[Snort-users] Windows snort in amazon aws

Vinson, John john.vinson at ...17715...
Tue Jan 3 09:37:43 EST 2017


I'm setting up a snort instance on Amazon AWS EC2 instance. I have a Windows install running Snort / Barnyard2 this server is running the following windows cmd line:

C:\IDS\Snort\bin>snort -c C:\IDS\Snort\etc\snort.conf -l C:\IDS\Snort\log -p -i1

I have applied several test rules to just generate some traffic to the Windows box. I need to run with promiscuous mode disabled due to the AWS network environment.
I run the setup and do not see any packet activity. I can run a similar setup and generate activity in packet logging mode or print to stdout (-A console), but there is no data being logged as an IDS.my confirmation of this is the merged.log.[timestamp] file does not grow once the snort process has been started. Branyard2 finds the merged.log.[timestamp] file and tracks it using the barnyard2.waldo file but neither file grows. The exiting statistics for barnyard2 are all 0's. Snort reports that 80-97% of its packets have a bad checksum during its exiting statistics.

I have an Ubuntu server 16.04 as well hosting a MySQL database and the Ruby on rails front end Snorby for processing the snort data.

Barnyard functions normally but is not seeing any packets from snort. I'm using the Unified2 output specified in the snort.conf file

My goal is just to track network packets that are sent to this one windows server with snort installed. I do not need to monitor more than this.
Dou you have any recommendations for running Snort in AWS environment? I have replicated this exact setup in an on-premise virtual lab and saw everything work as expected.


John Vinson
This message may contain confidential or privileged information and is intended only for the individuals addressed in the body of the email. Nothing in this message shall be construed as making or accepting an offer to form a contract unless this message is followed by a written signed confirmation. If you have received this message in error, please notify the sender and then delete the message and all copies. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170103/3cdca07b/attachment.html>

More information about the Snort-users mailing list