snort-users May 2009 archive

Re: [Snort-users] Error getting during snort installation steps on windows (Not able to run snortstart.bat file)

From: Joel Esler <jesler_at_nospam>
Date: Wed May 20 2009 - 13:19:50 GMT
To: Sadanand Ghagare <sadanandgh@gmail.com>


I suggest you take a look in your snort.conf file, look for the word "syslog".

You won't want to use the -v option.

Joel

On Wed, May 20, 2009 at 9:00 AM, Sadanand Ghagare <sadanandgh@gmail.com> wrote:

> Hi Joel,
>
> After enabling verbose mode, I am getting some output. I made the following
> change in snortstart.bat
>
> c:\snort\bin\snort -v -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>
> but still I am not getting that output in Kiwi. I am new to Snort. Can you
> please let me know the steps to enable syslog output.
> I have installed Kiwi Syslog Server v8.3.52 on the same machine on which I
> have Snort installed.
>
> Thanks,
> Sadanand
>
> On Wed, May 20, 2009 at 6:10 PM, Joel Esler <jesler@sourcefire.com> wrote:
>
>> Sadanand,
>>
>> That's the successful completion start up lines. I see no errors there.
>> I see nothing to indicate that you *should* be receiving alerts in Kiwi, as
>> you don't have the syslog output enabled. Try configuring that, and
>> restarting Snort.
>>
>> Joel
>>
>> On Wed, May 20, 2009 at 7:05 AM, Sadanand Ghagare <sadanandgh@gmail.com> wrote:
>>
>>> Hi
>>>
>>> I followed the steps to install Snort on Windows 2003 Standard Edition. For
>>> this, I used the method of installing Snort on Windows XP.
>>> After installation, when I tried to run the snortstart.bat file as per step
>>> 12, it got stuck on the following prompt, and I can't see the Snort piggy, nor
>>> am I getting any output in Kiwi.
>>>
>>> --== Initialization Complete ==--
>>>
>>> ,,_ -*> Snort! <*-
>>> o" )~ Version 2.8.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 26)
>>> '''' By Martin Roesch & The Snort Team:
>>> http://www.snort.org/team.html
>>> Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>> Using PCRE version: 7.4 2007-09-21
>>>
>>> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.10 <Build 16>
>>> Preprocessor Object: SF_SSLPP Version 1.1 <Build 2>
>>> Preprocessor Object: SF_SSH Version 1.1 <Build 1>
>>> Preprocessor Object: SF_SMTP Version 1.1 <Build 7>
>>> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 11>
>>> Preprocessor Object: SF_DNS Version 1.1 <Build 2>
>>> Preprocessor Object: SF_DCERPC Version 1.1 <Build 4>
>>> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 1>
>>> Not Using PCAP_FRAMES
>>>
>>> ===================================
>>>
>>> Here is my snortstart.conf file:
>>>
>>> c:\snort\bin\snort -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>>>
>>> ================================
>>>
>>> Here is my snort.conf file:
>>>
>>> #VERSION:284
>>> #--------------------------------------------------
>>> # http://www.snort.org Snort current Ruleset
>>> # Contact: snort-sigs@lists.sourceforge.net
>>> #--------------------------------------------------
>>> # $Id: snort.conf,v 1.183.4.6 2009/04/08 21:40:16 mwatchinski Exp $
>>> #
>>> ###################################################
>>> # This file contains a sample snort configuration.
>>> # You can take the following steps to create your own custom configuration:
>>> #
>>> # 1) Set the variables for your network
>>> # 2) Configure dynamic loaded libraries
>>> # 3) Configure preprocessors
>>> # 4) Configure output plugins
>>> # 5) Add any runtime config directives
>>> # 6) Customize your rule set
>>> #
>>> ###################################################
>>> # Step #1: Set the network variables:
>>> #
>>> # You must change the following variables to reflect your local network. The
>>> # variable is currently setup for an RFC 1918 address space.
>>> #
>>> # You can specify it explicitly as:
>>> #
>>> # var HOME_NET 10.1.1.0/24
>>> #
>>> # or use global variable $<interfacename>_ADDRESS which will be always
>>> # initialized to IP address and netmask of the network interface which you run
>>> # snort at. Under Windows, this must be specified as
>>> # $(<interfacename>_ADDRESS), such as:
>>> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
>>> #
>>> # var HOME_NET $eth0_ADDRESS
>>> #
>>> # You can specify lists of IP addresses for HOME_NET
>>> # by separating the IPs with commas like this:
>>> #
>>> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>>> #
>>> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>>> #
>>> # or you can specify the variable to be any IP address
>>> # like this:
>>>
>>> # Set up network addresses you are protecting. A simple start might be RFC1918
>>> var HOME_NET any
>>>
>>> # Set up the external network addresses as well. A good start may be "any"
>>> var EXTERNAL_NET any
>>>
>>> # Configure your server lists. This allows snort to only look for attacks to
>>> # systems that have a service up. Why look for HTTP attacks if you are not
>>> # running a web server? This allows quick filtering based on IP addresses.
>>> # These configurations MUST follow the same configuration scheme as defined
>>> # above for $HOME_NET.
>>>
>>> # List of DNS servers on your network
>>> var DNS_SERVERS $HOME_NET
>>>
>>> # List of SMTP servers on your network
>>> var SMTP_SERVERS $HOME_NET
>>>
>>> # List of web servers on your network
>>> var HTTP_SERVERS $HOME_NET
>>>
>>> # List of sql servers on your network
>>> var SQL_SERVERS $HOME_NET
>>>
>>> # List of telnet servers on your network
>>> var TELNET_SERVERS $HOME_NET
>>>
>>> # List of snmp servers on your network
>>> var SNMP_SERVERS $HOME_NET
>>>
>>> # List of ftp servers on your network
>>> var FTP_SERVERS $HOME_NET
>>>
>>> # List of ssh servers on your network
>>> var SSH_SERVERS $HOME_NET
>>>
>>> # List of pop2/3 servers on your network
>>> var POP_SERVERS $HOME_NET
>>>
>>> # List of imap servers on your network
>>> var IMAP_SERVERS $HOME_NET
>>>
>>> # List of SunRPC servers on your network
>>> var RPC_SERVERS $HOME_NET
>>>
>>> # List of web servers on your network
>>> var WWW_SERVERS $HOME_NET
>>>
>>> # AIM servers. AOL has a habit of adding new AIM servers, so instead of
>>> # modifying the signatures when they do, we add them to this list of servers.
>>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>>
>>>
>>> # Configure your service ports. This allows snort to look for attacks destined
>>> # to a specific application only on the ports that application runs on. For
>>> # example, if you run a web server on port 8081, set your HTTP_PORTS variable
>>> # like this:
>>> #
>>> # var HTTP_PORTS 8081
>>> #
>>> # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
>>> # We will be adding support for a real list of ports in the future.
>>>
>>> # Ports you run web servers on
>>> #
>>> # Please note: [80,8080] does not work.
>>> # If you wish to define multiple HTTP ports, use the following convention
>>> # when customizing your rule set (as part of Step #6 below). This should
>>> # not be done here, as the rules files may depend on the classifications
>>> # and/or references, which are included below.
>>> #
>>> ## var HTTP_PORTS 80
>>> ## include somefile.rules
>>> ## var HTTP_PORTS 8080
>>> ## include somefile.rules
>>>
>>> # HTTP Ports on your network
>>> portvar HTTP_PORTS [80,2301,3128,8000,8080,8180,8888]
>>>
>>> # Ports you want to look for SHELLCODE on.
>>> portvar SHELLCODE_PORTS !80
>>>
>>> # Ports you do oracle attacks on
>>> portvar ORACLE_PORTS 1521
>>>
>>> # Auth / ident
>>> portvar AUTH_PORTS 113
>>>
>>> # DNS
>>> portvar DNS_PORTS 53
>>>
>>> # Finger
>>> portvar FINGER_PORTS 79
>>>
>>> # Ftp
>>> portvar FTP_PORTS 21
>>>
>>> # Imap
>>> portvar IMAP_PORTS 143
>>>
>>> # IRC
>>> portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
>>>
>>> # MS-SQL
>>> portvar MSSQL_PORTS 1433
>>>
>>> # NNTP
>>> portvar NNTP_PORTS 119
>>>
>>> # POP2
>>> portvar POP2_PORTS 109
>>>
>>> # POP3
>>> portvar POP3_PORTS 110
>>>
>>> # PortMapper
>>> portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
>>>
>>> # rlogin
>>> portvar RLOGIN_PORTS 513
>>>
>>> # rsh
>>> portvar RSH_PORTS 514
>>>
>>> # smb
>>> portvar SMB_PORTS [139,445]
>>>
>>> # smtp
>>> portvar SMTP_PORTS 25
>>>
>>> # snmp
>>> portvar SNMP_PORTS 161
>>>
>>> # ssh
>>> portvar SSH_PORTS 22
>>>
>>> # telnet
>>> portvar TELNET_PORTS 23
>>>
>>> # mail this for compatibility with versions of snort that support port lists
>>> portvar MAIL_PORTS [25,143,465,691]
>>>
>>> # SSL Ports
>>> portvar SSL_PORTS [25,443,465,636,993,995]
>>>
>>> # DCERPC NCACN-IP-TCP
>>> portvar DCERPC_NCACN_IP_TCP [139,445]
>>> portvar DCERPC_NCADG_IP_UDP [138,1024:]
>>> portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
>>> portvar DCERPC_NCACN_UDP_LONG [135,1024:]
>>> portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
>>> portvar DCERPC_NCACN_TCP [2103,2105,2107]
>>> portvar DCERPC_BRIGHTSTORE [6503,6504]
>>>
>>> # Path to your rules files (this can be a relative path)
>>> # Note for Windows users: You are advised to make this an absolute path,
>>> # such as: c:\snort\rules
>>> var RULE_PATH C:\snort\rules
>>>
>>> # Configure the snort decoder
>>> # ============================
>>> #
>>> # Snort's decoder will alert on lots of things such as header
>>> # truncation or options of unusual length or infrequently used tcp options
>>> #
>>> #
>>> # Stop generic decode events:
>>> #
>>> # config disable_decode_alerts
>>> #
>>> # Stop Alerts on experimental TCP options
>>> #
>>> # config disable_tcpopt_experimental_alerts
>>> #
>>> # Stop Alerts on obsolete TCP options
>>> #
>>> # config disable_tcpopt_obsolete_alerts
>>> #
>>> # Stop Alerts on T/TCP alerts
>>> #
>>> # In snort 2.0.1 and above, this only alerts when a TCP option is detected
>>> # that shows T/TCP being actively used on the network. If this is normal
>>> # behavior for your network, disable the next option.
>>> #
>>> # config disable_tcpopt_ttcp_alerts
>>> #
>>> # Stop Alerts on all other TCPOption type events:
>>> #
>>> # config disable_tcpopt_alerts
>>> #
>>> # Stop Alerts on invalid ip options
>>> #
>>> # config disable_ipopt_alerts
>>> #
>>> # Alert if value in length field (IP, TCP, UDP) is greater than the
>>> # actual length of the captured portion of the packet that the length
>>> # is supposed to represent:
>>> #
>>> # config enable_decode_oversized_alerts
>>> #
>>> # Same as above, but drop packet if in Inline mode -
>>> # enable_decode_oversized_alerts must be enabled for this to work:
>>> #
>>> # config enable_decode_oversized_drops
>>> #
>>> config checksum_mode: all
>>> config disable_decode_alerts
>>> config disable_tcpopt_experimental_alerts
>>> config disable_tcpopt_obsolete_alerts
>>> config disable_ttcp_alerts
>>> config disable_tcpopt_alerts
>>> config disable_ipopt_alerts
>>> config disable_decode_drops
>>>
>>> # Configure the detection engine
>>> # ===============================
>>> #
>>> # Use a different pattern matcher in case you have a machine with very limited
>>> # resources:
>>> #
>>> # config detection: search-method lowmem
>>>
>>> config detection: search-method ac-bnfa
>>> config detection: max_queue_events 5
>>> config event_queue: max_queue 8 log 3 order_events content_length
>>>
>>> # Configure Inline Resets
>>> # ========================
>>> #
>>> # If running an iptables firewall with snort in InlineMode() we can now
>>> # perform resets via a physical device. We grab the indev from iptables
>>> # and use this for the interface on which to send resets. This config
>>> # option takes an argument for the src mac address you want to use in the
>>> # reset packet. This way the bridge can remain stealthy. If the src mac
>>> # option is not set we use the mac address of the indev device. If we
>>> # don't set this option we will default to sending resets via raw socket,
>>> # which needs an ipaddress to be assigned to the int.
>>> #
>>> # config layer2resets: 00:06:76:DD:5F:E3
>>>
>>> ###################################################
>>> # Step #2: Configure dynamic loaded libraries
>>> #
>>> # If snort was configured to use dynamically loaded libraries,
>>> # those libraries can be loaded here.
>>> #
>>> # Each of the following configuration options can be done via
>>> # the command line as well.
>>> #
>>> # Load all dynamic preprocessors from the install path
>>> # (same as command line option --dynamic-preprocessor-lib-dir)
>>> #
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
>>>
>>> # Comment out above and uncomment this if running OSX
>>> #
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.dylib
>>>
>>> #
>>> # Load a specific dynamic preprocessor library from the install path
>>> # (same as command line option --dynamic-preprocessor-lib)
>>> #
>>> # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
>>> #
>>> # Load a dynamic engine from the install path
>>> # (same as command line option --dynamic-engine-lib)
>>> #
>>> dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
>>> #
>>> # Load all dynamic rules libraries from the install path
>>> # (same as command line option --dynamic-detection-lib-dir)
>>> #
>>> # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
>>> #
>>> # Load a specific dynamic rule library from the install path
>>> # (same as command line option --dynamic-detection-lib)
>>> #
>>> # Rule packages from the VRT contain a so_rules directory that contains these rules
>>> # you need to compile them using the makefile in the rules package and place
>>> # them here and add them.
>>> #
>>>
>>> # Uncomment if you are using the default VRT SO rules and have them in this directory.
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/bad-traffic.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/chat.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/dos.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/exploit.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/imap.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/misc.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/multimedia.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/netbios.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/nntp.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/p2p.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/smtp.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/sql.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-client.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-misc.so
>>>
>>>
>>> ###################################################
>>> # Step #3: Configure preprocessors
>>> #
>>> # General configuration for preprocessors is of
>>> # the form
>>> # preprocessor <name_of_processor>: <configuration_options>
>>>
>>> # frag3: Target-based IP defragmentation
>>> # --------------------------------------
>>> #
>>> # Frag3 is a brand new IP defragmentation preprocessor that is capable of
>>> # performing "target-based" processing of IP fragments. Check out the
>>> # README.frag3 file in the doc directory for more background and configuration
>>> # information.
>>> #
>>> # Frag3 configuration is a two step process, a global initialization phase
>>> # followed by the definition of a set of defragmentation engines.
>>> #
>>> # Global configuration defines the number of fragmented packets that Snort can
>>> # track at the same time and gives you options regarding the memory cap for the
>>> # subsystem or, optionally, allows you to preallocate all the memory for the
>>> # entire frag3 system.
>>> #
>>> # frag3_global options:
>>> # max_frags: Maximum number of frag trackers that may be active at once.
>>> # Default value is 8192.
>>> # memcap: Maximum amount of memory that frag3 may access at any given time.
>>> # Default value is 4MB.
>>> # prealloc_frags: Maximum number of individual fragments that may be processed
>>> # at once. This is instead of the memcap system, uses static
>>> # allocation to increase performance. No default value. Each
>>> # preallocated fragment eats ~1550 bytes.
>>> #
>>> # Target-based behavior is attached to an engine as a "policy" for handling
>>> # overlaps and retransmissions as enumerated in the Paxson paper. There are
>>> # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
>>> # and "Last". Engines can be bound to standard Snort CIDR blocks or
>>> # IP lists.
>>> #
>>> # frag3_engine options:
>>> # timeout: Amount of time a fragmented packet may be active before expiring.
>>> # Default value is 60 seconds.
>>> # ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
>>> # Based on the initial received fragment TTL.
>>> # min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
>>> # value will be discarded. Default value is 0.
>>> # detect_anomalies: Activates frag3's anomaly detection mechanisms.
>>> # policy: Target-based policy to assign to this engine. Default is Windows.
>>> # bind_to: IP address set to bind this engine to. Default is all hosts.
>>> #
>>> # Frag3 configuration example:
>>> #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
>>> #preprocessor frag3_engine: policy linux \
>>> # bind_to [10.1.1.12/32,10.1.1.13/32] \
>>> # detect_anomalies
>>> #preprocessor frag3_engine: policy first \
>>> # bind_to 10.2.1.0/24 \
>>> # detect_anomalies
>>> #preprocessor frag3_engine: policy last \
>>> # bind_to 10.3.1.0/24
>>> #preprocessor frag3_engine: policy bsd
>>>
>>> preprocessor frag3_global: max_frags 65536
>>> preprocessor frag3_engine: policy windows timeout 180
>>>
>>> # stream5: Target Based stateful inspection/stream reassembly for Snort
>>> # ---------------------------------------------------------------------
>>> # Stream5 is a target-based stream engine for Snort. Its functionality
>>> # replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
>>> # cannot be used simultaneously. Comment out the stream4 configurations
>>> # above to use Stream5.
>>> #
>>> # See README.stream5 for details on the configuration options.
>>> #
>>> # Example config (that emulates Stream4 with UDP support compiled in)
>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>> track_udp yes
>>> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
>>> ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 8000 8080 8180 8888, \
>>> ports both 443 465 563 636 989 992 993 994 995
>>> preprocessor stream5_udp: ignore_any_rules
>>>
>>>
>>> # Performance Statistics
>>> # ----------------------
>>> # Documentation for this is provided in the Snort Manual. You should read it.
>>> # It is included in the release distribution as doc/snort_manual.pdf
>>> #
>>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>>>
>>> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
>>> #
>>> # lots of options available here. See doc/README.http_inspect.
>>> # unicode.map should be wherever your snort.conf lives, or given
>>> # a full path to where snort can find it.
>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>> preprocessor http_inspect_server: \
>>> server default \
>>> apache_whitespace no \
>>> ascii no \
>>> bare_byte no \
>>> chunk_length 500000 \
>>> flow_depth 1460 \
>>> directory no \
>>> double_decode no \
>>> iis_backslash no \
>>> iis_delimiter no \
>>> iis_unicode no \
>>> multi_slash no \
>>> non_strict \
>>> oversize_dir_length 500 \
>>> ports { 80 2301 3128 8000 8080 8180 8888 } \
>>> u_encode yes \
>>> non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>> webroot no
>>>
>>> #
>>> # Example unique server configuration
>>> #
>>> #preprocessor http_inspect_server: server 1.1.1.1 \
>>> # ports { 80 3128 8080 } \
>>> # flow_depth 0 \
>>> # ascii no \
>>> # double_decode yes \
>>> # non_rfc_char { 0x00 } \
>>> # chunk_length 500000 \
>>> # non_strict \
>>> # oversize_dir_length 300 \
>>> # no_alerts
>>>
>>>
>>> # rpc_decode: normalize RPC traffic
>>> # ---------------------------------
>>> # RPC may be sent in alternate encodings besides the usual 4-byte encoding
>>> # that is used by default. This plugin takes the port numbers that RPC
>>> # services are running on as arguments - it is assumed that the given ports
>>> # are actually running this type of service. If not, change the ports or turn
>>> # it off.
>>> # The RPC decode preprocessor uses generator ID 106
>>> #
>>> # arguments: space separated list
>>> # alert_fragments - alert on any rpc fragmented TCP data
>>> # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
>>> # no_alert_large_fragments - don't alert when the fragmented
>>> # sizes exceed the current packet size
>>> # no_alert_incomplete - don't alert when a single segment
>>> # exceeds the current packet size
>>>
>>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
>>>
>>> # bo: Back Orifice detector
>>> # -------------------------
>>> # Detects Back Orifice traffic on the network.
>>> #
>>> # arguments:
>>> # syntax:
>>> # preprocessor bo: noalert { client | server | general | snort_attack } \
>>> # drop { client | server | general | snort_attack }
>>> # example:
>>> # preprocessor bo: noalert { general server } drop { snort_attack }
>>>
>>> #
>>> # The Back Orifice detector uses Generator ID 105 and uses the
>>> # following SIDS for that GID:
>>> # SID Event description
>>> # ----- -------------------
>>> # 1 Back Orifice traffic detected
>>> # 2 Back Orifice Client Traffic Detected
>>> # 3 Back Orifice Server Traffic Detected
>>> # 4 Back Orifice Snort Buffer Attack
>>>
>>> preprocessor bo
>>>
>>> # telnet_decode: Telnet negotiation string normalizer
>>> # ---------------------------------------------------
>>> # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
>>> # traffic. It works in much the same way as the http_decode preprocessor,
>>> # searching for traffic that breaks up the normal data stream of a protocol and
>>> # replacing it with a normalized representation of that traffic so that the
>>> # "content" pattern matching keyword can work without requiring modifications.
>>> # This preprocessor requires no arguments.
>>> #
>>> # DEPRECATED in favor of ftp_telnet dynamic preprocessor
>>> #preprocessor telnet_decode
>>> #
>>> # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
>>> # ---------------------------------------------------------------------------
>>> # This preprocessor normalizes telnet negotiation strings from telnet and
>>> # ftp traffic. It looks for traffic that breaks the normal data stream
>>> # of the protocol, replacing it with a normalized representation of that
>>> # traffic so that the "content" pattern matching keyword can work without
>>> # requiring modifications.
>>> #
>>> # It also performs protocol correctness checks for the FTP command channel,
>>> # and identifies open FTP data transfers.
>>> #
>>> # FTPTelnet has numerous options available, please read
>>> # README.ftptelnet for help configuring the options for the global
>>> # telnet, ftp server, and ftp client sections for the protocol.
>>>
>>> #####
>>> # Per Step #2, set the following to load the ftptelnet preprocessor
>>> # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>>> preprocessor ftp_telnet: \
>>> global \
>>> encrypted_traffic yes \
>>> check_encrypted \
>>> inspection_type stateful
>>>
>>> preprocessor ftp_telnet_protocol: \
>>> telnet \
>>> ayt_attack_thresh 20 \
>>> normalize ports { 23 } \
>>> detect_anomalies
>>>
>>> preprocessor ftp_telnet_protocol: \
>>> ftp server default \
>>> def_max_param_len 100 \
>>> ports { 21 2100 } \
>>> ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
>>> ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
>>> ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>>> ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
>>> ftp_cmds { FEAT OPTS CEL CMD MACB } \
>>> ftp_cmds { MDTM REST SIZE MLST MLSD } \
>>> ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>> alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
>>> alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
>>> alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
>>> alt_max_param_len 256 { RNTO CWD } \
>>> alt_max_param_len 400 { PORT } \
>>> alt_max_param_len 512 { SIZE } \
>>> chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
>>> chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>>> chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
>>> chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
>>> chk_str_fmt { FEAT OPTS CEL CMD } \
>>> chk_str_fmt { MDTM REST SIZE MLST MLSD } \
>>> chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>> cmd_validity MODE < char ASBCZ > \
>>> cmd_validity STRU < char FRP > \
>>> cmd_validity ALLO < int [ char R int ] > \
>>> cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
>>> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>> cmd_validity PORT < host_port >
>>>
>>> preprocessor ftp_telnet_protocol: \
>>> ftp client default \
>>> max_resp_len 200 \
>>> bounce yes \
>>> telnet_cmds no
>>>
>>> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
>>> #
>>> ---------------------------------------------------------------------------
>>> # This preprocessor normalizes SMTP commands by removing extraneous spaces.
>>> # It looks for overly long command lines, response lines, and data header lines.
>>> # It can alert on invalid commands, or specific valid commands. It can optionally
>>> # ignore mail data, and can ignore TLS encrypted data.
>>> #
>>> # SMTP has numerous options available, please read README.SMTP for help
>>> # configuring options.
>>>
>>> #####
>>> # Per Step #2, set the following to load the smtp preprocessor
>>> # dynamicpreprocessor <full path to libsf_smtp_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>>>
>>> preprocessor SMTP: \
>>> ports { 25 465 691 } \
>>> inspection_type stateful \
>>> normalize cmds \
>>> valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>>> normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>>> max_header_line_len 1000 \
>>> max_response_line_len 512 \
>>> alt_max_command_line_len 260 { MAIL } \
>>> alt_max_command_line_len 300 { RCPT } \
>>> alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>>> alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>>> alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
>>> alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
>>> alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>>> xlink2state { enable }
>>>
>>> # sfPortscan
>>> # ----------
>>> # Portscan detection module. Detects various types of portscans and
>>> # portsweeps. For more information on detection philosophy, alert types,
>>> # and detailed portscan information, please refer to the README.sfportscan.
>>> #
>>> # -configuration options-
>>> # proto { tcp udp icmp ip all }
>>> # The arguments to the proto option are the types of protocol scans that
>>> # the user wants to detect. Arguments should be separated by spaces and
>>> # not commas.
>>> # scan_type { portscan portsweep decoy_portscan distributed_portscan all }
>>> # The arguments to the scan_type option are the scan types that the
>>> # user wants to detect. Arguments should be separated by spaces and not
>>> # commas.
>>> # sense_level { low|medium|high }
>>> # There is only one argument to this option and it is the level of
>>> # sensitivity in which to detect portscans. The 'low' sensitivity
>>> # detects scans by the common method of looking for response errors, such
>>> # as TCP RSTs or ICMP unreachables. This level requires the least
>>> # tuning. The 'medium' sensitivity level detects portscans and
>>> # filtered portscans (portscans that receive no response). This
>>> # sensitivity level usually requires tuning out scan events from NATed
>>> # IPs, DNS cache servers, etc. The 'high' sensitivity level has
>>> # lower thresholds for portscan detection and a longer time window than
>>> # the 'medium' sensitivity level. Requires more tuning and may be noisy
>>> # on very active networks. However, this sensitivity level catches the
>>> # most scans.
>>> # memcap { positive integer }
>>> # The maximum number of bytes to allocate for portscan detection. The
>>> # higher this number the more nodes that can be tracked.
>>> # logfile { filename }
>>> # This option specifies the file to log portscan and detailed portscan
>>> # values to. If there is not a leading /, then snort logs to the
>>> # configured log directory. Refer to README.sfportscan for details on
>>> # the logged values in the logfile.
>>> # watch_ip { Snort IP List }
>>> # ignore_scanners { Snort IP List }
>>> # ignore_scanned { Snort IP List }
>>> # These options take a snort IP list as the argument. The 'watch_ip'
>>> # option specifies the IP(s) to watch for portscan. The
>>> # 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
>>> # Note that these hosts are still watched as scanned hosts. The
>>> # 'ignore_scanners' option is used to tune alerts from very active
>>> # hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
>>> # specifies the IP(s) to ignore as scanned hosts. Note that these hosts
>>> # are still watched as scanner hosts. The 'ignore_scanned' option is
>>> # used to tune alerts from very active hosts such as syslog servers, etc.
>>> # detect_ack_scans
>>> # This option will include sessions picked up in midstream by the stream
>>> # module, which is necessary to detect ACK scans. However, this can lead to
>>> # false alerts, especially under heavy load with dropped packets; which is why
>>> # the option is off by default.
>>> #
>>> # Disabled by default
>>> #
>>> # preprocessor sfportscan: proto { all } \
>>> # memcap { 10000000 } \
>>> # sense_level { low }
>>>
>>> # arpspoof
>>> #----------------------------------------
>>> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
>>> # unicast ARP requests, and specific ARP mapping monitoring. To make use of
>>> # this preprocessor you must specify the IP and hardware address of hosts on
>>> # the same layer 2 segment as you. Specify one host IP MAC combo per line.
>>> # Also takes a "-unicast" option to turn on unicast ARP request detection.
>>> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
>>>
>>> # SID Event description
>>> # ----- -------------------
>>> # 1 Unicast ARP request
>>> # 2 Etherframe ARP mismatch (src)
>>> # 3 Etherframe ARP mismatch (dst)
>>> # 4 ARP cache overwrite attack
>>>
>>> #preprocessor arpspoof
>>> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>>>
>>> # ssh
>>> #----------------------------------------
>>> # EXPERIMENTAL CODE!!!
>>> #
>>> # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
>>> # USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS.
>>> # YOU HAVE BEEN WARNED.
>>> #
>>> # The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
>>> # Secure CRT, and the Protocol Mismatch exploit.
>>> #
>>> # Both Gobbles and CRC 32 attacks occur after the key exchange, and are
>>> # therefore encrypted. Both attacks involve sending a large payload
>>> # (20kb+) to the server immediately after the authentication challenge.
>>> # To detect the attacks, the SSH preprocessor counts the number of bytes
>>> # transmitted to the server. If those bytes exceed a pre-defined limit
>>> # within a pre-defined number of packets, an alert is generated. Since
>>> # Gobbles only affects SSHv2 and CRC 32 only affects SSHv1, the SSH
>>> # version string exchange is used to distinguish the attacks.
>>> #
>>> # The Secure CRT and protocol mismatch exploits are observable before
>>> # the key exchange.
>>> #
>>> # SSH has numerous options available, please read README.ssh for help
>>> # configuring options.
>>>
>>> #####
>>> # Per Step #2, set the following to load the ssh preprocessor
>>> # dynamicpreprocessor <full path to libsf_ssh_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
>>> #
>>> #preprocessor ssh: server_ports { 22 } \
>>> # max_client_bytes 19600 \
>>> # max_encrypted_packets 20 \
>>> # disable_srvoverflow \
>>> # disable_protomismatch \
>>> # disable_badmsgdir
>>>
>>> #UPDATE HERE MEW#
>>> #----------------------------------------
>>> # SSL Preprocessor configuration
>>> #
>>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 },
>>> trustservers, noinspect_encrypted
>>>
>>> # DCE/RPC
>>> #----------------------------------------
>>> #
>>> # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
>>> # It is primarily interested in DCE/RPC data, and only decodes SMB
>>> # to get at the DCE/RPC data carried by the SMB layer.
>>> #
>>> # Currently, the preprocessor only handles reassembly of fragmentation
>>> # at both the SMB and DCE/RPC layer. Snort rules can be evaded by
>>> # using both types of fragmentation; with the preprocessor enabled
>>> # the rules are given a buffer with a reassembled SMB or DCE/RPC
>>> # packet to examine.
>>> #
>>> # At the SMB layer, only fragmentation using WriteAndX is currently
>>> # reassembled. Other methods will be handled in future versions of
>>> # the preprocessor.
>>> #
>>> # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
>>> # the SMB data, as well as checking the NetBIOS header (which is always
>>> # present for SMB) for the type "SMB Session".
>>> #
>>> # Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
>>> # checked in the packet. Assuming that the data is a DCE/RPC header,
>>> # one byte is checked for DCE/RPC version (5) and another for the type
>>> # "DCE/RPC Request". If both match, the preprocessor proceeds with that
>>> # assumption that it is looking at DCE/RPC data. If subsequent checks
>>> # are nonsensical, it ends processing.
>>> #
>>> # DCERPC has numerous options available, please read README.dcerpc for help
>>> # configuring options.
>>>
>>> #####
>>> # Per Step #2, set the following to load the dcerpc preprocessor
>>> # dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>>>
>>> preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
>>> preprocessor dcerpc2_server: default, policy WinXP, \
>>> detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>>> autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>>> smb_max_chain 3
>>>
>>> # DNS
>>> #----------------------------------------
>>> # The dns preprocessor (currently) decodes DNS Response traffic
>>> # and detects a few vulnerabilities.
>>> #
>>> # DNS has a few options available, please read README.dns for
>>> # help configuring options.
>>>
>>> #####
>>> # Per Step #2, set the following to load the dns preprocessor
>>> # dynamicpreprocessor <full path to libsf_dns_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>>>
>>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>>
>>> ####################################################################
>>> # Step #4: Configure output plugins
>>> #
>>> # Uncomment and configure the output plugins you decide to use. General
>>> # configuration for output plugins is of the form:
>>> #
>>> # output <name_of_plugin>: <configuration_options>
>>> #
>>> # alert_syslog: log alerts to syslog
>>> # ----------------------------------
>>> # Use one or more syslog facilities as arguments. Win32 can also optionally
>>> # specify a particular hostname/port. Under Win32, the default hostname is
>>> # '127.0.0.1', and the default port is 514.
>>> #
>>> # [Unix flavours should use this format...]
>>> # output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
>>> #
>>> # [Win32 can use any of these formats...]
>>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
>>> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>>>
>>> # log_tcpdump: log packets in binary tcpdump format
>>> # -------------------------------------------------
>>> # The only argument is the output file name.
>>> #
>>> # output log_tcpdump: tcpdump.log
>>>
>>> # database: log to a variety of databases
>>> # ---------------------------------------
>>> # See the README.database file for more information about configuring
>>> # and using this plugin.
>>> #
>>> # output database: log, mysql, user=root password=test dbname=db host=localhost
>>> # output database: alert, postgresql, user=snort dbname=snort
>>> # output database: log, odbc, user=snort dbname=snort
>>> # output database: log, mssql, dbname=snort user=snort password=test
>>> # output database: log, oracle, dbname=snort user=snort password=test
>>>
>>> # unified: Snort unified binary format alerting and logging
>>> # -------------------------------------------------------------
>>> # The unified output plugin provides two new formats for logging and generating
>>> # alerts from Snort, the "unified" format. The unified format is a straight
>>> # binary format for logging data out of Snort that is designed to be fast and
>>> # efficient. Used with barnyard (the new alert/log processor), most of the
>>> # overhead for logging and alerting to various slow storage mechanisms such as
>>> # databases or the network can now be avoided.
>>> #
>>> # Check out the spo_unified.h file for the data formats.
>>> #
>>> # Two arguments are supported.
>>> # filename - base filename to write to (current time_t is appended)
>>> # limit - maximum size of spool file in MB (default: 128)
>>> #
>>> # output alert_unified: filename snort.alert, limit 128
>>> # output log_unified: filename snort.log, limit 128
>>>
>>>
>>> # prelude: log to the Prelude Hybrid IDS system
>>> # ---------------------------------------------
>>> #
>>> # profile = Name of the Prelude profile to use (default is snort).
>>> #
>>> # Snort priority to IDMEF severity mappings:
>>> # high < medium < low < info
>>> #
>>> # These are the default mapped from classification.config:
>>> # info = 4
>>> # low = 3
>>> # medium = 2
>>> # high = anything below medium
>>> #
>>> # output alert_prelude
>>> # output alert_prelude: profile=snort-profile-name
>>>
>>>
>>> #
>>> # Include classification & priority settings
>>> # Note for Windows users: You are advised to make this an absolute path,
>>> # such as: c:\snort\etc\classification.config
>>> #
>>>
>>> include classification.config
>>>
>>> #
>>> # Include reference systems
>>> # Note for Windows users: You are advised to make this an absolute path,
>>> # such as: c:\snort\etc\reference.config
>>> #
>>>
>>> include reference.config
>>>
>>> ####################################################################
>>> # Step #5: Configure snort with config statements
>>> #
>>> # See the snort manual for a full set of configuration references
>>> #
>>> # config flowbits_size: 64
>>> #
>>> # New global ignore_ports config option from Andy Mullican
>>> #
>>> # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
>>> # config ignore_ports: tcp 21 6667:6671 1356
>>> # config ignore_ports: udp 1:17 53
>>>
>>>
>>> ####################################################################
>>> # Step #6: Customize your rule set
>>> #
>>> # Up to date snort rules are available at http://www.snort.org
>>> #
>>> # The snort web site has documentation about how to write your own custom snort
>>> # rules.
>>>
>>> #=========================================
>>> # Include all relevant rulesets here
>>> #
>>> # The following rulesets are disabled by default:
>>> #
>>> # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
>>> # chat, multimedia, and p2p
>>> #
>>> # These rules are either site policy specific or require tuning in order to not
>>> # generate false positive alerts in most environments.
>>> #
>>> # Please read the specific include file for more information and
>>> # README.alert_order for how rule ordering affects how alerts are triggered.
>>> #=========================================
>>>
>>> include $RULE_PATH/local.rules
>>> # include $RULE_PATH/bad-traffic.rules
>>> include $RULE_PATH/exploit.rules
>>> # include $RULE_PATH/scan.rules
>>> # include $RULE_PATH/finger.rules
>>> include $RULE_PATH/ftp.rules
>>> include $RULE_PATH/telnet.rules
>>> include $RULE_PATH/rpc.rules
>>> include $RULE_PATH/rservices.rules
>>> include $RULE_PATH/dos.rules
>>> include $RULE_PATH/ddos.rules
>>> include $RULE_PATH/dns.rules
>>> # include $RULE_PATH/tftp.rules
>>>
>>> include $RULE_PATH/web-cgi.rules
>>> include $RULE_PATH/web-coldfusion.rules
>>> include $RULE_PATH/web-iis.rules
>>> include $RULE_PATH/web-frontpage.rules
>>> include $RULE_PATH/web-misc.rules
>>> include $RULE_PATH/web-client.rules
>>> include $RULE_PATH/web-php.rules
>>>
>>> include $RULE_PATH/sql.rules
>>> include $RULE_PATH/x11.rules
>>> # include $RULE_PATH/icmp.rules
>>> include $RULE_PATH/netbios.rules
>>> include $RULE_PATH/misc.rules
>>> include $RULE_PATH/attack-responses.rules
>>> include $RULE_PATH/oracle.rules
>>> include $RULE_PATH/mysql.rules
>>> # include $RULE_PATH/snmp.rules
>>>
>>> include $RULE_PATH/smtp.rules
>>> include $RULE_PATH/imap.rules
>>> include $RULE_PATH/pop2.rules
>>> include $RULE_PATH/pop3.rules
>>>
>>> include $RULE_PATH/nntp.rules
>>> # include $RULE_PATH/other-ids.rules
>>> # include $RULE_PATH/web-attacks.rules
>>> include $RULE_PATH/backdoor.rules
>>> # include $RULE_PATH/shellcode.rules
>>> # include $RULE_PATH/policy.rules
>>> # include $RULE_PATH/porn.rules
>>> # include $RULE_PATH/info.rules
>>> # include $RULE_PATH/icmp-info.rules
>>> # include $RULE_PATH/virus.rules
>>> # include $RULE_PATH/chat.rules
>>> # include $RULE_PATH/multimedia.rules
>>> # include $RULE_PATH/p2p.rules
>>> include $RULE_PATH/spyware-put.rules
>>> include $RULE_PATH/specific-threats.rules
>>> # include $RULE_PATH/experimental.rules
>>> # include $RULE_PATH/content-replace.rules
>>> include $RULE_PATH/voip.rules
>>>
>>> # If you're using the so rules you need to do something like the following
>>> # cd into the so_rules directory where you built the so rules
>>> # cat *.rules >> so-rules.rules
>>> # cp to $RULE_PATH/so-rules.rules
>>> # uncomment this line
>>> # include $RULE_PATH/so-rules.rules
>>>
>>> # Include any thresholding or suppression commands. See threshold.conf in the
>>> # <snort src>/etc directory for details. Commands don't necessarily need to be
>>> # contained in this conf, but a separate conf makes it easier to maintain them.
>>> # Note for Windows users: You are advised to make this an absolute path,
>>> # such as: c:\snort\etc\threshold.conf
>>> # Uncomment if needed.
>>> # include threshold.conf
>>>
>>> =================================================
>>>
>>>
>>> --
>>>
>>>
>>> Thanks & Regards
>>>
>>> Sadanand G.
>>>
>>>
>>>
>>
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974
>>
>
>
>
> --
>
>
> Thanks & Regards
>
> Sadanand G.
>
--
joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables
unlimited royalty-free distribution of the report engine
for externally facing server and web deployment.
http://p.sf.net/sfu/businessobjects

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
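The root cause in this thread is that every `output` directive in the pasted Step #4 section is still commented out, so Snort starts cleanly yet sends nothing to the Kiwi syslog server. The following script is an added example, not code from the thread or from the Snort project: it reads a snort.conf, joins the backslash-continued lines the file uses, skips comment lines, lists the `output` plugins that are actually active, and decodes the `alert_syslog` target using the Win32 defaults the config comments state (`127.0.0.1`, port 514). The sample configuration embedded in it is constructed to mirror the posted section; `logical_lines`, `active_outputs`, `syslog_target` and `syslog_status` are names chosen for this example.

```python
"""Report which Snort output plugins a snort.conf really enables.

Added example (not part of the mailing-list thread or of Snort itself).
A line such as `# output alert_syslog: ...` is a comment, so Snort logs
nothing to syslog; this script makes that visible before Snort is restarted.
"""
import re
from typing import Dict, List, Optional, Tuple

# Defaults documented in the snort.conf comments for the Win32 build.
DEFAULT_SYSLOG_HOST = "127.0.0.1"
DEFAULT_SYSLOG_PORT = 514

# Constructed sample mirroring the posted Step #4 section: the syslog output
# is still commented out, and a preprocessor line uses backslash continuation.
POSTED_OUTPUT_SECTION = """\
# Step #4: Configure output plugins
#
# output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
# output log_tcpdump: tcpdump.log
preprocessor dcerpc2_server: default, policy WinXP, \\
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \\
    smb_max_chain 3
include classification.config
"""

# Same section with the Win32 syslog output line uncommented (constructed).
FIXED_OUTPUT_SECTION = POSTED_OUTPUT_SECTION.replace(
    "# output alert_syslog:", "output alert_syslog:"
)


def logical_lines(conf_text: str) -> List[str]:
    """Join backslash-continued lines and drop blank and comment lines."""
    lines: List[str] = []
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            # Continuation: keep collecting until a line without a trailing backslash.
            buf += line[:-1].rstrip() + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def active_outputs(conf_text: str) -> List[Tuple[str, str]]:
    """Return (plugin, options) for every uncommented `output` directive."""
    found: List[Tuple[str, str]] = []
    for line in logical_lines(conf_text):
        m = re.match(r"output\s+(\w+)\s*(?::\s*(.*))?$", line)
        if m:
            found.append((m.group(1), (m.group(2) or "").strip()))
    return found


def syslog_target(options: str) -> Dict[str, object]:
    """Decode alert_syslog options: optional `host=name[:port],` then facilities.

    Both Win32 forms from the config comments are accepted:
      `LOG_AUTH LOG_ALERT`                     -> defaults 127.0.0.1:514
      `host=hostname:port, LOG_AUTH LOG_ALERT` -> explicit host and port
    """
    host, port = DEFAULT_SYSLOG_HOST, DEFAULT_SYSLOG_PORT
    rest = options
    m = re.match(r"host=([^,:\s]+)(?::(\d+))?\s*,?\s*(.*)$", options)
    if m:
        host = m.group(1)
        if m.group(2):
            port = int(m.group(2))
        rest = m.group(3)
    return {"host": host, "port": port, "facilities": rest.split()}


def syslog_status(conf_text: str) -> Optional[Dict[str, object]]:
    """Return the decoded alert_syslog target, or None if the plugin is not enabled."""
    for plugin, options in active_outputs(conf_text):
        if plugin == "alert_syslog":
            return syslog_target(options)
    return None


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_OUTPUT_SECTION), ("fixed", FIXED_OUTPUT_SECTION)):
        print(f"[{label}] active outputs: {active_outputs(conf) or 'none'}")
        target = syslog_status(conf)
        print(f"[{label}] alert_syslog: {target if target else 'NOT enabled'}")
```

Run against the real file with `python check_outputs.py` after replacing the constructed sample with `open(r"c:\snort\etc\snort.conf").read()`; if `alert_syslog` reports `NOT enabled`, no alert can reach Kiwi regardless of which rules fire or whether `-v` is on.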