<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 10">
<meta name=Originator content="Microsoft Word 10">
<link rel=File-List href="cid:filelist.xml@...964...">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="place"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="time"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="date"/>
<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:DoNotRelyOnCSS/>
 </o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:SpellingState>Clean</w:SpellingState>
  <w:GrammarState>Clean</w:GrammarState>
  <w:DocumentKind>DocumentEmail</w:DocumentKind>
  <w:EnvelopeVis/>
  <w:Compatibility>
   <w:BreakWrappedTables/>
   <w:SnapToGridInCell/>
   <w:WrapTextWithPunct/>
   <w:UseAsianBreakRules/>
  </w:Compatibility>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
 </w:WordDocument>
</xml><![endif]--><!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {mso-style-parent:"";
        margin:0in;
        margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;
        text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;
        text-underline:single;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        mso-style-noshow:yes;
        mso-ansi-font-size:10.0pt;
        mso-bidi-font-size:10.0pt;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:windowtext;}
span.SpellE
        {mso-style-name:"";
        mso-spl-e:yes;}
span.GramE
        {mso-style-name:"";
        mso-gram-e:yes;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;
        mso-header-margin:.5in;
        mso-footer-margin:.5in;
        mso-paper-source:0;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
 /* Style Definitions */ 
 table.MsoNormalTable
        {mso-style-name:"Table Normal";
        mso-tstyle-rowband-size:0;
        mso-tstyle-colband-size:0;
        mso-style-noshow:yes;
        mso-style-parent:"";
        mso-padding-alt:0in 5.4pt 0in 5.4pt;
        mso-para-margin:0in;
        mso-para-margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:10.0pt;
        font-family:"Times New Roman";}
</style>
<![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple style='tab-interval:.5in'>

