[Snort-users] Samba Alerts....

Martin Roesch roesch at ...421...
Fri Jan 26 14:49:56 EST 2001


If SMB alert support isn't compiled into the RPM, you'll have to grab
the source and run 'configure --enable-smbalerts'.  You also need to
make sure that WinPopup is running on the receiver system (Win95/98
only, NT/2k have it as a service).  If you want to see if SMB support is
compiled into the binary, run 'snort -c <conf file> -M /etc/snort/SPACE'
and see if it starts properly and without any error or warning messages.

    -Marty

David Fitches wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Forgive me if I'm raising an often-discussed-thought-dead-and-gone issue,
> but when installing SNORT from the RPM's, EXACTLY how do you get Samba
> Alerts working??
> 
> Currently I've placed the line :
> 
>         output smb_alert: /etc/snort/SPACE
> 
> in my snort.conf file in the "/etc/snort" directory.
> 
> I've created /etc/snort/SPACE containing one entry :
> 
>         Mercury
> 
> (It did have entries for the other machines on the house LAN, but as it
> didn't work with them in it either, I left them out for the time being)
> 
> - From there I performed a restart of SNORT (/etc/rc.d/init.d/snortd
> restart)
> 
> Then I did a port scan over the LAN from my windows box to the linux server.
> 
> It creates a "log" file in the /var/log/snort directory stating that a port
> scan had occurred.
> 
> It created complete log entries in the IP specific directory for the PC I
> scanned from (/var/log/snort/192.168.0.1).
> 
> It even created a "portscan.log" file in the "/var/log/snort" directory.
> 
> But no pop-up window on my windows box.
> 
> Any and all suggestions welcome, even constructive flames! :)
> 
> - -
> 
>                         = Dave Fitches =
> 
> ________________________________________________________
>  ,--__|\    David Fitches
> /       \   * ICQ : 2120090   * SATCO CID : 955589
> \_,--\__/   * Mobile : +61-419-466-744
>        v    * E-mail : sticks.au at ...375...
>             Melbourne, Victoria, Australia
>             Web: http://www.bigfoot.com/~sticks.au/
> _______________________________________________________
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.3
> 
> iQA/AwUBOmo70wUhkO6Zt2EDEQJafwCdFrMsPSN4U+W8syNduWlM5UUCNWAAoKtp
> poof213Rh1LWP4P5tkiaPrdS
> =zm/i
> -----END PGP SIGNATURE-----

--
Martin Roesch
roesch at ...421...
http://www.snort.org
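
Added example, not part of the original thread and not Snort's own code: a shell preflight for the configuration side of the setup discussed above (the 'output smb_alert:' line in snort.conf and the workstation file it names). The function names are hypothetical, and the check assumes one host name per line in the workstation file, as in the /etc/snort/SPACE file described in the question.

```shell
#!/bin/sh
# Preflight for the SMB alert configuration quoted in the thread:
#     output smb_alert: /etc/snort/SPACE
# Return codes of smb_alert_preflight (hypothetical helper):
#   0 ok, 1 no active directive, 2 workstation file unreadable, 3 no hosts

smb_alert_file() {
    # Print the path from the first uncommented "output smb_alert:" line.
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}smb_alert:[[:space:]]*\([^[:space:]#]\{1,\}\).*$/\1/p' "$1" | head -n 1
}

smb_alert_hosts() {
    # Print host names: strip CRs (file edited on Windows), trim, drop blanks.
    tr -d '\r' < "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

smb_alert_preflight() {
    conf=$1
    wfile=$(smb_alert_file "$conf")
    if [ -z "$wfile" ]; then
        echo "no active 'output smb_alert:' line in $conf" >&2
        return 1
    fi
    if [ ! -r "$wfile" ]; then
        echo "workstation file $wfile is missing or unreadable" >&2
        return 2
    fi
    hosts=$(smb_alert_hosts "$wfile")
    if [ -z "$hosts" ]; then
        echo "workstation file $wfile lists no hosts" >&2
        return 3
    fi
    echo "$hosts" | while read -r h; do echo "alert target: $h"; done
    return 0
}
```

Source the file and run 'smb_alert_preflight /etc/snort/snort.conf'. A pass only clears the configuration side; whether the binary was built with SMB alert support is still checked with the 'snort -c <conf file> -M /etc/snort/SPACE' run described in the reply.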



