Snort mailing list archives
Snort 1.9.0 Build 209 Weirdness on Win2K
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 10 Mar 2003 11:59:42 -0500
I've just upgraded my two Win32 sensors from Snort 1.8.7 to Snort 1.9.0 build 209 and have encountered a weirdness that I'm *hoping* someone has encountered and solved.

Situation: Both sensors were running Snort 1.8.7 build 128 (w/ a small patch to handle '-s host' on the command line) and were using the same set of 1.8.x rules, snort.conf, and command line parameters. One sensor is a WinNT4 SMP running WinPCap 2.2; the other sensor is a Win2K running WinPCap 2.3. Up until the 1.9.0 upgrade, both sensors were functioning w/in normal parameters and were alerting/logging according to the rule set.

The 1.9.0 Installation: No changes to WinPCap, and again, both sensors are using the same set of rules (the 1.9.x rule set, not the previous 1.8.x rule set), the same snort.conf, and the same command line parameters.

Current Behavior: The WinNT4 SMP sensor w/ WinPCap 2.2 is properly alerting/logging when CodeRed, Nimda, SMBnuke, etc. attacks are thrown against the network. The Win2K sensor w/ WinPCap 2.3 does *not* alert/log at all, no matter which attack is thrown against the network.

For example: I can run a full Snort NIDS instance (i.e., rule set usage, logging to MySQL, alert to file and Syslog) as well as a "sniffer" instance using the command line 'snort -i1 -vde -C' side-by-side. When I throw the SMBnuke attack against the WinNT4 and Win2K sensors, the "sniffer" instances of Snort log to the console the SMBnuke signature contents "WrLeh\0B13BWz" (\0 being null), but only the WinNT4 sensor generates an alert for the attack and logs to MySQL. The Win2K sensor seems oblivious to any attack thrown against it. It's only when I revert the Win2K sensor back to Snort 1.8.7 and the appropriate 1.8.7 rule set that it again detects attacks thrown against the network.

Any clues or ideas about this one?

BTW: To make describing this weirdness simpler, I stated that the snort.conf files were identical. Obviously they cannot be identical. The configuration of the output plugin for MySQL in each of the snort.conf files specifies a different sensor identifier so that both sensors can log to the same MySQL database. So please, don't anyone point this out to me. ;)

Sincerely,
L. Christopher Luther
Technical Consultant
Xybernaut Solutions, Inc.
(703) 654-3642
cluther () xybernaut com
http://www.xybernautsolutions.com
My PGP Public Key: http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88