Pantek Library

Re: [Snort-users] catching some alerts, but NOT consistent

From: Jason Brvenik <jasonb(at)sourcefire.com>
Date: Mon Sep 17 2007 - 09:28:15 EDT

  • Where is snort running relative to the attack?
  • Where is the attack being launched from?
  • Can you capture a pcap of the traffic?

Casiano, Jason (Sys Admin) wrote:
> I should add that pipe -i2 -v into find "3389" will detect the connection traffic. It's strange and I cannot get snort to alert for the life of me.
>
> -----Original Message-----
> From: Jason Brvenik [mailto:jasonb@sourcefire.com]
> Sent: Sunday, September 16, 2007 8:44 PM
> To: Casiano, Jason (Sys Admin)
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] catching some alerts, but NOT consistent
>
>
>
> Casiano, Jason (Sys Admin) wrote:
>
>> broadcom BCM5708C
>>
>> Winsrv2k3 wsp2
>>
>> Winpcap 401
>>
>> Snort exec= -cc:\snort\etc\snort.conf -ld:\logs\snort -Kascii -i2
>>
>>
>>
>> I'm using a terminal service request alert to verify snort functionality
>> on my servers, however I've got a couple using the broadcom BCM5708C
>> netextreme 2 adapters that don't seem to report on a term server request,
>> however icmp request report just dandy.
>>
>> Any ideas? I truly would like to iron this out, I've been pulling my hair
>> out for 3 weeks now.
>>
>>




Received on Mon Sep 17 09:29:02 2007

This archive was generated by hypermail 2.1.8 : Mon Oct 08 2007 - 18:07:15 EDT

