Snort mailing list archives

Windows snort in amazon aws


From: "Vinson, John" <john.vinson () ancile com>
Date: Tue, 3 Jan 2017 14:37:43 +0000

Hello,

I'm setting up a snort instance on an Amazon AWS EC2 instance. I have a Windows install running Snort 2.9.9.0 / Barnyard2. This server is running the following Windows cmd line:

C:\IDS\Snort\bin>snort -c C:\IDS\Snort\etc\snort.conf -l C:\IDS\Snort\log -p -i1

I have applied several test rules to just generate some traffic to the Windows box. I need to run with promiscuous mode disabled due to the AWS network environment.
I run the setup and do not see any packet activity. I can run a similar setup and generate activity in packet logging mode or print to stdout (-A console), but there is no data being logged as an IDS. My confirmation of this is that the merged.log.[timestamp] file does not grow once the snort process has been started. Barnyard2 finds the merged.log.[timestamp] file and tracks it using the barnyard2.waldo file, but neither file grows. The exiting statistics for barnyard2 are all 0s. Snort reports that 80-97% of its packets have a bad checksum during its exiting statistics.

I have an Ubuntu server 16.04 as well hosting a MySQL database and the Ruby on rails front end Snorby for processing 
the snort data.

Barnyard functions normally but is not seeing any packets from snort. I'm using the Unified2 output specified in the snort.conf file.

My goal is just to track network packets that are sent to this one Windows server with snort installed. I do not need to monitor more than this.
Do you have any recommendations for running Snort in an AWS environment? I have replicated this exact setup in an on-premises virtual lab and saw everything work as expected.

Thanks,

John Vinson
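An added check, not part of the message above: this Python script walks a unified2 file such as the merged.log.[timestamp] the post describes and reports whether Snort ever wrote an IDS event record, which separates "Snort never alerted" from "Barnyard2 is not reading". The record layout follows Snort's Unified2_common.h; the inline sample log is constructed, and the optional file path argument is an assumption of this script.

```python
import struct
import sys

# Record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HEADER = struct.Struct(">II")     # record type, record length (network byte order)
EVENT_SIG = struct.Struct(">II")  # signature_id, generator_id at offset 16 of an IDS event

def parse_unified2(data: bytes):
    """Walk a unified2 byte stream; return ({record_type: count}, [(gid, sid), ...]).
    A truncated trailing record (a file Snort is still writing) ends the walk cleanly."""
    counts, sigs, off = {}, [], 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        body = data[off + HEADER.size: off + HEADER.size + rlen]
        if len(body) < rlen:
            break  # partial record at end of file: nothing more to count yet
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype == UNIFIED2_IDS_EVENT and rlen >= 52:
            sid, gid = EVENT_SIG.unpack_from(body, 16)
            sigs.append((gid, sid))
        off += HEADER.size + rlen
    return counts, sigs

def summarize(data: bytes) -> str:
    """One-line verdict on whether Snort actually wrote alerts into the file."""
    counts, sigs = parse_unified2(data)
    events = counts.get(UNIFIED2_IDS_EVENT, 0)
    if events == 0:
        return "no IDS event records: Snort never alerted, so Barnyard2 has nothing to read"
    return f"{events} event(s), {counts.get(UNIFIED2_PACKET, 0)} packet record(s), gid:sid {sigs}"

def build_sample() -> bytes:
    """Constructed sample log: one IDS event (gid 1, sid 1000001) plus its packet record."""
    event = struct.pack(">IIIIIIIIIIIHHBBBB",
                        0, 1, 1483454263, 0,        # sensor_id, event_id, event_second, event_usec
                        1000001, 1, 1, 0, 3,        # signature_id, generator_id, sig_rev, class, priority
                        0x0A000001, 0x0A000002,     # 10.0.0.1 -> 10.0.0.2
                        40000, 80, 6, 0, 0, 0)      # sport, dport, proto TCP, impact_flag, impact, blocked
    payload = b"\x00" * 54 + b"GET / HTTP/1.0\r\n\r\n"  # placeholder Ethernet/IP/TCP headers + data
    packet = struct.pack(">IIIIIII", 0, 1, 1483454263, 1483454263, 0, 1, len(payload)) + payload
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(summarize(blob))
```

If the file holds no event records, the bad-checksum figure in the exit statistics is the first thing to look at: a host capturing its own traffic with NIC checksum offloading enabled will show exactly that pattern, and Snort 2.9 does not pass packets with bad checksums to the detection engine unless checksum verification is relaxed (`-k none` or `config checksum_mode: none`).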