Snort mailing list archives
RE: Corrupt Snort Logging - Win32 Terminal Server 2000
From: "Michael Steele" <michaels () winsnort com>
Date: Wed, 3 Dec 2003 21:03:03 -0800
That's bizarre... Have you tried rebooting? I know you hate to. It's been 214 days without a reboot on mine, not a record yet but getting there.

How much memory do you have? When did this start to happen? Were any changes made just before it started to do this? Have you restarted the database? Have you tried to start the log over? Have you updated your NIC drivers? Have you tried to switch out your memory modules? Have you tried to switch out your NIC? Have you..... :)

Cheers...

-The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jim Robinson
Sent: Wednesday, December 03, 2003 7:30 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Corrupt Snort Logging - Win32 Terminal Server 2000

Hi,

I am using snort on a Win32 Terminal Server 2000 platform and am having problems with snort logging strange mixed entries in the log file. The other non-Terminal server installs (mixed NT4 and Win2000 Server) all work just fine.

Here's a snip of what I get:

10.16.32.60:139 12/03/03-21:46:21.536704 [**] [1:538:7]1NETBIOS SMB IPC$ share access (unicode) [**] [ClassificaETBIOS SMB IPC$ share access (unicodeti[**] on: Attempted Information Leak$14 -> 10.16.32.60:139 12/03/03-21:48:04.28928912/03/03-21:48:04.289294 [**] [**] [:1:111:1:] ] NMP public access udp [**] [NMP public access udpC[**] lClassification: ttempted Information Leak$ 12/03/03-21:58:04.327276 [**] [[**] 1:1411:3] SNMP public access udp [**] ublic access udp[[**] Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.16.81.$12/03/03-21:58:21.53516212/03/03-21:58:21.535159 [**] [**] [:5:538:7] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share access (unicode) [**] [lassification: :$ 12/03/03-22:08:04.365115 [**] [[**] [1:1411:3] SNMP public access udp [**] [Classificcation: Attempted Information Leak] [Prioority: 2] {UDP} 10.16.81.42:1026 -> 10.16.32$12/03/03-22:10:21.534525 [**] [[**] [1:538:7] NETBIOS SMB IPC$ share access (unicode) [**] [[**] Classification: Attempted Information Leakk] [Priority: 2] {TCP} 10.$12/03/03-22:16:24.20597512/03/03-22:16:24.205977 [**] [**] [:5:538:] ] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share access (unicode) [**] [lassification: $9 12/03/03-22:16:32.683796 [**] 12/03/03-22:16:32.683800 :4[**] 83:483:2CMP PING CyberKit 2.2 Windows [**] [ClCMP PING CyberKit 2.2 Windows [**] [Classifiioat: on: c activi$.18.220.25 -> 10.16.32.25 12/03/03-22:16:32.840032 [**] [[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.18.220.25 -> 10.16.32.3255-> .16.32.35 12/03/03-22:16:33.246272 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [C2/03/03-22:16:33.246274 [**] [ssif83:2] onCMP PING CyberKit 2.2 Windows:[**] Clasc activit$3] {ICMP} 10.18.220.25 -> 10.16.32.61 12/03/03-22:16:33.248385 [**] [1:2192:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [2/03/03-22:16:33.248386 [**] [assi192:ationETBIOS DCERPC ISystemActivator bin$.18.220.25:3481 -> 10.16.32.61:135 12/03/03-22:16:33.355616 [**] [1:483:2] 2/03/03-22:16:33.355620ICMP PING CyberKit 2.2 Windows [**] [Classi2] ICMP PING CyberKit 2.2 Windows [**] [Con: Misccation: Misc ac$ICMP} 10.18.220.25 -> 10.16.32.68 12/03/03-22:16:35.386720 [**] [[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [[**] Classification: Misc activity] [Priorityy: 3] {ICMP} 10.18.220.25 -> 8.220.25 ->$ 12/03/03-22:16:35.87112912/03/03-22:16:35.871125 [**] [1[**] :48383:2] CMP PING CyberKit 2.2 Windows [**] [CMP PING CyberKit 2.2 WindowsC[**] lClassification: isc activity$> 10.16.32.230 12/03/03-22:22:21.533306 [**] [[**] [1:538:7] NETBIOS SMB IPC$ share access (unicode) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.16.32.61:$

I am running the latest build of both Snort for Win32 and WINCAP and wondered if anyone could shed any light as to what is going on?

Thanks in advance.

jim

-------------------------------------------------------
This SF.net email is sponsored by OSDN's Audience Survey. Help shape OSDN's sites and tell us what you think. Take this five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
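A check for the kind of damage shown in the quoted log, as an added example that is not part of the original thread: it validates each line against the Snort fast-alert layout visible in the intact parts of that log and flags lines that carry more than one timestamp. The function names, verdict labels and the intact sample records (with 192.0.2.x addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Layout of a Snort "fast" alert record, as visible in the intact parts of the quoted log:
# MM/DD/YY-HH:MM:SS.uuuuuu [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src -> dst
TS = r"\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}"
ADDR = r"\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?"   # port is absent for ICMP
RECORD = re.compile(
    r"^(?P<ts>" + TS + r")\s+\[\*\*\]\s+\[(?P<sig>\d+:\d+:\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9-]+)\}\s+"
    r"(?P<src>" + ADDR + r")\s+->\s+(?P<dst>" + ADDR + r")\s*$"
)

# Constructed sample: lines 1 and 4 are intact records written in the page's format;
# lines 2 and 3 are fragments copied from the corrupted log quoted above.
SAMPLE = [
    "12/03/03-22:16:33.246272  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20",
    "12/03/03-21:48:04.28928912/03/03-21:48:04.289294 [**] [**] [:1:111:1:] ] NMP public access udp [**]",
    "12/03/03-22:08:04.365115 [**] [[**] [1:1411:3] SNMP public access udp [**] "
    "[Classificcation: Attempted Information Leak] [Prioority: 2] {UDP} 10.16.81.42:1026 -> 10.16.32",
    "12/03/03-21:58:04.327276  [**] [1:1411:3] SNMP public access udp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:1026 -> 192.0.2.20:161",
]

def check_line(line):
    """Return 'ok', 'interleaved' (two records share the line) or 'malformed'."""
    line = line.rstrip("\r\n")
    if len(re.findall(TS, line)) > 1:
        return "interleaved"
    m = RECORD.match(line)
    if m is None or "[**]" in m.group("msg"):
        return "malformed"
    return "ok"

def audit(lines):
    """Count verdicts and list the 1-based numbers of lines that are not intact."""
    verdicts = [(n, check_line(l)) for n, l in enumerate(lines, 1) if l.strip()]
    counts = Counter(v for _, v in verdicts)
    bad = [n for n, v in verdicts if v != "ok"]
    return counts, bad

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running `audit()` over the alert file before and after each troubleshooting step gives a count of damaged records to compare, rather than a visual impression of the log.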