[Snort-users] Windows Snort & Rules

Dean Thompson Dean.Thompson at ...5330...
Mon Mar 18 20:02:02 EST 2002


  This is probably going to be an easy question to answer, but it has me
stumped at the moment.  I recently upgraded from RC2 to the release of DeMarc
and decided to test out the DeMarc Windows client on a Win2K box.

  All has gone well: the server is up and running, and the Snort program has
been started as a service on the Win2K server.  Communications between the
Windows client and the MySQL server are going fine.

  My problem comes when I take a look at Snort initialising itself on the
Win2K box.  It reports that it has read in 0 rules.  As a consequence of
having "zero" rules, the snort client on the Win2K machine picks up only basic
IDS incidents and doesn't apply the vast other rules that are out there in the
snort world.

  In an effort to try and get some rules into the system, I took the rules
from the snort-current package and placed them into a directory which snort
could load when it starts.  Snort was able to find the rules, but is unable to
process them correctly.  Every time it tries to access the rules, for instance
the first line in the DNS rule set:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt";
content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16;
reference:arachnids,277; reference:cve,CVE-1999-0009; reference:bugtraq,134;
reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon;
sid:252; rev:3;)

Will complain that the port is not defined.  Now, I am not sure whether this
is a case that the "any" variable is being mapped to a range of ports or
whether there is something else going on here.

Has anyone had a similar problem or been able to get the "snort-rules" to work
with snort under Windows?

See ya

Dean Thompson

Dean Thompson
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
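The rule quoted above takes its addresses from $EXTERNAL_NET and $HOME_NET, which Snort expects to be set with `var` lines in snort.conf before the rule files are included, so a rule file loaded on its own has nothing to resolve them against. As an added example (not part of the original post or of Snort itself), the Python below parses a constructed config fragment and rule list and reports every variable a rule header references that the config never defines; the config values, the second rule and its sid are made up for the demonstration.

```python
import re

# Constructed snort.conf fragment (not from the post); EXTERNAL_NET is deliberately undefined.
SAMPLE_CONF = """
var HOME_NET 192.168.1.0/24
var DNS_SERVERS $HOME_NET
"""

# Constructed rules: the post's DNS iquery rule (options trimmed) and a made-up chained-var rule.
SAMPLE_RULES = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; sid:252; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"constructed sample"; sid:1000001; rev:1;)',
]

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\('
)
VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)', re.M)

def parse_vars(conf):
    """Return {NAME: VALUE} for every 'var NAME VALUE' line in a snort.conf fragment."""
    return dict(VAR_RE.findall(conf))

def parse_header(rule):
    """Split a rule header into action/proto/src/sport/dir/dst/dport; None if malformed."""
    m = HEADER_RE.match(rule.strip())
    return m.groupdict() if m else None

def undefined_vars(rules, defined):
    """Map 'sid N' (or a rule prefix) to the $VARs its header uses that the config never defines."""
    problems = {}
    # A var whose own value refers to an undefined var is unusable as well.
    for name, value in defined.items():
        for ref in re.findall(r'\$(\w+)', value):
            if ref not in defined:
                problems.setdefault(f'var {name}', []).append(ref)
    for rule in rules:
        hdr, sid = parse_header(rule), re.search(r'sid:\s*(\d+)', rule)
        key = f'sid {sid.group(1)}' if sid else rule[:40]
        if hdr is None:
            problems[key] = ['<malformed header>']
            continue
        names = (hdr[k].lstrip('!') for k in ('src', 'sport', 'dst', 'dport'))  # strip negation
        missing = [n[1:] for n in names if n.startswith('$') and n[1:] not in defined]
        if missing:
            problems[key] = missing
    return problems

if __name__ == "__main__":
    print(undefined_vars(SAMPLE_RULES, parse_vars(SAMPLE_CONF)))
```

Run against the real snort.conf and rule files, an empty result means every header variable resolves; otherwise the listed names are what to add with `var` before the include lines.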

