Snort mailing list archives
RE: SMB alerts doesn't work.
From: Bryce Stenberg <bryce () hrnz co nz>
Date: Tue, 4 Mar 2003 15:27:38 +1300
Hi Jimmy,
I attempted to use smb alerts on a Windows NT4 box and trying to alert to the same box without success. Possibly it's a broken idea? If someone does have it running I would be interested in how they managed it. I tried with the command line flag and by using snort.conf file without success.
Regards, Bryce Stenberg.
P.S - don't HTML formatted emails have a lot of rubbish embedded in them to wade through if you get them in a text only reader or delivered in digest mode from the list. (see below)
----------------Original Message---------------------
Date: Mon, 3 Mar 2003 14:35:03 -0800
From: "Jimmy Hernandez" <jimmyh () provcom com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] SMB alerts doesn't work.
I am currently using snort 1.9.0 on OpenBSD 3.2. I am having a problem
with the smbalerts. I checked the snort configure file and it has the
plug in for smbalerts. I also ran it specifying the switch ./configure
--enable-smbalerts then make and make install all looks good but when I
try to run snort -c snort.conf -b -M workstation I keep getting the
Error : "SMB support not compiled into program, exiting... Fatal
Error, Quitting..
I made sure that the /etc/services file has all the appropriate settings
for netbios etc.. Everything else I've tried is running fine.
I can't find any whitepapers that would help me fix that. I am using
SAMBA 2.2.7 and snort 1.9.0 do you think I should downgrade snort to
1.8.0? Is anyone else having this problem?
Thanks,
Jimmy Hernandez
Network Systems Engineer
jimmyh () provcom com
Current thread:
- SMB alerts doesn't work. Jimmy Hernandez (Mar 03)
- Re: SMB alerts doesn't work. Erek Adams (Mar 04)
- <Possible follow-ups>
- RE: SMB alerts doesn't work. Bryce Stenberg (Mar 03)
