snort-users May 2009 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: Re: [Snort-users] Error getting during snort instal

Re: [Snort-users] Error getting during snort installation steps on windows (Not able to run snortstart.bat file)

From: Sadanand Ghagare <sadanandgh_at_nospam>
Date: Thu May 21 2009 - 14:12:18 GMT
To: Joel Esler <jesler@sourcefire.com>


Hi Joel,

I have entered following line in snort.conf : output alert_syslog: host=127.0.0.1:514, LOG_Local7 LOG_ALERT But still not getting output in kiwi syslog server. could you help me please.
I am using same Snort windows system for kiwi syslog server. Whether I should try any different syslog daemon. is yes, which one you recommend?

Regards,
sadanand
On Wed, May 20, 2009 at 6:49 PM, Joel Esler <jesler@sourcefire.com> wrote:

> I suggest you take a look in your snort.conf file, look for the word
> "syslog".
>
> You won't want to use the -v option.
>
> Joel
>
>
> On Wed, May 20, 2009 at 9:00 AM, Sadanand Ghagare <sadanandgh@gmail.com>wrote:
>
>> Hi Joel,
>>
>> After enabling verbose mode, I am getting some output. Following change I
>> made in snortstart.bat
>>
>> c:\snort\bin\snort -v -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>>
>> but still I am not getting that out put in kiwi. I am new to snort. Can
>> you please to let me know the steps to enable syslog output.
>> I have installed kiwi syslog server v8.3.52 on the same machine on which I
>> have snort installed.
>>
>> Thanks,
>> Sadanand
>>
>> On Wed, May 20, 2009 at 6:10 PM, Joel Esler <jesler@sourcefire.com>wrote:
>>
>>> Sadanand,
>>>
>>> That's the successful completion start up lines. I see no errors there.
>>> I see nothing to indicate that you *should* be receiving alerts in Kiwi, as
>>> you don't have the syslog output enabled. Try configuring that, and
>>> restarting Snort.
>>>
>>> Joel
>>>
>>> On Wed, May 20, 2009 at 7:05 AM, Sadanand Ghagare <sadanandgh@gmail.com>wrote:
>>>
>>>> Hi
>>>>
>>>> I followed steps to install snort on windows 2003 standard edition. For
>>>> this, I used method of installing snort on win xp.
>>>> After installation, when I tried to run snortstart.bat file as per steps
>>>> 12, it got stuck on following prompt and I cant see snort piggy as well not
>>>> I am getting any output in Kiwi.
>>>>
>>>> --== Initialization Complete ==--
>>>>
>>>> ,,_ -*> Snort! <*-
>>>> o" )~ Version 2.8.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 26)
>>>> '''' By Martin Roesch & The Snort Team:
>>>> http://www.snort.org/team.html
>>>> Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>>> Using PCRE version: 7.4 2007-09-21
>>>>
>>>> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.10 <Build
>>>> 16>
>>>> Preprocessor Object: SF_SSLPP Version 1.1 <Build 2>
>>>> Preprocessor Object: SF_SSH Version 1.1 <Build 1>
>>>> Preprocessor Object: SF_SMTP Version 1.1 <Build 7>
>>>> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 11>
>>>> Preprocessor Object: SF_DNS Version 1.1 <Build 2>
>>>> Preprocessor Object: SF_DCERPC Version 1.1 <Build 4>
>>>> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 1>
>>>> Not Using PCAP_FRAMES
>>>>
>>>> ===================================
>>>>
>>>> Here is my snortstart.conf file:
>>>>
>>>> c:\snort\bin\snort -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>>>>
>>>> ================================
>>>>
>>>> Here is my snort.conf file:
>>>>
>>>> #VERSION:284
>>>> #--------------------------------------------------
>>>> # http://www.snort.org Snort current Ruleset
>>>> # Contact: snort-sigs@lists.sourceforge.net
>>>> #--------------------------------------------------
>>>> # $Id: snort.conf,v 1.183.4.6 2009/04/08 21:40:16 mwatchinski Exp $
>>>> #
>>>> ###################################################
>>>> # This file contains a sample snort configuration.
>>>> # You can take the following steps to create your own custom
>>>> configuration:
>>>> #
>>>> # 1) Set the variables for your network
>>>> # 2) Configure dynamic loaded libraries
>>>> # 3) Configure preprocessors
>>>> # 4) Configure output plugins
>>>> # 5) Add any runtime config directives
>>>> # 6) Customize your rule set
>>>> #
>>>> ###################################################
>>>> # Step #1: Set the network variables:
>>>> #
>>>> # You must change the following variables to reflect your local network.
>>>> The
>>>> # variable is currently setup for an RFC 1918 address space.
>>>> #
>>>> # You can specify it explicitly as:
>>>> #
>>>> # var HOME_NET 10.1.1.0/24
>>>> #
>>>> # or use global variable $<interfacename>_ADDRESS which will be always
>>>> # initialized to IP address and netmask of the network interface which
>>>> you run
>>>> # snort at. Under Windows, this must be specified as
>>>> # $(<interfacename>_ADDRESS), such as:
>>>> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
>>>> #
>>>> # var HOME_NET $eth0_ADDRESS
>>>> #
>>>> # You can specify lists of IP addresses for HOME_NET
>>>> # by separating the IPs with commas like this:
>>>> #
>>>> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>>>> #
>>>> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>>>> #
>>>> # or you can specify the variable to be any IP address
>>>> # like this:
>>>>
>>>> # Set up network addresses you are protecting. A simple start might be
>>>> RFC1918
>>>> var HOME_NET any
>>>>
>>>> # Set up the external network addresses as well. A good start may be
>>>> "any"
>>>> var EXTERNAL_NET any
>>>>
>>>> # Configure your server lists. This allows snort to only look for
>>>> attacks to
>>>> # systems that have a service up. Why look for HTTP attacks if you are
>>>> not
>>>> # running a web server? This allows quick filtering based on IP
>>>> addresses
>>>> # These configurations MUST follow the same configuration scheme as
>>>> defined
>>>> # above for $HOME_NET.
