[Snort-users] No Alerts in Windows, Last Try

Mike mike at ...12183...
Thu Jul 29 14:57:29 EDT 2004


Sorry for sending the same email again, but unfortunately my Snort is still not
working on Windows. I thought that, due to my automated spamming (sorry), the issue
might have got dropped, so I thought I would try one more time.

The original message was here:
http://marc.theaimsgroup.com/?l=snort-users&m=109089003631842&w=2

Replies:
http://marc.theaimsgroup.com/?l=snort-users&m=109089621129524&w=2 
http://marc.theaimsgroup.com/?l=snort-users&m=109090420805445&w=2


Basically I am running Snort 2.20 with Windows 2003 Server on a dual-processor
machine (with hyperthreading on), and no alerts are being generated
except:
[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] 
07/26-23:18:43.852390 6.123.123.7:2142 -> 123.192.123.421:135
TCP TTL:119 TOS:0x0 ID:11549 IpLen:20 DgmLen:284 DF
***AP*** Seq: 0x704EA903  Ack: 0xCA6F4421  Win: 0x21FC  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

I go to site.com/cmd.exe or site.com/default.ida?NNNN from a remote box and
nothing is logged. The Snort rules file I am using is almost identical to
the one I am using on my Linux boxes, where it is working perfectly.

I have tried running snort various ways including 
bin\snort.exe -c etc\snort.conf
bin\snort.exe -c etc\snort.conf -i 1

I only have one lan card in the box and it shows up as:
1  \Device\NPF_{66C08459-44B6-49F8-B602-E9E0D2731745} (Intel(R) PRO/1000 MT
Network Connection)

If I run snort with: bin\snort -vX -c etc\snort.conf
I can see the packets that should set it off, but for whatever reason no
alerts are generated.

I would love to get the Windows boxes tied into our Snort IDS; I just can't
figure out why it isn't logging.

Thanks,
   Mike
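As an added example, not part of Mike's post or of the Snort project: a small parser for the Snort 2.x full-alert block format quoted above, run over constructed sample blocks. Only the field layout follows Snort's output; the addresses, ports, sequence numbers and the cmd.exe and ICMP entries are made up for illustration. It pulls out gid:sid:rev, classification, priority, the endpoints, the IP and TCP header fields and any cross-references, then tallies alerts by sid, which is a quick way to confirm from the alert file which signatures actually fired on a sensor.

```python
"""Parse Snort 2.x full-alert blocks (alert.ids / alert_full output).

Added example, not code from the original post or from Snort itself.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample alert file: three blocks in Snort 2.x full-alert
# layout. Addresses (RFC 5737 ranges), ports, IDs and sequence numbers
# are made up; this is not captured traffic.
SAMPLE_ALERTS = """\
[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
07/26-23:18:43.852390 192.0.2.10:2142 -> 198.51.100.7:135
TCP TTL:119 TOS:0x0 ID:11549 IpLen:20 DgmLen:284 DF
***AP*** Seq: 0x704EA903  Ack: 0xCA6F4421  Win: 0x21FC  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
07/26-23:19:01.000120 192.0.2.10:3310 -> 198.51.100.7:80
TCP TTL:119 TOS:0x0 ID:11550 IpLen:20 DgmLen:312 DF
***AP*** Seq: 0x704EB000  Ack: 0xCA6F5000  Win: 0x21FC  TcpLen: 20

[**] [1:384:4] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
07/26-23:20:15.500000 192.0.2.10 -> 198.51.100.7
ICMP TTL:119 TOS:0x0 ID:11551 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:1  ECHO
"""

# One regex per line type of a full-alert block.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
IP_RE = re.compile(
    r"^(\S+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(?: (DF))?$"
)
TCP_RE = re.compile(
    r"^(\S+) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)\s+Win: 0x([0-9A-Fa-f]+)\s+TcpLen: (\d+)$"
)
XREF_RE = re.compile(r"^\[Xref => (.+?)\]$")


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); ICMP alerts carry no port.
    IPv4 only: an IPv6 literal would be split at its last colon."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def _parse_block(lines: List[str]) -> Optional[Dict[str, object]]:
    """Turn the lines of one alert block into a dict; None if not an alert."""
    m = HEADER_RE.match(lines[0])
    if not m:
        return None  # banner or other non-alert text, skip it
    alert: Dict[str, object] = {
        "gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
        "msg": m.group(4), "classification": None, "priority": None,
        "timestamp": None, "src": None, "src_port": None,
        "dst": None, "dst_port": None, "proto": None, "ttl": None,
        "tos": None, "ip_id": None, "dgm_len": None, "df": False,
        "tcp_flags": None, "seq": None, "ack": None, "window": None,
        "xrefs": [],
    }
    for line in lines[1:]:
        if (m := CLASS_RE.match(line)):
            alert["classification"], alert["priority"] = m.group(1), int(m.group(2))
        elif (m := FLOW_RE.match(line)):
            alert["timestamp"] = m.group(1)
            alert["src"], alert["src_port"] = split_endpoint(m.group(2))
            alert["dst"], alert["dst_port"] = split_endpoint(m.group(3))
        elif (m := IP_RE.match(line)):
            alert["proto"], alert["ttl"] = m.group(1), int(m.group(2))
            alert["tos"], alert["ip_id"] = int(m.group(3), 16), int(m.group(4))
            alert["dgm_len"], alert["df"] = int(m.group(6)), m.group(7) == "DF"
        elif (m := TCP_RE.match(line)):
            alert["tcp_flags"] = m.group(1)
            alert["seq"], alert["ack"] = int(m.group(2), 16), int(m.group(3), 16)
            alert["window"] = int(m.group(4), 16)
        elif (m := XREF_RE.match(line)):
            alert["xrefs"].append(m.group(1))
        # Anything else (e.g. the ICMP Type/Code line) is left unparsed.
    return alert


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Split a full-alert file on blank lines and parse each block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if lines and (alert := _parse_block(lines)) is not None:
            alerts.append(alert)
    return alerts


def summarize(alerts: List[Dict[str, object]]) -> Dict[int, Tuple[str, int]]:
    """Count alerts per sid: {sid: (msg, count)}."""
    out: Dict[int, Tuple[str, int]] = {}
    for a in alerts:
        msg, n = out.get(a["sid"], (a["msg"], 0))
        out[a["sid"]] = (msg, n + 1)
    return out


if __name__ == "__main__":
    for sid, (msg, n) in sorted(summarize(parse_alerts(SAMPLE_ALERTS)).items()):
        print(f"sid {sid:>6}  x{n}  {msg}")
```

The parser handles the multi-line "full" format only; the one-line alert_fast format and the optional year field that `-y` adds to the timestamp are not covered, and endpoints are split as IPv4 host:port.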