Re: win2k/snort and weird output

[Erek Adams <erek () theadamsfamily net>]

On Thu, 7 Mar 2002, Rommel, Florian wrote:

> Hi all, i run snort on all our web/sql servers that have win2k and on all of
> them it works fine except 2 of them. Those 2 are running an application
> level cluster (in house coded) and Apache together with Resin. they both
> have 2 IPs on interface 1, the snort.conf is here at the bottom that i use.
> I then use Demarc to see the alerts from the databases, and i double checked
> in the mysql database but code red requests do not get logged with the
> source Ip that they actually came from (as recorded in the access.log in
> apache) they get as the source IP the 1st IP of the interface and as a
> destination IP the second ip and that gets logged!!! Like i said in other
> servers (running IIS etc) it works well and all attempts get logged withthe
> REAL source IP and with the destination IP it was meant for.

Ummm...  Just following the logic trail on this one, since I really don't do
Windows.

1)  Snort works fine on all boxes but 2.
2(  Those boxes that it doesn't work on have a special bit of software.
3)  That software is a 'application level cluster (in house coded)'
4)  The alerts show up in a funky fashion on those two boxes.

That leads me to think it's your homebrew cluster software mucking about with
winpcap's way of seeing packets.

Suggestions?  Kill the cluster and see if it happens.  You could also try
running the console on a standalone box.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users