[Snort-users] Snort analyzed 0 out of 0 packets, .

Michael Green michael.green at ...4098...
Thu Nov 15 17:14:05 EST 2001


	Hi

	I worked it out. WinPcap was binding to a nonexistent WAN interface.
Using a -i 2 in snort allowed it to connect to my only interface.

> -----Original Message-----
> From:	Michael Green [SMTP:michael.green at ...4098...]
> Sent:	Friday, 16 November 2001 7:24
> To:	'snort-users at lists.sourceforge.net'
> Subject:	[Snort-users] Snort analyzed 0 out of 0 packets, .
> 
> Hi
> 
> I just finished installing Snort Version 1.8-WIN32 (Build 86) on a Win2k
> box. Installed with MySql & Acid.
> 
> Everything seemed fine when I installed it, the required databases were
> created and the acid setup connected and I hit the "Create ACID AG" button,
> this was also successful.
> 
> I then ran Cerberus Internet Scanner against the network that the Snort
> machine was installed, and nothing! The ACID console "# of Sensors:" has 0.
> This concerns me.
> 
> So I ran snort command line:
> 
> C:\Snort\Snort-1.8.2\snort.exe -c C:\Snort\Snort-1.8.2\snort.conf -l C:\Snort\Snort-1.8.2 -A full -h 203.0.171.64/26 -i 1 -d
> Log directory = C:\Snort\Snort-1.8.2
> 
> And it ran without errors, I then ran the scanner again, then broke out of
> the snort session and the stats displayed showed "Snort analyzed 0 out of 0
> packets, ."
> 
> Now I'm thinking Winpcap can't be installed properly so I opened Control
> Panel, Administrative Tools, Computer Management, then chose System Tools,
> System Information, Software Environment, Drivers. The NPF Kernel Driver was
> displayed as "Running OK".
> Any ideas?
> I'm including the output from the snort command line run here:
> C:\Snort\Snort-1.8.2\snort.exe -c C:\Snort\Snort-1.8.2\snort.conf -l C:\Snort\Snort-1.8.2 -A full -h 203.0.171.64/26 -i 1 -d
> Log directory = C:\Snort\Snort-1.8.2
> 
>         --== Initializing Snort ==--
> 
> Initializing Network Interface \
> Decoding Ethernet on interface \Device\Packet_NdisWanIp
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file C:\Snort\Snort-1.8.2\snort.conf
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
> No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
> WARNING: command line overrides rules file alert plugin!
> WARNING: command line overrides rules file alert plugin!
> limit == 128
> UnifiedLogFilename = snort.log
> Opening C:\Snort\Snort-1.8.2/snort.log.1005854049
> 882 Snort rules read...
> 882 Option Chains linked into 101 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Rule application order: ->activation->dynamic->alert->pass->log
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.8-WIN32 (Build 86)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 1.7-WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike)
> 1.8-WIN32 Port By Chris Reid (chris.reid at ...3029...)
>           (based on code from 1.7 port)
> 
> 
> ===============================================================================
> Snort analyzed 0 out of 0 packets, .
> Breakdown by protocol:                Action Stats:
>     TCP: 0          (0.000%)          ALERTS: 0
>     UDP: 0          (0.000%)          LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 0          (0.000%)
> DISCARD: 0          (0.000%)
> ===============================================================================
> Fragmentation Stats:
> Fragmented IP Packets: 0          (0.000%)
>     Fragment Trackers: 0
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
>   Frag2 memory faults: 0
> ===============================================================================
> TCP Stream Reassembly Stats:
>         TCP Packets Used: 0          (0.000%)
>          Stream Trackers: 0
>           Stream flushes: 0
>            Segments used: 0
>    Stream4 Memory Faults: 0
> ===============================================================================
> pcap_loop: read error: PacketReceivePacket failedpcap_stats: PacketGetStats error
> Snort received signal 3, exiting
> 
> 
> Michael Green
> Senior Systems Engineer Communication Systems
> Global Banking & Securities Transactions
> Telephone + 61 7 3331 5555
> Michael.Green at ...4098...
> www.gbst.com

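A sensor that starts without errors but is bound to the wrong adapter fails silently, which is the situation in this thread. The check below is an added example, not part of the original posts or of Snort: it scans a Snort console transcript for the lines shown above. The function name, the `NdisWan` heuristic and the healthy sample are assumptions made for illustration.

```python
import re

# Excerpt of the run quoted above (interface 1 bound to the WAN pseudo-adapter).
BLIND_RUN = r"""
Decoding Ethernet on interface \Device\Packet_NdisWanIp
Snort analyzed 0 out of 0 packets, .
pcap_loop: read error: PacketReceivePacket failedpcap_stats:
Snort received signal 3, exiting
"""

# Constructed sample of a working run; the device name and counts are made up.
HEALTHY_RUN = r"""
Decoding Ethernet on interface \Device\Packet_{EXAMPLE-ADAPTER-GUID}
Snort analyzed 1482 out of 1482 packets, .
Snort received signal 3, exiting
"""

IFACE_RE = re.compile(r"Decoding \S+ on interface (\S+)")
STATS_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")


def check_sensor_run(output):
    """Return (interface, received, findings) for one Snort console transcript."""
    iface = IFACE_RE.search(output)
    stats = STATS_RE.search(output)
    interface = iface.group(1) if iface else None
    # The second number is the count of packets handed over by the capture driver.
    received = int(stats.group(2)) if stats else None
    findings = []
    if interface is None:
        findings.append("no 'Decoding ... on interface' line: capture device unknown")
    elif "ndiswan" in interface.lower():
        # Assumption: 'NdisWan' in the device name marks a WAN/dial-up pseudo-adapter.
        findings.append(f"bound to WAN pseudo-adapter {interface}; select another with -i")
    if received == 0:
        findings.append("0 packets received: sensor saw no traffic during the run")
    if "pcap_loop: read error" in output:
        findings.append("pcap_loop read error reported by the capture driver")
    return interface, received, findings


if __name__ == "__main__":
    for name, run in (("blind", BLIND_RUN), ("healthy", HEALTHY_RUN)):
        interface, received, findings = check_sensor_run(run)
        print(name, interface, received, findings or "OK")
```

Running this after a short test scan against the monitored network gives a quick signal that the sensor is actually seeing traffic before alerts are trusted.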