Snort mailing list archives

No Alerts in Windows, Last Try


From: "Mike" <mike () Novanix com>
Date: Thu, 29 Jul 2004 17:53:51 -0400

Sorry for the same email again, but unfortunately my snort is still not
working in windows. I thought due to my automated spamming (sorry) the issue
might have got dropped. I thought I would try one more time.

The original message was here:
http://marc.theaimsgroup.com/?l=snort-users&m=109089003631842&w=2

Replies:
http://marc.theaimsgroup.com/?l=snort-users&m=109089621129524&w=2 
http://marc.theaimsgroup.com/?l=snort-users&m=109090420805445&w=2


Basically I am running snort 2.20 with windows 2003 server on a dual
processor machine (with hyperthreading on) and no alerts are being generated
except:
[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] 
07/26-23:18:43.852390 6.123.123.7:2142 -> 123.192.123.421:135
TCP TTL:119 TOS:0x0 ID:11549 IpLen:20 DgmLen:284 DF
***AP*** Seq: 0x704EA903  Ack: 0xCA6F4421  Win: 0x21FC  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

I go to site.com/cmd.exe or site.com/default.ida?NNNN from a remote box and
nothing is logged. The snort rules file I am using is almost identical to
the one I am using on my linux boxes where it is working perfectly.

I have tried running snort various ways including 
bin\snort.exe -c etc\snort.conf
bin\snort.exe -c etc\snort.conf -i 1

I only have one LAN card in the box and it shows up as:
1  \Device\NPF_{66C08459-44B6-49F8-B602-E9E0D2731745} (Intel(R) PRO/1000 MT
Network Connection)

If I run snort with: bin\snort -vX -c etc\snort.conf
I can see the packets that should set it off, but for whatever reason no
alerts are generated.

I would love to get the windows boxes tied into our Snort IDS, I just can't
figure out why it isn't logging.

Thanks,
   Mike
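When comparing what a test request should have triggered against what actually landed in the alert file, it helps to turn Snort's "full" alert blocks into structured records. The following is an added example, not code from the original post or from the Snort project; it parses the one alert block quoted above (embedded as constructed sample input) and collects the (gid, sid) pairs that fired, so a list of expected SIDs can be diffed against it.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the single alert block quoted in the post, in Snort's "full" alert format.
SAMPLE_ALERTS = """\
[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
07/26-23:18:43.852390 6.123.123.7:2142 -> 123.192.123.421:135
TCP TTL:119 TOS:0x0 ID:11549 IpLen:20 DgmLen:284 DF
***AP*** Seq: 0x704EA903  Ack: 0xCA6F4421  Win: 0x21FC  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
FLOW = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
XREF = re.compile(r"^\[Xref => (\S+)\]$")

@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str = ""
    priority: int = 0
    timestamp: str = ""
    src: str = ""
    dst: str = ""
    proto: str = ""
    xrefs: list = field(default_factory=list)

def parse_full_alerts(text):
    """Split a full-format alert log at each [**] header line and parse the block that follows it."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER.match(line)):
            alerts.append(Alert(int(m[1]), int(m[2]), int(m[3]), m[4]))
            continue
        if not alerts:
            continue  # anything before the first header is not part of an alert
        cur = alerts[-1]
        if (m := CLASS.match(line)):
            cur.classification, cur.priority = m[1], int(m[2])
        elif (m := FLOW.match(line)):
            cur.timestamp, cur.src, cur.dst = m[1], f"{m[2]}:{m[3]}", f"{m[4]}:{m[5]}"
        elif (m := XREF.match(line)):
            cur.xrefs.append(m[1])
        elif line[:3] in ("TCP", "UDP", "ICM") and not cur.proto:
            cur.proto = line.split()[0]  # protocol line: "TCP TTL:119 TOS:0x0 ..."
    return alerts

def sids_fired(alerts):
    """Set of (gid, sid) pairs present in the log; diff this against the SIDs a test request should trigger."""
    return {(a.gid, a.sid) for a in alerts}
```

Feed it the real alert file instead of SAMPLE_ALERTS and subtract sids_fired() from the set of SIDs the cmd.exe and .ida test requests are expected to raise; whatever remains is the rule set that never matched.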


