Snort mailing list archives

Corrupt Snort Logging - Win32 Terminal Server 2000


From: Jim Robinson <jim () linux-sp com>
Date: 03 Dec 2003 22:29:34 -0500

Hi,

I am using snort on a Win32 Terminal Server 2000 platform and am having
problems with snort logging strange mixed entries in the log file.  The
other non-Terminal server installs (mixed NT4 and Win2000 Server) all
work just fine.  Here's a snip of what I get:

10.16.32.60:139
12/03/03-21:46:21.536704  [**] [1:538:7]1NETBIOS SMB IPC$ share access
(unicode) [**] [ClassificaETBIOS SMB IPC$ share access (unicodeti[**]
on: Attempted Information Leak$14 -> 10.16.32.60:139
12/03/03-21:48:04.28928912/03/03-21:48:04.289294 [**]  [**] [:1:111:1:]
] NMP public access udp [**] [NMP public access udpC[**]
lClassification: ttempted Information
Leak$                                                                                                                   
                                                         
12/03/03-21:58:04.327276  [**] [[**] 1:1411:3] SNMP public access udp
[**] ublic access udp[[**] Classification: Attempted Information Leak]
[Priority: 2] {UDP} 
10.16.81.$12/03/03-21:58:21.53516212/03/03-21:58:21.535159 [**]  [**]
[:5:538:7] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share
access (unicode) [**] [lassification:
:$                                                                                                                      
                                                      
12/03/03-22:08:04.365115  [**] [[**] [1:1411:3] SNMP public access udp
[**] [Classificcation: Attempted Information Leak] [Prioority: 2] {UDP}
10.16.81.42:1026 -> 10.16.32$12/03/03-22:10:21.534525  [**] [[**]
[1:538:7]  NETBIOS SMB IPC$ share access (unicode) [**] [[**]
Classification:  Attempted Information Leakk] [Priority:  2]  {TCP} 
10.$12/03/03-22:16:24.20597512/03/03-22:16:24.205977 [**]  [**]
[:5:538:] ] ETBIOS SMB IPC$ share access (unicode) [**] S SMB IPC$ share
access (unicode) [**] [lassification: $9
12/03/03-22:16:32.683796  [**] 12/03/03-22:16:32.683800 :4[**]
83:483:2CMP PING CyberKit 2.2 Windows [**] [ClCMP PING CyberKit 2.2
Windows [**] [Classifiioat: on: c activi$.18.220.25 -> 10.16.32.25
12/03/03-22:16:32.840032  [**] [[**] [1:483:2]  ICMP PING CyberKit 2.2
Windows [**] [Classification:  Misc activity] [Priority:  3] {ICMP}
10.18.220.25 -> 10.16.32.3255->
.16.32.35
12/03/03-22:16:33.246272  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows
[**] [C2/03/03-22:16:33.246274  [**] [ssif83:2] onCMP PING CyberKit 2.2
Windows:[**]  Clasc activit$3] {ICMP} 10.18.220.25 -> 10.16.32.61
12/03/03-22:16:33.248385  [**] [1:2192:1] NETBIOS DCERPC
ISystemActivator bind attempt [**] [2/03/03-22:16:33.248386  [**]
[assi192:ationETBIOS DCERPC ISystemActivator bin$.18.220.25:3481 ->
10.16.32.61:135
12/03/03-22:16:33.355616  [**] [1:483:2] 2/03/03-22:16:33.355620ICMP
PING CyberKit 2.2 Windows [**] [Classi2] ICMP PING CyberKit 2.2 Windows
[**] [Con: Misccation: Misc ac$ICMP} 10.18.220.25 -> 10.16.32.68
12/03/03-22:16:35.386720  [**] [[**] [1:483:2] ICMP PING CyberKit 2.2
Windows [**] [[**] Classification:  Misc activity] [Priorityy: 3] 
{ICMP} 10.18.220.25 -> 8.220.25
->$                                                                                                                     
                                                       
12/03/03-22:16:35.87112912/03/03-22:16:35.871125 [**] [1[**] :48383:2]
CMP PING CyberKit 2.2 Windows [**] [CMP PING CyberKit 2.2 WindowsC[**]
lClassification: isc activity$> 10.16.32.230
12/03/03-22:22:21.533306  [**] [[**] [1:538:7] NETBIOS SMB IPC$ share
access (unicode) [**] [Classification: Attempted Information Leak]
[Priority: 2]  {TCP} 
10.16.32.61:$                                                                                                           
                                                                 
I am running the latest build of both Snort for Win32 and WinPcap and
wondered if anyone could shed any light as to what is going on?

Thanks in advance.

jim