>>>>
>>>> # List of DNS servers on your network
>>>> var DNS_SERVERS $HOME_NET
>>>>
>>>> # List of SMTP servers on your network
>>>> var SMTP_SERVERS $HOME_NET
>>>>
>>>> # List of web servers on your network
>>>> var HTTP_SERVERS $HOME_NET
>>>>
>>>> # List of sql servers on your network
>>>> var SQL_SERVERS $HOME_NET
>>>>
>>>> # List of telnet servers on your network
>>>> var TELNET_SERVERS $HOME_NET
>>>>
>>>> # List of snmp servers on your network
>>>> var SNMP_SERVERS $HOME_NET
>>>>
>>>> # List of ftp servers on your network
>>>> var FTP_SERVERS $HOME_NET
>>>>
>>>> # List of ssh servers on your network
>>>> var SSH_SERVERS $HOME_NET
>>>>
>>>> # List of pop2/3 servers on your network
>>>> var POP_SERVERS $HOME_NET
>>>>
>>>> # List of imap servers on your network
>>>> var IMAP_SERVERS $HOME_NET
>>>>
>>>> # List of SunRPC servers on your network
>>>> var RPC_SERVERS $HOME_NET
>>>>
>>>> # List of web servers on your network
>>>> var WWW_SERVERS $HOME_NET
>>>>
>>>> # AIM servers. AOL has a habit of adding new AIM servers, so instead of
>>>> # modifying the signatures when they do, we add them to this list of
>>>> servers.
>>>> var AIM_SERVERS [
>>>> 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24
>>>> ]
>>>>
>>>>
>>>> # Configure your service ports. This allows snort to look for attacks
>>>> destined
>>>> # to a specific application only on the ports that application runs on.
>>>> For
>>>> # example, if you run a web server on port 8081, set your HTTP_PORTS
>>>> variable
>>>> # like this:
>>>> #
>>>> # var HTTP_PORTS 8081
>>>> #
>>>> # Port lists must either be continuous [eg 80:8080], or a single port
>>>> [eg 80].
>>>> # We will adding support for a real list of ports in the future.
>>>>
>>>> # Ports you run web servers on
>>>> #
>>>> # Please note: [80,8080] does not work.
>>>> # If you wish to define multiple HTTP ports, use the following
>>>> convention
>>>> # when customizing your rule set (as part of Step #6 below). This
>>>> should
>>>> # not be done here, as the rules files may depend on the classifications
>>>> # and/or references, which are included below.
>>>> #
>>>> ## var HTTP_PORTS 80
>>>> ## include somefile.rules
>>>> ## var HTTP_PORTS 8080
>>>> ## include somefile.rules
>>>>
>>>> # HTTP Ports on your network
>>>> portvar HTTP_PORTS [80,2301,3128,8000,8080,8180,8888]
>>>>
>>>> # Ports you want to look for SHELLCODE on.
>>>> portvar SHELLCODE_PORTS !80
>>>>
>>>> # Ports you do oracle attacks on
>>>> portvar ORACLE_PORTS 1521
>>>>
>>>> # Auth / ident
>>>> portvar AUTH_PORTS 113
>>>>
>>>> # DNS
>>>> portvar DNS_PORTS 53
>>>>
>>>> # Finger
>>>> portvar FINGER_PORTS 79
>>>>
>>>> # Ftp
>>>> portvar FTP_PORTS 21
>>>>
>>>> # Imap
>>>> portvar IMAP_PORTS 143
>>>>
>>>> # IRC
>>>> portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
>>>>
>>>> # MS-SQL
>>>> portvar MSSQL_PORTS 1433
>>>>
>>>> # NNTP
>>>> portvar NNTP_PORTS 119
>>>>
>>>> # POP2
>>>> portvar POP2_PORTS 109
>>>>
>>>> # POP3
>>>> portvar POP3_PORTS 110
>>>>
>>>> # PortMapper
>>>> portvar SUNRPC_PORTS
>>>> [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
>>>>
>>>> # rlogin
>>>> portvar RLOGIN_PORTS 513
>>>>
>>>> # rsh
>>>> portvar RSH_PORTS 514
>>>>
>>>> # smb
>>>> portvar SMB_PORTS [139,445]
>>>>
>>>> # smtp
>>>> portvar SMTP_PORTS 25
>>>>
>>>> # snmp
>>>> portvar SNMP_PORTS 161
>>>>
>>>> # ssh
>>>> portvar SSH_PORTS 22
>>>>
>>>> # telnet
>>>> portvar TELNET_PORTS 23
>>>>
>>>> # mail this for compatability with versions of snort that support port
>>>> lists
>>>> portvar MAIL_PORTS [25,143,465,691]
>>>>
>>>> # SSL Ports
>>>> portvar SSL_PORTS [25,443,465,636,993,995]
>>>>
>>>> # DCERPC NCACN-IP-TCP
>>>> portvar DCERPC_NCACN_IP_TCP [139,445]
>>>> portvar DCERPC_NCADG_IP_UDP [138,1024:]
>>>> portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
>>>> portvar DCERPC_NCACN_UDP_LONG [135,1024:]
>>>> portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
>>>> portvar DCERPC_NCACN_TCP [2103,2105,2107]
>>>> portvar DCERPC_BRIGHTSTORE [6503,6504]
>>>>
>>>> # Path to your rules files (this can be a relative path)
>>>> # Note for Windows users: You are advised to make this an absolute
>>>> path,
>>>> # such as: c:\snort\rules
>>>> var RULE_PATH C:\snort\rules
>>>>
>>>> # Configure the snort decoder
>>>> # ============================
>>>> #
>>>> # Snort's decoder will alert on lots of things such as header
>>>> # truncation or options of unusual length or infrequently used tcp
>>>> options
>>>> #
>>>> #
>>>> # Stop generic decode events:
>>>> #
>>>> # config disable_decode_alerts
>>>> #
>>>> # Stop Alerts on experimental TCP options
>>>> #
>>>> # config disable_tcpopt_experimental_alerts
>>>> #
>>>> # Stop Alerts on obsolete TCP options
>>>> #
>>>> # config disable_tcpopt_obsolete_alerts
>>>> #
>>>> # Stop Alerts on T/TCP alerts
>>>> #
>>>> # In snort 2.0.1 and above, this only alerts when a TCP option is
>>>> detected
>>>> # that shows T/TCP being actively used on the network. If this is
>>>> normal
>>>> # behavior for your network, disable the next option.
