[Snort-users] Win32 Misconfiguration

Julian Brown jbrown at ...8965...
Thu Apr 24 12:42:23 EDT 2003


Latest Snort on Win32 as a service.  Logging to the NTEventLogger.

snort /SERVICE /INSTALL -de -E -l C:\Snort\log -h 192.168.168.0/24 -c 
C:\Snort\etc\snort.conf

I have a whole bunch of the following type messages in the EventViewer

The description for Event ID ( 1 ) in Source ( snort ) cannot be found. The 
local computer may not have the necessary registry information or message 
DLL files to display messages from a remote computer. The following 
information is part of the event: [1:2101:1] NETBIOS SMB 
SMB_COM_TRANSACTION Max Parameter of 0 DOS Attempt [Classification: 
Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 
192.168.168.4:3512 -> 192.168.168.3:139.

I do not believe I have it set to output to alert_smb, I definitely do not 
want alert_smb.

With the exception of these lines

#
# Include classification & priority settings
#

include c:\snort\etc\classification.config

#
# Include reference systems
#

include c:\snort\etc\reference.config

All of the output options are commented out in snort.conf

These files are all in there original state and not been modified.

What have I done wrong to get the above messages?

Thanx

Julian Brown
jbrown at ...9006...






More information about the Snort-users mailing list