[Snort-users] Corrupt Snort Logging - Win32 Terminal Server 2000

Michael Steele michaels at ...9077...
Wed Dec 3 21:06:01 EST 2003


That's bizarre... Have you tried rebooting? I know you hate to. It's been
214 days without a reboot on mine, not a record yet but getting there. How
much memory do you have? When did this start to happen? Were any changes made
just before it started to do this? Have you restarted the database? Have you
tried to start the log over? Have you updated your NIC drivers? Have you
tried to switch out your memory modules? Have you tried to switch out your
NIC? Have you..... :)

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support at ...9077...
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Jim Robinson
> Sent: Wednesday, December 03, 2003 7:30 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Corrupt Snort Logging - Win32 Terminal Server 2000
> 
> Hi,
> 
> I am using snort on a Win32 Terminal Server 2000 platform and am having
> problems with snort logging strange mixed entries in the log file.  The
> other non-Terminal server installs (mixed NT4 and Win2000 Server) all
> work just fine.  Here's a snip of what I get:
> 
> 10.16.32.60:139
> 12/03/03-21:46:21.536704  [**] [1:538:7]1NETBIOS SMB IPC$ share access
> (unicode) [**] [ClassificaETBIOS SMB IPC$ share access (unicodeti[**]
> on: Attempted Information Leak$14 -> 10.16.32.60:139
> 12/03/03-21:48:04.28928912/03/03-21:48:04.289294 [**]  [**] [:1:111:1:]
> ] NMP public access udp [**] [NMP public access udpC[**]
> lClassification: ttempted Information
> Leak$
> 12/03/03-21:58:04.327276  [**] [[**] 1:1411:3] SNMP public access udp
> [**] ublic access udp[[**] Classification: Attempted Information Leak]
> [Priority: 2] {UDP}
> 10.16.81.$12/03/03-21:58:21.53516212/03/03-21:58:21.535159 [**]  [**]
> [:5:538:7] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share
> access (unicode) [**] [lassification:
> :$
> 12/03/03-22:08:04.365115  [**] [[**] [1:1411:3] SNMP public access udp
> [**] [Classificcation: Attempted Information Leak] [Prioority: 2] {UDP}
> 10.16.81.42:1026 -> 10.16.32$12/03/03-22:10:21.534525  [**] [[**]
> [1:538:7]  NETBIOS SMB IPC$ share access (unicode) [**] [[**]
> Classification:  Attempted Information Leakk] [Priority:  2]  {TCP}
> 10.$12/03/03-22:16:24.20597512/03/03-22:16:24.205977 [**]  [**]
> [:5:538:] ] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share
> access (unicode) [**] [lassification: $9
> 12/03/03-22:16:32.683796  [**] 12/03/03-22:16:32.683800 :4[**]
> 83:483:2CMP PING CyberKit 2.2 Windows [**] [ClCMP PING CyberKit 2.2
> Windows [**] [Classifiioat: on: c activi$.18.220.25 -> 10.16.32.25
> 12/03/03-22:16:32.840032  [**] [[**] [1:483:2]  ICMP PING CyberKit 2.2
> Windows [**] [Classification:  Misc activity] [Priority:  3] {ICMP}
> 10.18.220.25 -> 10.16.32.3255->
> .16.32.35
> 12/03/03-22:16:33.246272  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows
> [**] [C2/03/03-22:16:33.246274  [**] [ssif83:2] onCMP PING CyberKit 2.2
> Windows:[**]  Clasc activit$3] {ICMP} 10.18.220.25 -> 10.16.32.61
> 12/03/03-22:16:33.248385  [**] [1:2192:1] NETBIOS DCERPC
> ISystemActivator bind attempt [**] [2/03/03-22:16:33.248386  [**]
> [assi192:ationETBIOS DCERPC ISystemActivator bin$.18.220.25:3481 ->
> 10.16.32.61:135
> 12/03/03-22:16:33.355616  [**] [1:483:2] 2/03/03-22:16:33.355620ICMP
> PING CyberKit 2.2 Windows [**] [Classi2] ICMP PING CyberKit 2.2 Windows
> [**] [Con: Misccation: Misc ac$ICMP} 10.18.220.25 -> 10.16.32.68
> 12/03/03-22:16:35.386720  [**] [[**] [1:483:2] ICMP PING CyberKit 2.2
> Windows [**] [[**] Classification:  Misc activity] [Priorityy: 3]
> {ICMP} 10.18.220.25 -> 8.220.25
> ->$
> 12/03/03-22:16:35.87112912/03/03-22:16:35.871125 [**] [1[**] :48383:2]
> CMP PING CyberKit 2.2 Windows [**] [CMP PING CyberKit 2.2 WindowsC[**]
> lClassification: isc activity$> 10.16.32.230
> 12/03/03-22:22:21.533306  [**] [[**] [1:538:7] NETBIOS SMB IPC$ share
> access (unicode) [**] [Classification: Attempted Information Leak]
> [Priority: 2]  {TCP}
> 10.16.32.61:$
>
> I am running the latest build of both Snort for Win32 and WINCAP and
> wondered if anyone could shed any light as to what is going on?
> 
> Thanks in advance.
> 
> jim
> 
> 
> 





