hopefully I have
better luck here! :)

I have installed Snort version 2.4.3 on a Windows XP Professional box
and can not seem to get it to alert. I have also installed Ethereal
version 0.10.14 which installs WinPcap version 3.1.

I can start Snort from a command line by typing the following from the
C:\Snort\bin directory:

        snort.exe -c "C:\Snort\etc\snort.conf" -K ascii -l "C:\Snort\log" -A full -I 4 -d -e -X

When I stop Snort, I can see in the statistics that Snort has seen
traffic and I can run Snort in verbose mode and watch packets fly by,
so I'm confident that Snort is actually seeing the traffic that I am
sending; it's just not alerting on anything, because when I go into the
C:\Snort\log directory there's nothing there, even though I have rules
enabled and put rules in the C:\Snort\rules directory.

Any thoughts? I can provide my snort.conf file. Can I send attachments
to the mailing list or do I have to paste the contents into the body?

--
Anthony Fischer
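James's reply comes down to two questions about the snort.conf that never got answered in the thread: is an alert output plugin defined, and are any rule files actually included? The script below is an added example, not code from the thread or from the Snort project; it parses a constructed snort.conf fragment for `var`, `output` and `include` lines and reports those two points (the `alert_*` / `log_*` plugin names are the Snort 2.x output plugin families).

```python
import re

# Constructed sample snort.conf fragment (not Anthony's real file) used to exercise the check.
# Note that the only alert output line is commented out, which is the situation James suspected.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
# output alert_fast: alert.ids
output log_tcpdump: tcpdump.log
include $RULE_PATH/local.rules
include $RULE_PATH/icmp.rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:?\s*(.*)$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def parse_conf(text):
    """Return (vars, outputs, includes) from snort.conf text; '#' comments are ignored."""
    variables, outputs, includes = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments, including fully commented lines
        if not line:
            continue
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := OUTPUT_RE.match(line):
            outputs.append((m.group(1), m.group(2).strip()))
        elif m := INCLUDE_RE.match(line):
            includes.append(m.group(1))
    return variables, outputs, includes


def diagnose(text):
    """Return a list of findings for the two things James asked about, plus the HOME_NET value."""
    variables, outputs, includes = parse_conf(text)
    findings = []
    if not any(name.startswith("alert_") for name, _ in outputs):
        findings.append("no 'output alert_*' plugin is defined in snort.conf")
    if not includes:
        findings.append("no rule files are included, so no rule can fire")
    findings.append("HOME_NET is %s" % variables.get("HOME_NET", "<unset>"))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF):
        print(finding)
```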



