Snort mailing list archives

RE: SNORT newbie looking for some help with Snort on Win2k


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Wed, 15 May 2002 12:04:12 -0400

I've had mixed success with IDSCenter as well.  I have, however, had no trouble at all with Snort.Panel by Xato.  Works like a charm.
 
<lame_os_plug>
Incidentally, I've had the best success of all by moving Snort to a different platform!
</lame_os_plug>
 
Sorry about that...
 
Cheers
 
Keith

-----Original Message-----
From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
Sent: Wednesday, May 15, 2002 11:20 AM
To: 'Richard Roy'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k


Lots of weird issues with that IDS center.  Not 100% certain, but seems that most individuals resort to command line in order to get snort to work on win2k...at least that is how I managed to get it to function correctly

-----Original Message-----
From: Richard Roy [mailto:royr () justicetrax com]
Sent: Wednesday, May 15, 2002 8:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on Win2k



I set up SNORT using IDSCentre and tested the config using the applet.  I received no error messages, the SNORT window is minimized and things appear to work, yet there are no alerts, no log entries, nothing.  I know we are under hits all the time, my firewall reports blocking them.

Setup:
W2K Pro p3 733.  On a hub with router and firewall external interface.  I have 64 public IP's and I'd like to scan the range if possible.  I am including the following.

From IDSCentre the command line it fires, the snort.conf file and the screen output from the minimized snort window.  I can't quite figure out what is wrong.  Another set of eyes looking at this is what I am hoping someone will do and see a problem.

TIA for your help 

Rich 
PS Sorry it is a long post, but I did not want to do an attachment. 

[Begin config] 
[************cmd line*********] 
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y

[*NOTE, yes I blanked out my IP above.  It is a public IP*] 


[***********snort.conf**************] 
#-------------------------------------------------- 
#   http://www.activeworx.com Snort 1.8.6 Ruleset 
#     IDS Policy Manager Version: 1.3 Build(31) 
# Current Database Updated -- May 10, 2002 10:55 AM 
#-------------------------------------------------- 
# 
## Variables 
## --------- 
#var HOME_NET 10.1.1.0/24 
#var HOME_NET $eth0_ADDRESS 
#var HOME_NET [10.1.1.0/24,192.168.1.0/24] 
var HOME_NET any 
var EXTERNAL_NET any 
var SMTP $HOME_NET 
var HTTP_SERVERS $HOME_NET 
var SQL_SERVERS $HOME_NET 
var DNS_SERVERS $HOME_NET 
#var RULE_PATH ./ 
var RULE_PATH c:\snort\rules 
var SHELLCODE_PORTS !80 
#var SPADEDIR . 
# 
## Preprocessor Support 
## -------------------- 
preprocessor http_decode: 80 -cginull -unicode 
preprocessor rpc_decode: 111 32771 
preprocessor bo: 
preprocessor stream4: detect_scans 
preprocessor stream4_reassemble 
preprocessor portscan: $HOME_NET 4 3 portscan.log 
#preprocessor portscan-ignorehosts: 0.0.0.0 
preprocessor frag2 
preprocessor telnet_decode 
# 
# 
## Output Modules 
## -------------- 
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test 
output CSV: log default 
output log_tcpdump: snorttcp.log 
#output xml: Log, file=/var/log/snortxml 
output log_unified: filename snort.log, limit 128 
# 
#output alert_syslog: LOG_AUTH LOG_ALERT 
#output alert_unified: filename snort.alert, limit 128 
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener 
# 
## Custom Rules 
## ------------ 
ruletype suspicious 
{ 
 type log 
 output log_tcpdump: suspicious.log 
} 
ruletype redalert 
{ 
 type alert 
 output alert_syslog: LOG_AUTH LOG_ALERT 
# output database: log, mysql, user=snort dbname=snort host=localhost 
} 
#ruletype <New_Custom_Rules> 
#{ 
#} 
# 
## Include Files 
## ------------- 
include classification.config 
# 
include $RULE_PATH/bad-traffic.rules 
include $RULE_PATH/exploit.rules 
include $RULE_PATH/scan.rules 
include $RULE_PATH/finger.rules 
include $RULE_PATH/ftp.rules 
include $RULE_PATH/telnet.rules 
include $RULE_PATH/smtp.rules 
include $RULE_PATH/rpc.rules 
include $RULE_PATH/rservices.rules 
include $RULE_PATH/dos.rules 
include $RULE_PATH/ddos.rules 
include $RULE_PATH/dns.rules 
include $RULE_PATH/tftp.rules 
include $RULE_PATH/web-cgi.rules 
include $RULE_PATH/web-coldfusion.rules 
include $RULE_PATH/web-iis.rules 
include $RULE_PATH/web-frontpage.rules 
include $RULE_PATH/web-misc.rules 
include $RULE_PATH/web-attacks.rules 
include $RULE_PATH/sql.rules 
include $RULE_PATH/x11.rules 
include $RULE_PATH/icmp.rules 
include $RULE_PATH/netbios.rules 
include $RULE_PATH/misc.rules 
include $RULE_PATH/attack-responses.rules 
include $RULE_PATH/backdoor.rules 
include $RULE_PATH/shellcode.rules 
include $RULE_PATH/policy.rules 
include $RULE_PATH/porn.rules 
include $RULE_PATH/info.rules 
include $RULE_PATH/icmp-info.rules 
include $RULE_PATH/virus.rules 
#include $RULE_PATH/experimental.rules 
include $RULE_PATH/local.rules 


[*********Snort Screen*************]

Log directory = c:\snort\log 

Initializing Network Interface \ 

        --== Initializing Snort ==-- 
Decoding Ethernet on interface \Device\Packet_NdisWanIp 
Initializing Preprocessors! 
Initializing Plug-ins! 
Initializating Output Plugins! 
Parsing Rules file c:\snort\snort.conf 

+++++++++++++++++++++++++++++++++++++++++++++++++++ 
Initializing rule chains... 
Stream4 config: 
    Stateful inspection: ACTIVE 
    Session statistics: INACTIVE 
    Session timeout: 30 seconds 
    Session memory cap: 8388608 bytes 
    State alerts: INACTIVE 
    Scan alerts: ACTIVE 
    Log Flushed Streams: INACTIVE 
No arguments to stream4_reassemble, setting defaults: 
     Reassemble client: ACTIVE 
     Reassemble server: INACTIVE 
     Reassemble ports: 21 23 25 53 80 143 110 111 513 
     Reassembly alerts: ACTIVE 
     Reassembly method: FAVOR_OLD 
Using GMT time 
No arguments to frag2 directive, setting defaults to: 
    Fragment timeout: 60 seconds 
    Fragment memory cap: 4194304 bytes 
ProcessFileOption: c:\snort\log/log 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
980 Snort rules read... 
980 Option Chains linked into 100 Chain Headers 
0 Dynamic rules 
+++++++++++++++++++++++++++++++++++++++++++++++++++ 

Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert

        --== Initialization Complete ==-- 

-*> Snort! <*- 
Version 1.8-WIN32 (Build 103) 
By Martin Roesch (roesch () sourcefire com, www.snort.org) 
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike) 
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com) 
          (based on code from 1.7 port) 

[End config] 
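As an added example (not part of the thread, and not anyone's posted code): a small Python checker that reads the kind of command line, snort.conf excerpt and startup screen Rich posted and reports the settings that most often explain "Snort runs but nothing is logged". The inputs are constructed stand-ins for his three artifacts, with 192.0.2.10 (a documentation-range address) in place of the blanked-out public IP; the function names and the switch table are mine. It relies on three facts about Snort 1.8: `-h` overrides `var HOME_NET` from the conf, `-b` switches packet logging to tcpdump binary from the command line (the WARNING lines in the screen output), and the Win32 build lists capture adapters with `snort -W`. The `\Device\Packet_NdisWanIp` name that `-i 1` selected in the posted output is the NDISWAN (RAS/dial-up) pseudo-adapter, which is why the interface check flags it.

```python
"""Sanity-check a Snort 1.8 Win32 launch for settings that commonly explain
"Snort runs but produces no alerts".  Added example; the inputs below are
constructed stand-ins for the command line, snort.conf and startup screen
quoted in the original post, not the poster's real files."""
import ipaddress
import re

# Constructed: the posted command line, with 192.0.2.10 (documentation range)
# standing in for the blanked-out public IP.
CMD_LINE = (
    r'c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" '
    r'-h 192.0.2.10/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y'
)

# Constructed excerpt of the posted snort.conf (variables and output section).
SNORT_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
output CSV: log default
output log_tcpdump: snorttcp.log
output log_unified: filename snort.log, limit 128
#output alert_syslog: LOG_AUTH LOG_ALERT
"""

# Constructed excerpt of the posted startup screen.
STARTUP_BANNER = r"""Log directory = c:\snort\log
Decoding Ethernet on interface \Device\Packet_NdisWanIp
Initializing Preprocessors!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
"""

# Switches that consume the following token as their argument.
# Assumption: enough for this command line, not a complete Snort option table.
SWITCHES_WITH_ARG = {"-c", "-l", "-h", "-i", "-G", "-A", "-r"}


def parse_cmdline(cmd):
    """Split a Snort command line into (exe, {switch: argument-or-None}).

    Quoted Windows paths stay whole; backslashes are not treated as escapes."""
    tokens = re.findall(r'"[^"]*"|\S+', cmd)
    exe, opts, i = tokens[0], {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in SWITCHES_WITH_ARG and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1].strip('"')
            i += 2
        else:
            opts[tok] = None
            i += 1
    return exe, opts


def check_home_net(home_net, address_count):
    """-h overrides 'var HOME_NET' in snort.conf, so a /32 shrinks the monitored
    range to one host; report when the prefix cannot hold address_count hosts."""
    if home_net == "any":
        return None
    net = ipaddress.ip_network(home_net, strict=False)
    if net.num_addresses < address_count:
        needed = 32 - (address_count - 1).bit_length()   # smallest prefix that fits
        return (f"HOME_NET {home_net} covers {net.num_addresses} address(es) but "
                f"{address_count} are in use; a /{needed} (or 'any') covers the range")
    return None


def check_interface(banner):
    """The 'Decoding Ethernet on interface' line names the adapter that -i picked."""
    m = re.search(r"Decoding Ethernet on interface (\S+)", banner)
    if not m:
        return "startup output never names a capture interface"
    name = m.group(1)
    if "NdisWan" in name:
        return (f"{name} is the NDISWAN (RAS/dial-up) pseudo-adapter, not a LAN NIC; "
                "list adapters with 'snort -W' and pass the NIC's number to -i")
    return None


def check_binary_logging(opts, banner):
    """-b selects tcpdump-binary packet logging from the command line; that is
    what the WARNING lines in the banner announce (one per overridden module)."""
    if "-b" in opts and "command line overrides rules file logging plugin" in banner:
        return ("-b overrides the 'output' log modules in snort.conf (hence the WARNING); "
                "packets go to a binary tcpdump file under -l, not a readable text log")
    return None


def check_alert_output(opts, conf):
    """With no active 'output alert_*' module and no -A/-s, Snort falls back to
    its default full-text alert file in the -l directory."""
    active = [ln.strip() for ln in conf.splitlines() if not ln.lstrip().startswith("#")]
    if any(ln.startswith("output alert_") for ln in active) or "-A" in opts or "-s" in opts:
        return None
    return ("no alert output module is active, so alerts can only appear in the default "
            "text alert file inside the -l directory; look there rather than in snort.log")


def run_checks(cmd=CMD_LINE, conf=SNORT_CONF, banner=STARTUP_BANNER, address_count=64):
    """Return the list of findings for one launch; an empty list means nothing obvious."""
    _, opts = parse_cmdline(cmd)
    findings = [
        check_interface(banner),
        check_home_net(opts.get("-h") or "any", address_count),
        check_binary_logging(opts, banner),
        check_alert_output(opts, conf),
    ]
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in run_checks():
        print("-", finding)
```

Run against the constructed inputs it reports four findings: the dial-up pseudo-adapter chosen by `-i 1`, a `/32` HOME_NET against a 64-address (/26) range, `-b` overriding the conf's output modules, and the absence of any active alert output module. The interface one is the check to clear first, since a sensor bound to the wrong adapter sees no traffic no matter how the rest is configured.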