Snort mailing list archives

Snort 1.9.0 Build 209 Weirdness on Win2K


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 10 Mar 2003 11:59:42 -0500

I've just upgraded my two Win32 sensors from Snort 1.8.7 to Snort 1.9.0
build 209 and have encountered a weirdness that I'm *hoping* someone has
encountered and solved.  

Situation:  Both sensors were running Snort 1.8.7 build 128 (w/ a small
patch to handle '-s host' on the command line) and were using the same set
of 1.8.x rules, snort.conf, and command line parameters.  One sensor is a
WinNT4 SMP running WinPCap 2.2; the other sensor is a Win2K running WinPCap
2.3.  Up until the 1.9.0 upgrade, both sensors were functioning w/in normal
parameters and were alerting/logging according to the rule set.  

The 1.9.0 Installation:  No changes to WinPCap, and again, both sensors are
using the same set of rules (1.9.x rule set not the previous 1.8.x rule
set), same snort.conf, and command line parameters.  

Current Behavior:  The WinNT4 SMP sensor w/ WinPCap 2.2 is properly
alerting/logging when CodeRed, Nimda, SMBnuke, etc. attacks are thrown
against the network.  The Win2K sensor w/ WinPCap 2.3 does *not* alert/log
at all no matter which attack is thrown against the network.  

For example:  I can run a full Snort NIDS instance (i.e., rule set usage,
logging to MySQL, alert to file and Syslog) as well as a "sniffer" instance
using the command line 'snort -i1 -vde -C' side-by-side.  When I throw the
SMBnuke attack against the WinNT4 and Win2K sensors, the "sniffer" instances
of Snort log to the console the SMBnuke signature contents "WrLeh\0B13BWz"
(\0 being null), but only the WinNT4 sensor generates an alert for the
attack and logs to MySQL.  The Win2K sensor seems oblivious to attack thrown
against it.  It's only when I revert the Win2K sensor back to Snort 1.8.7
and the appropriate 1.8.7 rule set that it again detects attacks thrown
against the network.  

Any clues or ideas about this one?  

BTW:  To make describing this weirdness simpler, I stated that the
snort.conf files were identical.  Obviously they cannot be identical.  The
configuration of the output plugin for MySQL in each of the snort.conf files
specifies a different sensor identifier so that both sensors can log to the
same MySQL database.  So please, don't anyone point this out to me. ;)  



Sincerely,  

L. Christopher Luther  
Technical Consultant  
Xybernaut Solutions, Inc.  
(703) 654-3642  
cluther () xybernaut com  
http://www.xybernautsolutions.com  

My PGP Public Key:  
http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88
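
As an added example (not part of the original post or of Snort itself), a small Python checker that translates Snort `content` strings, including `|hex|` escapes such as `|00|` for the null byte the author writes as `\0`, into bytes and reports which rules in a rules file would match a captured payload. The payload and rules below are constructed samples, not real traffic or real Snort rules; such a check helps confirm whether a ruleset's content actually matches what the sniffer instance showed on the console.

```python
import re

# Matches one |hex hex ...| chunk inside a Snort content string (an escaped \| is skipped).
_HEX_CHUNK = re.compile(r'(?<!\\)\|([0-9A-Fa-f ]*)\|')


def _unescape(text):
    # Snort lets a backslash escape the characters \ " ; : | in a content string.
    return re.sub(r'\\(.)', r'\1', text).encode('latin-1')


def content_to_bytes(content):
    """Translate a Snort content string such as 'WrLeh|00|B13BWz' into raw bytes."""
    out, pos = bytearray(), 0
    for m in _HEX_CHUNK.finditer(content):
        out += _unescape(content[pos:m.start()])
        out += bytes.fromhex(m.group(1).replace(' ', ''))
        pos = m.end()
    out += _unescape(content[pos:])
    return bytes(out)


def _rule_contents(rule):
    """Return [(needle_bytes, nocase), ...] for every content keyword in one rule line."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    found = []
    for opt in re.split(r'(?<!\\);', body):
        opt = opt.strip()
        if opt.startswith('content:'):
            found.append([content_to_bytes(opt.split(':', 1)[1].strip().strip('"')), False])
        elif opt == 'nocase' and found:
            found[-1][1] = True  # nocase modifies the preceding content keyword
    return found


def matching_rules(rules_text, payload):
    """Return the msg of every rule whose content keywords all occur in payload."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith(('alert', 'log', 'pass')) or '(' not in line:
            continue
        needles = _rule_contents(line)
        if needles and all((n.lower() in payload.lower()) if nocase else (n in payload)
                           for n, nocase in needles):
            msg = re.search(r'msg\s*:\s*"([^"]*)"', line)
            hits.append(msg.group(1) if msg else line)
    return hits


# Constructed sample payload: the bytes seen on the sniffer console, wrapped in filler bytes.
SAMPLE_PAYLOAD = b'\x00\x00\x00\x2bWrLeh\x00B13BWz\x00\x00'

# Constructed sample rules (hypothetical, not from any Snort ruleset): only rules 1 and 3
# carry the null byte as a |00| hex escape, so only they can match the payload above.
SAMPLE_RULES = '''
alert tcp any any -> any 139 (msg:"TEST SMB WrLeh null"; content:"WrLeh|00|B13BWz"; sid:1000001;)
alert tcp any any -> any 139 (msg:"TEST SMB missing null"; content:"WrLehB13BWz"; sid:1000002;)
alert tcp any any -> any 139 (msg:"TEST SMB nocase"; content:"wrleh|00|b13bwz"; nocase; sid:1000003;)
'''
```

Running `matching_rules(SAMPLE_RULES, SAMPLE_PAYLOAD)` lists the two rules whose content bytes appear in the payload, which is the comparison to make between the bytes the sniffer printed and the content of the rule that is expected to fire.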
