Snort mailing list archives

Re: Snort on Windows starts but doesn't create any alerts


From: Max Williams <Max.Williams () mflow com>
Date: Fri, 30 Apr 2010 12:10:24 +0100

I thought so too but have tried many combinations of
"var HOME_NET any", "var EXTERNAL_NET any", "var HOME_NET 10.1.11.0/24", "var EXTERNAL_NET <the hosts public address>"
But no luck. Setting both to "any" should work anyway, right?
Cheers,
Max


-----Original Message-----
From: rmkml [mailto:rmkml () free fr] 
Sent: 30 April 2010 09:58
To: Max Williams
Cc: rmkml () free fr
Subject: Re: [Snort-users] Snort on Windows starts but doesn't create any alerts

Hi max,
Maybe Snort is listening on the wrong network interface?
Regards
Rmkml


On Fri, 30 Apr 2010, Max Williams wrote:

Hi,
I am new to snort but have got it running on Linux hosts with no problems. I have an issue with Windows 2008 though. 
I can start snort but it just doesn't register any alerts:

c:\Snort\bin>snort.exe -c c:\Snort\etc\snort.conf -l C:\Snort\log -A console

<snip>

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 422
| Patterns         : 129205
| Pattern Chars    : 1125821
| Num States       : 769140
| Num Match States : 116175
| Memory           :   18.72Mbytes
|   Patterns       :   4.03M
|   Match Lists    :   5.48M
|   Transitions    :   9.11M
+-------------------------------------------------
[ Number of null byte prefixed patterns trimmed: 16976 ]

       --== Initialization Complete ==--

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.8.6-ODBC-MySQL-FlexRESP-WIN32 IPv6 GRE (Build 38)
  ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2010 Sourcefire, Inc., et al.
          Using PCRE version: 7.4 2007-09-21
          Using ZLIB version: 1.2.3

          Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
          Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
          Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
          Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
          Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
          Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
          Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
          Preprocessor Object: SF_DCERPC (IPV6)  Version 1.1  <Build 5>
          Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
Not Using PCAP_FRAMES

While it's running as above, I've tried pinging the host with large packets and various nmap scans, which all register alerts on the Linux hosts, but on Windows nothing is printed on the console. I've got the latest rules.
Can someone give me some pointers on how to troubleshoot this further?
TIA and Best Regards,
Max Williams



------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
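A troubleshooting sequence covering both points raised in the thread (rmkml's interface question and Max's HOME_NET/EXTERNAL_NET settings), added here as an example and not code from either poster. It assumes the C:\Snort layout from Max's post with a Snort 2.8.x Win32 build; the interface index 2, the C:\Snort\rules\local.rules file and sid 1000001 are assumptions to adjust for your host. Each step isolates one possible cause, from "no packets reach Snort at all" down to "packets arrive but no rule fires".

```powershell
# Added example for this thread, not code from the original posts.
# Assumes the layout from Max's post (Snort 2.8.x Win32 under C:\Snort) and
# a rules directory at C:\Snort\rules; interface index 2, the local.rules
# file and sid 1000001 are assumptions, change them to match your host.
# Run from an elevated prompt so WinPcap can open the adapter.
$snort = 'C:\Snort\bin\snort.exe'
$conf  = 'C:\Snort\etc\snort.conf'
$log   = 'C:\Snort\log'
$rules = 'C:\Snort\rules\local.rules'

# 1. List the capture interfaces (-W is Win32 only). Without -i, Snort sniffs
#    the first interface WinPcap enumerates, which on a server with several
#    NICs (or a VPN/virtual adapter) is often not the one carrying the traffic.
& $snort -W

# 2. Pick the index of the NIC that actually receives the test traffic.
$if = 2   # assumption: replace with the index shown by -W

# 3. Prove packets reach Snort at all: -v prints every decoded packet header.
#    Ping the server from another host; if nothing scrolls, the interface
#    (or WinPcap) is the problem and no rule setting will help. Ctrl-C to stop.
& $snort -v -i $if

# 4. Show the address variables actually in effect. Both set to "any" is
#    legal and cannot by itself explain total silence.
Select-String -Path $conf -Pattern '^\s*(var|ipvar)\s+(HOME_NET|EXTERNAL_NET)\b'

# 5. Add a catch-all ICMP rule that depends on no variable and no preprocessor,
#    so an alert from it separates capture problems from rule/variable problems.
#    snort.conf must contain:  include $RULE_PATH/local.rules
Add-Content -Path $rules -Value 'alert icmp any any -> any any (msg:"LOCAL ICMP test"; sid:1000001; rev:1;)'

# 6. Test mode: parses the config, loads the rules and exits. Check the rule
#    counts it prints and that every include line opened without error.
& $snort -T -c $conf -i $if

# 7. Run for real. -k none turns off checksum verification: with NIC checksum
#    offloading, frames the server itself sends reach WinPcap before the
#    hardware fills in the checksum, and Snort silently drops such packets
#    before detection. Incoming packets from the remote ping are normally fine,
#    so this mostly matters for the replies and for locally generated tests.
#    Expect a "[**] [1:1000001:1] LOCAL ICMP test [**]" line per ping.
& $snort -c $conf -l $log -A console -i $if -k none
```

If step 3 shows packets but step 7 stays silent, the remaining suspects are the rule files themselves (the -T output lists how many rules loaded) rather than the interface; if step 3 shows nothing, fix the interface choice before touching snort.conf.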