>>>> #
>>>> # config disable_tcpopt_ttcp_alerts
>>>> #
>>>> # Stop Alerts on all other TCPOption type events:
>>>> #
>>>> # config disable_tcpopt_alerts
>>>> #
>>>> # Stop Alerts on invalid ip options
>>>> #
>>>> # config disable_ipopt_alerts
>>>> #
>>>> # Alert if value in length field (IP, TCP, UDP) is greater than the
>>>> # actual length of the captured portion of the packet that the length
>>>> # is supposed to represent:
>>>> #
>>>> # config enable_decode_oversized_alerts
>>>> #
>>>> # Same as above, but drop packet if in Inline mode -
>>>> # enable_decode_oversized_alerts must be enabled for this to work:
>>>> #
>>>> # config enable_decode_oversized_drops
>>>> #
>>>> config checksum_mode: all
>>>> config disable_decode_alerts
>>>> config disable_tcpopt_experimental_alerts
>>>> config disable_tcpopt_obsolete_alerts
>>>> config disable_ttcp_alerts
>>>> config disable_tcpopt_alerts
>>>> config disable_ipopt_alerts
>>>> config disable_decode_drops
>>>>
>>>> # Configure the detection engine
>>>> # ===============================
>>>> #
>>>> # Use a different pattern matcher in case you have a machine with very
>>>> limited
>>>> # resources:
>>>> #
>>>> # config detection: search-method lowmem
>>>>
>>>> config detection: search-method ac-bnfa
>>>> config detection: max_queue_events 5
>>>> config event_queue: max_queue 8 log 3 order_events content_length
>>>>
>>>> # Configure Inline Resets
>>>> # ========================
>>>> #
>>>> # If running an iptables firewall with snort in InlineMode() we can now
>>>> # perform resets via a physical device. We grab the indev from iptables
>>>> # and use this for the interface on which to send resets. This config
>>>> # option takes an argument for the src mac address you want to use in
>>>> the
>>>> # reset packet. This way the bridge can remain stealthy. If the src mac
>>>> # option is not set we use the mac address of the indev device. If we
>>>> # don't set this option we will default to sending resets via raw
>>>> socket,
>>>> # which needs an ipaddress to be assigned to the int.
>>>> #
>>>> # config layer2resets: 00:06:76:DD:5F:E3
>>>>
>>>> ###################################################
>>>> # Step #2: Configure dynamic loaded libraries
>>>> #
>>>> # If snort was configured to use dynamically loaded libraries,
>>>> # those libraries can be loaded here.
>>>> #
>>>> # Each of the following configuration options can be done via
>>>> # the command line as well.
>>>> #
>>>> # Load all dynamic preprocessors from the install path
>>>> # (same as command line option --dynamic-preprocessor-lib-dir)
>>>> #
>>>> dynamicpreprocessor file
>>>> C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
>>>> dynamicpreprocessor file
>>>> C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
>>>> dynamicpreprocessor file
>>>> C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
>>>> dynamicpreprocessor file
>>>> C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
>>>> dynamicpreprocessor file
>>>> C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
>>>> dynamicpreprocessor file
>>>> C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
>>>> dynamicpreprocessor file
>>>> C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
>>>>
>>>> # Comment out above and uncomment this if running OSX
>>>> #
>>>> #dynamicpreprocessor file
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.dylib
>>>> #dynamicpreprocessor file
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.dylib
>>>> #dynamicpreprocessor file
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.dylib
>>>> #dynamicpreprocessor file
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.dylib
>>>> #dynamicpreprocessor file
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.dylib
>>>> #dynamicpreprocessor file
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.dylib
>>>>
>>>> #
>>>> # Load a specific dynamic preprocessor library from the install path
>>>> # (same as command line option --dynamic-preprocessor-lib)
>>>> #
>>>> # dynamicpreprocessor file
>>>> /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
>>>> #
>>>> # Load a dynamic engine from the install path
>>>> # (same as command line option --dynamic-engine-lib)
>>>> #
>>>> dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
>>>> #
>>>> # Load all dynamic rules libraries from the install path
>>>> # (same as command line option --dynamic-detection-lib-dir)
>>>> #
>>>> # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
>>>> #
>>>> # Load a specific dynamic rule library from the install path
>>>> # (same as command line option --dynamic-detection-lib)
>>>> #
>>>> # Rule packages from the VRT contain a so_rules directory that contains
>>>> these rules
>>>> # you need to compile them using the makefile in the rules package and
>>>> place
>>>> # them here and add them.
>>>> #
>>>>
>>>> # Uncomment if you are using the default VRT SO rules and have them in
>>>> this directory.
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/bad-traffic.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/chat.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/dos.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/exploit.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/imap.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/misc.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/multimedia.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/netbios.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/nntp.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/p2p.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/smtp.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/sql.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-client.so
>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-misc.so
>>>>
>>>>
>>>> ###################################################
>>>> # Step #3: Configure preprocessors
>>>> #
>>>> # General configuration for preprocessors is of
>>>> # the form
>>>> # preprocessor <name_of_processor>: <configuration_options>
>>>>
>>>> # frag3: Target-based IP defragmentation
>>>> # --------------------------------------
>>>> #
>>>> # Frag3 is a brand new IP defragmentation preprocessor that is capable
>>>> of
>>>> # performing "target-based" processing of IP fragments. Check out the
>>>> # README.frag3 file in the doc directory for more background and
>>>> configuration
>>>> # information.
>>>> #
>>>> # Frag3 configuration is a two step process, a global initialization
>>>> phase
>>>> # followed by the definition of a set of defragmentation engines.
