Snort mailing list archives
Re: win2k/snort and weird output
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 7 Mar 2002 08:24:34 -0800 (PST)
On Thu, 7 Mar 2002, Rommel, Florian wrote:
Hi all, I run Snort on all our web/SQL servers that have Win2k and on all of them it works fine except 2 of them. Those 2 are running an application level cluster (in house coded) and Apache together with Resin. They both have 2 IPs on interface 1; the snort.conf I use is here at the bottom. I then use Demarc to see the alerts from the databases, and I double checked in the MySQL database, but Code Red requests do not get logged with the source IP that they actually came from (as recorded in the access.log in Apache). They get as the source IP the 1st IP of the interface and as the destination IP the second IP, and that gets logged!!! Like I said, on other servers (running IIS etc.) it works well and all attempts get logged with the REAL source IP and with the destination IP it was meant for.
Ummm... Just following the logic trail on this one, since I really don't do Windows.

1) Snort works fine on all boxes but 2.
2) Those boxes that it doesn't work on have a special bit of software.
3) That software is an 'application level cluster (in house coded)'.
4) The alerts show up in a funky fashion on those two boxes.

That leads me to think it's your homebrew cluster software mucking about with winpcap's way of seeing packets.

Suggestions? Kill the cluster and see if it happens. You could also try running the console on a standalone box.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
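The check Florian describes doing by hand, comparing the source address Snort recorded against the client address in Apache's access.log for the same Code Red request, written out as an added example. This is not code from the thread, from Snort or from Demarc. Every log line, address and signature ID in it is constructed (the SIDs are in the local range, not from any ruleset); the two interface addresses, the two-second matching window and the year (Snort's fast alert format carries none) are assumptions.

```python
"""Cross-check Snort alerts against Apache access.log for Code Red probes.

Added example, not from the thread. Every log line, address and signature
ID below is constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Assumption: the two addresses bound to interface 1 on the affected host.
INTERFACE_IPS = ("192.0.2.10", "192.0.2.11")

# Constructed Apache combined-log extract. The real Code Red clients are
# 203.0.113.7 and 198.51.100.23; the third line is ordinary traffic.
APACHE_LOG = """\
203.0.113.7 - - [07/Mar/2002:08:20:11 -0800] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
198.51.100.23 - - [07/Mar/2002:08:21:40 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
203.0.113.9 - - [07/Mar/2002:08:22:05 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Constructed Snort fast-alert extract (local-range SIDs, not a real ruleset).
# The first line shows the symptom from the thread: both addresses are the
# host's own. The second line is recorded correctly.
SNORT_ALERTS = """\
03/07-08:20:11.482193  [**] [1:1000001:1] WEB-IIS Code Red probe [**] [Priority: 1] {TCP} 192.0.2.10:1337 -> 192.0.2.11:80
03/07-08:21:40.901122  [**] [1:1000002:1] WEB-IIS Code Red root.exe access [**] [Priority: 1] {TCP} 198.51.100.23:3345 -> 192.0.2.10:80
"""

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
SNORT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[^\]]+\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)
# URI fragments characteristic of Code Red I/II probes and the root.exe backdoor.
CODE_RED_RE = re.compile(r'/default\.ida\?|/root\.exe', re.IGNORECASE)


def parse_apache_line(line):
    """Return client IP, naive local timestamp and request path, or None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path")}


def parse_snort_line(line, year):
    """Return the alert's timestamp, message and endpoints, or None.

    Fast alerts carry no year, so the caller supplies it (assumption).
    """
    m = SNORT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S")
    return {"ts": ts, "msg": m.group("msg"), "src": m.group("src"),
            "dst": m.group("dst"), "dport": int(m.group("dport"))}


def correlate(apache_text, snort_text, interface_ips, year=2002,
              window=timedelta(seconds=2)):
    """For each Code Red request in access.log, find the nearest Snort alert
    to port 80 within `window` and classify how its source address compares
    with the client Apache actually saw."""
    alerts = [a for a in (parse_snort_line(l, year) for l in snort_text.splitlines()) if a]
    findings = []
    for line in apache_text.splitlines():
        req = parse_apache_line(line)
        if not req or not CODE_RED_RE.search(req["path"]):
            continue
        near = [a for a in alerts
                if a["dport"] == 80 and abs(a["ts"] - req["ts"]) <= window]
        if not near:
            findings.append({"path": req["path"], "expected_src": req["ip"],
                             "snort_src": None, "snort_dst": None, "status": "no_alert"})
            continue
        a = min(near, key=lambda a: abs(a["ts"] - req["ts"]))
        if a["src"] == req["ip"]:
            status = "ok"
        elif a["src"] in interface_ips and a["dst"] in interface_ips:
            status = "self_addressed"   # the thread's symptom: host's own IPs
        else:
            status = "src_mismatch"
        findings.append({"path": req["path"], "expected_src": req["ip"],
                         "snort_src": a["src"], "snort_dst": a["dst"], "status": status})
    return findings


if __name__ == "__main__":
    for f in correlate(APACHE_LOG, SNORT_ALERTS, INTERFACE_IPS):
        print(f"{f['status']:14s} apache={f['expected_src']:15s} "
              f"snort={f['snort_src']} -> {f['snort_dst']}  {f['path'][:40]}")
```

Run against the real logs from one of the two affected hosts and one of the healthy IIS hosts, the "self_addressed" count is the thing to compare before and after stopping the cluster software, which is the test Erek suggests. The time-window match assumes both logs come from the same clock; widen `window` if Apache and Snort run on different machines.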
Current thread:
- win2k/snort and weird output Rommel, Florian (Mar 07)
- Re: win2k/snort and weird output Erek Adams (Mar 07)