Snort mailing list archives
RE: Snort Event Ids on win2000
From: "Michael Steele" <michaels () winsnort com>
Date: Wed, 28 May 2003 07:45:18 -0700
C,

This is normal, why, don't ask me but I see this all the time. My best guess is in the way the Service is installed?

Here is my log:

The description for Event ID ( 1 ) in Source ( snort ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: [1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 68.54.249.224:1499 -> 192.168.1.100:80.

In other words, Snort is functioning and this is a normal operation. Snort has been like this for, well, since the Service option was added to Snort for Windows.

Cheers...

-Michael Steele
--
System Engineer / Security Support Technician
mailto:michaels () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Joe Kinsella
Sent: Wednesday, May 28, 2003 6:06 AM
To: 'C Wells'; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Snort Event Ids on win2000

If you use the -E parameter, Snort logs to the Application event log under a source called SnortService. However, I still am unclear how this is supposed to work since it does not appear as though the Snort install on Windows registers a message resource DLL. So even when I log to the event log, I get the following (note that the Event Viewer cannot properly format the message since it cannot locate a valid resource DLL):

Event Type: Error
Event Source: SnortService
Event Category: None
Event ID: 1
Date: 5/27/2003
Time: 5:55:21 PM
User: N/A
Computer: MYCOMPUTER
Description:
The description for Event ID ( 1 ) in Source ( SnortService ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: [SNORT_SERVICE] Error while adding the Snort service to the Services database. Unrecognized error (1072). The specified service has been marked for deletion.

Have you had any better luck?

-----Original Message-----
From: C Wells [mailto:s2audi () yahoo com]
Sent: Tuesday, May 27, 2003 8:10 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort Event Ids on win2000

Is there documentation of the Snort Event Ids that one could find in the Application Event Log of Windows 2000 ?

If Snort doesn't write to the Event log on win2000 where might I find 'log' type information ?

Thanks

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com

-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software.
http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
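An added example, not part of the original thread and not code from Snort or winsnort.com: because every event arrives as Event ID 1 with no registered description, the usable data is the string after "The following information is part of the event:". This Python sketch separates alert events from service messages and splits an alert into fields; the function names are hypothetical and the two inputs are abridged from the event texts quoted in the messages above.

```python
import re

# Event Viewer prepends its "description cannot be found" text; the string
# Snort actually logged follows this marker sentence.
MARKER = "The following information is part of the event:"

# [gid:sid:rev] msg [Classification: c] [Priority: n]: {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s*)?"
    r"\[Priority:\s*(?P<priority>\d+)\]:?\s*"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+?)\.?\s*$"
)

def split_endpoint(endpoint):
    """Split 'ip:port'; protocols without ports (e.g. ICMP) give port None."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (endpoint, None)

def parse_event(description):
    """Classify one event description as a Snort alert or another message."""
    _, found, tail = description.partition(MARKER)
    payload = (tail if found else description).strip()
    m = ALERT_RE.search(payload)
    if not m:
        # Not an alert, e.g. a [SNORT_SERVICE] service-control error.
        return {"kind": "other", "text": payload}
    f = m.groupdict()
    return {
        "kind": "alert",
        "gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"]),
        "msg": f["msg"], "classification": f["classification"],
        "priority": int(f["priority"]), "proto": f["proto"],
        "src": split_endpoint(f["src"]), "dst": split_endpoint(f["dst"]),
    }

# Inputs abridged from the two event descriptions quoted in the thread.
ALERT_EVENT = (
    "The description for Event ID ( 1 ) in Source ( snort ) cannot be found. "
    "The following information is part of the event: [1:1002:5] WEB-IIS "
    "cmd.exe access [Classification: Web Application Attack] [Priority: 1]: "
    "{TCP} 68.54.249.224:1499 -> 192.168.1.100:80."
)
SERVICE_EVENT = (
    "The description for Event ID ( 1 ) in Source ( SnortService ) cannot be "
    "found. The following information is part of the event: [SNORT_SERVICE] "
    "Error while adding the Snort service to the Services database."
)
```

Filtering on the parsed `sid` and `priority` fields, rather than on the event ID, is what distinguishes one alert from another in this log.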
Current thread:
- RE: Snort Event Ids on win2000 Joe Kinsella (May 28)
- RE: Snort Event Ids on win2000 Michael Steele (May 28)
- <Possible follow-ups>
- RE: Snort Event Ids on win2000 Joe Kinsella (May 28)
- RE: Snort Event Ids on win2000 Michael Steele (May 28)
- Re: Snort Event Ids on win2000 Chris Reid (May 28)
- Re: Snort Event Ids on win2000 Michael A. Davis (May 28)
- RE: Snort Event Ids on win2000 Michael Steele (May 28)