snort-users May 2009 archive

Re: [Snort-users] Error getting during snort installation steps on windows (Not able to run snortstart.bat file)

From: Sadanand Ghagare <sadanandgh_at_nospam>
Date: Wed May 20 2009 - 13:00:23 GMT
To: Joel Esler <jesler@sourcefire.com>


Hi Joel,

After enabling verbose mode, I am getting some output. I made the following change in snortstart.bat:

c:\snort\bin\snort -v -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf

But I am still not getting that output in Kiwi. I am new to Snort. Can you please let me know the steps to enable syslog output? I have installed Kiwi Syslog Server v8.3.52 on the same machine on which I have Snort installed.

Thanks,
Sadanand
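
An added example, not part of the original post and not Snort's own code: a small checker for the situation in the reply quoted below, where Snort starts cleanly but snort.conf has no active syslog output. It joins backslash continuations, lists uncommented `output` directives and parses `alert_syslog` arguments in the Win32 `host=hostname:port` form; the sample config fragments and all function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample: a snort.conf fragment in which every output plugin is
# still commented out (not the poster's actual file).
SAMPLE_DISABLED = r"""
var HOME_NET any
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp yes
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
"""

# Constructed sample: the same fragment with one Win32-style directive enabled.
SAMPLE_ENABLED = (SAMPLE_DISABLED +
                  "output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT\n")

# Launch line as posted in snortstart.bat.
LAUNCH = r"c:\snort\bin\snort -v -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf"


def logical_lines(conf_text):
    """Yield active directives: comment and blank lines dropped,
    backslash-continued lines joined into one logical line."""
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def active_outputs(conf_text):
    """Return [(plugin, args)] for every uncommented 'output' directive."""
    found = []
    for line in logical_lines(conf_text):
        m = re.match(r"output\s+([A-Za-z0-9_]+)\s*(?::\s*(.*))?$", line)
        if m:
            found.append((m.group(1), (m.group(2) or "").strip()))
    return found


def parse_alert_syslog(args, default_host="127.0.0.1", default_port=514):
    """Split alert_syslog arguments into (host, port, [facility/priority...]).
    The defaults are the Win32 ones given in the stock snort.conf comments."""
    host, port = default_host, default_port
    m = re.match(r"host=([^,\s:]+)(?::(\d+))?\s*,?\s*(.*)$", args)
    if m:
        host = m.group(1)
        port = int(m.group(2)) if m.group(2) else default_port
        args = m.group(3)
    return host, port, args.split()


def syslog_status(conf_text, launch_cmd):
    """Report whether -s is on the command line and which alert_syslog
    outputs are active in the configuration."""
    # posix=False keeps Windows backslashes intact while tokenizing.
    tokens = shlex.split(launch_cmd, posix=False)
    targets = [parse_alert_syslog(a)
               for plugin, a in active_outputs(conf_text)
               if plugin == "alert_syslog"]
    return {"dash_s": "-s" in tokens, "alert_syslog": targets}


if __name__ == "__main__":
    for name, conf in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        st = syslog_status(conf, LAUNCH)
        if st["alert_syslog"]:
            for host, port, opts in st["alert_syslog"]:
                print(f"{name}: alert_syslog -> {host}:{port} {' '.join(opts)}")
        else:
            print(f"{name}: no active alert_syslog output (-s present: {st['dash_s']})")
```
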
On Wed, May 20, 2009 at 6:10 PM, Joel Esler <jesler@sourcefire.com> wrote:

> Sadanand,
>
> That's the successful completion start up lines. I see no errors there. I
> see nothing to indicate that you *should* be receiving alerts in Kiwi, as
> you don't have the syslog output enabled. Try configuring that, and
> restarting Snort.
>
> Joel
>
> On Wed, May 20, 2009 at 7:05 AM, Sadanand Ghagare <sadanandgh@gmail.com> wrote:
>
>> Hi
>>
>> I followed the steps to install Snort on Windows 2003 Standard Edition. For
>> this, I used the method for installing Snort on Win XP.
>> After installation, when I tried to run the snortstart.bat file as per step
>> 12, it got stuck at the following prompt, and I can't see the Snort piggy, nor
>> am I getting any output in Kiwi.
>>
>> --== Initialization Complete ==--
>>
>> ,,_ -*> Snort! <*-
>> o" )~ Version 2.8.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 26)
>> '''' By Martin Roesch & The Snort Team:
>> http://www.snort.org/team.html
>> Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>> Using PCRE version: 7.4 2007-09-21
>>
>> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.10 <Build 16>
>> Preprocessor Object: SF_SSLPP Version 1.1 <Build 2>
>> Preprocessor Object: SF_SSH Version 1.1 <Build 1>
>> Preprocessor Object: SF_SMTP Version 1.1 <Build 7>
>> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 11>
>> Preprocessor Object: SF_DNS Version 1.1 <Build 2>
>> Preprocessor Object: SF_DCERPC Version 1.1 <Build 4>
>> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 1>
>> Not Using PCAP_FRAMES
>>
>> ===================================
>>
>> Here is my snortstart.conf file:
>>
>> c:\snort\bin\snort -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>>
>> ================================
>>
>> Here is my snort.conf file:
>>
>> #VERSION:284
>> #--------------------------------------------------
>> # http://www.snort.org Snort current Ruleset
>> # Contact: snort-sigs@lists.sourceforge.net
>> #--------------------------------------------------
>> # $Id: snort.conf,v 1.183.4.6 2009/04/08 21:40:16 mwatchinski Exp $
>> #
>> ###################################################
>> # This file contains a sample snort configuration.
>> # You can take the following steps to create your own custom configuration:
>> #
>> # 1) Set the variables for your network
>> # 2) Configure dynamic loaded libraries
>> # 3) Configure preprocessors
>> # 4) Configure output plugins
>> # 5) Add any runtime config directives
>> # 6) Customize your rule set
>> #
>> ###################################################
>> # Step #1: Set the network variables:
>> #
>> # You must change the following variables to reflect your local network. The
>> # variable is currently setup for an RFC 1918 address space.
>> #
>> # You can specify it explicitly as:
>> #
>> # var HOME_NET 10.1.1.0/24
>> #
>> # or use global variable $<interfacename>_ADDRESS which will be always
>> # initialized to IP address and netmask of the network interface which you run
>> # snort at. Under Windows, this must be specified as
>> # $(<interfacename>_ADDRESS), such as:
>> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
>> #
>> # var HOME_NET $eth0_ADDRESS
>> #
>> # You can specify lists of IP addresses for HOME_NET
>> # by separating the IPs with commas like this:
>> #
>> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>> #
>> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>> #
>> # or you can specify the variable to be any IP address
>> # like this:
>>
>> # Set up network addresses you are protecting. A simple start might be RFC1918
>> var HOME_NET any
>>
>> # Set up the external network addresses as well. A good start may be "any"
>> var EXTERNAL_NET any
>>
>> # Configure your server lists. This allows snort to only look for attacks to
>> # systems that have a service up. Why look for HTTP attacks if you are not
>> # running a web server? This allows quick filtering based on IP addresses
>> # These configurations MUST follow the same configuration scheme as defined
>> # above for $HOME_NET.
>>
>> # List of DNS servers on your network
>> var DNS_SERVERS $HOME_NET
>>
>> # List of SMTP servers on your network
>> var SMTP_SERVERS $HOME_NET
>>
>> # List of web servers on your network
>> var HTTP_SERVERS $HOME_NET
>>
>> # List of sql servers on your network
>> var SQL_SERVERS $HOME_NET
>>
>> # List of telnet servers on your network
>> var TELNET_SERVERS $HOME_NET
>>
>> # List of snmp servers on your network
>> var SNMP_SERVERS $HOME_NET
>>
>> # List of ftp servers on your network
>> var FTP_SERVERS $HOME_NET
>>
>> # List of ssh servers on your network
>> var SSH_SERVERS $HOME_NET
>>
>> # List of pop2/3 servers on your network
>> var POP_SERVERS $HOME_NET
>>
>> # List of imap servers on your network
>> var IMAP_SERVERS $HOME_NET
>>
>> # List of SunRPC servers on your network
>> var RPC_SERVERS $HOME_NET
>>
>> # List of web servers on your network
>> var WWW_SERVERS $HOME_NET
>>
>> # AIM servers. AOL has a habit of adding new AIM servers, so instead of
>> # modifying the signatures when they do, we add them to this list of servers.
>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>
>>
>> # Configure your service ports. This allows snort to look for attacks destined
>> # to a specific application only on the ports that application runs on. For
>> # example, if you run a web server on port 8081, set your HTTP_PORTS variable
>> # like this:
>> #
>> # var HTTP_PORTS 8081
>> #
>> # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
>> # We will adding support for a real list of ports in the future.
>>
>> # Ports you run web servers on
>> #
>> # Please note: [80,8080] does not work.
>> # If you wish to define multiple HTTP ports, use the following convention
>> # when customizing your rule set (as part of Step #6 below). This should
>> # not be done here, as the rules files may depend on the classifications
>> # and/or references, which are included below.
>> #
>> ## var HTTP_PORTS 80
>> ## include somefile.rules
>> ## var HTTP_PORTS 8080
>> ## include somefile.rules
>>
>> # HTTP Ports on your network
>> portvar HTTP_PORTS [80,2301,3128,8000,8080,8180,8888]
>>
>> # Ports you want to look for SHELLCODE on.
>> portvar SHELLCODE_PORTS !80
>>
>> # Ports you do oracle attacks on
>> portvar ORACLE_PORTS 1521
>>
>> # Auth / ident
>> portvar AUTH_PORTS 113
>>
>> # DNS
>> portvar DNS_PORTS 53
>>
>> # Finger
>> portvar FINGER_PORTS 79
>>
>> # Ftp
>> portvar FTP_PORTS 21
>>
>> # Imap
>> portvar IMAP_PORTS 143
>>
>> # IRC
>> portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
>>
>> # MS-SQL
>> portvar MSSQL_PORTS 1433
>>
>> # NNTP
>> portvar NNTP_PORTS 119
>>
>> # POP2
>> portvar POP2_PORTS 109
>>
>> # POP3
>> portvar POP3_PORTS 110
>>
>> # PortMapper
>> portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
>>
>> # rlogin
>> portvar RLOGIN_PORTS 513
>>
>> # rsh
>> portvar RSH_PORTS 514
>>
>> # smb
>> portvar SMB_PORTS [139,445]
>>
>> # smtp
>> portvar SMTP_PORTS 25
>>
>> # snmp
>> portvar SNMP_PORTS 161
>>
>> # ssh
>> portvar SSH_PORTS 22
>>
>> # telnet
>> portvar TELNET_PORTS 23
>>
>> # mail this for compatability with versions of snort that support port lists
>> portvar MAIL_PORTS [25,143,465,691]
>>
>> # SSL Ports
>> portvar SSL_PORTS [25,443,465,636,993,995]
>>
>> # DCERPC NCACN-IP-TCP
>> portvar DCERPC_NCACN_IP_TCP [139,445]
>> portvar DCERPC_NCADG_IP_UDP [138,1024:]
>> portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
>> portvar DCERPC_NCACN_UDP_LONG [135,1024:]
>> portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
>> portvar DCERPC_NCACN_TCP [2103,2105,2107]
>> portvar DCERPC_BRIGHTSTORE [6503,6504]
>>
>> # Path to your rules files (this can be a relative path)
>> # Note for Windows users: You are advised to make this an absolute path,
>> # such as: c:\snort\rules
>> var RULE_PATH C:\snort\rules
>>
>> # Configure the snort decoder
>> # ============================
>> #
>> # Snort's decoder will alert on lots of things such as header
>> # truncation or options of unusual length or infrequently used tcp options
>> #
>> #
>> # Stop generic decode events:
>> #
>> # config disable_decode_alerts
>> #
>> # Stop Alerts on experimental TCP options
>> #
>> # config disable_tcpopt_experimental_alerts
>> #
>> # Stop Alerts on obsolete TCP options
>> #
>> # config disable_tcpopt_obsolete_alerts
>> #
>> # Stop Alerts on T/TCP alerts
>> #
>> # In snort 2.0.1 and above, this only alerts when a TCP option is detected
>> # that shows T/TCP being actively used on the network. If this is normal
>> # behavior for your network, disable the next option.
>> #
>> # config disable_tcpopt_ttcp_alerts
>> #
>> # Stop Alerts on all other TCPOption type events:
>> #
>> # config disable_tcpopt_alerts
>> #
>> # Stop Alerts on invalid ip options
>> #
>> # config disable_ipopt_alerts
>> #
>> # Alert if value in length field (IP, TCP, UDP) is greater than the
>> # actual length of the captured portion of the packet that the length
>> # is supposed to represent:
>> #
>> # config enable_decode_oversized_alerts
>> #
>> # Same as above, but drop packet if in Inline mode -
>> # enable_decode_oversized_alerts must be enabled for this to work:
>> #
>> # config enable_decode_oversized_drops
>> #
>> config checksum_mode: all
>> config disable_decode_alerts
>> config disable_tcpopt_experimental_alerts
>> config disable_tcpopt_obsolete_alerts
>> config disable_ttcp_alerts
>> config disable_tcpopt_alerts
>> config disable_ipopt_alerts
>> config disable_decode_drops
>>
>> # Configure the detection engine
>> # ===============================
>> #
>> # Use a different pattern matcher in case you have a machine with very limited
>> # resources:
>> #
>> # config detection: search-method lowmem
>>
>> config detection: search-method ac-bnfa
>> config detection: max_queue_events 5
>> config event_queue: max_queue 8 log 3 order_events content_length
>>
>> # Configure Inline Resets
>> # ========================
>> #
>> # If running an iptables firewall with snort in InlineMode() we can now
>> # perform resets via a physical device. We grab the indev from iptables
>> # and use this for the interface on which to send resets. This config
>> # option takes an argument for the src mac address you want to use in the
>> # reset packet. This way the bridge can remain stealthy. If the src mac
>> # option is not set we use the mac address of the indev device. If we
>> # don't set this option we will default to sending resets via raw socket,
>> # which needs an ipaddress to be assigned to the int.
>> #
>> # config layer2resets: 00:06:76:DD:5F:E3
>>
>> ###################################################
>> # Step #2: Configure dynamic loaded libraries
>> #
>> # If snort was configured to use dynamically loaded libraries,
>> # those libraries can be loaded here.
>> #
>> # Each of the following configuration options can be done via
>> # the command line as well.
>> #
>> # Load all dynamic preprocessors from the install path
>> # (same as command line option --dynamic-preprocessor-lib-dir)
>> #
>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
>>
>> # Comment out above and uncomment this if running OSX
>> #
>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.dylib
>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.dylib
>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.dylib
>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.dylib
>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.dylib
>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.dylib
>>
>> #
>> # Load a specific dynamic preprocessor library from the install path
>> # (same as command line option --dynamic-preprocessor-lib)
>> #
>> # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
>> #
>> # Load a dynamic engine from the install path
>> # (same as command line option --dynamic-engine-lib)
>> #
>> dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
>> #
>> # Load all dynamic rules libraries from the install path
>> # (same as command line option --dynamic-detection-lib-dir)
>> #
>> # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
>> #
>> # Load a specific dynamic rule library from the install path
>> # (same as command line option --dynamic-detection-lib)
>> #
>> # Rule packages from the VRT contain a so_rules directory that contains these rules
>> # you need to compile them using the makefile in the rules package and place
>> # them here and add them.
>> #
>>
>> # Uncomment if you are using the default VRT SO rules and have them in this directory.
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/bad-traffic.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/chat.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/dos.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/exploit.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/imap.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/misc.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/multimedia.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/netbios.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/nntp.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/p2p.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/smtp.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/sql.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-client.so
>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-misc.so
>>
>>
>> ###################################################
>> # Step #3: Configure preprocessors
>> #
>> # General configuration for preprocessors is of
>> # the form
>> # preprocessor <name_of_processor>: <configuration_options>
>>
>> # frag3: Target-based IP defragmentation
>> # --------------------------------------
>> #
>> # Frag3 is a brand new IP defragmentation preprocessor that is capable of
>> # performing "target-based" processing of IP fragments. Check out the
>> # README.frag3 file in the doc directory for more background and configuration
>> # information.
>> #
>> # Frag3 configuration is a two step process, a global initialization phase
>> # followed by the definition of a set of defragmentation engines.
>> #
>> # Global configuration defines the number of fragmented packets that Snort can
>> # track at the same time and gives you options regarding the memory cap for the
>> # subsystem or, optionally, allows you to preallocate all the memory for the
>> # entire frag3 system.
>> #
>> # frag3_global options:
>> # max_frags: Maximum number of frag trackers that may be active at once.
>> # Default value is 8192.
>> # memcap: Maximum amount of memory that frag3 may access at any given time.
>> # Default value is 4MB.
>> # prealloc_frags: Maximum number of individual fragments that may be processed
>> # at once. This is instead of the memcap system, uses static
>> # allocation to increase performance. No default value. Each
>> # preallocated fragment eats ~1550 bytes.
>> #
>> # Target-based behavior is attached to an engine as a "policy" for handling
>> # overlaps and retransmissions as enumerated in the Paxson paper. There are
>> # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
>> # and "Last". Engines can be bound to standard Snort CIDR blocks or
>> # IP lists.
>> #
>> # frag3_engine options:
>> # timeout: Amount of time a fragmented packet may be active before expiring.
>> # Default value is 60 seconds.
>> # ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
>> # Based on the initial received fragment TTL.
>> # min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
>> # value will be discarded. Default value is 0.
>> # detect_anomalies: Activates frag3's anomaly detection mechanisms.
>> # policy: Target-based policy to assign to this engine. Default is Windows.
>> # bind_to: IP address set to bind this engine to. Default is all hosts.
>> #
>> # Frag3 configuration example:
>> #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
>> #preprocessor frag3_engine: policy linux \
>> # bind_to [10.1.1.12/32,10.1.1.13/32] \
>> # detect_anomalies
>> #preprocessor frag3_engine: policy first \
>> # bind_to 10.2.1.0/24 \
>> # detect_anomalies
>> #preprocessor frag3_engine: policy last \
>> # bind_to 10.3.1.0/24
>> #preprocessor frag3_engine: policy bsd
>>
>> preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy windows timeout 180
>>
>> # stream5: Target Based stateful inspection/stream reassembly for Snort
>> # ---------------------------------------------------------------------
>> # Stream5 is a target-based stream engine for Snort. Its functionality
>> # replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
>> # cannot be used simultaneously. Comment out the stream4 configurations
>> # above to use Stream5.
>> #
>> # See README.stream5 for details on the configuration options.
>> #
>> # Example config (that emulates Stream4 with UDP support compiled in)
>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>> track_udp yes
>> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
>> ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 8000 8080 8180 8888, \
>> ports both 443 465 563 636 989 992 993 994 995
>> preprocessor stream5_udp: ignore_any_rules
>>
>>
>> # Performance Statistics
>> # ----------------------
>> # Documentation for this is provided in the Snort Manual. You should read it.
>> # It is included in the release distribution as doc/snort_manual.pdf
>> #
>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>>
>> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
>> #
>> # lots of options available here. See doc/README.http_inspect.
>> # unicode.map should be wherever your snort.conf lives, or given
>> # a full path to where snort can find it.
>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>> preprocessor http_inspect_server: \
>> server default \
>> apache_whitespace no \
>> ascii no \
>> bare_byte no \
>> chunk_length 500000 \
>> flow_depth 1460 \
>> directory no \
>> double_decode no \
>> iis_backslash no \
>> iis_delimiter no \
>> iis_unicode no \
>> multi_slash no \
>> non_strict \
>> oversize_dir_length 500 \
>> ports { 80 2301 3128 8000 8080 8180 8888 } \
>> u_encode yes \
>> non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>> webroot no
>>
>> #
>> # Example unique server configuration
>> #
>> #preprocessor http_inspect_server: server 1.1.1.1 \
>> # ports { 80 3128 8080 } \
>> # flow_depth 0 \
>> # ascii no \
>> # double_decode yes \
>> # non_rfc_char { 0x00 } \
>> # chunk_length 500000 \
>> # non_strict \
>> # oversize_dir_length 300 \
>> # no_alerts
>>
>>
>> # rpc_decode: normalize RPC traffic
>> # ---------------------------------
>> # RPC may be sent in alternate encodings besides the usual 4-byte encoding
>> # that is used by default. This plugin takes the port numbers that RPC
>> # services are running on as arguments - it is assumed that the given ports
>> # are actually running this type of service. If not, change the ports or turn
>> # it off.
>> # The RPC decode preprocessor uses generator ID 106
>> #
>> # arguments: space separated list
>> # alert_fragments - alert on any rpc fragmented TCP data
>> # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
>> # no_alert_large_fragments - don't alert when the fragmented
>> # sizes exceed the current packet size
>> # no_alert_incomplete - don't alert when a single segment
>> # exceeds the current packet size
>>
>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
>>
>> # bo: Back Orifice detector
>> # -------------------------
>> # Detects Back Orifice traffic on the network.
>> #
>> # arguments:
>> # syntax:
>> # preprocessor bo: noalert { client | server | general | snort_attack } \
>> # drop { client | server | general | snort_attack }
>> # example:
>> # preprocessor bo: noalert { general server } drop { snort_attack }
>>
>> #
>> # The Back Orifice detector uses Generator ID 105 and uses the
>> # following SIDS for that GID:
>> # SID Event description
>> # ----- -------------------
>> # 1 Back Orifice traffic detected
>> # 2 Back Orifice Client Traffic Detected
>> # 3 Back Orifice Server Traffic Detected
>> # 4 Back Orifice Snort Buffer Attack
>>
>> preprocessor bo
>>
>> # telnet_decode: Telnet negotiation string normalizer
>> # ---------------------------------------------------
>> # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
>> # traffic. It works in much the same way as the http_decode preprocessor,
>> # searching for traffic that breaks up the normal data stream of a protocol and
>> # replacing it with a normalized representation of that traffic so that the
>> # "content" pattern matching keyword can work without requiring modifications.
>> # This preprocessor requires no arguments.
>> #
>> # DEPRECATED in favor of ftp_telnet dynamic preprocessor
>> #preprocessor telnet_decode
>> #
>> # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
>> # ---------------------------------------------------------------------------
>> # This preprocessor normalizes telnet negotiation strings from telnet and
>> # ftp traffic. It looks for traffic that breaks the normal data stream
>> # of the protocol, replacing it with a normalized representation of that
>> # traffic so that the "content" pattern matching keyword can work without
>> # requiring modifications.
>> #
>> # It also performs protocol correctness checks for the FTP command channel,
>> # and identifies open FTP data transfers.
>> #
>> # FTPTelnet has numerous options available, please read
>> # README.ftptelnet for help configuring the options for the global
>> # telnet, ftp server, and ftp client sections for the protocol.
>>
>> #####
>> # Per Step #2, set the following to load the ftptelnet preprocessor
>> # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
>> # or use commandline option
>> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>> preprocessor ftp_telnet: \
>> global \
>> encrypted_traffic yes \
>> check_encrypted \
>> inspection_type stateful
>>
>> preprocessor ftp_telnet_protocol: \
>> telnet \
>> ayt_attack_thresh 20 \
>> normalize ports { 23 } \
>> detect_anomalies
>>
>> preprocessor ftp_telnet_protocol: \
>> ftp server default \
>> def_max_param_len 100 \
>> ports { 21 2100 } \
>> ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
>> ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
>> ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>> ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
>> ftp_cmds { FEAT OPTS CEL CMD MACB } \
>> ftp_cmds { MDTM REST SIZE MLST MLSD } \
>> ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>> alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
>> alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
>> alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
>> alt_max_param_len 256 { RNTO CWD } \
>> alt_max_param_len 400 { PORT } \
>> alt_max_param_len 512 { SIZE } \
>> chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
>> chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>> chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
>> chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
>> chk_str_fmt { FEAT OPTS CEL CMD } \
>> chk_str_fmt { MDTM REST SIZE MLST MLSD } \
>> chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>> cmd_validity MODE < char ASBCZ > \
>> cmd_validity STRU < char FRP > \
>> cmd_validity ALLO < int [ char R int ] > \
>> cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
>> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>> cmd_validity PORT < host_port >
>>
>> preprocessor ftp_telnet_protocol: \
>> ftp client default \
>> max_resp_len 200 \
>> bounce yes \
>> telnet_cmds no
>>
>> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
>> # ---------------------------------------------------------------------------
>> # This preprocessor normalizes SMTP commands by removing extraneous spaces.
>> # It looks for overly long command lines, response lines, and data header lines.
>> # It can alert on invalid commands, or specific valid commands. It can optionally
>> # ignore mail data, and can ignore TLS encrypted data.
>> #
>> # SMTP has numerous options available, please read README.SMTP for help
>> # configuring options.
>>
>> #####
>> # Per Step #2, set the following to load the smtp preprocessor
>> # dynamicpreprocessor <full path to libsf_smtp_preproc.so>
>> # or use commandline option
>> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>>
>> preprocessor SMTP: \
>> ports { 25 465 691 } \
>> inspection_type stateful \
>> normalize cmds \
>> valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>> normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>> max_header_line_len 1000 \
>> max_response_line_len 512 \
>> alt_max_command_line_len 260 { MAIL } \
>> alt_max_command_line_len 300 { RCPT } \
>> alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>> alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>> alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
>> alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
>> alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>> xlink2state { enable }
>>
>> # sfPortscan
>> # ----------
>> # Portscan detection module. Detects various types of portscans and
>> # portsweeps. For more information on detection philosophy, alert types,
>> # and detailed portscan information, please refer to the README.sfportscan.
>> #
>> # -configuration options-
>> # proto { tcp udp icmp ip all }
>> # The arguments to the proto option are the types of protocol scans that
>> # the user wants to detect. Arguments should be separated by spaces and
>> # not commas.
>> # scan_type { portscan portsweep decoy_portscan distributed_portscan all }
>> # The arguments to the scan_type option are the scan types that the
>> # user wants to detect. Arguments should be separated by spaces and not
>> # commas.
>> # sense_level { low|medium|high }
>> # There is only one argument to this option and it is the level of
>> # sensitivity in which to detect portscans. The 'low' sensitivity
>> # detects scans by the common method of looking for response errors, such
>> # as TCP RSTs or ICMP unreachables. This level requires the least
>> # tuning. The 'medium' sensitivity level detects portscans and
>> # filtered portscans (portscans that receive no response). This
>> # sensitivity level usually requires tuning out scan events from NATed
>> # IPs, DNS cache servers, etc. The 'high' sensitivity level has
>> # lower thresholds for portscan detection and a longer time window than
>> # the 'medium' sensitivity level. Requires more tuning and may be noisy
>> # on very active networks. However, this sensitivity levels catches the
>> # most scans.
>> # memcap { positive integer }
>> # The maximum number of bytes to allocate for portscan detection. The
>> # higher this number the more nodes that can be tracked.
>> # logfile { filename }
>> # This option specifies the file to log portscan and detailed portscan
>> # values to. If there is not a leading /, then snort logs to the
>> # configured log directory. Refer to README.sfportscan for details on
>> # the logged values in the logfile.
>> # watch_ip { Snort IP List }
>> # ignore_scanners { Snort IP List }
>> # ignore_scanned { Snort IP List }
>> # These options take a snort IP list as the argument. The 'watch_ip'
>> # option specifies the IP(s) to watch for portscan. The
>> # 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
>> # Note that these hosts are still watched as scanned hosts. The
>> # 'ignore_scanners' option is used to tune alerts from very active
>> # hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
>> # specifies the IP(s) to ignore as scanned hosts. Note that these hosts
>> # are still watched as scanner hosts. The 'ignore_scanned' option is
>> # used to tune alerts from very active hosts such as syslog servers, etc.
>> # detect_ack_scans
>> # This option will include sessions picked up in midstream by the stream
>> # module, which is necessary to detect ACK scans. However, this can lead to
>> # false alerts, especially under heavy load with dropped packets; which is why
>> # the option is off by default.
>> #
>> # Disabled by default
>> #
>> # preprocessor sfportscan: proto { all } \
>> # memcap { 10000000 } \
>> # sense_level { low }
>>
>> # arpspoof
>> #----------------------------------------
>> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
>> # unicast ARP requests, and specific ARP mapping monitoring. To make use of
>> # this preprocessor you must specify the IP and hardware address of hosts on
>> # the same layer 2 segment as you. Specify one host IP MAC combo per line.
>> # Also takes a "-unicast" option to turn on unicast ARP request detection.
>>
>> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
>>
>> # SID Event description
>> # ----- -------------------
>> # 1 Unicast ARP request
>> # 2 Etherframe ARP mismatch (src)
>> # 3 Etherframe ARP mismatch (dst)
>> # 4 ARP cache overwrite attack
>>
>> #preprocessor arpspoof
>> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>>
>> # ssh
>> #----------------------------------------
>> # EXPERIMENTAL CODE!!!
>> #
>> # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
>> # USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS.
>> # YOU HAVE BEEN WARNED.
>> #
>> # The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
>> # Secure CRT, and the Protocol Mismatch exploit.
>> #
>> # Both Gobbles and CRC 32 attacks occur after the key exchange, and are
>> # therefore encrypted. Both attacks involve sending a large payload
>> # (20kb+) to the server immediately after the authentication challenge.
>> # To detect the attacks, the SSH preprocessor counts the number of bytes
>> # transmitted to the server. If those bytes exceed a pre-defined limit
>> # within a pre-defined number of packets, an alert is generated. Since
>> # Gobbles only affects SSHv2 and CRC 32 only affects SSHv1, the SSH
>> # version string exchange is used to distinguish the attacks.
>> #
>> # The Secure CRT and protocol mismatch exploits are observable before
>> # the key exchange.
>> #
>> # SSH has numerous options available, please read README.ssh for help
>> # configuring options.
>>
>> #####
>> # Per Step #2, set the following to load the ssh preprocessor
>> # dynamicpreprocessor <full path to libsf_ssh_preproc.so>
>> # or use commandline option
>> # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
>> #
>> #preprocessor ssh: server_ports { 22 } \
>> # max_client_bytes 19600 \
>> # max_encrypted_packets 20 \
>> # disable_srvoverflow \
>> # disable_protomismatch \
>> # disable_badmsgdir
>>
>> #UPDATE HERE MEW#
>> #----------------------------------------
>> # SSL Preprocessor configuration
>> #
>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted
>>
>> # DCE/RPC
>> #----------------------------------------
>> #
>> # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
>> # It is primarily interested in DCE/RPC data, and only decodes SMB
>> # to get at the DCE/RPC data carried by the SMB layer.
>> #
>> # Currently, the preprocessor only handles reassembly of fragmentation
>> # at both the SMB and DCE/RPC layer. Snort rules can be evaded by
>> # using both types of fragmentation; with the preprocessor enabled
>> # the rules are given a buffer with a reassembled SMB or DCE/RPC
>> # packet to examine.
>> #
>> # At the SMB layer, only fragmentation using WriteAndX is currently
>> # reassembled. Other methods will be handled in future versions of
>> # the preprocessor.
>> #
>> # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
>> # the SMB data, as well as checking the NetBIOS header (which is always
>> # present for SMB) for the type "SMB Session".
>> #
>> # Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
>> # checked in the packet. Assuming that the data is a DCE/RPC header,
>> # one byte is checked for DCE/RPC version (5) and another for the type
>> # "DCE/RPC Request". If both match, the preprocessor proceeds with that
>> # assumption that it is looking at DCE/RPC data. If subsequent checks
>> # are nonsensical, it ends processing.
>> #
>> # DCERPC has numerous options available, please read README.dcerpc for help
>> # configuring options.
>>
>> #####
>> # Per Step #2, set the following to load the dcerpc preprocessor
>> # dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
>> # or use commandline option
>> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>>
>> preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
>> preprocessor dcerpc2_server: default, policy WinXP, \
>> detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>> autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>> smb_max_chain 3
>>
>> # DNS
>> #----------------------------------------
>> # The dns preprocessor (currently) decodes DNS Response traffic
>> # and detects a few vulnerabilities.
>> #
>> # DNS has a few options available, please read README.dns for
>> # help configuring options.
>>
>> #####
>> # Per Step #2, set the following to load the dns preprocessor
>> # dynamicpreprocessor <full path to libsf_dns_preproc.so>
>> # or use commandline option
>> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>>
>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>
>> ####################################################################
>> # Step #4: Configure output plugins
>> #
>> # Uncomment and configure the output plugins you decide to use. General
>> # configuration for output plugins is of the form:
>> #
>> # output <name_of_plugin>: <configuration_options>
>> #
>> # alert_syslog: log alerts to syslog
>> # ----------------------------------
>> # Use one or more syslog facilities as arguments. Win32 can also optionally
>> # specify a particular hostname/port. Under Win32, the default hostname is
>> # '127.0.0.1', and the default port is 514.
>> #
>> # [Unix flavours should use this format...]
>> # output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
>> #
>> # [Win32 can use any of these formats...]
>> # output alert_syslog: LOG_AUTH LOG_ALERT
>> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
>> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>>
>> # log_tcpdump: log packets in binary tcpdump format
>> # -------------------------------------------------
>> # The only argument is the output file name.
>> #
>> # output log_tcpdump: tcpdump.log
>>
>> # database: log to a variety of databases
>> # ---------------------------------------
>> # See the README.database file for more information about configuring
>> # and using this plugin.
>> #
>> # output database: log, mysql, user=root password=test dbname=db host=localhost
>> # output database: alert, postgresql, user=snort dbname=snort
>> # output database: log, odbc, user=snort dbname=snort
>> # output database: log, mssql, dbname=snort user=snort password=test
>> # output database: log, oracle, dbname=snort user=snort password=test
>>
>> # unified: Snort unified binary format alerting and logging
>> # -------------------------------------------------------------
>> # The unified output plugin provides two new formats for logging and generating
>> # alerts from Snort, the "unified" format. The unified format is a straight
>> # binary format for logging data out of Snort that is designed to be fast and
>> # efficient. Used with barnyard (the new alert/log processor), most of the
>> # overhead for logging and alerting to various slow storage mechanisms such as
>> # databases or the network can now be avoided.
>> #
>> # Check out the spo_unified.h file for the data formats.
>> #
>> # Two arguments are supported.
>> # filename - base filename to write to (current time_t is appended)
>> # limit - maximum size of spool file in MB (default: 128)
>> #
>> # output alert_unified: filename snort.alert, limit 128
>> # output log_unified: filename snort.log, limit 128
>>
>>
>> # prelude: log to the Prelude Hybrid IDS system
>> # ---------------------------------------------
>> #
>> # profile = Name of the Prelude profile to use (default is snort).
>> #
>> # Snort priority to IDMEF severity mappings:
>> # high < medium < low < info
>> #
>> # These are the default mapped from classification.config:
>> # info = 4
>> # low = 3
>> # medium = 2
>> # high = anything below medium
>> #
>> # output alert_prelude
>> # output alert_prelude: profile=snort-profile-name
>>
>>
>> #
>> # Include classification & priority settings
>> # Note for Windows users: You are advised to make this an absolute path,
>> # such as: c:\snort\etc\classification.config
>> #
>>
>> include classification.config
>>
>> #
>> # Include reference systems
>> # Note for Windows users: You are advised to make this an absolute path,
>> # such as: c:\snort\etc\reference.config
>> #
>>
>> include reference.config
>>
>> ####################################################################
>> # Step #5: Configure snort with config statements
>> #
>> # See the snort manual for a full set of configuration references
>> #
>> # config flowbits_size: 64
>> #
>> # New global ignore_ports config option from Andy Mullican
>> #
>> # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
>> # config ignore_ports: tcp 21 6667:6671 1356
>> # config ignore_ports: udp 1:17 53
>>
>>
>> ####################################################################
>> # Step #6: Customize your rule set
>> #
>> # Up to date snort rules are available at http://www.snort.org
>> #
>> # The snort web site has documentation about how to write your own custom snort
>> # rules.
>>
>> #=========================================
>> # Include all relevant rulesets here
>> #
>> # The following rulesets are disabled by default:
>> #
>> # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
>> # chat, multimedia, and p2p
>> #
>> # These rules are either site policy specific or require tuning in order to not
>> # generate false positive alerts in most environments.
>> #
>> # Please read the specific include file for more information and
>> # README.alert_order for how rule ordering affects how alerts are triggered.
>> #=========================================
>>
>> include $RULE_PATH/local.rules
>> # include $RULE_PATH/bad-traffic.rules
>> include $RULE_PATH/exploit.rules
>> # include $RULE_PATH/scan.rules
>> # include $RULE_PATH/finger.rules
>> include $RULE_PATH/ftp.rules
>> include $RULE_PATH/telnet.rules
>> include $RULE_PATH/rpc.rules
>> include $RULE_PATH/rservices.rules
>> include $RULE_PATH/dos.rules
>> include $RULE_PATH/ddos.rules
>> include $RULE_PATH/dns.rules
>> # include $RULE_PATH/tftp.rules
>>
>> include $RULE_PATH/web-cgi.rules
>> include $RULE_PATH/web-coldfusion.rules
>> include $RULE_PATH/web-iis.rules
>> include $RULE_PATH/web-frontpage.rules
>> include $RULE_PATH/web-misc.rules
>> include $RULE_PATH/web-client.rules
>> include $RULE_PATH/web-php.rules
>>
>> include $RULE_PATH/sql.rules
>> include $RULE_PATH/x11.rules
>> # include $RULE_PATH/icmp.rules
>> include $RULE_PATH/netbios.rules
>> include $RULE_PATH/misc.rules
>> include $RULE_PATH/attack-responses.rules
>> include $RULE_PATH/oracle.rules
>> include $RULE_PATH/mysql.rules
>> # include $RULE_PATH/snmp.rules
>>
>> include $RULE_PATH/smtp.rules
>> include $RULE_PATH/imap.rules
>> include $RULE_PATH/pop2.rules
>> include $RULE_PATH/pop3.rules
>>
>> include $RULE_PATH/nntp.rules
>> # include $RULE_PATH/other-ids.rules
>> # include $RULE_PATH/web-attacks.rules
>> include $RULE_PATH/backdoor.rules
>> # include $RULE_PATH/shellcode.rules
>> # include $RULE_PATH/policy.rules
>> # include $RULE_PATH/porn.rules
>> # include $RULE_PATH/info.rules
>> # include $RULE_PATH/icmp-info.rules
>> # include $RULE_PATH/virus.rules
>> # include $RULE_PATH/chat.rules
>> # include $RULE_PATH/multimedia.rules
>> # include $RULE_PATH/p2p.rules
>> include $RULE_PATH/spyware-put.rules
>> include $RULE_PATH/specific-threats.rules
>> # include $RULE_PATH/experimental.rules
>> # include $RULE_PATH/content-replace.rules
>> include $RULE_PATH/voip.rules
>>
>> # If you're using the so rules you need to do something like the following
>> # cd into the so_rules directory where you built the so rules
>> # cat *.rules >> so-rules.rules
>> # cp to $RULE_PATH/so-rules.rules
>> # uncomment this line
>> # include $RULE_PATH/so-rules.rules
>>
>> # Include any thresholding or suppression commands. See threshold.conf in the
>> # <snort src>/etc directory for details. Commands don't necessarily need to be
>> # contained in this conf, but a separate conf makes it easier to maintain them.
>> # Note for Windows users: You are advised to make this an absolute path,
>> # such as: c:\snort\etc\threshold.conf
>> # Uncomment if needed.
>> # include threshold.conf
>>
>> =================================================
>>
>>
>> --
>>
>>
>> Thanks & Regards
>>
>> Sadanand G.
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users@lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
>
> --
> joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974
>
-- Thanks & Regards Sadanand G.

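The following check is an added example, not part of the original messages and not Snort code. It reads a snort.conf and reports whether any `output alert_syslog` directive is actually active, which is the condition the reply above points to. The function names and the sample text are constructed for illustration; the Win32 defaults (127.0.0.1, port 514) are taken from the comments in the quoted configuration.

```python
import re

# Constructed sample: an output section in the state the thread describes
# (every alert_syslog line commented out), plus one active directive that
# uses a backslash continuation.
SAMPLE_CONF = r"""
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
preprocessor dcerpc2_server: default, policy WinXP, \
    smb_max_chain 3
include classification.config
"""

def logical_lines(text):
    """Yield active directives: join backslash continuations, skip comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line.startswith("#"):
            continue                      # whole-line comment
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue                      # directive continues on next line
        buf += line
        if buf:
            yield buf
        buf = ""

def active_outputs(text):
    """Return [(plugin, args)] for every uncommented 'output' directive."""
    found = []
    for line in logical_lines(text):
        m = re.match(r"output\s+(\w+)\s*(?::\s*(.*))?$", line)
        if m:
            found.append((m.group(1), m.group(2) or ""))
    return found

def syslog_target(text, default=("127.0.0.1", 514)):
    """Return (host, port) for alert_syslog, or None if it is not enabled."""
    for plugin, args in active_outputs(text):
        if plugin != "alert_syslog":
            continue
        m = re.search(r"host=([^\s,:]+)(?::(\d+))?", args)
        if not m:
            return default                # Win32 defaults per the config comments
        return (m.group(1), int(m.group(2)) if m.group(2) else default[1])
    return None

if __name__ == "__main__":
    print("alert_syslog target:", syslog_target(SAMPLE_CONF))
```

A result of `None` means no alert can reach the syslog server from the configuration file, whatever the listener's own settings are.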