<div class=Section1>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Snort is running on a <span class=SpellE>Red Hat</span> 7.1
box that is patched up to </span></font><st1:date Month="11" Day="9" Year="2001"><font
 size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>11/9/01</span></font></st1:date><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>, running
kernel version<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Linux version 2.4.9-12
(bhcompile@...963...) (<span class=SpellE>gcc</span> version
2.96 20000731 (Red Hat Linux 7.1 2.96-85)) #1 Tue Oct 30 </span></font><st1:time
Hour="18" Minute="41"><font size=2 face=Arial><span style='font-size:10.0pt;
 font-family:Arial'>18:41:57 EST</span></font></st1:time><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'> 2001<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>System specs –<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>processor</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>       </span>: 0<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>vendor_id</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>       </span>: <span
class=SpellE>GenuineIntel</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>cpu</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> family<span
style='mso-spacerun:yes'>      </span>: 6<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>model</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>          
</span>: 8<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>model</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> name<span
style='mso-spacerun:yes'>      </span>: Pentium III (</span></font><st1:place><span
 class=SpellE><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
 Arial'>Coppermine</span></font></span></st1:place><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>)<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>stepping</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>        </span>: 1<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>cpu</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> MHz<span
style='mso-spacerun:yes'>        
</span>: 531.622<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>cache</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> size<span
style='mso-spacerun:yes'>      </span>: 256 KB<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>fdiv_bug</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>       </span><span
style='mso-spacerun:yes'> </span>: no<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>hlt_bug</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>        
</span>: no<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>f00f_bug<span
style='mso-spacerun:yes'>        </span>: no<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>coma_bug</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>        </span>: no<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>fpu</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>            
</span>: yes<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>fpu_exception</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>   </span>: yes<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>cpuid</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> level<span
style='mso-spacerun:yes'>     </span>: 2<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>wp</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>             
</span>: yes<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>flags</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>          
</span>: <span class=SpellE>fpu</span> <span class=SpellE>vme</span> de <span
class=SpellE>pse</span> <span class=SpellE>tsc</span> <span class=SpellE>msr</span>
<span class=SpellE>pae</span> <span class=SpellE>mce</span> cx8 sep <span
class=SpellE>mtrr</span> <span class=SpellE>pge</span> <span class=SpellE>mca</span>
<span class=SpellE>cmov</span> pat pse36 <span class=SpellE>mmx</span> <span
class=SpellE>fxsr</span> <span class=SpellE>sse</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>bogomips</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><span
style='mso-spacerun:yes'>        </span>:
1061.68<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><span
style='mso-spacerun:yes'>            
</span><span class=GramE>total</span><span
style='mso-spacerun:yes'>       </span>used<span
style='mso-spacerun:yes'>       </span>free<span
style='mso-spacerun:yes'>     </span>shared<span
style='mso-spacerun:yes'>    </span>buffers<span
style='mso-spacerun:yes'>     </span>cached<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Mem</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>:<span
style='mso-spacerun:yes'>       
</span>253756<span style='mso-spacerun:yes'>     
</span>99164<span style='mso-spacerun:yes'>    
</span>154592<span
style='mso-spacerun:yes'>       
</span>672<span style='mso-spacerun:yes'>      
</span>6660<span style='mso-spacerun:yes'>     
</span>38148<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>-/+ buffers/cache:<span
style='mso-spacerun:yes'>      </span>54356<span
style='mso-spacerun:yes'>     </span>199400<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Swap:<span
style='mso-spacerun:yes'>      
</span>393552<span
style='mso-spacerun:yes'>         
</span>0<span style='mso-spacerun:yes'>     </span>393552<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>It is running against <span class=SpellE>PostgreSQL</span> <span
class=GramE>version:</span> postgresql-7.1.3-1PGDG.rpm<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>It was built <span class=GramE>with:</span> libnet-1.0.2a-1snort.rpm<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Snort version <span class=GramE>is:</span> snort-1.8.2-1snort.rpm<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Everything was built from source <span class=SpellE>RPMs</span>
after the OS was patched.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Snort command line <span class=GramE>options:</span> <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>/<span class=SpellE>usr/sbin/snort</span> -D -z <span
class=SpellE><span class=GramE>est</span></span> -<span class=SpellE>i</span>
eth0 -c /etc/snort/<span class=SpellE>snort.conf</span><span
style='mso-spacerun:yes'>    </span># please note snort falls
over with or without -z <span class=SpellE>est</span><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Snort.Conf</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>var</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> HOME_NET
208.188.232.0/24<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>var</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>
EXTERNAL_NET any<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>var</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> SMTP
$HOME_NET<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>var</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>
HTTP_SERVERS $HOME_NET<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>var</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> SQL_SERVERS
$HOME_NET<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>var</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> DNS_SERVERS
$HOME_NET<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>preprocessor</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> frag2<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>preprocessor</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> stream4: <span
class=SpellE>detect_scans</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>preprocessor</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>
stream4_reassemble<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>preprocessor</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>http_decode</span>: 80 -<span class=SpellE>unicode</span> -<span
class=SpellE>cginull</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>preprocessor</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>rpc_decode</span>: 111<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>preprocessor</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>bo</span>: -<span class=SpellE>nobrute</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>preprocessor</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>telnet_decode</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>preprocessor</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>portscan</span>: $HOME_NET 4 3 <span class=SpellE>portscan.log</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>output</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> database:
log, <span class=SpellE>postgresql</span>, user=apache <span class=SpellE>dbname</span>=snort
encoding=<span class=SpellE>ascii</span> detail=fast<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>classification.config</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> bad-<span
class=SpellE>traffic.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>exploit.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>scan.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>finger.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>ftp.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>telnet.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>smtp.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>rpc.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>rservices.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>dos.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>ddos.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>dns.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>tftp.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> web-<span
class=SpellE>cgi.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> web-<span
class=SpellE>coldfusion.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> web-<span
class=SpellE>frontpage.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> web-<span
class=SpellE>iis.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> web-<span
class=SpellE>misc.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> web-<span
class=SpellE>attacks.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>sql.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> x11.rules<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>icmp.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>netbios.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>misc.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> attack-<span
class=SpellE>responses.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>backdoor.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>shellcode.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>policy.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>porn.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>info.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>icmp-info.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>virus.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>include</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>local.rules</span><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Please note that we are not getting a lot of traffic and/or
alerts or logs; the box has only logged 8 alerts in 72 hours, so I think it is not
a traffic-volume problem. I have a simple <span class=SpellE>cron</span> job in
/etc/<span class=SpellE>cron.hourly</span> that contains a script that runs
this:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>#!/</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>bin/<span
class=SpellE>sh</span><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>cd</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> /<span
class=SpellE>tmp</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>mkdir</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> .<span
class=SpellE>snort_updates</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>cd</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> .<span
class=SpellE>snort_updates</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>echo</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>
"Getting Update File"<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>wget</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>
http://www.snort.org/downloads/snortrules.tar.gz<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>echo</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>
"Extracting Rules"<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>tar</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>zxvf</span> <span class=SpellE>snortrules.tar.gz</span> *.rules<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>cd</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> rules<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>echo</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>
"Updating Rules Files"<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>mv</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> -f *.rules
/etc/snort<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>cd</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> /<span
class=SpellE>tmp</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>echo</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> "Clean
Up"<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=SpellE><span class=GramE><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'>rm</span></font></span></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> -<span
class=SpellE>rf</span> /<span class=SpellE>tmp/.snort_updates</span><o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>echo</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> "<span
class=SpellE>HUPing</span> <span class=SpellE>snortd</span>"<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>/etc/<span class=SpellE>rc.d/init.d/snortd</span> restart<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>The results of the <span class=SpellE>cron</span> job are
mailed to me every hour, and I notice from the restart output that snort has
died 2–3 times a day.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Any help is greatly appreciated; please let me know if you need
any more details. Please note that no core file was produced; this was verified
with <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>find</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> / -name "core"
-print<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>As</span></font></span><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'> a final note, snort
almost never starts via the <span class=SpellE>rc</span> file upon a reboot.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Thanks for taking the time to look at this, again all help
greatly appreciated!<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Thanks,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>JJH<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><a href="mailto:jeff.hunt@...962...">jeff.hunt@...967.....</a><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

</div>

</body>

</html>