
| Subject: | RE: [Snort-users] Snort on Windows not Alerting |
|---|---|
| Date: | Mon, 13 Feb 2006 09:26:50 -0800 |
Thank you for the reply. I am a bit confused though. Primarily because the same setup as far as software installation goes, and using the same command line parameters, works fine on an unpatched XP Pro box. Secondly I have some questions about your responses.

> Looking at your start line (keep in mind this OVERRIDES YOUR
> SNORT.CONF) you're only logging.

Doesn't the "-A full" parameter set the ALERT mode? And if it is the default, then it shouldn't matter whether I specify it or not. I use this parameter on an unpatched XP box with no issues. I removed the option on the patched box and unfortunately that did not make a difference.

> You may want to remove the -K option as this states to log all output
> to an ascii file.

I have yet to see ANY information be output to a log file on my patched box, even though I can watch captured traffic fly by in the DOS window. I'm looking in C:\Snort\log. I also removed the "-K" option, ran Snort again, and no log files were created, pcap format or otherwise.

A couple of other things to point out: I am testing this from one computer only, i.e. I've got Snort running on a PC with the HOME_NET variable set to "any" (also tried specifying my own IP with a /24 subnet), and I'm testing traffic that Snort should alert on from the same PC.

When I stop Snort from running on the command line I can scroll up a bit and see the following...

Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0

The last line that I see displayed upon stopping Snort reads,
"pcap_loop: read error: PacketReceivePacket failed"

But I also see this when successfully testing from my unpatched version of XP, which happens to be running on VirtualPC. Perhaps the "VirtualPC" part also throws another variable into the equation?

--
Anthony Fischer
-----Original Message-----
From: Our World Is Here [mailto:info@lucretia.ca]
Sent: Saturday, February 11, 2006 6:49 AM
To: Anthony Fischer
Subject: RE: [Snort-users] Snort on Windows not Alerting
Looking at your start line (keep in mind this OVERRIDES YOUR SNORT.CONF) you're only logging.

My guess is you have no alert output defined. Your command line is a default option and is not required on the command line.

"-A full Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode."

You may want to remove the -K option as this states to log all output to an ascii file.

As for alerts, what is the output type for your alerts? Review the snort manual or snort.conf if you are unclear what the difference between logging and alerting is; yes, you can use both.
Cheers,
James Friesen, CIO
Lucretia Enterprises
"Our World Is Here..."
-----Original Message-----
From: afischer@frontporch.com [mailto:afischer@frontporch.com]
Sent: Friday, February 10, 2006 10:03 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort on Windows not Alerting

I've seen one or two posts on the net with someone having the same problem that I am experiencing, but no replies. So hopefully I have better luck here! :)

I have installed Snort version 2.4.3 on a Windows XP Professional box and cannot seem to get it to alert. I have also installed Ethereal version 0.10.14 which installs WinPcap version 3.1.

I can start Snort from a command line by typing the following from the C:\Snort\bin directory:

"snort.exe -c "C:\Snort\etc\snort.conf" -K ascii -l "C:\Snort\log" -A full -I 4 -d -e -X"

When I stop Snort, I can see in the statistics that Snort has seen traffic, and I can run Snort in verbose mode and watch packets fly by, so I'm confident that Snort is actually seeing the traffic that I am sending; it's just not alerting on anything, because when I go into the C:\Snort\log directory there's nothing there even though I have rules enabled and put rules in the C:\Snort\rules directory.

Any thoughts? I can provide my snort.conf file. Can I send attachments to the mailing list or do I have to paste the contents into the body?

--
Anthony Fischer
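The two questions this thread turns on (where alerts go when -A is given on the command line, and whether snort.conf defines any output plugin at all) can be checked mechanically before Snort is even started. The script below is an added example, not code from the thread or from the Snort project. The argv list mirrors the shape of the poster's command line, the two snort.conf fragments are constructed for the example, and the audit applies the rule stated in the reply: a command-line -A overrides whatever output plugins snort.conf defines. The table of value-taking switches covers only the Snort 2.x options used here.

```python
import re

# Constructed inputs for this example. The argv mirrors the shape of the
# command line posted in the thread; the snort.conf fragments are made up here.
SNORT_ARGV = ["snort.exe", "-c", r"C:\Snort\etc\snort.conf", "-K", "ascii",
              "-l", r"C:\Snort\log", "-A", "full", "-d", "-e", "-X"]

CONF_NO_OUTPUT = """\
var HOME_NET any
var EXTERNAL_NET any
# output alert_fast: alert.ids        <- commented out, so no alert sink
include $RULE_PATH/local.rules
"""

CONF_WITH_OUTPUT = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
output alert_fast: alert.ids
output log_tcpdump: snort.log
include $RULE_PATH/local.rules
"""

# Snort 2.x switches that consume the following token as their value.
OPTS_WITH_VALUE = {"-c", "-l", "-A", "-K", "-i", "-h", "-r"}


def parse_argv(argv):
    """Map each switch to its value (True for bare flags); tokens that are
    not switches are collected under 'positional'."""
    opts = {}
    tokens = argv[1:]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPTS_WITH_VALUE:
            opts[tok] = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 2
        elif tok.startswith("-"):
            opts[tok] = True
            i += 1
        else:
            opts.setdefault("positional", []).append(tok)
            i += 1
    return opts


def output_plugins(conf_text):
    """Return (plugin, args) for every uncommented 'output' directive."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"output\s+(\w+)\s*:?\s*(.*)$", line)
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found


def home_net(conf_text):
    """Value of the HOME_NET variable, or None if it is not set."""
    m = re.search(r"^\s*(?:ip)?var\s+HOME_NET\s+(\S+)", conf_text, re.M)
    return m.group(1) if m else None


def audit(argv, conf_text):
    """Report where alerts will go and flag setups that produce none.
    Rule from the thread: a command-line -A overrides the output plugins
    configured in snort.conf."""
    opts = parse_argv(argv)
    plugins = output_plugins(conf_text)
    net = home_net(conf_text)
    findings = []

    if "-A" in opts:
        sink = "-A %s (command line overrides snort.conf output plugins)" % opts["-A"]
    elif plugins:
        sink = "snort.conf: " + ", ".join(name for name, _ in plugins)
    else:
        sink = None
        findings.append("no alert sink: no -A on the command line and no "
                        "output plugin in snort.conf")

    if "-K" in opts and "-l" not in opts:
        findings.append("-K chooses a log format but no -l log directory is set")
    if net is None:
        findings.append("HOME_NET is not defined")
    elif net == "any":
        findings.append("HOME_NET is 'any': rules match in both directions, "
                        "which is fine for a test but noisy in production")

    return {"alert_sink": sink, "log_dir": opts.get("-l"),
            "home_net": net, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("no output plugin", CONF_NO_OUTPUT),
                        ("with output plugins", CONF_WITH_OUTPUT)):
        print(label, audit(SNORT_ARGV, conf))
```

To run it against a real installation, read the actual snort.conf into a string and pass it to `audit` together with the command line you start Snort with; an empty `findings` list and a non-empty `alert_sink` mean at least one alert destination is configured, which is the precondition the reply asks the poster to verify.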