[Snort-devel] snort

OutBack Dingo dingo at ...1549...
Mon Aug 19 19:46:02 EDT 2002


Here also is the output of script.



>
> What's your snort.conf?
-------------- next part --------------
Script started on Mon Aug 19 22:39:38 2002
You have mail.
vaio# snort -c /usr/local/etc/snort.conf -i wi0 
Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface wi0

        --== Initializing Snort ==--
Decoding Ethernet on interface wi0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /usr/local/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
ERROR: Can't initialize mempool for Targets
Fatal Error, Quitting..
vaio# ^Dexit

Script done on Mon Aug 19 22:40:33 2002