>>>> #
>>>> # Global configuration defines the number of fragmented packets that
>>>> Snort can
>>>> # track at the same time and gives you options regarding the memory cap
>>>> for the
>>>> # subsystem or, optionally, allows you to preallocate all the memory for
>>>> the
>>>> # entire frag3 system.
>>>> #
>>>> # frag3_global options:
>>>> # max_frags: Maximum number of frag trackers that may be active at
>>>> once.
>>>> # Default value is 8192.
>>>> # memcap: Maximum amount of memory that frag3 may access at any given
>>>> time.
>>>> # Default value is 4MB.
>>>> # prealloc_frags: Maximum number of individual fragments that may be
>>>> processed
>>>> # at once. This is instead of the memcap system, uses
>>>> static
>>>> # allocation to increase performance. No default
>>>> value. Each
>>>> # preallocated fragment eats ~1550 bytes.
>>>> #
>>>> # Target-based behavior is attached to an engine as a "policy" for
>>>> handling
>>>> # overlaps and retransmissions as enumerated in the Paxson paper. There
>>>> are
>>>> # currently five policy types available: "BSD", "BSD-right", "First",
>>>> "Linux"
>>>> # and "Last". Engines can be bound to standard Snort CIDR blocks or
>>>> # IP lists.
>>>> #
>>>> # frag3_engine options:
>>>> # timeout: Amount of time a fragmented packet may be active before
>>>> expiring.
>>>> # Default value is 60 seconds.
>>>> # ttl_limit: Limit of delta allowable for TTLs of packets in the
>>>> fragments.
>>>> # Based on the initial received fragment TTL.
>>>> # min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs
>>>> below this
>>>> # value will be discarded. Default value is 0.
>>>> # detect_anomalies: Activates frag3's anomaly detection mechanisms.
>>>> # policy: Target-based policy to assign to this engine. Default is
>>>> Windows.
>>>> # bind_to: IP address set to bind this engine to. Default is all
>>>> hosts.
>>>> #
>>>> # Frag3 configuration example:
>>>> #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
>>>> #preprocessor frag3_engine: policy linux \
>>>> # bind_to [10.1.1.12/32,10.1.1.13/32] \
>>>> # detect_anomalies
>>>> #preprocessor frag3_engine: policy first \
>>>> # bind_to 10.2.1.0/24 \
>>>> # detect_anomalies
>>>> #preprocessor frag3_engine: policy last \
>>>> # bind_to 10.3.1.0/24
>>>> #preprocessor frag3_engine: policy bsd
>>>>
>>>> preprocessor frag3_global: max_frags 65536
>>>> preprocessor frag3_engine: policy windows timeout 180
>>>>
>>>> # stream5: Target Based stateful inspection/stream reassembly for Snort
>>>> # ---------------------------------------------------------------------
>>>> # Stream5 is a target-based stream engine for Snort. Its functionality
>>>> # replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
>>>> # cannot be used simultaneously. Comment out the stream4 configurations
>>>> # above to use Stream5.
>>>> #
>>>> # See README.stream5 for details on the configuration options.
>>>> #
>>>> # Example config (that emulates Stream4 with UDP support compiled in)
>>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>>> track_udp yes
>>>> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
>>>> ports client 21 23 25 42 53 80 135 136 137 139
>>>> 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 8000 8080 8180
>>>> 8888, \
>>>> ports both 443 465 563 636 989 992 993 994 995
>>>> preprocessor stream5_udp: ignore_any_rules
>>>>
>>>>
>>>> # Performance Statistics
>>>> # ----------------------
>>>> # Documentation for this is provided in the Snort Manual. You should
>>>> read it.
>>>> # It is included in the release distribution as doc/snort_manual.pdf
>>>> #
>>>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt
>>>> 10000
>>>>
>>>> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
>>>> #
>>>> # lots of options available here. See doc/README.http_inspect.
>>>> # unicode.map should be wherever your snort.conf lives, or given
>>>> # a full path to where snort can find it.
>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>>> preprocessor http_inspect_server: \
>>>> server default \
>>>> apache_whitespace no \
>>>> ascii no \
>>>> bare_byte no \
>>>> chunk_length 500000 \
>>>> flow_depth 1460 \
>>>> directory no \
>>>> double_decode no \
>>>> iis_backslash no \
>>>> iis_delimiter no \
>>>> iis_unicode no \
>>>> multi_slash no \
>>>> non_strict \
>>>> oversize_dir_length 500 \
>>>> ports { 80 2301 3128 8000 8080 8180 8888 } \
>>>> u_encode yes \
>>>> non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>> webroot no
>>>>
>>>> #
>>>> # Example unique server configuration
>>>> #
>>>> #preprocessor http_inspect_server: server 1.1.1.1 \
>>>> # ports { 80 3128 8080 } \
>>>> # flow_depth 0 \
>>>> # ascii no \
>>>> # double_decode yes \
>>>> # non_rfc_char { 0x00 } \
>>>> # chunk_length 500000 \
>>>> # non_strict \
>>>> # oversize_dir_length 300 \
>>>> # no_alerts
>>>>
>>>>
>>>> # rpc_decode: normalize RPC traffic
>>>> # ---------------------------------
>>>> # RPC may be sent in alternate encodings besides the usual 4-byte
>>>> encoding
>>>> # that is used by default. This plugin takes the port numbers that RPC
>>>> # services are running on as arguments - it is assumed that the given
>>>> ports
>>>> # are actually running this type of service. If not, change the ports or
>>>> turn
>>>> # it off.
>>>> # The RPC decode preprocessor uses generator ID 106
>>>> #
>>>> # arguments: space separated list
>>>> # alert_fragments - alert on any rpc fragmented TCP data
>>>> # no_alert_multiple_requests - don't alert when >1 rpc query is in a
>>>> packet
>>>> # no_alert_large_fragments - don't alert when the fragmented
>>>> # sizes exceed the current packet size
>>>> # no_alert_incomplete - don't alert when a single segment
>>>> # exceeds the current packet size
>>>>
>>>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776
>>>> 32777 32778 32779
>>>>
>>>> # bo: Back Orifice detector
>>>> # -------------------------
>>>> # Detects Back Orifice traffic on the network.
