RE: Snort analyzed 0 out of 0 packets, .

[Michael Green <michael.green () gbst com>]

        Hi

        I worked it out. WinPcap was binding to a nonexistant WAN interface.
Using a -i 2 in snort allowed it to connect to my only interface.

> -----Original Message-----
> From: Michael Green [SMTP:michael.green () gbst com]
> Sent: Friday, 16 November 2001 7:24
> To:   'snort-users () lists sourceforge net'
> Subject:      [Snort-users] Snort analyzed 0 out of 0 packets, .
>
> Hi
>
> I just finished Installing Snort Version 1.8-WIN32 (Build 86) on a Win2k
> box. Installed with MySql & Acid. 
>
> Everything seemed fine when I installed it, the required databases were
> created and the acid setup connected and I hit the "Create ACID AG"
> button,
> this was also successful.
>
> I then ran Cerberus Internet Scanner against the network that the Snort
> machaine was installed, and nothing! The ACID console "# of Sensors:" has
> 0.
> This concerns me.
>
> So I ran snort command line:
>
> C:\Snort\Snort-1.8.2\snort.exe -c C:\Snort\Snort-1.8.2\snort.conf -l
> C:\Snort\Snort-1.8.2 -A full -h 203.0.171.64/26 -i 1 -d
> Log directory = C:\Snort\Snort-1.8.2
>
> And it ran without errors, I then ran the scanner again, the broke out of
> the snort session and the stats displayed showed "Snort analyzed 0 out of
> 0
> packets, ."
>
> Now I'm thinking Winpcap can't be installed properly so I opened Control
> Panel, Administrative Tools, Computer Management, then chose System Tools,
> System Information, Software Environment, Drivers. The NPF Kernel Driver
> was
> displayed as "Running OK".
> Any ideas?
> I'm including the output from the snort command line run here:
> C:\Snort\Snort-1.8.2\snort.exe -c C:\Snort\Snort-1.8.2\snort.conf -l
> C:\Snort\Snort-1.8.2 -A full -h 203.0.171.64/26 -i 1 -d
> Log directory = C:\Snort\Snort-1.8.2
>
>         --== Initializing Snort ==--
>
> Initializing Network Interface \
> Decoding Ethernet on interface \Device\Packet_NdisWanIp
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file C:\Snort\Snort-1.8.2\snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
> No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
> WARNING: command line overrides rules file alert plugin!
> WARNING: command line overrides rules file alert plugin!
> limit == 128
> UnifiedLogFilename = snort.log
> Opening C:\Snort\Snort-1.8.2/snort.log.1005854049
> 882 Snort rules read...
> 882 Option Chains linked into 101 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Rule application order: ->activation->dynamic->alert->pass->log
>
>         --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 1.8-WIN32 (Build 86)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
> 1.7-WIN32 Port By Michael Davis (mike () datanerds net,
> www.datanerds.net/~mike)
> 1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
>           (based on code from 1.7 port)
>
>
> ==========================================================================
> ==
> ===
> Snort analyzed 0 out of 0 packets, .
> Breakdown by protocol:                Action Stats:
>     TCP: 0          (0.000%)          ALERTS: 0
>     UDP: 0          (0.000%)          LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 0          (0.000%)
> DISCARD: 0          (0.000%)
> ==========================================================================
> ==
> ===
> Fragmentation Stats:
> Fragmented IP Packets: 0          (0.000%)
>     Fragment Trackers: 0
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
>   Frag2 memory faults: 0
> ==========================================================================
> ==
> ===
> TCP Stream Reassembly Stats:
>         TCP Packets Used: 0          (0.000%)
>          Stream Trackers: 0
>           Stream flushes: 0
>            Segments used: 0
>    Stream4 Memory Faults: 0
> ==========================================================================
> ==
> ===
> pcap_loop: read error: PacketReceivePacket failedpcap_stats:
> PacketGetStats
> error
> Snort received signal 3, exiting
>
>
> Michael Green
> Senior Systems Engineer Communication Systems
> Global Banking & Securities Transactions
> Telephone + 61 7 3331 5555
> Michael.Green () gbst com
> www.gbst.com
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users