[Snort-users] Corrupt Snort Logging - Win32 Terminal Server 2000

Jim Robinson jim at ...10685...
Wed Dec 3 19:30:01 EST 2003


Hi,

I am using Snort on a Win32 Terminal Server 2000 platform and am having
problems with Snort logging strange mixed entries in the log file.  The
other non-Terminal server installs (mixed NT4 and Win2000 Server) all
work just fine.  Here's a snip of what I get:

10.16.32.60:139
12/03/03-21:46:21.536704  [**] [1:538:7]1NETBIOS SMB IPC$ share access
(unicode) [**] [ClassificaETBIOS SMB IPC$ share access (unicodeti[**]
on: Attempted Information Leak$14 -> 10.16.32.60:139
12/03/03-21:48:04.28928912/03/03-21:48:04.289294 [**]  [**] [:1:111:1:]
] NMP public access udp [**] [NMP public access udpC[**]
lClassification: ttempted Information
Leak$                                                                                                                                                                            
12/03/03-21:58:04.327276  [**] [[**] 1:1411:3] SNMP public access udp
[**] ublic access udp[[**] Classification: Attempted Information Leak]
[Priority: 2] {UDP} 
10.16.81.$12/03/03-21:58:21.53516212/03/03-21:58:21.535159 [**]  [**]
[:5:538:7] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share
access (unicode) [**] [lassification:
:$                                                                                                                                                                            
12/03/03-22:08:04.365115  [**] [[**] [1:1411:3] SNMP public access udp
[**] [Classificcation: Attempted Information Leak] [Prioority: 2] {UDP}
10.16.81.42:1026 -> 10.16.32$12/03/03-22:10:21.534525  [**] [[**]
[1:538:7]  NETBIOS SMB IPC$ share access (unicode) [**] [[**]
Classification:  Attempted Information Leakk] [Priority:  2]  {TCP} 
10.$12/03/03-22:16:24.20597512/03/03-22:16:24.205977 [**]  [**]
[:5:538:] ] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share
access (unicode) [**] [lassification: $9
12/03/03-22:16:32.683796  [**] 12/03/03-22:16:32.683800 :4[**]
83:483:2CMP PING CyberKit 2.2 Windows [**] [ClCMP PING CyberKit 2.2
Windows [**] [Classifiioat: on: c activi$.18.220.25 -> 10.16.32.25
12/03/03-22:16:32.840032  [**] [[**] [1:483:2]  ICMP PING CyberKit 2.2
Windows [**] [Classification:  Misc activity] [Priority:  3] {ICMP}
10.18.220.25 -> 10.16.32.3255->
.16.32.35
12/03/03-22:16:33.246272  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows
[**] [C2/03/03-22:16:33.246274  [**] [ssif83:2] onCMP PING CyberKit 2.2
Windows:[**]  Clasc activit$3] {ICMP} 10.18.220.25 -> 10.16.32.61
12/03/03-22:16:33.248385  [**] [1:2192:1] NETBIOS DCERPC
ISystemActivator bind attempt [**] [2/03/03-22:16:33.248386  [**]
[assi192:ationETBIOS DCERPC ISystemActivator bin$.18.220.25:3481 ->
10.16.32.61:135
12/03/03-22:16:33.355616  [**] [1:483:2] 2/03/03-22:16:33.355620ICMP
PING CyberKit 2.2 Windows [**] [Classi2] ICMP PING CyberKit 2.2 Windows
[**] [Con: Misccation: Misc ac$ICMP} 10.18.220.25 -> 10.16.32.68
12/03/03-22:16:35.386720  [**] [[**] [1:483:2] ICMP PING CyberKit 2.2
Windows [**] [[**] Classification:  Misc activity] [Priorityy: 3] 
{ICMP} 10.18.220.25 -> 8.220.25
->$                                                                                                                                                                            
12/03/03-22:16:35.87112912/03/03-22:16:35.871125 [**] [1[**] :48383:2]
CMP PING CyberKit 2.2 Windows [**] [CMP PING CyberKit 2.2 WindowsC[**]
lClassification: isc activity$> 10.16.32.230
12/03/03-22:22:21.533306  [**] [[**] [1:538:7] NETBIOS SMB IPC$ share
access (unicode) [**] [Classification: Attempted Information Leak]
[Priority: 2]  {TCP} 
10.16.32.61:$                                                                                                                                                                            

I am running the latest build of both Snort for Win32 and WinPcap and
wondered if anyone could shed any light as to what is going on?

Thanks in advance.

jim
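
An added example, not part of the original post: a small integrity check that flags alert records showing the symptoms in the snippet above (more than one timestamp in a record, extra `[**]` delimiters, or a record that no longer parses). It assumes the fast-alert layout visible in the post and records already unwrapped to one per line; the sample records are constructed from lines in the post, and the names `check_record` and `audit` are hypothetical.

```python
import re

# Fast-alert layout as seen in the post, one record per line:
# timestamp [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src -> dst
TS = r"\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d{6}"    # year part made optional here
ENDPOINT = r"\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?"    # no port on ICMP records
ALERT = re.compile(
    rf"^{TS}\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+.+?\s\[\*\*\]\s+"
    rf"(?:\[Classification:\s*[^\]]+\]\s+)?\[Priority:\s*\d+\]\s+"
    rf"\{{[A-Z0-9]+\}}\s+{ENDPOINT} -> {ENDPOINT}\s*$"
)

def check_record(line):
    """Return the list of problems found in one alert record (empty = clean)."""
    problems = []
    stamps = len(re.findall(TS, line))
    if stamps > 1:
        problems.append(f"{stamps} timestamps in one record (mixed entries)")
    delims = line.count("[**]")
    if delims != 2:
        problems.append(f"{delims} '[**]' delimiters, expected 2")
    if not ALERT.match(line):
        problems.append("does not parse as a fast alert")
    return problems

def audit(lines):
    """Map 1-based record number -> problems, for corrupt records only."""
    report = {}
    for number, line in enumerate(lines, 1):
        problems = check_record(line.rstrip("\r\n"))
        if problems:
            report[number] = problems
    return report

# Constructed sample: one clean record, then two damaged ones taken from the post.
SAMPLE = [
    "12/03/03-22:16:32.840032  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.18.220.25 -> 10.16.32.35",
    "12/03/03-22:16:33.246272  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] "
    "[C2/03/03-22:16:33.246274  [**] [ssif83:2] onCMP PING CyberKit 2.2 Windows:[**]  "
    "Clasc activit$3] {ICMP} 10.18.220.25 -> 10.16.32.61",
    "12/03/03-22:22:21.533306  [**] [[**] [1:538:7] NETBIOS SMB IPC$ share access "
    "(unicode) [**] [Classification: Attempted Information Leak] [Priority: 2]  {TCP} "
    "10.16.32.61:$",
]

if __name__ == "__main__":
    for number, problems in audit(SAMPLE).items():
        print(f"record {number}: " + "; ".join(problems))
```

Running it over a whole alert file gives a count of damaged records per sensor, which makes it easy to confirm that only the Terminal Server install is affected.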