>>>> #
>>>> # arguments:
>>>> # syntax:
>>>> # preprocessor bo: noalert { client | server | general |
>>>> snort_attack } \
>>>> # drop { client | server | general |
>>>> snort_attack }
>>>> # example:
>>>> # preprocessor bo: noalert { general server } drop { snort_attack }
>>>>
>>>> #
>>>> # The Back Orifice detector uses Generator ID 105 and uses the
>>>> # following SIDS for that GID:
>>>> # SID Event description
>>>> # ----- -------------------
>>>> # 1 Back Orifice traffic detected
>>>> # 2 Back Orifice Client Traffic Detected
>>>> # 3 Back Orifice Server Traffic Detected
>>>> # 4 Back Orifice Snort Buffer Attack
>>>>
>>>> preprocessor bo
>>>>
>>>> # telnet_decode: Telnet negotiation string normalizer
>>>> # ---------------------------------------------------
>>>> # This preprocessor "normalizes" telnet negotiation strings from telnet
>>>> and ftp
>>>> # traffic. It works in much the same way as the http_decode
>>>> preprocessor,
>>>> # searching for traffic that breaks up the normal data stream of a
>>>> protocol and
>>>> # replacing it with a normalized representation of that traffic so that
>>>> the
>>>> # "content" pattern matching keyword can work without requiring
>>>> modifications.
>>>> # This preprocessor requires no arguments.
>>>> #
>>>> # DEPRECATED in favor of ftp_telnet dynamic preprocessor
>>>> #preprocessor telnet_decode
>>>> #
>>>> # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff
>>>> overflow
>>>> #
>>>> ---------------------------------------------------------------------------
>>>> # This preprocessor normalizes telnet negotiation strings from telnet
>>>> and
>>>> # ftp traffic. It looks for traffic that breaks the normal data stream
>>>> # of the protocol, replacing it with a normalized representation of that
>>>> # traffic so that the "content" pattern matching keyword can work
>>>> without
>>>> # requiring modifications.
>>>> #
>>>> # It also performs protocol correctness checks for the FTP command
>>>> channel,
>>>> # and identifies open FTP data transfers.
>>>> #
>>>> # FTPTelnet has numerous options available, please read
>>>> # README.ftptelnet for help configuring the options for the global
>>>> # telnet, ftp server, and ftp client sections for the protocol.
>>>>
>>>> #####
>>>> # Per Step #2, set the following to load the ftptelnet preprocessor
>>>> # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
>>>> # or use commandline option
>>>> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>>>> preprocessor ftp_telnet: \
>>>> global \
>>>> encrypted_traffic yes \
>>>> check_encrypted \
>>>> inspection_type stateful
>>>>
>>>> preprocessor ftp_telnet_protocol: \
>>>> telnet \
>>>> ayt_attack_thresh 20 \
>>>> normalize ports { 23 } \
>>>> detect_anomalies
>>>>
>>>> preprocessor ftp_telnet_protocol: \
>>>> ftp server default \
>>>> def_max_param_len 100 \
>>>> ports { 21 2100 } \
>>>> ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE
>>>> STRU MODE } \
>>>> ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD
>>>> PWD } \
>>>> ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>>>> ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
>>>> ftp_cmds { FEAT OPTS CEL CMD MACB } \
>>>> ftp_cmds { MDTM REST SIZE MLST MLSD } \
>>>> ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>>> alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP }
>>>> \
>>>> alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD
>>>> SYST TEST STAT MACB EPSV CLNT LPRT } \
>>>> alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR
>>>> HELP } \
>>>> alt_max_param_len 256 { RNTO CWD } \
>>>> alt_max_param_len 400 { PORT } \
>>>> alt_max_param_len 512 { SIZE } \
>>>> chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
>>>> chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD }
>>>> \
>>>> chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
>>>> chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
>>>> chk_str_fmt { FEAT OPTS CEL CMD } \
>>>> chk_str_fmt { MDTM REST SIZE MLST MLSD } \
>>>> chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>>> cmd_validity MODE < char ASBCZ > \
>>>> cmd_validity STRU < char FRP > \
>>>> cmd_validity ALLO < int [ char R int ] > \
>>>> cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [
>>>> number ] } > \
>>>> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>>> cmd_validity PORT < host_port >
>>>>
>>>> preprocessor ftp_telnet_protocol: \
>>>> ftp client default \
>>>> max_resp_len 200 \
>>>> bounce yes \
>>>> telnet_cmds no
>>>>
>>>> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
>>>> #
>>>> ---------------------------------------------------------------------------
>>>> # This preprocessor normalizes SMTP commands by removing extraneous
>>>> spaces.
>>>> # It looks for overly long command lines, response lines, and data
>>>> header lines.
>>>> # It can alert on invalid commands, or specific valid commands. It can
>>>> optionally
>>>> # ignore mail data, and can ignore TLS encrypted data.
>>>> #
>>>> # SMTP has numerous options available, please read README.SMTP for help
>>>> # configuring options.
>>>>
>>>> #####
>>>> # Per Step #2, set the following to load the smtp preprocessor
>>>> # dynamicpreprocessor <full path to libsf_smtp_preproc.so>
>>>> # or use commandline option
>>>> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>>>>
>>>> preprocessor SMTP: \
>>>> ports { 25 465 691 } \
>>>> inspection_type stateful \
>>>> normalize cmds \
>>>> valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT
>>>> DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN
>>>> PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME
>>>> VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA
>>>> XTRN XUSR } \
>>>> normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE
>>>> BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN
>>>> ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME
>>>> TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU
>>>> XSTA XTRN XUSR } \
>>>> max_header_line_len 1000 \
>>>> max_response_line_len 512 \
>>>> alt_max_command_line_len 260 { MAIL } \
>>>> alt_max_command_line_len 300 { RCPT } \
>>>> alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>>>> alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL
>>>> ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>>>> alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN
>>>> PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
>>>> alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB
>>>> X-EXPS X-LINK2STATE XADR } \
>>>> alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE
>>>> XQUEU XSTA XTRN XUSR } \
>>>> xlink2state { enable }
>>>>
>>>> # sfPortscan
>>>> # ----------
>>>> # Portscan detection module. Detects various types of portscans and
>>>> # portsweeps. For more information on detection philosophy, alert
>>>> types,
>>>> # and detailed portscan information, please refer to the
>>>> README.sfportscan.
