[Snort-users] Snort on Windows not Alerting

afischer at ...13701...
Mon Feb 13 09:27:03 EST 2006


Thank you for the reply. I am a bit confused though. Primarily because
the same setup, as far as software installation goes, using the same
command line parameters, works fine on an unpatched XP Pro box. Secondly,
I have some questions about your responses.

>> Looking at your start line (keep in mind this OVERRIDES YOUR
>> SNORT.CONF) you're only logging.

Doesn't the "-A full" parameter set the ALERT mode? And if it is the
default, then it shouldn't matter whether I specify it or not. I use
this parameter on an unpatched XP box with no issues. I removed the
option on the patched box and unfortunately that did not make a
difference.

>> You may want to remove the -K option as this states to log all output
>> to an ascii file.

I have yet to see ANY information be output to a log file on my patched
box, even though I can watch captured traffic fly by in the DOS window.
I'm looking in C:\Snort\log. I also removed the "-K" option and ran Snort
again; no log files were created, pcap format or otherwise.

A couple of other things to point out are that I am testing this from one
computer only, i.e. I've got Snort running on a PC with the HOME_NET
variable set to "any" (I also tried specifying my own IP with a /24
subnet), and I'm testing traffic that Snort should alert on from the
same PC.

When I stop Snort from running on the command line I can scroll up a bit
and see the following...

	Action Stats:
	ALERTS: 0
	LOGGED: 0
	PASSED: 0

The last line that I see displayed upon stopping Snort reads,
	"pcap_loop: read error: PacketReceivePacket failed"

But I also see this when successfully testing from my unpatched version
of XP, which happens to be running on VirtualPC. Perhaps the "VirtualPC"
part also throws another variable into the equation?

--
Anthony Fischer


-----Original Message-----
From: Our World Is Here [mailto:info at ...2282...] 
Sent: Saturday, February 11, 2006 6:49 AM
To: Anthony Fischer
Subject: RE: [Snort-users] Snort on Windows not Alerting

Looking at your start line (keep in mind this OVERRIDES YOUR SNORT.CONF)
you're only logging.

My guess is you have no alert output defined.  Your command line is a
default option and is not required on the command line.

"-A full Full alert mode. This is the default alert mode and will be
used automatically if you do not specify a mode."

You may want to remove the -K option as this states to log all output to
an ascii file.

As for alerts, what is the output type for your alerts? Review the
Snort manual or snort.conf if you are unclear what the difference
between logging and alerting is; yes, you can use both.


Cheers,

James Friesen, CIO

Lucretia Enterprises
"Our World Is Here..."

> -----Original Message-----
> From: afischer at ...13701... [mailto:afischer at ...13701...]
> Sent: Friday, February 10, 2006 10:03 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort on Windows not Alerting
>
> I've seen one or two posts on the net with someone having the same 
> problem that I am experiencing, but no replies. So hopefully I have 
> better luck here! :)
>
> I have installed Snort version 2.4.3 on a Windows XP Professional box
> and cannot seem to get it to alert. I have also installed Ethereal
> version 0.10.14, which installs WinPcap version 3.1.
>
> I can start Snort from a command line by typing the following from the
> C:\Snort\bin directory: "snort.exe -c "C:\Snort\etc\snort.conf" -K
> ascii -l "C:\Snort\log" -A full -I 4 -d -e -X"
>
> When I stop Snort, I can see in the statistics that Snort has seen
> traffic, and I can run Snort in verbose mode and watch packets fly by,
> so I'm confident that Snort is actually seeing the traffic that I am
> sending; it's just not alerting on anything, because when I go into the
> C:\Snort\log directory there's nothing there, even though I have rules
> enabled and put rules in the C:\Snort\rules directory.
>
> Any thoughts? I can provide my snort.conf file. Can I send attachments
> to the mailing list, or do I have to paste the contents into the body?
>
> --
> Anthony Fischer
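
A minimal Snort 2.x configuration that exercises both the alert path and the packet-log path, added here as a worked example; it is not taken from the thread or from the Snort distribution. The paths follow the C:\Snort layout used above, but the output file names, the local.rules file and the sid 1000001 are my own choices, and the ICMP rule is deliberately noisy so that a single ping proves the whole pipeline end to end.

```conf
# Minimal snort.conf for verifying that alerting works (Snort 2.4.x syntax).
# Assumed layout: C:\Snort\etc\snort.conf, C:\Snort\rules, C:\Snort\log.

var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH C:\Snort\rules

# Alert output: one line per alert, written to <logdir>\alert.ids.
# Caveat: any -A given on the command line overrides every "output alert_*"
# line in this file, which is why the thread says the start line "overrides
# your snort.conf".
output alert_fast: alert.ids

# Packet-log output: binary pcap written to <logdir>\snort.log.<epoch>.
# A -K on the command line overrides this line in the same way, and -l
# overrides the log directory.
output log_tcpdump: snort.log

# The only rule file loaded; its contents are shown below.
include $RULE_PATH/local.rules

# ---- contents of C:\Snort\rules\local.rules (assumed file) ----
# One rule that fires on any ICMP packet in either direction, so one ping from
# a second host produces exactly one alert line and one logged packet.
# sid 1000001 is inside the range reserved for local rules.
#
# alert icmp any any -> any any (msg:"LOCAL ICMP test"; sid:1000001; rev:1;)
```

To run it, first list the capture interfaces with `snort.exe -W` from C:\Snort\bin and note the index of the real NIC, then start Snort with `snort.exe -c C:\Snort\etc\snort.conf -l C:\Snort\log -i <index>`. Lowercase `-i` selects the interface; uppercase `-I` only adds the interface name to alert output. Leaving `-A` and `-K` off the command line lets the two `output` lines above take effect; adding `-A console` instead prints each alert to the window, which is the quickest way to see whether the rule fires at all. Send the test ping from a different machine: WinPcap 3.x does not capture loopback traffic, so packets sent from the Snort host to itself never reach the sniffer, and the "Action Stats" ALERTS counter stays at 0 no matter what the configuration says.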
