[Dshield] Windoze Questions...

Al Reust areust at comcast.net
Fri Feb 13 03:55:55 GMT 2004

Hello John

As I look at the questions, most have been answered by those that have to deal with 
Win32 on a daily basis.

I think the best answer that I can offer is about the performance of Snort 
in the Win32 and Nix environments. I have 5 Win32s and one Nix. The Nix 
machine and Win32 are on comparable hardware. The real difference is how 
vigilant you are with rulesets (or writing quick rules to stay current with 
events). In my case the 6 machines other than one are at remote locations 
and it would take two days to drive to them all (5 DMZs). Over the past three 
years, other than driving like crazy to patch the MS side, they are all 
running and I still own them. The uptime is outstanding.

Watching Windump and comparing the snort.logs tends to show that it (Snort) 
does not lose much (I would attribute that to configuration of the MySQL 
database). I do have one box that is on a network with a bad network card 
and that sometimes causes extra undefined crap and problems.

As long as your database logged entries stay below 100,000 events 
everything works fairly quickly (in my case that is over the last 4/5 
months of history).

While my rulesets are behind the power curve, it did pick up DeadHat (or the 
portions defined by the current ruleset). It showed as a Scan Proxy on 1080 
and Scan Squid Proxy on 3128. The increase in that traffic was the "alert" 
itself. I think that is the key (after eliminating false positives). That, 
along with blocking/locking bad IPs in the ACLs, means they tend to not come 
back. You find the same things happen on a daily basis; what changes is the 
"alert." Any increase in activity means you should take time to look. Yes, I 
do have to live with false positives that I have to deal with (over time 
you learn to filter them visually during that first cup of coffee {this IP 
did this and they refuse to find the answer on how to fix it}).

So as I get ready to upgrade to 2.1.0 and newer versions of PHP, MySQL and 
ACID, I find the performance is adequate.

The basic PC:
Dell GX1 PIII-550, 256 MB of RAM, Win2K Pro.
(Yes, the bus speed is not fast, 100 MHz, nor are the drives.)
Processes are set to "background processes," Snort is run as a service. The 
swap file is a fixed size on a separate partition.
All services that are not necessary are removed and the box is locked 
fairly solid.
Local Policy is set to ensure adequate logging is taken care of.
Despite IIS 5.0 (locked down) for the ACID console, I have not had one 
toppled in over three years.

I have run it on a PII-350 with 128 MB of RAM and did see a few performance 
problems. You can get a backlog of entries into the MySQL database.

If you would like, I would be happy to send a copy of the document on how 
to build it. It provides links to all the components necessary and a 
dialog. It is currently being changed to reflect the update to 2.1.0 (and 
support files). Please contact me offline. Then you can decide.

If, after you have looked, it seems acceptable, I can make an ISO image 
available of the CD that I carry to handle upgrades at remote locations.

The CD has a few extra things like a file to add extra users, a local policy 
that can be imported and a few other simple tools that I like.


At 09:26 AM 2/12/2004 -0500, you wrote:
>As I have said several times before, I am not a windows expert and we use 
>few windows machines in our shop. Thus, I have a few questions about 
>Windows security from a Unix perspective.
>   1) Are there programs equivalent to COPS and Tripwire that run on Windows?
>   2) Anyone running SNORT under Windows? Any comparison to how it runs 
> under *nix?
>   3) Does the most common AV software (Symantec, NAI, etc.) catch 
> keystroke loggers and other spyware (not Adware!) that may be present and 
> running on a Windows system?
>   4) About the Windows encrypted file system... if someone gets Admin 
> privilege on a system using the encrypted file system, can they disclose 
> or compromise data that would normally be protected?
>   5) When I search for products that detect adware installed on a Windows 
> box, I get dozens of hits... is any given product better than another, or 
> do you really need a combination of products to detect and stop all the 
> various adware downloads in use?
>   6) Finally, Windows firewalls... Is Zone Alarm still considered the 
> best for Windows? What are the strengths and weaknesses of the firewall 
> built into Win/XP?
>TIA for all answers!
>Jon R. Kibler
>Chief Technical Officer
>A.S.E.T., Inc.
>Charleston, SC  USA
>(843) 849-8214
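The practice described in the reply, treating a rise in a signature's daily alert count over its own history as the real alert, as an added example that is not part of the original message: a Python script that parses Snort fast-alert lines and flags per-signature volume jumps against a baseline of earlier days. The log lines, signature names, sid numbers, addresses and thresholds are constructed for the example, not taken from the post.

```python
"""Flag per-signature alert-volume jumps in Snort fast-alert log lines."""
import re
from collections import defaultdict
from statistics import mean

# One Snort "alert_fast" line: MM/DD-HH:MM:SS.us [**] [gid:sid:rev] message [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(r"^(?P<day>\d\d/\d\d)-[\d:.]+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
                     r".*?\{\w+\}\s+\S+\s+->\s+\S+:(?P<dport>\d+)$")
def parse_alert(line):
    """Return (day, message, destination port) for one fast-alert line, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    return (m.group("day"), m.group("msg"), int(m.group("dport"))) if m else None

def daily_counts(lines):
    """Count alerts per (message, dst_port) per day; every day seen in the log joins the calendar."""
    counts, days = defaultdict(lambda: defaultdict(int)), set()
    for parsed in filter(None, map(parse_alert, lines)):  # unparseable lines are skipped, not fatal
        day, msg, dport = parsed
        days.add(day)
        counts[(msg, dport)][day] += 1
    return counts, sorted(days)

def flag_increases(counts, days, factor=3.0, min_events=5):
    """Flag a day whose count is at least factor * the mean of all earlier days (absent days count as 0)."""
    flagged = []
    for (msg, dport), per_day in counts.items():
        for i in range(1, len(days)):  # the first day has no history to compare against
            baseline = mean(per_day.get(d, 0) for d in days[:i])
            today = per_day.get(days[i], 0)
            if today >= min_events and today >= factor * baseline:
                flagged.append((msg, dport, days[i], today, round(baseline, 2)))
    return sorted(flagged)

# Constructed sample log (not from the post): three quiet days, then a burst on 02/12. Signature names
# echo the post's "Scan Proxy"/"Scan Squid Proxy"; sid numbers and addresses are placeholders.
_DAYS = ["02/09", "02/10", "02/11", "02/12"]
_PROFILE = {("SCAN Proxy attempt", 1080): [1, 1, 2, 9], ("SCAN Squid Proxy attempt", 3128): [0, 1, 1, 7],
            ("WEB probe (constructed noise)", 80): [3, 3, 3, 3]}  # steady background, must not be flagged
SAMPLE_LOG = "\n".join(
    f"{day}-0{n}:15:00.000000  [**] [1:{sid}:1] {msg} [**] [Priority: 2] {{TCP}} "
    f"10.1.1.{n + 5}:40{n}{n} -> 192.168.1.10:{dport}"
    for sid, ((msg, dport), per_day) in enumerate(_PROFILE.items(), start=900001)
    for day, total in zip(_DAYS, per_day) for n in range(total))
def analyze(log_text=SAMPLE_LOG, factor=3.0, min_events=5):
    """Parse the log text and return flagged (message, port, day, count, baseline) rows."""
    counts, days = daily_counts(log_text.splitlines())
    return flag_increases(counts, days, factor, min_events)

if __name__ == "__main__":
    for msg, dport, day, today, baseline in analyze():
        print(f"{day}: {msg} -> port {dport}: {today} alerts vs. {baseline}/day before")
```

Running it prints only the two scan signatures on 02/12; the steady background signature never crosses the threshold, which is the visual filtering the post describes, done by a script instead.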