>>>> #
>>>> # -configuration options-
>>>> # proto { tcp udp icmp ip all }
>>>> # The arguments to the proto option are the types of protocol
>>>> scans that
>>>> # the user wants to detect. Arguments should be separated by
>>>> spaces and
>>>> # not commas.
>>>> # scan_type { portscan portsweep decoy_portscan distributed_portscan
>>>> all }
>>>> # The arguments to the scan_type option are the scan types that
>>>> the
>>>> # user wants to detect. Arguments should be separated by spaces
>>>> and not
>>>> # commas.
>>>> # sense_level { low|medium|high }
>>>> # There is only one argument to this option and it is the level of
>>>> # sensitivity in which to detect portscans. The 'low' sensitivity
>>>> # detects scans by the common method of looking for response
>>>> errors, such
>>>> # as TCP RSTs or ICMP unreachables. This level requires the least
>>>> # tuning. The 'medium' sensitivity level detects portscans and
>>>> # filtered portscans (portscans that receive no response). This
>>>> # sensitivity level usually requires tuning out scan events from
>>>> NATed
>>>> # IPs, DNS cache servers, etc. The 'high' sensitivity level has
>>>> # lower thresholds for portscan detection and a longer time window
>>>> than
>>>> # the 'medium' sensitivity level. Requires more tuning and may be
>>>> noisy
>>>> # on very active networks. However, this sensitivity levels
>>>> catches the
>>>> # most scans.
>>>> # memcap { positive integer }
>>>> # The maximum number of bytes to allocate for portscan detection.
>>>> The
>>>> # higher this number the more nodes that can be tracked.
>>>> # logfile { filename }
>>>> # This option specifies the file to log portscan and detailed
>>>> portscan
>>>> # values to. If there is not a leading /, then snort logs to the
>>>> # configured log directory. Refer to README.sfportscan for
>>>> details on
>>>> # the logged values in the logfile.
>>>> # watch_ip { Snort IP List }
>>>> # ignore_scanners { Snort IP List }
>>>> # ignore_scanned { Snort IP List }
>>>> # These options take a snort IP list as the argument. The
>>>> 'watch_ip'
>>>> # option specifies the IP(s) to watch for portscan. The
>>>> # 'ignore_scanners' option specifies the IP(s) to ignore as
>>>> scanners.
>>>> # Note that these hosts are still watched as scanned hosts. The
>>>> # 'ignore_scanners' option is used to tune alerts from very active
>>>> # hosts such as NAT, nessus hosts, etc. The 'ignore_scanned'
>>>> option
>>>> # specifies the IP(s) to ignore as scanned hosts. Note that these
>>>> hosts
>>>> # are still watched as scanner hosts. The 'ignore_scanned' option
>>>> is
>>>> # used to tune alerts from very active hosts such as syslog
>>>> servers, etc.
>>>> # detect_ack_scans
>>>> # This option will include sessions picked up in midstream by the
>>>> stream
>>>> # module, which is necessary to detect ACK scans. However, this
>>>> can lead to
>>>> # false alerts, especially under heavy load with dropped packets;
>>>> which is why
>>>> # the option is off by default.
>>>> #
>>>> # Disabled by default
>>>> #
>>>> # preprocessor sfportscan: proto { all } \
>>>> # memcap { 10000000 } \
>>>> # sense_level { low }
>>>>
>>>> # arpspoof
>>>> #----------------------------------------
>>>> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
>>>> # unicast ARP requests, and specific ARP mapping monitoring. To make
>>>> use of
>>>> # this preprocessor you must specify the IP and hardware address of
>>>> hosts on
>>>> # the same layer 2 segment as you. Specify one host IP MAC combo per
>>>> line.
>>>> # Also takes a "-unicast" option to turn on unicast ARP request
>>>> detection.
>>>> # Arpspoof uses Generator ID 112 and uses the following SIDS for that
>>>> GID:
>>>>
>>>> # SID Event description
>>>> # ----- -------------------
>>>> # 1 Unicast ARP request
>>>> # 2 Etherframe ARP mismatch (src)
>>>> # 3 Etherframe ARP mismatch (dst)
>>>> # 4 ARP cache overwrite attack
>>>>
>>>> #preprocessor arpspoof
>>>> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>>>>
>>>> # ssh
>>>> #----------------------------------------
>>>> # EXPERIMENTAL CODE!!!
>>>> #
>>>> # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
>>>> # USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS.
>>>> # YOU HAVE BEEN WARNED.
>>>> #
>>>> # The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
>>>> # Secure CRT, and the Protocol Mismatch exploit.
>>>> #
>>>> # Both Gobbles and CRC 32 attacks occur after the key exchange, and are
>>>> # therefore encrypted. Both attacks involve sending a large payload
>>>> # (20kb+) to the server immediately after the authentication challenge.
>>>> # To detect the attacks, the SSH preprocessor counts the number of bytes
>>>> # transmitted to the server. If those bytes exceed a pre-defined limit
>>>> # within a pre-define number of packets, an alert is generated. Since
>>>> # Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH
>>>> # version string exchange is used to distinguish the attacks.
>>>> #
>>>> # The Secure CRT and protocol mismatch exploits are observable before
>>>> # the key exchange.
>>>> #
>>>> # SSH has numerous options available, please read README.ssh for help
>>>> # configuring options.
