Snort mailing list archives

Re: Snort on Windows starts but doesn't create any alerts


From: "Michael Green" <Michael.Green () gbst com>
Date: Wed, 5 May 2010 07:19:37 +1000

To discover what interfaces are available on Windows, try windump -D, which
will enumerate the interfaces. It will return a numbered list of really long
device names; with the -i switch you can just specify the number. Since both
snort and windump use the -i switch, you can test it first using windump.

i.e. windump -i 1

If you get the traffic you are expecting, you are good to go; otherwise
just try -i 2 etc.

Hope this helps

Michael
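As an added example that is not part of the thread, the Python helper below does what Michael describes offline: it parses the numbered list that `windump -D` prints, looks up an adapter by its friendly description so you do not have to try -i 1, -i 2, ... in turn, checks a chosen `-i N` against the enumerated list before it is handed to windump or snort, and builds the windump smoke-test and snort.exe command lines from the thread. The `windump -D` output is a constructed sample (the device GUIDs and adapter names are made up), the `N.\Device\NPF_{GUID} (description)` line shape is assumed from WinPcap's device naming, and the snort.conf and log paths are the ones Max typed in the thread, not verified values.

```python
import re

# Constructed sample of `windump -D` output (assumption: GUIDs and adapter names are made up;
# the "N.\Device\NPF_{GUID} (description)" line shape follows WinPcap's device naming)
SAMPLE_WINDUMP_D = """\
1.\\Device\\NPF_{11111111-2222-3333-4444-555555555555} (Intel(R) PRO/1000 MT Network Connection)
2.\\Device\\NPF_{66666666-7777-8888-9999-000000000000} (Microsoft Loopback Adapter)
"""

# index, device name, optional "(description)"; also accepts tcpdump-style "1.eth0" lines
LINE_RE = re.compile(r'^(\d+)\.(\S+)(?:\s+\((.*)\))?$')


def parse_windump_d(text):
    """Map each index printed by `windump -D` to (device name, description)."""
    interfaces = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            interfaces[int(m.group(1))] = (m.group(2), m.group(3) or '')
    return interfaces


def find_index(text, needle):
    """Return the `-i` index whose description contains needle (case-insensitive), else None."""
    for idx, (_, desc) in sorted(parse_windump_d(text).items()):
        if needle.lower() in desc.lower():
            return idx
    return None


def capture_args(text, index, conf=r'c:\Snort\etc\snort.conf', logdir=r'C:\Snort\log'):
    """Check that `-i index` exists in the enumerated list, then return the argv lists for
    the windump smoke test and for the thread's snort.exe command line with -i added.
    The conf and log paths default to the ones typed in the thread (assumed, not verified)."""
    interfaces = parse_windump_d(text)
    if index not in interfaces:
        raise ValueError(f'-i {index} is not in the windump -D list; valid indexes: {sorted(interfaces)}')
    windump = ['windump', '-i', str(index)]
    snort = ['snort.exe', '-c', conf, '-l', logdir, '-A', 'console', '-i', str(index)]
    return windump, snort


if __name__ == '__main__':
    for idx, (dev, desc) in sorted(parse_windump_d(SAMPLE_WINDUMP_D).items()):
        print(f'{idx}: {desc or "(no description)"}  {dev}')
    chosen = find_index(SAMPLE_WINDUMP_D, 'intel')
    for argv in capture_args(SAMPLE_WINDUMP_D, chosen):
        print(' '.join(argv))
```

On a real host you would feed the script the captured output of `windump -D` instead of the constructed sample; the point of `capture_args` is that the same index is used for the windump test and for snort, so a capture that shows the expected traffic in windump is a capture on the interface snort will actually open.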


From: Max Williams [mailto:Max.Williams () mflow com]
Sent: Tuesday, 4 May 2010 11:39 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort on Windows starts but doesn't create any alerts

Thanks for the ideas so far but I still cannot get any alerts out of
Snort on Windows 2008 R2.

"Large pings and nmap scans will not necessarily generate any alerts.
nmap may trigger the portscan preprocessor if you have it configured to
look for scans. Doesn't look like you're using it."

They both do on Linux and I have configured sfportscan too but still no
alerts.

"To better test, create a simple rule in local.rules, such as:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Test for web traffic"; sid: 1000001;)

Make sure your local.rules file is enabled in your snort.conf, click on
a web page and you should have alerts."

Tried this too and still no alerts.

"Also, Joel is right. You need to specify an interface when starting
Snort. I haven't used Snort on Windows for quite some time, but remember
a -w switch that was used to determine what Windows interfaces are
available.  I don't see it in my current build; perhaps others on the
list might know more about it. "

I've tried specifying either of the interfaces on the command line but
no luck.

Anyone got any other ideas?

I've googled heaps and followed guides on winsnort.com (thanks Michael)

I'm guessing that since a simple rule in local.rules (as suggested by
Nick) is not triggering an alert then there is some major issue with my
config?

Snort is definitely seeing all the packets because if I run it with -v
it prints loads!

From: Nick Moore [mailto:nmoore () sourcefire com]
Sent: 30 April 2010 14:46
To: Max Williams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort on Windows starts but doesn't create any alerts

Max,

Large pings and nmap scans will not necessarily generate any alerts.
nmap may trigger the portscan preprocessor if you have it configured to
look for scans. Doesn't look like you're using it.

To better test, create a simple rule in local.rules, such as:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Test for web traffic"; sid: 1000001;)

Make sure your local.rules file is enabled in your snort.conf, click on
a web page and you should have alerts.

Also, Joel is right. You need to specify an interface when starting
Snort. I haven't used Snort on Windows for quite some time, but remember
a -w switch that was used to determine what Windows interfaces are
available. I don't see it in my current build; perhaps others on the
list might know more about it.

Nick

On Fri, Apr 30, 2010 at 5:16 AM, Max Williams <Max.Williams () mflow com> wrote:

Hi,

I am new to snort but have got it running on Linux hosts with no
problems. I have an issue with Windows 2008 though. I can start snort
but it just doesn't register any alerts:

c:\Snort\bin>snort.exe -c c:\Snort\etc\snort.conf -l C:\Snort\log -A console

<snip>

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 422
| Patterns         : 129205
| Pattern Chars    : 1125821
| Num States       : 769140
| Num Match States : 116175
| Memory           :   18.72Mbytes
|   Patterns       :   4.03M
|   Match Lists    :   5.48M
|   Transitions    :   9.11M
+-------------------------------------------------
[ Number of null byte prefixed patterns trimmed: 16976 ]

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6-ODBC-MySQL-FlexRESP-WIN32 IPv6 GRE (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC (IPV6)  Version 1.1  <Build 5>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
Not Using PCAP_FRAMES

While it's running as above I've tried pinging the host with large
packets and various nmap scans which all register alerts on the Linux
hosts but on Windows nothing is printed on the console. I've got the
latest rules.

Can someone give me some pointers on how to troubleshoot this further?

TIA and Best Regards,

Max Williams


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org
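Nick's test-rule advice in the thread (a local.rules rule that carries msg and sid, and an include line for local.rules in snort.conf) boils down to a few checks that can be made offline before blaming the sensor. The Python script below is an added example, not code from the thread or from the Snort project: it parses a constructed snort.conf fragment and a constructed local.rules containing the thread's test rule, then reports the usual reasons such a rule never fires: local.rules not included, a rule that lacks msg or sid, a sid below the 1000000+ range reserved for local rules, a duplicate sid, or a $HOME_NET/$EXTERNAL_NET variable that the rule references but snort.conf never defines. Both input files and the rules path are assumptions (constructed samples).

```python
import re

# Constructed snort.conf fragment (assumption: not the poster's real file; the rules path is made up)
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH c:\\Snort\\rules
include $RULE_PATH/local.rules
"""

# Constructed local.rules holding the test rule quoted in the thread
SAMPLE_LOCAL_RULES = """\
# Local rules: sids 1000000 and above are reserved for local use
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Test for web traffic"; sid: 1000001;)
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')


def parse_conf(conf_text):
    """Return (variables, includes) from snort.conf; $VAR references in include paths are expanded."""
    variables, includes = {}, []
    for line in conf_text.splitlines():
        line = line.strip()
        m = re.match(r'^(?:var|ipvar|portvar)\s+(\w+)\s+(.+)$', line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = re.match(r'^include\s+(\S+)$', line)
        if m:
            path = re.sub(r'\$(\w+)', lambda v: variables.get(v.group(1), v.group(0)), m.group(1))
            includes.append(path)
    return variables, includes


def split_options(body):
    """Split a rule's option body on ';' outside double quotes and return {keyword: value}.
    (Escaped quotes inside msg strings are not handled; the thread's rule has none.)"""
    opts, token, in_quote = {}, '', False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            key, _, value = token.partition(':')
            opts[key.strip()] = value.strip()
            token = ''
        else:
            token += ch
    if token.strip():  # tolerate a final option without its trailing ';'
        key, _, value = token.partition(':')
        opts[key.strip()] = value.strip()
    return opts


def parse_rules(rules_text):
    """Parse every non-comment line of a rules file into header fields plus an options dict."""
    rules = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            rules.append({'line': n, 'error': 'unparseable rule header'})
            continue
        action, proto, src, sport, direction, dst, dport, body = m.groups()
        rules.append({'line': n, 'action': action, 'proto': proto, 'src': src, 'sport': sport,
                      'dir': direction, 'dst': dst, 'dport': dport, 'options': split_options(body)})
    return rules


def check_local_rules(conf_text, rules_text):
    """Return a list of findings that would stop a local.rules test rule from ever alerting."""
    variables, includes = parse_conf(conf_text)
    findings = []
    if not any(p.lower().endswith('local.rules') for p in includes):
        findings.append('snort.conf has no include line for local.rules')
    seen_sids = set()
    for r in parse_rules(rules_text):
        if 'error' in r:
            findings.append(f"line {r['line']}: {r['error']}")
            continue
        opts = r['options']
        for required in ('msg', 'sid'):
            if required not in opts:
                findings.append(f"line {r['line']}: missing {required}")
        sid = opts.get('sid', '')
        if sid.isdigit():
            if int(sid) < 1000000:
                findings.append(f"line {r['line']}: sid {sid} is below the local-rule range (1000000+)")
            if sid in seen_sids:
                findings.append(f"line {r['line']}: duplicate sid {sid}")
            seen_sids.add(sid)
        for field in (r['src'], r['sport'], r['dst'], r['dport']):
            for var in re.findall(r'\$(\w+)', field):
                if var not in variables:
                    findings.append(f"line {r['line']}: ${var} is not defined in snort.conf")
    return findings


if __name__ == '__main__':
    for finding in check_local_rules(SAMPLE_CONF, SAMPLE_LOCAL_RULES) or ['no findings']:
        print(finding)
```

Run it against the real snort.conf and local.rules text and an empty findings list means the test rule is at least loadable and addressable; if it still produces no alert on a web request, the remaining suspects are the capture interface and the HOME_NET/EXTERNAL_NET values themselves, which the script only checks for presence, not correctness.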
