Snort mailing list archives

RE: Corrupt Snort Logging - Win32 Terminal Server 2000


From: "Michael Steele" <michaels () winsnort com>
Date: Wed, 3 Dec 2003 21:03:03 -0800

That's bizarre... Have you tried rebooting? I know you hate to. It's been
214 days without a reboot on mine, not a record yet but getting there. How
much memory do you have? When did this start to happen? Were any changes made
just before it started to do this? Have you restarted the database? Have you
tried to start the log over? Have you updated your NIC drivers? Have you
tried to switch out your memory modules? Have you tried to switch out your
NIC? Have you..... :)

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support () winsnort com
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jim Robinson
Sent: Wednesday, December 03, 2003 7:30 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Corrupt Snort Logging - Win32 Terminal Server 2000

Hi,

I am using snort on a Win32 Terminal Server 2000 platform and am having
problems with snort logging strange mixed entries in the log file.  The
other non-Terminal server installs (mixed NT4 and Win2000 Server) all
work just fine.  Here's a snip of what I get:

10.16.32.60:139
12/03/03-21:46:21.536704  [**] [1:538:7]1NETBIOS SMB IPC$ share access
(unicode) [**] [ClassificaETBIOS SMB IPC$ share access (unicodeti[**]
on: Attempted Information Leak$14 -> 10.16.32.60:139
12/03/03-21:48:04.28928912/03/03-21:48:04.289294 [**]  [**] [:1:111:1:]
] NMP public access udp [**] [NMP public access udpC[**]
lClassification: ttempted Information
Leak$
12/03/03-21:58:04.327276  [**] [[**] 1:1411:3] SNMP public access udp
[**] ublic access udp[[**] Classification: Attempted Information Leak]
[Priority: 2] {UDP}
10.16.81.$12/03/03-21:58:21.53516212/03/03-21:58:21.535159 [**]  [**]
[:5:538:7] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share
access (unicode) [**] [lassification:
:$
12/03/03-22:08:04.365115  [**] [[**] [1:1411:3] SNMP public access udp
[**] [Classificcation: Attempted Information Leak] [Prioority: 2] {UDP}
10.16.81.42:1026 -> 10.16.32$12/03/03-22:10:21.534525  [**] [[**]
[1:538:7]  NETBIOS SMB IPC$ share access (unicode) [**] [[**]
Classification:  Attempted Information Leakk] [Priority:  2]  {TCP}
10.$12/03/03-22:16:24.20597512/03/03-22:16:24.205977 [**]  [**]
[:5:538:] ] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share
access (unicode) [**] [lassification: $9
12/03/03-22:16:32.683796  [**] 12/03/03-22:16:32.683800 :4[**]
83:483:2CMP PING CyberKit 2.2 Windows [**] [ClCMP PING CyberKit 2.2
Windows [**] [Classifiioat: on: c activi$.18.220.25 -> 10.16.32.25
12/03/03-22:16:32.840032  [**] [[**] [1:483:2]  ICMP PING CyberKit 2.2
Windows [**] [Classification:  Misc activity] [Priority:  3] {ICMP}
10.18.220.25 -> 10.16.32.3255->
.16.32.35
12/03/03-22:16:33.246272  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows
[**] [C2/03/03-22:16:33.246274  [**] [ssif83:2] onCMP PING CyberKit 2.2
Windows:[**]  Clasc activit$3] {ICMP} 10.18.220.25 -> 10.16.32.61
12/03/03-22:16:33.248385  [**] [1:2192:1] NETBIOS DCERPC
ISystemActivator bind attempt [**] [2/03/03-22:16:33.248386  [**]
[assi192:ationETBIOS DCERPC ISystemActivator bin$.18.220.25:3481 ->
10.16.32.61:135
12/03/03-22:16:33.355616  [**] [1:483:2] 2/03/03-22:16:33.355620ICMP
PING CyberKit 2.2 Windows [**] [Classi2] ICMP PING CyberKit 2.2 Windows
[**] [Con: Misccation: Misc ac$ICMP} 10.18.220.25 -> 10.16.32.68
12/03/03-22:16:35.386720  [**] [[**] [1:483:2] ICMP PING CyberKit 2.2
Windows [**] [[**] Classification:  Misc activity] [Priorityy: 3]
{ICMP} 10.18.220.25 -> 8.220.25
->$
12/03/03-22:16:35.87112912/03/03-22:16:35.871125 [**] [1[**] :48383:2]
CMP PING CyberKit 2.2 Windows [**] [CMP PING CyberKit 2.2 WindowsC[**]
lClassification: isc activity$> 10.16.32.230
12/03/03-22:22:21.533306  [**] [[**] [1:538:7] NETBIOS SMB IPC$ share
access (unicode) [**] [Classification: Attempted Information Leak]
[Priority: 2]  {TCP}
10.16.32.61:$

I am running the latest build of both Snort for Win32 and WINCAP and
wondered if anyone could shed any light as to what is going on?

Thanks in advance.

jim



-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
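
Added example (not part of either message, and not Snort or WinSnort code): a small Python checker that undoes the mail-style line wrapping and reports which records in an alert file still follow the layout of the readable lines in the excerpt above. The regular expression, the function names and the sample text are assumptions made for this illustration.

```python
import re

TS = r"\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}"
ADDR = r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"
TIMESTAMP = re.compile(TS)
# Assumed layout of an intact record, taken from the readable lines in the excerpt.
RECORD = re.compile(
    r"^(?P<ts>" + TS + r")\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>(?:(?!\[\*\*\]).)+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<cls>[^\]]+)\]\s+\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>" + ADDR + r")\s+->\s+(?P<dst>" + ADDR + r")\s*$"
)

# Constructed sample: records 1 and 4 are clean, 2 and 3 are garbled like the excerpt.
SAMPLE = """\
12/03/03-22:16:32.840032  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows
[**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.18.220.25 -> 10.16.32.35
12/03/03-21:48:04.28928912/03/03-21:48:04.289294 [**]  [**] [:1:111:1:]
12/03/03-22:08:04.365115  [**] [[**] [1:1411:3] SNMP public access udp
12/03/03-22:22:21.533306  [**] [1:538:7] NETBIOS SMB IPC$ share
access (unicode) [**] [Classification: Attempted Information Leak]
[Priority: 2] {TCP} 10.16.81.42:1026 -> 10.16.32.60:139
"""

def split_records(text):
    """Undo line wrapping: a line that begins with a timestamp opens a record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and (TIMESTAMP.match(line) or not records):
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def audit(text):
    """Return (intact, damaged): parsed fields, and (record, reasons) pairs."""
    intact, damaged = [], []
    for rec in split_records(text):
        m = RECORD.match(rec)
        reasons = [] if m else ["does not match record layout"]
        stamps = len(TIMESTAMP.findall(rec))
        if stamps > 1:  # more than one timestamp inside a single record
            reasons.append("%d timestamps in one record" % stamps)
        if reasons:
            damaged.append((rec, reasons))
        else:
            intact.append(m.groupdict())
    return intact, damaged
```

Running audit() over a log from each sensor gives a per-host count of damaged records, which makes it easy to compare the Terminal Server install against the ones that log cleanly.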





