[Snort-users] Win32 Misconfiguration

Michael Steele michaels at ...155...
Thu Apr 24 13:43:06 EDT 2003


Julian,

This is happening to all our XP boxes. Snort is functioning properly. If
you find the root cause, please let me know.

The description for Event ID ( 1 ) in Source ( snort ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. The
following information is part of the event:


-Michael
-- 
 Michael Steele | System Engineer / Support Technician     
 mailto:michaels at ...155...    
 Silicon Defense - The Cyber-War Defense Company
 Website: http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Julian Brown
Sent: Thursday, April 24, 2003 9:10 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Win32 Misconfiguration

Latest Snort on Win32 as a service.  Logging to the NTEventLogger.

snort /SERVICE /INSTALL -de -E -l C:\Snort\log -h 192.168.168.0/24 -c C:\Snort\etc\snort.conf

I have a whole bunch of the following type messages in the EventViewer

The description for Event ID ( 1 ) in Source ( snort ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. The
following information is part of the event: [1:2101:1] NETBIOS SMB
SMB_COM_TRANSACTION Max Parameter of 0 DOS Attempt [Classification:
Detection of a Denial of Service Attack] [Priority: 2]: {TCP}
192.168.168.4:3512 -> 192.168.168.3:139.

I do not believe I have it set to output to alert_smb; I definitely do
not want alert_smb.

With the exception of these lines

#
# Include classification & priority settings
#

include c:\snort\etc\classification.config

#
# Include reference systems
#

include c:\snort\etc\reference.config

All of the output options are commented out in snort.conf

These files are all in their original state and have not been modified.

What have I done wrong to get the above messages?

Thanx

Julian Brown
jbrown at ...9006...



