Snort mailing list archives
RE: Snort Event Ids on win2000
From: Joe Kinsella <jkinsella () silverbacktech com>
Date: Wed, 28 May 2003 11:52:46 -0400
But the reason the event message is not formatted is because there is no message resource DLL registered for the SnortService event source. It wouldn't take much to fix this (just use the message compiler & change the install to add this to the registry). Is this not considered a bug?

Joe

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Wednesday, May 28, 2003 10:45 AM
To: Joe Kinsella
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Event Ids on win2000

C,

This is normal, why, don't ask me but I see this all the time. My best guess is in the way the Service is installed?

Here is my log:

The description for Event ID ( 1 ) in Source ( snort ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: [1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 68.54.249.224:1499 -> 192.168.1.100:80.

In other words, Snort is functioning and this is a normal operation. Snort has been like this for, well, since the Service option was added to Snort for Windows.

Cheers...
-Michael Steele
--
System Engineer / Security Support Technician
mailto:michaels () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Joe Kinsella
Sent: Wednesday, May 28, 2003 6:06 AM
To: 'C Wells'; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Snort Event Ids on win2000

If you use the -E parameter, Snort logs to the Application event log under a source called SnortService. However, I still am unclear how this is supposed to work since it does not appear as though the Snort install on Windows registers a message resource DLL.

So even when I log to the event log, I get the following (note that the Event Viewer cannot properly format the message since it cannot locate a valid resource DLL):

Event Type: Error
Event Source: SnortService
Event Category: None
Event ID: 1
Date: 5/27/2003
Time: 5:55:21 PM
User: N/A
Computer: MYCOMPUTER
Description: The description for Event ID ( 1 ) in Source ( SnortService ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: [SNORT_SERVICE] Error while adding the Snort service to the Services database. Unrecognized error (1072). The specified service has been marked for deletion.

Have you had any better luck?

-----Original Message-----
From: C Wells [mailto:s2audi () yahoo com]
Sent: Tuesday, May 27, 2003 8:10 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort Event Ids on win2000

Is there documentation of the Snort Event Ids that one could find in the Application Event Log of Windows 2000? If Snort doesn't write to the Event log on win2000, where might I find 'log' type information?

Thanks

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com

-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software.
http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
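Both events quoted in this thread still carry the Snort text after "The following information is part of the event:", even though Event Viewer cannot format them. The following is an added example, not part of the original messages and not Snort code: it recovers the alert fields from such an unformatted description. The function name and regexes are assumptions built from the two event texts quoted above.

```python
import re

# Fallback text Event Viewer shows when the source has no message DLL registered.
FALLBACK_RE = re.compile(
    r"The description for Event ID \(\s*(?P<event_id>\d+)\s*\) in Source "
    r"\(\s*(?P<source>[^)]+?)\s*\) cannot be found\..*?"
    r"The following information is part of the event:\s*(?P<payload>.*)",
    re.DOTALL)

# Alert layout as it appears in the event quoted in the thread.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+?)\.?\s*$")

def parse_description(description):
    """Classify one event description and extract Snort alert fields if present."""
    m = FALLBACK_RE.search(description)
    if not m:  # rendered normally, or not a Snort fallback message at all
        return {"unformatted": False, "kind": "other",
                "payload": description.strip()}
    payload = " ".join(m.group("payload").split())  # collapse line wraps
    result = {"unformatted": True, "event_id": int(m.group("event_id")),
              "source": m.group("source"), "payload": payload}
    alert = ALERT_RE.match(payload)
    if alert:
        result.update(alert.groupdict(), kind="alert")
        for key in ("gid", "sid", "rev", "priority"):
            result[key] = int(result[key])
    elif payload.startswith("[SNORT_SERVICE]"):
        result["kind"] = "service"   # service install/control message
    else:
        result["kind"] = "unknown"
    return result

# Sample inputs: the two descriptions quoted in the thread above.
PREFIX = ("The description for Event ID ( 1 ) in Source ( %s ) cannot be found. "
          "The local computer may not have the necessary registry information "
          "or message DLL files to display messages from a remote computer. "
          "The following information is part of the event: ")
ALERT_EVENT = PREFIX % "snort" + (
    "[1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application "
    "Attack] [Priority: 1]: {TCP} 68.54.249.224:1499 -> 192.168.1.100:80.")
SERVICE_EVENT = PREFIX % "SnortService" + (
    "[SNORT_SERVICE] Error while adding the Snort service to the Services "
    "database. Unrecognized error (1072). The specified service has been "
    "marked for deletion.")

if __name__ == "__main__":
    for text in (ALERT_EVENT, SERVICE_EVENT):
        print(parse_description(text))
```
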
Current thread:
- RE: Snort Event Ids on win2000 Joe Kinsella (May 28)
- RE: Snort Event Ids on win2000 Michael Steele (May 28)
- <Possible follow-ups>
- RE: Snort Event Ids on win2000 Joe Kinsella (May 28)
- RE: Snort Event Ids on win2000 Michael Steele (May 28)
- Re: Snort Event Ids on win2000 Chris Reid (May 28)
- Re: Snort Event Ids on win2000 Michael A. Davis (May 28)
- RE: Snort Event Ids on win2000 Michael Steele (May 28)