[Snort-users] Snort on Windows starts but doesn't create any alerts

Max Williams Max.Williams at ...14855...
Fri Apr 30 09:11:22 EDT 2010


OK, I tried with the -i switch specifying either of the two interfaces and it makes no difference, still no alerts.
I also tried tcpdump mode (-b) and I can see the dump file it creates but this file doesn’t get bigger than 1kb even though it should have thousands of packets logged in the space of time that it was running.

I can see in the output after Ctrl-C that snort has captured some packets:
<snip>
Breakdown by protocol (includes rebuilt packets):
      ETH: 8721       (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 8430       (96.663%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 6914       (79.280%)
      UDP: 1506       (17.269%)
     ICMP: 10         (0.115%)
  TCPdisc: 0          (0.000%)
<snip>

Maybe this is a Winpcap issue?
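As an added example that is not part of the thread, the following Python checker turns the two observations above (a non-zero "Breakdown by protocol" block and a -b log that stays at about 1 KB) into a mechanical test of which layer is failing. It parses the counter lines Snort prints on exit and, given the size of the tcpdump-mode log file, compares that size against the smallest pcap file that could hold the counted frames (24-byte libpcap global header plus a 16-byte record header per packet, before any frame bytes at all). The sample block is constructed from the counts in the post; the function names and the `log_size` parameter are this example's own.

```python
"""Sanity-check a Snort run summary and its tcpdump-mode (-b) log.

Parses the "Breakdown by protocol" block Snort prints on exit and decides
whether the capture layer (interface / WinPcap), the logging layer, or the
detection layer (rules, HOME_NET, output) is the more likely reason for
"starts but no alerts".
"""
import re

# Constructed sample: the counters quoted in the mailing-list post.
SAMPLE_SUMMARY = """\
Breakdown by protocol (includes rebuilt packets):
      ETH: 8721       (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
      IP4: 8430       (96.663%)
  IP4disc: 0          (0.000%)
      TCP: 6914       (79.280%)
      UDP: 1506       (17.269%)
     ICMP: 10         (0.115%)
  TCPdisc: 0          (0.000%)
"""

# One counter line: "<name>: <count> (<percent>%)". Names may contain spaces
# ("IP6 EXT", "TCP 6") or a hyphen ("ICMP-IP"); the heading line has no
# "<count> (<percent>%)" tail and therefore does not match.
_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9 \-]*?):\s+(\d+)\s+\(([\d.]+)%\)\s*$")

PCAP_GLOBAL_HEADER = 24   # bytes: libpcap file header
PCAP_RECORD_HEADER = 16   # bytes: per-packet record header, before the frame itself


def parse_breakdown(text):
    """Return {counter name: packet count} for every counter line in the summary."""
    counts = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def min_pcap_bytes(packet_count):
    """Smallest possible pcap file holding packet_count records (zero-length frames)."""
    return PCAP_GLOBAL_HEADER + packet_count * PCAP_RECORD_HEADER


def diagnose(counts, log_size=None):
    """Classify where the pipeline broke.

    counts   -- output of parse_breakdown()
    log_size -- size in bytes of the -b log file, or None if no -b run was done
    Returns (layer, explanation), where layer is one of
    "capture", "logging" or "detection".
    """
    eth = counts.get("ETH", 0)
    ip = counts.get("IP4", 0) + counts.get("IPV6", 0)
    if eth == 0:
        return ("capture",
                "no frames captured: check the -i interface (snort -W lists them) "
                "and that the WinPcap driver is loaded")
    if ip == 0:
        return ("capture",
                f"{eth} frames but no IP packets decoded: probably the wrong interface")
    if log_size is not None and log_size < min_pcap_bytes(eth):
        return ("logging",
                f"{eth} frames counted but the log is {log_size} bytes, below the "
                f"{min_pcap_bytes(eth)}-byte pcap minimum: packets are not being written")
    return ("detection",
            f"{ip} IP packets decoded and logged; look at the rules, "
            "HOME_NET/EXTERNAL_NET and the -A/-l output configuration")


if __name__ == "__main__":
    stats = parse_breakdown(SAMPLE_SUMMARY)
    # 1024 bytes stands in for the "doesn't get bigger than 1kb" observation.
    layer, why = diagnose(stats, log_size=1024)
    print(f"[{layer}] {why}")
```

Run against the numbers in the post, the check lands on "logging": 8721 counted frames need at least 139,560 bytes of pcap headers alone, so a log that never grows past 1 KB shows the frames are counted but never reach the output path, which points away from rules and HOME_NET and toward the capture or write side. With no -b size supplied the same counts come back as "detection", which is the case to investigate when the pcap log does grow normally.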


From: Joel Esler [mailto:jesler at ...1935...]
Sent: 30 April 2010 13:00
To: Max Williams
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort on Windows starts but doesn't create any alerts

Looks like you are not specifying an interface to sniff on. Try that.
--
Sent from my iPad
AIM: eslerjoel

On Apr 30, 2010, at 6:16 AM, Max Williams <Max.Williams at ...14855...> wrote:
Hi,
I am new to snort but have got it running on Linux hosts with no problems. I have an issue with Windows 2008 though. I can start snort but it just doesn’t register any alerts:

c:\Snort\bin>snort.exe -c c:\Snort\etc\snort.conf -l C:\Snort\log -A console

<snip>

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 422
| Patterns         : 129205
| Pattern Chars    : 1125821
| Num States       : 769140
| Num Match States : 116175
| Memory           :   18.72Mbytes
|   Patterns       :   4.03M
|   Match Lists    :   5.48M
|   Transitions    :   9.11M
+-------------------------------------------------
[ Number of null byte prefixed patterns trimmed: 16976 ]

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6-ODBC-MySQL-FlexRESP-WIN32 IPv6 GRE (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC (IPV6)  Version 1.1  <Build 5>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
Not Using PCAP_FRAMES

While it's running as above I've tried pinging the host with large packets and various nmap scans, which all register alerts on the Linux hosts, but on Windows nothing is printed on the console. I've got the latest rules.
Can someone give me some pointers on how to troubleshoot this further?
TIA and Best Regards,
Max Williams
