[Snort-users] Snort analyzed 0 out of 0 packets, .

Bill Pennington billp at ...400...
Thu Nov 15 17:27:02 EST 2001


I never had the pleasure *ahem* of installing snort on a Win32 platform but
a couple of thoughts spring to mind:

(Sorry if you have already tried these)

1. You are on a switched network so snort does not see any traffic.

2. Your EXTERNAL_NET variable is set incorrectly. A lot of rules only alert
on stuff coming from external to internal and it sounds like maybe you have
stuff going internal to internal.

3. You might want to run snort -vd; this will just dump all the packets
snort sees to the command prompt window. This can help you determine if you
can see any traffic at all. If you see traffic but it is not alerting I
would suspect something like #2 or another rule set issue.

Good Luck!

----- Original Message -----
From: "Michael Green" <michael.green at ...4098...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, November 15, 2001 1:23 PM
Subject: [Snort-users] Snort analyzed 0 out of 0 packets, .


> Hi
>
> I just finished installing Snort Version 1.8-WIN32 (Build 86) on a Win2k
> box. Installed with MySql & Acid.
>
> Everything seemed fine when I installed it, the required databases were
> created and the acid setup connected and I hit the "Create ACID AG" button,
> this was also successful.
>
> I then ran Cerberus Internet Scanner against the network that the Snort
> machine was installed, and nothing! The ACID console "# of Sensors:" has 0.
> This concerns me.
>
> So I ran snort command line:
>
> C:\Snort\Snort-1.8.2\snort.exe -c C:\Snort\Snort-1.8.2\snort.conf -l
> C:\Snort\Snort-1.8.2 -A full -h 203.0.171.64/26 -i 1 -d
> Log directory = C:\Snort\Snort-1.8.2
>
> And it ran without errors, I then ran the scanner again, then broke out of
> the snort session and the stats displayed showed "Snort analyzed 0 out of 0
> packets, ."
>
> Now I'm thinking Winpcap can't be installed properly so I opened Control
> Panel, Administrative Tools, Computer Management, then chose System Tools,
> System Information, Software Environment, Drivers. The NPF Kernel Driver was
> displayed as "Running OK".
> Any ideas?
> I'm including the output from the snort command line run here:
> C:\Snort\Snort-1.8.2\snort.exe -c C:\Snort\Snort-1.8.2\snort.conf -l
> C:\Snort\Snort-1.8.2 -A full -h 203.0.171.64/26 -i 1 -d
> Log directory = C:\Snort\Snort-1.8.2
>
>         --== Initializing Snort ==--
>
> Initializing Network Interface \
> Decoding Ethernet on interface \Device\Packet_NdisWanIp
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file C:\Snort\Snort-1.8.2\snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
> No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
> WARNING: command line overrides rules file alert plugin!
> WARNING: command line overrides rules file alert plugin!
> limit == 128
> UnifiedLogFilename = snort.log
> Opening C:\Snort\Snort-1.8.2/snort.log.1005854049
> 882 Snort rules read...
> 882 Option Chains linked into 101 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Rule application order: ->activation->dynamic->alert->pass->log
>
>         --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 1.8-WIN32 (Build 86)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 1.7-WIN32 Port By Michael Davis (mike at ...92...,
> www.datanerds.net/~mike)
> 1.8-WIN32 Port By Chris Reid (chris.reid at ...3029...)
>           (based on code from 1.7 port)
>
>
>
> ===============================================================================
> Snort analyzed 0 out of 0 packets, .
> Breakdown by protocol:                Action Stats:
>     TCP: 0          (0.000%)          ALERTS: 0
>     UDP: 0          (0.000%)          LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 0          (0.000%)
> DISCARD: 0          (0.000%)
>
> ===============================================================================
> Fragmentation Stats:
> Fragmented IP Packets: 0          (0.000%)
>     Fragment Trackers: 0
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
>   Frag2 memory faults: 0
>
> ===============================================================================
> TCP Stream Reassembly Stats:
>         TCP Packets Used: 0          (0.000%)
>          Stream Trackers: 0
>           Stream flushes: 0
>            Segments used: 0
>    Stream4 Memory Faults: 0
>
> ===============================================================================
> pcap_loop: read error: PacketReceivePacket failedpcap_stats: PacketGetStats error
> Snort received signal 3, exiting
>
>
> Michael Green
> Senior Systems Engineer Communication Systems
> Global Banking & Securities Transactions
> Telephone + 61 7 3331 5555
> Michael.Green at ...4098...
> www.gbst.com
>
>
>
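An added example, not part of this thread: a small Python triage script that applies the reply's reasoning to the console output of a snort run like the one quoted above. It separates "snort saw no packets at all" (interface, switched port or driver problem; confirm with snort -vd) from "snort saw packets but nothing alerted" (HOME_NET/EXTERNAL_NET or rule set problem), and also flags a capture-driver error and the bound interface name. Both sample outputs are constructed for the example (the first is abridged from the thread, the second adapter name is a placeholder); the finding codes are this script's own, not Snort's.

```python
import re

# Constructed sample 1: the tail of the snort.exe run quoted in the thread, abridged.
# Backslashes are doubled because this is a normal (non-raw) Python string.
SAMPLE_RUN = """\
Initializing Network Interface \\
Decoding Ethernet on interface \\Device\\Packet_NdisWanIp
Parsing Rules file C:\\Snort\\Snort-1.8.2\\snort.conf
882 Snort rules read...
Snort analyzed 0 out of 0 packets, .
Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
pcap_loop: read error: PacketReceivePacket failedpcap_stats: PacketGetStats error
Snort received signal 3, exiting
"""

# Constructed sample 2 (not from the thread): traffic was captured but nothing
# matched, the situation point #2 in the reply describes. Adapter name is a placeholder.
SAMPLE_TRAFFIC_NO_ALERTS = """\
Decoding Ethernet on interface \\Device\\Packet_{PLACEHOLDER-ADAPTER-GUID}
882 Snort rules read...
Snort analyzed 1520 out of 1520 packets, .
Breakdown by protocol:                Action Stats:
    TCP: 1400       (92.105%)         ALERTS: 0
Snort received signal 3, exiting
"""

PATTERNS = {
    "interface": re.compile(r"Decoding Ethernet on interface (\S+)"),
    "rules": re.compile(r"(\d+) Snort rules read"),
    "analyzed": re.compile(r"Snort analyzed (\d+) out of (\d+) packets"),
    "alerts": re.compile(r"ALERTS:\s*(\d+)"),
    "capture_error": re.compile(r"pcap_loop: read error|PacketReceivePacket failed"),
}


def parse_snort_run(text):
    """Pull the few fields that matter for 'why did snort see nothing' out of console output."""
    stats = {"interface": None, "rules": None, "analyzed": None,
             "received": None, "alerts": None, "capture_error": False}
    m = PATTERNS["interface"].search(text)
    if m:
        stats["interface"] = m.group(1)
    m = PATTERNS["rules"].search(text)
    if m:
        stats["rules"] = int(m.group(1))
    m = PATTERNS["analyzed"].search(text)
    if m:
        stats["analyzed"], stats["received"] = int(m.group(1)), int(m.group(2))
    m = PATTERNS["alerts"].search(text)
    if m:
        stats["alerts"] = int(m.group(1))
    stats["capture_error"] = PATTERNS["capture_error"].search(text) is not None
    return stats


def triage(text):
    """Return finding codes in priority order, following the reasoning in the reply."""
    s = parse_snort_run(text)
    findings = []
    if s["capture_error"]:
        # The packet driver returned an error mid-run: check the WinPcap/NPF install
        # and that the -i index names a live adapter before suspecting the rules.
        findings.append("CAPTURE_ERROR")
    if s["received"] == 0:
        # Nothing reached snort at all (points #1 and #3): wrong interface, a switched
        # port with no mirrored traffic, or driver trouble. Confirm with snort -vd.
        findings.append("NO_TRAFFIC")
    elif s["alerts"] == 0 and s["analyzed"]:
        # Packets were seen but no rule fired (point #2): check HOME_NET /
        # EXTERNAL_NET and which rule set is actually loaded.
        findings.append("NO_ALERTS")
    if s["interface"] and "ndiswan" in s["interface"].lower():
        # NdisWan is the Windows WAN/dial-up miniport; verify -i points at the LAN adapter.
        findings.append("WAN_INTERFACE")
    if s["rules"] == 0:
        findings.append("NO_RULES")
    return findings


if __name__ == "__main__":
    for name, text in (("thread sample", SAMPLE_RUN),
                       ("traffic, no alerts", SAMPLE_TRAFFIC_NO_ALERTS)):
        print(name, parse_snort_run(text)["received"], triage(text))
```

Run against the quoted output, the script reports a capture error, zero packets received and an NdisWan interface, which points the investigation at the adapter and driver rather than at the rule set; the second sample falls through to the rules check instead.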