>>>>
>>>> #####
>>>> # Per Step #2, set the following to load the ssh preprocessor
>>>> # dynamicpreprocessor <full path to libsf_ssh_preproc.so>
>>>> # or use commandline option
>>>> # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
>>>> #
>>>> #preprocessor ssh: server_ports { 22 } \
>>>> # max_client_bytes 19600 \
>>>> # max_encrypted_packets 20 \
>>>> # disable_srvoverflow \
>>>> # disable_protomismatch \
>>>> # disable_badmsgdir
>>>>
>>>> #UPDATE HERE MEW#
>>>> #----------------------------------------
>>>> # SSL Preprocessor configuration
>>>> #
>>>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 },
>>>> trustservers, noinspect_encrypted
>>>>
>>>> # DCE/RPC
>>>> #----------------------------------------
>>>> #
>>>> # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
>>>> # It is primarily interested in DCE/RPC data, and only decodes SMB
>>>> # to get at the DCE/RPC data carried by the SMB layer.
>>>> #
>>>> # Currently, the preprocessor only handles reassembly of fragmentation
>>>> # at both the SMB and DCE/RPC layer. Snort rules can be evaded by
>>>> # using both types of fragmentation; with the preprocessor enabled
>>>> # the rules are given a buffer with a reassembled SMB or DCE/RPC
>>>> # packet to examine.
>>>> #
>>>> # At the SMB layer, only fragmentation using WriteAndX is currently
>>>> # reassembled. Other methods will be handled in future versions of
>>>> # the preprocessor.
>>>> #
>>>> # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
>>>> # the SMB data, as well as checking the NetBIOS header (which is always
>>>> # present for SMB) for the type "SMB Session".
>>>> #
>>>> # Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
>>>> # checked in the packet. Assuming that the data is a DCE/RPC header,
>>>> # one byte is checked for DCE/RPC version (5) and another for the type
>>>> # "DCE/RPC Request". If both match, the preprocessor proceeds with that
>>>> # assumption that it is looking at DCE/RPC data. If subsequent checks
>>>> # are nonsensical, it ends processing.
>>>> #
>>>> # DCERPC has numerous options available, please read README.dcerpc for
>>>> help
>>>> # configuring options.
>>>>
>>>> #####
>>>> # Per Step #2, set the following to load the dcerpc preprocessor
>>>> # dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
>>>> # or use commandline option
>>>> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>>>>
>>>> preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
>>>> preprocessor dcerpc2_server: default, policy WinXP, \
>>>> detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593],
>>>> \
>>>> autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>>>> smb_max_chain 3
>>>>
>>>> # DNS
>>>> #----------------------------------------
>>>> # The dns preprocessor (currently) decodes DNS Response traffic
>>>> # and detects a few vulnerabilities.
>>>> #
>>>> # DNS has a few options available, please read README.dns for
>>>> # help configuring options.
>>>>
>>>> #####
>>>> # Per Step #2, set the following to load the dns preprocessor
>>>> # dynamicpreprocessor <full path to libsf_dns_preproc.so>
>>>> # or use commandline option
>>>> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>>>>
>>>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>>>
>>>> ####################################################################
>>>> # Step #4: Configure output plugins
>>>> #
>>>> # Uncomment and configure the output plugins you decide to use. General
>>>> # configuration for output plugins is of the form:
>>>> #
>>>> # output <name_of_plugin>: <configuration_options>
>>>> #
>>>> # alert_syslog: log alerts to syslog
>>>> # ----------------------------------
>>>> # Use one or more syslog facilities as arguments. Win32 can also
>>>> optionally
>>>> # specify a particular hostname/port. Under Win32, the default hostname
>>>> is
>>>> # '127.0.0.1', and the default port is 514.
>>>> #
>>>> # [Unix flavours should use this format...]
>>>> # output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
>>>> #
>>>> # [Win32 can use any of these formats...]
>>>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>>> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
>>>> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>>>>
>>>> # log_tcpdump: log packets in binary tcpdump format
>>>> # -------------------------------------------------
>>>> # The only argument is the output file name.
>>>> #
>>>> # output log_tcpdump: tcpdump.log
>>>>
>>>> # database: log to a variety of databases
>>>> # ---------------------------------------
>>>> # See the README.database file for more information about configuring
>>>> # and using this plugin.
>>>> #
>>>> # output database: log, mysql, user=root password=test dbname=db
>>>> host=localhost
>>>> # output database: alert, postgresql, user=snort dbname=snort
>>>> # output database: log, odbc, user=snort dbname=snort
>>>> # output database: log, mssql, dbname=snort user=snort password=test
>>>> # output database: log, oracle, dbname=snort user=snort password=test
>>>>
>>>> # unified: Snort unified binary format alerting and logging
>>>> # -------------------------------------------------------------
>>>> # The unified output plugin provides two new formats for logging and
>>>> generating
>>>> # alerts from Snort, the "unified" format. The unified format is a
>>>> straight
>>>> # binary format for logging data out of Snort that is designed to be
>>>> fast and
>>>> # efficient. Used with barnyard (the new alert/log processor), most of
>>>> the
>>>> # overhead for logging and alerting to various slow storage mechanisms
>>>> such as
>>>> # databases or the network can now be avoided.
>>>> #
>>>> # Check out the spo_unified.h file for the data formats.
>>>> #
>>>> # Two arguments are supported.
>>>> # filename - base filename to write to (current time_t is appended)
>>>> # limit - maximum size of spool file in MB (default: 128)
>>>> #
>>>> # output alert_unified: filename snort.alert, limit 128
>>>> # output log_unified: filename snort.log, limit 128
>>>>
>>>>
>>>> # prelude: log to the Prelude Hybrid IDS system
>>>> # ---------------------------------------------
>>>> #
>>>> # profile = Name of the Prelude profile to use (default is snort).
