Snort mailing list archives

Re: Snort on Windows starts but doesn't create any alerts


From: Nick Moore <nmoore () sourcefire com>
Date: Fri, 30 Apr 2010 08:45:35 -0500

Max,

Large pings and nmap scans will not necessarily generate any alerts. nmap
may trigger the portscan preprocessor if you have it configured to look for
scans. Doesn't look like you're using it.

To better test, create a simple rule in local.rules, such as:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Test for web traffic"; sid: 1000001;)

Make sure your local.rules file is enabled in your snort.conf, click on a
web page and you should have alerts.

Also, Joel is right. You need to specify an interface when starting Snort. I
haven't used Snort on Windows for quite some time, but remember a -w switch
that was used to determine what Windows interfaces are available.  I don't
see it in my current build; perhaps others on the list might know more about
it.

Nick

On Fri, Apr 30, 2010 at 5:16 AM, Max Williams <Max.Williams () mflow com> wrote:

Hi,

I am new to snort but have got it running on Linux hosts with no problems.
I have an issue with Windows 2008 though. I can start snort but it just
doesn’t register any alerts:



c:\Snort\bin>snort.exe -c c:\Snort\etc\snort.conf -l C:\Snort\log -A console

<snip>

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 422
| Patterns         : 129205
| Pattern Chars    : 1125821
| Num States       : 769140
| Num Match States : 116175
| Memory           :   18.72Mbytes
|   Patterns       :   4.03M
|   Match Lists    :   5.48M
|   Transitions    :   9.11M
+-------------------------------------------------
[ Number of null byte prefixed patterns trimmed: 16976 ]

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6-ODBC-MySQL-FlexRESP-WIN32 IPv6 GRE (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC (IPV6)  Version 1.1  <Build 5>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
Not Using PCAP_FRAMES



While it's running as above I've tried pinging the host with large packets
and various nmap scans, which all register alerts on the Linux hosts, but on
Windows nothing is printed on the console. I've got the latest rules.

Can someone give me some pointers on how to troubleshoot this further?

TIA and Best Regards,

Max Williams




------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org
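Added example for this thread (not Nick's code and not part of Snort): a small Python check for the two things the reply says to verify before blaming the sensor, namely that the test rule in local.rules is well formed with a sid in the local range, and that the `include ... local.rules` line in snort.conf is not commented out. The snort.conf fragment below is constructed for the example and does not come from the poster's box.

```python
"""Sanity-check a Snort test rule and the snort.conf include that enables it.

Added example for this mailing-list thread; it is not Snort's own code. It
parses the one-line rule syntax used in local.rules, reports the defects that
typically lead to "Snort starts but no alerts" (missing msg, missing or
out-of-range sid), and checks whether snort.conf actually includes local.rules.
"""
import re

# Rule header: action proto src sport dir dst dport, then options in parentheses.
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Site-local rules use sids of 1,000,000 and above so they never collide
# with the official rule set; the thread's example uses 1000001.
LOCAL_SID_MIN = 1000000


def split_options(opts):
    """Split 'msg:"a;b"; sid:1;' into a dict, honouring ';' inside quotes."""
    result, fields, buf, in_quote = {}, [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        fields.append("".join(buf))
    for field in fields:
        field = field.strip()
        if not field:
            continue
        key, _, value = field.partition(":")
        result[key.strip()] = value.strip().strip('"')
    return result


def parse_rule(line):
    """Return the header fields plus an 'options' dict, or None if malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule


def rule_problems(line):
    """List why a rule would be rejected at start-up or is a poor test rule."""
    rule = parse_rule(line)
    if rule is None:
        return ["rule header does not parse"]
    problems = []
    opts = rule["options"]
    if "msg" not in opts:
        problems.append("no msg: alert would carry no description")
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        problems.append("sid missing or not numeric: Snort refuses the rule")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append("sid below %d: reserved for the official rule set" % LOCAL_SID_MIN)
    return problems


def local_rules_enabled(conf_text):
    """True if snort.conf has an uncommented include line ending in local.rules."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.startswith("include") and line.endswith("local.rules"):
            return True
    return False


def make_test_rule(sid, dport=80, msg="Test for web traffic"):
    """Build a rule shaped like the one suggested in the thread."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET %d (msg:"%s"; sid:%d;)'
            % (dport, msg, sid))


# Constructed snort.conf fragment (not from the thread): the local.rules
# include is still commented out, so the test rule would never be loaded.
SAMPLE_CONF = """\
var RULE_PATH c:\\Snort\\rules
include $RULE_PATH/web-misc.rules
# include $RULE_PATH/local.rules
"""

if __name__ == "__main__":
    rule = make_test_rule(1000001)
    print(rule, "->", rule_problems(rule) or "ok")
    print("local.rules enabled:", local_rules_enabled(SAMPLE_CONF))
```

Run it against the real snort.conf by reading the file into `local_rules_enabled`; if it returns False, the rule can be perfect and Snort will still start silently, which is exactly the symptom in the question.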
