Snort mailing list archives

App Eventlog: missing event id


From: "Romulo M. Cholewa" <rmc () rmc eti br>
Date: Thu, 15 Jan 2004 21:20:11 -0300

Hi there,

Since I installed snort 210 on a new machine I'm getting strange event
logs. In the past, I used the application eventlogs generated by snort
to send emails when certain alerts were generated.

An alert used to be something like this:

[code]
Event Type:     Information
Event Source:   snort
Event Category: None
Event ID:       1
Date:           15/1/2004
Time:           18:47:50
User:           N/A
Computer:       ELMER
Description:
[1:1042:6] WEB-IIS view source via translate header [Classification:
access to a potentially vulnerable web application] [Priority: 2]: {TCP}
10.255.255.1:1237 -> 10.255.255.252:80 
[/code]

... but now I'm getting this:

[code]
Event Type:     Information
Event Source:   snort
Event Category: None
Event ID:       1
Date:           15/1/2004
Time:           20:38:08
User:           N/A
Computer:       PIONEER
Description:
The description for Event ID ( 1 ) in Source ( snort ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be
able to use the /AUXSOURCE= flag to retrieve this description; see Help
and Support for details. The following information is part of the event:
[1:408:4] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]:
{ICMP} xxx.yyy.zzz.www -> 10.255.255.1.
[/code]

Details:

The first machine is a test 2k Server (fully updated) but running snort
190 build 209. This machine was set up a long time ago, and now I'm trying
to upgrade everything to the latest version of snort.

The second machine is a test XP Pro workstation (fully updated) running
210 build 10.

I checked the eventlog service in the registry on both machines...

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\application\snort

...and there are 2 entries:

EventMessageFile (expand_sz pointing to the snort.exe)
TypesSupported (dword with 0x31fh - 31d)


Needless to say, the fact that the XP Pro install is not recognizing the
event id is disrupting my email alerts.

snort setup bug?

I would like to know if anyone has faced such an issue, and possible solutions /
workarounds.

Any help would be appreciated.

Thanks in advance,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
PGP Keys Available @ website.
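As an added example (not from the original post, and not Snort's own code), a small Python parser that handles both description forms quoted above: it strips the "cannot be found" wrapper that the Event Log service prepends when no message file resolves the ID, then pulls the Snort alert fields out, so an email-alerting script keyed on the description keeps working during an upgrade. The sample descriptions are constructed from the two dumps, with a documentation address standing in for the redacted source.

```python
import re

# Constructed samples modelled on the two Event Viewer dumps in the post;
# 192.0.2.10 is a documentation address standing in for the redacted one.
OLD_STYLE = (
    "[1:1042:6] WEB-IIS view source via translate header [Classification: "
    "access to a potentially vulnerable web application] [Priority: 2]: {TCP} "
    "10.255.255.1:1237 -> 10.255.255.252:80 "
)
NEW_STYLE = (
    "The description for Event ID ( 1 ) in Source ( snort ) cannot be found. "
    "The local computer may not have the necessary registry information or "
    "message DLL files to display messages from a remote computer. You may be "
    "able to use the /AUXSOURCE= flag to retrieve this description; see Help "
    "and Support for details. The following information is part of the event: "
    "[1:408:4] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: "
    "{ICMP} 192.0.2.10 -> 10.255.255.1."
)

# Text the Event Log service inserts before the raw insertion string when the
# registered EventMessageFile cannot supply a template for the event ID.
WRAPPER_MARKER = "The following information is part of the event:"

# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\])?\s*"
    r"(?:\[Priority:\s*(?P<pri>\d+)\])?\s*:\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)\s+->\s+(?P<dst>\S+?)\.?$"
)


def extract_alert_text(description: str) -> str:
    """Return the Snort alert string, unwrapping the 'cannot be found' prefix."""
    flat = " ".join(description.split())  # Event Viewer wraps lines; collapse them
    if WRAPPER_MARKER in flat:
        flat = flat.split(WRAPPER_MARKER, 1)[1].strip()
    return flat


def parse_snort_event(description: str):
    """Parse either description form into a dict, or None if not a Snort alert."""
    m = ALERT_RE.match(extract_alert_text(description))
    if not m:
        return None
    ev = m.groupdict()
    ev["gid"], ev["sid"], ev["rev"] = int(ev["gid"]), int(ev["sid"]), int(ev["rev"])
    ev["pri"] = int(ev["pri"]) if ev["pri"] is not None else None
    return ev


def needs_email(description: str, max_priority: int = 2) -> bool:
    """Unparseable descriptions fail closed (True), so a broken message-file
    registration like the one in the post cannot silently suppress alerts."""
    ev = parse_snort_event(description)
    if ev is None or ev["pri"] is None:
        return True
    return ev["pri"] <= max_priority
```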