>>>> #
>>>> # Snort priority to IDMEF severity mappings:
>>>> # high < medium < low < info
>>>> #
>>>> # These are the default mapped from classification.config:
>>>> # info = 4
>>>> # low = 3
>>>> # medium = 2
>>>> # high = anything below medium
>>>> #
>>>> # output alert_prelude
>>>> # output alert_prelude: profile=snort-profile-name
>>>>
>>>>
>>>> #
>>>> # Include classification & priority settings
>>>> # Note for Windows users: You are advised to make this an absolute
>>>> path,
>>>> # such as: c:\snort\etc\classification.config
>>>> #
>>>>
>>>> include classification.config
>>>>
>>>> #
>>>> # Include reference systems
>>>> # Note for Windows users: You are advised to make this an absolute
>>>> path,
>>>> # such as: c:\snort\etc\reference.config
>>>> #
>>>>
>>>> include reference.config
>>>>
>>>> ####################################################################
>>>> # Step #5: Configure snort with config statements
>>>> #
>>>> # See the snort manual for a full set of configuration references
>>>> #
>>>> # config flowbits_size: 64
>>>> #
>>>> # New global ignore_ports config option from Andy Mullican
>>>> #
>>>> # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
>>>> # config ignore_ports: tcp 21 6667:6671 1356
>>>> # config ignore_ports: udp 1:17 53
>>>>
>>>>
>>>> ####################################################################
>>>> # Step #6: Customize your rule set
>>>> #
>>>> # Up to date snort rules are available at http://www.snort.org
>>>> #
>>>> # The snort web site has documentation about how to write your own
>>>> custom snort
>>>> # rules.
>>>>
>>>> #=========================================
>>>> # Include all relevant rulesets here
>>>> #
>>>> # The following rulesets are disabled by default:
>>>> #
>>>> # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,
>>>> virus,
>>>> # chat, multimedia, and p2p
>>>> #
>>>> # These rules are either site policy specific or require tuning in order
>>>> to not
>>>> # generate false positive alerts in most enviornments.
>>>> #
>>>> # Please read the specific include file for more information and
>>>> # README.alert_order for how rule ordering affects how alerts are
>>>> triggered.
>>>> #=========================================
>>>>
>>>> include $RULE_PATH/local.rules
>>>> # include $RULE_PATH/bad-traffic.rules
>>>> include $RULE_PATH/exploit.rules
>>>> # include $RULE_PATH/scan.rules
>>>> # include $RULE_PATH/finger.rules
>>>> include $RULE_PATH/ftp.rules
>>>> include $RULE_PATH/telnet.rules
>>>> include $RULE_PATH/rpc.rules
>>>> include $RULE_PATH/rservices.rules
>>>> include $RULE_PATH/dos.rules
>>>> include $RULE_PATH/ddos.rules
>>>> include $RULE_PATH/dns.rules
>>>> # include $RULE_PATH/tftp.rules
>>>>
>>>> include $RULE_PATH/web-cgi.rules
>>>> include $RULE_PATH/web-coldfusion.rules
>>>> include $RULE_PATH/web-iis.rules
>>>> include $RULE_PATH/web-frontpage.rules
>>>> include $RULE_PATH/web-misc.rules
>>>> include $RULE_PATH/web-client.rules
>>>> include $RULE_PATH/web-php.rules
>>>>
>>>> include $RULE_PATH/sql.rules
>>>> include $RULE_PATH/x11.rules
>>>> # include $RULE_PATH/icmp.rules
>>>> include $RULE_PATH/netbios.rules
>>>> include $RULE_PATH/misc.rules
>>>> include $RULE_PATH/attack-responses.rules
>>>> include $RULE_PATH/oracle.rules
>>>> include $RULE_PATH/mysql.rules
>>>> # include $RULE_PATH/snmp.rules
>>>>
>>>> include $RULE_PATH/smtp.rules
>>>> include $RULE_PATH/imap.rules
>>>> include $RULE_PATH/pop2.rules
>>>> include $RULE_PATH/pop3.rules
>>>>
>>>> include $RULE_PATH/nntp.rules
>>>> # include $RULE_PATH/other-ids.rules
>>>> # include $RULE_PATH/web-attacks.rules
>>>> include $RULE_PATH/backdoor.rules
>>>> # include $RULE_PATH/shellcode.rules
>>>> # include $RULE_PATH/policy.rules
>>>> # include $RULE_PATH/porn.rules
>>>> # include $RULE_PATH/info.rules
>>>> # include $RULE_PATH/icmp-info.rules
>>>> # include $RULE_PATH/virus.rules
>>>> # include $RULE_PATH/chat.rules
>>>> # include $RULE_PATH/multimedia.rules
>>>> # include $RULE_PATH/p2p.rules
>>>> include $RULE_PATH/spyware-put.rules
>>>> include $RULE_PATH/specific-threats.rules
>>>> # include $RULE_PATH/experimental.rules
>>>> # include $RULE_PATH/content-replace.rules
>>>> include $RULE_PATH/voip.rules
>>>>
>>>> # If your using the so rules you need to do something like the following
>>>> # cd into the so_rules directory where you built the so rules
>>>> # cat *.rules >> so-rules.rules
>>>> # cp to $RULE_PATH/so-rules.rules
>>>> # uncomment this line
>>>> # include $RULE_PATH/so-rules.rules
>>>>
>>>> # Include any thresholding or suppression commands. See threshold.conf
>>>> in the
>>>> # <snort src>/etc directory for details. Commands don't necessarily need
>>>> to be
>>>> # contained in this conf, but a separate conf makes it easier to
>>>> maintain them.
>>>> # Note for Windows users: You are advised to make this an absolute
>>>> path,
>>>> # such as: c:\snort\etc\threshold.conf
>>>> # Uncomment if needed.
>>>> # include threshold.conf
>>>>
>>>> =================================================
>>>>
>>>>
>>>> --
>>>>
>>>>
>>>> Thanks & Regards
>>>>
>>>> Sadanand G.
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Crystal Reports - New Free Runtime and 30 Day Trial
>>>> Check out the new simplified licensing option that enables
>>>> unlimited royalty-free distribution of the report engine
>>>> for externally facing server and web deployment.
>>>> http://p.sf.net/sfu/businessobjects
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users@lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>
>>>
>>>
>>> --
>>> joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974
>>>
>>
>>
>>
>> --
>>
>>
>> Thanks & Regards
>>
>> Sadanand G.
>>
>
>
>
> --
> joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974
>
-- Thanks & Regards Sadanand G.

------------------------------------------------------------------------------ Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp asthey present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://www.creativitycat.com

_______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users