Snort mailing list archives
Re: Snort on Windows starts but doesn't create any alerts
From: Max Williams <Max.Williams () mflow com>
Date: Tue, 4 May 2010 14:39:00 +0100
Thanks for the ideas so far but I still cannot get any alerts out of Snort on Windows 2008 R2.

"Large pings and nmap scans will not necessarily generate any alerts. nmap may trigger the portscan preprocessor if you have it configured to look for scans. Doesn't look like you're using it."

They both do on Linux and I have configured sfportscan too but still no alerts.

"To better test, create a simple rule in local.rules, such as:

    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Test for web traffic"; sid: 1000001;)

Make sure your local.rules file is enabled in your snort.conf, click on a web page and you should have alerts."

Tried this too and still no alerts.

"Also, Joel is right. You need to specify an interface when starting Snort. I haven't used Snort on Windows for quite some time, but remember a -w switch that was used to determine what Windows interfaces are available. I don't see it in my current build; perhaps others on the list might know more about it."

I've tried specifying either of the interfaces on the command line but no luck.

Anyone got any other ideas? I've googled heaps and followed guides on winsnort.com (thanks Michael). I'm guessing that since a simple rule in local.rules (as suggested by Nick) is not triggering an alert then there is some major issue with my config? Snort is definitely seeing all the packets because if I run it with -v it prints loads!

From: Nick Moore [mailto:nmoore () sourcefire com]
Sent: 30 April 2010 14:46
To: Max Williams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort on Windows starts but doesn't create any alerts

Max,

Large pings and nmap scans will not necessarily generate any alerts. nmap may trigger the portscan preprocessor if you have it configured to look for scans. Doesn't look like you're using it.

To better test, create a simple rule in local.rules, such as:

    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Test for web traffic"; sid: 1000001;)

Make sure your local.rules file is enabled in your snort.conf, click on a web page and you should have alerts.

Also, Joel is right. You need to specify an interface when starting Snort. I haven't used Snort on Windows for quite some time, but remember a -w switch that was used to determine what Windows interfaces are available. I don't see it in my current build; perhaps others on the list might know more about it.

Nick

On Fri, Apr 30, 2010 at 5:16 AM, Max Williams <Max.Williams () mflow com> wrote:

Hi,

I am new to snort but have got it running on Linux hosts with no problems. I have an issue with Windows 2008 though. I can start snort but it just doesn't register any alerts:

    c:\Snort\bin>snort.exe -c c:\Snort\etc\snort.conf -l C:\Snort\log -A console
    <snip>
    [ Port Based Pattern Matching Memory ]
    +-[AC-BNFA Search Info Summary]------------------------------
    | Instances        : 422
    | Patterns         : 129205
    | Pattern Chars    : 1125821
    | Num States       : 769140
    | Num Match States : 116175
    | Memory           : 18.72Mbytes
    |   Patterns       : 4.03M
    |   Match Lists    : 5.48M
    |   Transitions    : 9.11M
    +-------------------------------------------------
    [ Number of null byte prefixed patterns trimmed: 16976 ]

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.8.6-ODBC-MySQL-FlexRESP-WIN32 IPv6 GRE (Build 38)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2010 Sourcefire, Inc., et al.
               Using PCRE version: 7.4 2007-09-21
               Using ZLIB version: 1.2.3

               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
               Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
               Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
               Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
               Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
               Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
               Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
               Preprocessor Object: SF_DCERPC (IPV6)  Version 1.1  <Build 5>
               Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>

    Not Using PCAP_FRAMES

While it's running as above I've tried pinging the host with large packets and various nmap scans which all register alerts on the linux hosts but on windows nothing is printed on the console. I've got the latest rules.

Can someone give me some pointers on how to troubleshoot this further?

TIA and Best Regards,
Max Williams

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo) nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''    www.sourcefire.com
           www.snort.org
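Nick's test rule only proves anything if snort.conf actually reaches local.rules and the rule's $HOME_NET / $EXTERNAL_NET variables resolve; Max's follow-up suggests one of those links is broken. The script below is an added example for this archive page, not Snort code and not something either poster wrote. It checks a snort.conf and a candidate rule as text, without running Snort: that local.rules is reached by an `include` line after `$RULE_PATH` substitution, that every `$VAR` in the rule header is defined by `var`/`ipvar`/`portvar`, and that the sid sits in the local range (1,000,000 and above, which Snort reserves for site-local rules). The sample snort.conf is constructed for the demo, in the Windows layout used in the thread; the rule is Nick's, verbatim. It parses only the simple single-line rule grammar used here, not every Snort option.

```python
"""Text-level sanity checks for a Snort 2.x snort.conf / local.rules pair.

Added example for the thread above; not Snort's own code.  It catches the
cheap-to-check reasons a local test rule never fires:
  * local.rules is not reached by any `include` line,
  * the rule references a $VAR that snort.conf never defines,
  * the sid is outside the range reserved for local rules.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample config (hypothetical) in the style of c:\Snort\etc\snort.conf.
SAMPLE_CONF = r"""
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH c:\Snort\rules
portvar HTTP_PORTS 80
# include $RULE_PATH/local.rules   <- commented out, so the test rule never loads
include $RULE_PATH/web-misc.rules
"""

# The test rule suggested in the thread, unchanged.
TEST_RULE = 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Test for web traffic"; sid: 1000001;)'

VAR_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
RULE_HEADER = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)


def substitute(value, variables, depth=0):
    """Expand $VAR references (recursively, e.g. !$HOME_NET), bounded against cycles.
    Raises KeyError with the missing variable name if one is undefined."""
    if depth > 10:
        raise ValueError('variable expansion too deep: %r' % value)

    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(name)
        return substitute(variables[name], variables, depth + 1)

    return VAR_REF.sub(repl, value)


def parse_conf(text):
    """Return (variables, includes) from snort.conf text; '#' comments and blanks skipped."""
    variables, includes = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] in ('var', 'ipvar', 'portvar') and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] == 'include' and len(parts) >= 2:
            try:
                includes.append(substitute(parts[1], variables))
            except KeyError:
                includes.append(parts[1])  # keep the raw path if $RULE_PATH is undefined
    return variables, includes


def parse_rule(rule):
    """Split a single-line rule into header fields and an options dict (msg, sid, ...).
    Simplification: options are split on ';', so a msg containing ';' is not handled."""
    match = RULE_HEADER.match(rule.strip())
    if not match:
        raise ValueError('rule header did not parse: %r' % rule)
    fields = match.groupdict()
    options = {}
    for opt in fields.pop('opts').split(';'):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(':')
            options[key.strip()] = val.strip().strip('"')
    fields['options'] = options
    return fields


def check(conf_text, rule_text, rules_file='local.rules'):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    variables, includes = parse_conf(conf_text)
    # 1. Is the rules file reached at all?  PureWindowsPath accepts / and \ mixes.
    if not any(PureWindowsPath(p).name.lower() == rules_file for p in includes):
        findings.append('%s is not reached by any include line in snort.conf' % rules_file)
    rule = parse_rule(rule_text)
    # 2. Does every $VAR in the header resolve?
    for field in ('src', 'sport', 'dst', 'dport'):
        try:
            substitute(rule[field], variables)
        except KeyError as exc:
            findings.append('rule references $%s, which snort.conf never defines' % exc.args[0])
    # 3. Local rules live at sid >= 1000000; lower sids collide with distributed rules.
    sid = int(rule['options'].get('sid', '0'))
    if sid < 1000000:
        findings.append('sid %d is in the range reserved for distributed rules' % sid)
    if 'msg' not in rule['options']:
        findings.append('rule has no msg option, so a hit would be hard to recognise')
    return findings


if __name__ == '__main__':
    for finding in check(SAMPLE_CONF, TEST_RULE):
        print('FINDING:', finding)
```

Run against the constructed config it reports only that local.rules is never included, which is the first thing to confirm before blaming the interface or the rules download; on a real host, read snort.conf from disk and loop `check` over every line of local.rules.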