[Snort-openappid] Snort IPS with openappid not able to block webpages

Navneet Singh navneet.singh2012 at ...8...
Thu Oct 29 10:02:23 EDT 2015


I think I got what the error is but am unable to solve it. I already pasted
all the logs in the first mail. In the snort logs you can see:

*Snort logs:*
> navneet at ...103...:~$ sudo snort -d -A console -u snort -g snort -c
> /etc/snort/snort.conf -i eth0:wlan0 -Q
> Enabling inline operation
> Running in IDS mode


*It is running in IDS mode even after enabling inline operation*

I also pasted the conf file there. I think it is now much simpler for all of
you. I am new to squid and am following the documentation to install snort.
Here are the links to that documentation:

https://www.snort.org/documents/snort-ips-tutorial
https://www.snort.org/documents/snort-ips-using-daq-afpacket

Waiting for help

--
Regards
Navneet
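A small checker for the two things Y M asks about (policy mode and afpacket DAQ configuration, plus normalization), written as an added example and not code from the thread or from the Snort project: it parses a snort.conf for the config daq, config daq_mode and config policy_mode directives the linked tutorials call for and compares them with the mode line in the startup log. The config and log fragments are constructed, and the expected "Running in IPS mode" line is an assumption about what a correctly configured inline run prints.

```python
"""Cross-check a Snort 2.9 snort.conf and its startup log for the inline (IPS)
settings the afpacket tutorials call for.  Added example, not code from the
thread; the sample config and log fragments below are constructed."""
import re

# Directives the linked snort.org tutorials call for when running afpacket
# inline.  Assumption: a drop rule only blocks when all three are in place
# (daq afpacket, daq_mode inline, policy_mode inline).
REQUIRED_CONFIG = {
    "daq": "afpacket",
    "daq_mode": "inline",
    "policy_mode": "inline",
}

CONFIG_RE = re.compile(r"^\s*config\s+(\w+)\s*:\s*(.+?)\s*$")
MODE_RE = re.compile(r"^Running in (\S+) mode$", re.M)
NORM_IPS_RE = re.compile(r"^\s*tcp::ips:\s*on\s*$", re.M)


def parse_config_directives(conf_text):
    """Return {name: value} for every uncommented 'config name: value' line."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = CONFIG_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_inline_config(conf_text):
    """List the inline directives that are missing or set to another value."""
    problems = []
    directives = parse_config_directives(conf_text)
    for name, want in REQUIRED_CONFIG.items():
        got = directives.get(name)
        if got is None:
            problems.append(f"missing 'config {name}: {want}'")
        elif got.split()[0] != want:
            problems.append(f"'config {name}' is '{got}', expected '{want}'")
    return problems


def startup_mode(log_text):
    """Return the mode Snort announces at startup ('IDS', 'IPS', ...) or None."""
    m = MODE_RE.search(log_text)
    return m.group(1) if m else None


def diagnose(conf_text, log_text):
    """Combine the config check with what the sensor actually reported."""
    problems = check_inline_config(conf_text)
    mode = startup_mode(log_text)
    if mode != "IPS":                          # assumed string for a working inline run
        problems.append(f"startup log reports '{mode}' mode, not IPS")
    if NORM_IPS_RE.search(log_text) is None:   # normalize_tcp must run with 'ips'
        problems.append("normalizer does not show 'tcp::ips: on'")
    return problems


# Constructed snort.conf fragment (not the poster's file): the DAQ is inline
# but the policy_mode directive is absent.
CONF_MISSING_POLICY = """\
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024   # from the afpacket tutorial
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
"""

# The same fragment with the missing directive added.
CONF_FIXED = CONF_MISSING_POLICY + "config policy_mode: inline\n"

# Startup lines abridged from the log quoted in the thread.
LOG_IDS = """\
Enabling inline operation
Running in IDS mode
Normalizer config:
         tcp: on
    tcp::ips: on
"""

# Constructed counterpart: the line an inline-configured sensor is expected to print.
LOG_IPS = LOG_IDS.replace("Running in IDS mode", "Running in IPS mode")


if __name__ == "__main__":
    for label, conf, log in (("as constructed", CONF_MISSING_POLICY, LOG_IDS),
                             ("fixed", CONF_FIXED, LOG_IPS)):
        print(f"{label}: {diagnose(conf, log) or 'inline settings consistent'}")
```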



On Thu, Oct 29, 2015 at 12:51 PM, Navneet Singh <navneet.singh2012 at ...8...
> wrote:

> Hi Costas/Y M
>
> Thanks for your quick response.
>
> Costas, I tried to run snort with the -k option, but it was not working, so I
> think it is not related to a checksum error.
> Y M, I added snort.conf in the previous mail. I think I have configured daq and
> afpacket as inline, and normalization support too. Also, when I pasted the
> logs here I was trying with a long appid rule; I tried with a single filter
> for appid too, but was getting the same result, as I told in the previous mail.
>
> --
> Regards
> Navneet
>
> On Wed, Oct 28, 2015 at 11:11 PM, Y M <snort at ...46...> wrote:
>
>> What are your Snort policy mode and afpacket daq configurations? Try
>> setting these to support inline operations. Is normalization also
>> configured?
>>
>> You also have a warning about exceeding the max. number of allowed
>> appids per rule. While this may be unrelated, it may be something to watch
>> for.
>>
>> Sent from Mobile
>>
>>
>>
>>
>> On Wed, Oct 28, 2015 at 7:19 AM -0700, "Navneet Singh" <
>> navneet.singh2012 at ...8...> wrote:
>>
>> Hi All,
>>
>> I am testing snort 2.9.7.6 with openappid on an ubuntu 14.04 amd64 system as
>> an IPS using daq afpacket inline mode. But when I add a rule for dropping
>> packets as per an appid filter, some filters do block webpages (e.g. the https
>> appid filter blocks all https), some don't block (like the nbc appid filter),
>> and some just block for some time, until I refresh the webpage.
>>
>> Here I tested with the linkedin site; the log shows drop but I was able to
>> browse it.
>>
>> Here are the logs:
>> *Snort version:*
>> navneet at ...103...:~/snort_src/snort-2.9.7.6$ snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.7.6 GRE (Build 285)
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/contact#team
>>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All
>> rights reserved.
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.5.3
>>            Using PCRE version: 8.31 2012-07-06
>>            Using ZLIB version: 1.2.8
>>
>> navneet at ...103...:~$ snort --daq-list
>> Available DAQ modules:
>> pcap(v3): readback live multi unpriv
>> ipfw(v3): live inline multi unpriv
>> dump(v3): readback live inline multi unpriv
>> afpacket(v5): live inline multi unpriv
>>
>>
>> *Rule in use:*
>> navneet at ...103...:~/snort_src/snort-2.9.7.6$ cat
>> /etc/snort/rules/local.rules
>> drop tcp any any -> any any (msg:"No access"; appid: linkedin
>> linkedin_jobs linked_profile linked_inbox linkedin_upload linkedin_contac;
>> sid:1000006; rev:004;)
>>
>>
>> *Snort logs:*
>>
>> navneet at ...103...:~$ sudo snort -d -A console -u snort -g snort -c
>> /etc/snort/snort.conf -i eth0:wlan0 -Q
>> Enabling inline operation
>> Running in IDS mode
>>
>>         --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file "/etc/snort/snort.conf"
>> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414
>> 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001
>> 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123
>> 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999
>> 11371 34443:34444 41080 50002 55555 ]
>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
>> PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901
>> 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988
>> 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090
>> 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091
>> 9443 9999 11371 34443:34444 41080 50002 55555 ]
>> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
>> Detection:
>>    Search-Method = AC-Full-Q
>>     Split Any/Any group = enabled
>>     Search-Method-Optimizations = enabled
>>     Maximum pattern length = 20
>> Tagged Packet Limit: 256
>> Loading dynamic engine
>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>> Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/...
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
>> done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>   Finished Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/
>> Log directory = /var/log/snort
>> Normalizer config:
>>          ip4: on
>>      ip4::df: off
>>      ip4::rf: off
>>     ip4::tos: off
>>    ip4::trim: off
>>     ip4::ttl: on (min=1, new=5)
>> Normalizer config:
>>          tcp: on
>>     tcp::ecn: stream
>>   tcp::block: off
>>     tcp::rsv: off
>>     tcp::pad: off
>> tcp::req_urg: off
>> tcp::req_pay: off
>> tcp::req_urp: off
>>     tcp::urp: off
>>     tcp::opt: off
>>     tcp::ips: on
>> tcp::trim_syn: off
>> tcp::trim_rst: off
>> tcp::trim_win: off
>> tcp::trim_mss: off
>> Normalizer config:
>>        icmp4: on
>> Normalizer config:
>>          ip6: on
>>    ip6::hops: on (min=1, new=5)
>> Normalizer config:
>>        icmp6: on
>> Frag3 global config:
>>     Max frags: 65536
>>     Fragment memory cap: 4194304 bytes
>> Frag3 engine config:
>>     Bound Address: default
>>     Target-based policy: WINDOWS
>>     Fragment timeout: 180 seconds
>>     Fragment min_ttl:   1
>>     Fragment Anomalies: Alert
>>     Overlap Limit:     10
>>     Min fragment Length:     100
>>       Max Expected Streams: 768
>> Stream global config:
>>     Track TCP sessions: ACTIVE
>>     Max TCP sessions: 262144
>>     TCP cache pruning timeout: 30 seconds
>>     TCP cache nominal timeout: 3600 seconds
>>     Memcap (for reassembly packet storage): 8388608
>>     Track UDP sessions: ACTIVE
>>     Max UDP sessions: 131072
>>     UDP cache pruning timeout: 30 seconds
>>     UDP cache nominal timeout: 180 seconds
>>     Track ICMP sessions: INACTIVE
>>     Track IP sessions: INACTIVE
>>     Log info if session memory consumption exceeds 1048576
>>     Send up to 2 active responses
>>     Wait at least 5 seconds between responses
>>     Protocol Aware Flushing: ACTIVE
>>         Maximum Flush Point: 16000
>> Stream TCP Policy config:
>>     Bound Address: default
>>     Reassembly Policy: WINDOWS
>>     Timeout: 180 seconds
>>     Limit on TCP Overlaps: 10
>>     Maximum number of bytes to queue per session: 1048576
>>     Maximum number of segs to queue per session: 2621
>>     Options:
>>         Require 3-Way Handshake: YES
>>         3-Way Handshake Timeout: 180
>>         Detect Anomalies: YES
>>     Reassembly Ports:
>>       21 client (Footprint-IPS)
>>       22 client (Footprint-IPS)
>>       23 client (Footprint-IPS)
>>       25 client (Footprint-IPS)
>>       42 client (Footprint-IPS)
>>       53 client (Footprint-IPS)
>>       79 client (Footprint-IPS)
>>       80 client (Footprint-IPS) server (Footprint-IPS)
>>       81 client (Footprint-IPS) server (Footprint-IPS)
>>       109 client (Footprint-IPS)
>>       110 client (Footprint-IPS)
>>       111 client (Footprint-IPS)
>>       113 client (Footprint-IPS)
>>       119 client (Footprint-IPS)
>>       135 client (Footprint-IPS)
>>       136 client (Footprint-IPS)
>>       137 client (Footprint-IPS)
>>       139 client (Footprint-IPS)
>>       143 client (Footprint-IPS)
>>       161 client (Footprint-IPS)
>>       additional ports configured but not printed.
>> Stream UDP Policy config:
>>     Timeout: 180 seconds
>> HttpInspect Config:
>>     GLOBAL CONFIG
>>       Detect Proxy Usage:       NO
>>       IIS Unicode Map Filename: /etc/snort/unicode.map
>>       IIS Unicode Map Codepage: 1252
>>       Memcap used for logging URI and Hostname: 150994944
>>       Max Gzip Memory: 104857600
>>       Max Gzip Sessions: 225986
>>       Gzip Compress Depth: 65535
>>       Gzip Decompress Depth: 65535
>>     DEFAULT SERVER CONFIG:
>>       Server profile: All
>>       Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301
>> 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777
>> 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280
>> 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444
>> 41080 50002 55555
>>       Server Flow Depth: 0
>>       Client Flow Depth: 0
>>       Max Chunk Length: 500000
>>       Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
>>       Max Header Field Length: 750
>>       Max Number Header Fields: 100
>>       Max Number of WhiteSpaces allowed with header folding: 200
>>       Inspect Pipeline Requests: YES
>>       URI Discovery Strict Mode: NO
>>       Allow Proxy Usage: NO
>>       Disable Alerting: NO
>>       Oversize Dir Length: 500
>>       Only inspect URI: NO
>>       Normalize HTTP Headers: NO
>>       Inspect HTTP Cookies: YES
>>       Inspect HTTP Responses: YES
>>       Extract Gzip from responses: YES
>>       Decompress response files:
>>       Unlimited decompression of gzip data from responses: YES
>>       Normalize Javascripts in HTTP Responses: YES
>>       Max Number of WhiteSpaces allowed with Javascript Obfuscation in
>> HTTP responses: 200
>>       Normalize HTTP Cookies: NO
>>       Enable XFF and True Client IP: NO
>>       Log HTTP URI data: NO
>>       Log HTTP Hostname data: NO
>>       Extended ASCII code support in URI: NO
>>       Ascii: YES alert: NO
>>       Double Decoding: YES alert: NO
>>       %U Encoding: YES alert: YES
>>       Bare Byte: YES alert: NO
>>       UTF 8: YES alert: NO
>>       IIS Unicode: YES alert: NO
>>       Multiple Slash: YES alert: NO
>>       IIS Backslash: YES alert: NO
>>       Directory Traversal: YES alert: NO
>>       Web Root Traversal: YES alert: NO
>>       Apache WhiteSpace: YES alert: NO
>>       IIS Delimiter: YES alert: NO
>>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>       Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06
>> 0x07
>>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>> rpc_decode arguments:
>>     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776
>> 32777 32778 32779
>>     alert_fragments: INACTIVE
>>     alert_large_fragments: INACTIVE
>>     alert_incomplete: INACTIVE
>>     alert_multiple_requests: INACTIVE
>> FTPTelnet Config:
>>     GLOBAL CONFIG
>>       Inspection Type: stateful
>>       Check for Encrypted Traffic: YES alert: NO
>>       Continue to check encrypted data: YES
>>     TELNET CONFIG:
>>       Ports: 23
>>       Are You There Threshold: 20
>>       Normalize: YES
>>       Detect Anomalies: YES
>>     FTP CONFIG:
>>       FTP Server: default
>>         Ports (PAF): 21 2100 3535
>>         Check for Telnet Cmds: YES alert: YES
>>         Ignore Telnet Cmd Operations: YES alert: YES
>>         Ignore open data channels: NO
>>       FTP Client: default
>>         Check for Bounce Attacks: YES alert: YES
>>         Check for Telnet Cmds: YES alert: YES
>>         Ignore Telnet Cmd Operations: YES alert: YES
>>         Max Response Length: 256
>> SMTP Config:
>>     Ports: 25 465 587 691
>>     Inspection Type: Stateful
>>     Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN
>> EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND
>> STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR
>> XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT
>> X-DRCP X-ERCP X-EXCH50
>>     Ignore Data: No
>>     Ignore TLS Data: No
>>     Ignore SMTP Alerts: No
>>     Max Command Line Length: 512
>>     Max Specific Command Line Length:
>>        ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
>>        EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
>>        ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
>>        IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
>>        QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
>>        SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
>>        TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
>>        XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
>>        XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
>>        XUSR:246
>>     Max Header Line Length: 1000
>>     Max Response Line Length: 512
>>     X-Link2State Alert: Yes
>>     Drop on X-Link2State Alert: No
>>     Alert on commands: None
>>     Alert on unknown commands: No
>>     SMTP Memcap: 838860
>>     MIME Max Mem: 838860
>>     Base64 Decoding: Enabled
>>     Base64 Decoding Depth: Unlimited
>>     Quoted-Printable Decoding: Enabled
>>     Quoted-Printable Decoding Depth: Unlimited
>>     Unix-to-Unix Decoding: Enabled
>>     Unix-to-Unix Decoding Depth: Unlimited
>>     Non-Encoded MIME attachment Extraction: Enabled
>>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>>     Log Attachment filename: Enabled
>>     Log MAIL FROM Address: Enabled
>>     Log RCPT TO Addresses: Enabled
>>     Log Email Headers: Enabled
>>     Email Hdrs Log Depth: 1464
>> SSH config:
>>     Autodetection: ENABLED
>>     Challenge-Response Overflow Alert: ENABLED
>>     SSH1 CRC32 Alert: ENABLED
>>     Server Version String Overflow Alert: ENABLED
>>     Protocol Mismatch Alert: ENABLED
>>     Bad Message Direction Alert: DISABLED
>>     Bad Payload Size Alert: DISABLED
>>     Unrecognized Version Alert: DISABLED
>>     Max Encrypted Packets: 20
>>     Max Server Version String Length: 100
>>     MaxClientBytes: 19600 (Default)
>>     Ports:
>> 22
>> DCE/RPC 2 Preprocessor Configuration
>>   Global Configuration
>>     DCE/RPC Defragmentation: Enabled
>>     Memcap: 102400 KB
>>     Events: co
>>     SMB Fingerprint policy: Disabled
>>   Server Default Configuration
>>     Policy: WinXP
>>     Detect ports (PAF)
>>       SMB: 139 445
>>       TCP: 135
>>       UDP: 135
>>       RPC over HTTP server: 593
>>       RPC over HTTP proxy: None
>>     Autodetect ports (PAF)
>>       SMB: None
>>       TCP: 1025-65535
>>       UDP: 1025-65535
>>       RPC over HTTP server: 1025-65535
>>       RPC over HTTP proxy: None
>>     Invalid SMB shares: C$ D$ ADMIN$
>>     Maximum SMB command chaining: 3 commands
>>     SMB file inspection: Disabled
>> DNS config:
>>     DNS Client rdata txt Overflow Alert: ACTIVE
>>     Obsolete DNS RR Types Alert: INACTIVE
>>     Experimental DNS RR Types Alert: INACTIVE
>>     Ports: 53
>> SSLPP config:
>>     Encrypted packets: not inspected
>>     Ports:
>>       443      465      563      636      989
>>       992      993      994      995     7801
>>      7802     7900     7901     7902     7903
>>      7904     7905     7906     7907     7908
>>      7909     7910     7911     7912     7913
>>      7914     7915     7916     7917     7918
>>      7919     7920
>>     Server side data is trusted
>>     Maximum SSL Heartbeat length: 0
>> Sensitive Data preprocessor config:
>>     Global Alert Threshold: 25
>>     Masked Output: DISABLED
>> SIP config:
>>     Max number of sessions: 40000
>>     Max number of dialogs in a session: 4 (Default)
>>     Status: ENABLED
>>     Ignore media channel: DISABLED
>>     Max URI length: 512
>>     Max Call ID length: 80
>>     Max Request name length: 20 (Default)
>>     Max From length: 256 (Default)
>>     Max To length: 256 (Default)
>>     Max Via length: 1024 (Default)
>>     Max Contact length: 512
>>     Max Content length: 2048
>>     Ports:
>> 5060 5061 5600
>>     Methods:
>>  invite cancel ack bye register options refer subscribe update join info
>> message notify benotify do qauth sprack publish service unsubscribe prack
>> IMAP Config:
>>     Ports: 143
>>     IMAP Memcap: 838860
>>     MIME Max Mem: 838860
>>     Base64 Decoding: Enabled
>>     Base64 Decoding Depth: Unlimited
>>     Quoted-Printable Decoding: Enabled
>>     Quoted-Printable Decoding Depth: Unlimited
>>     Unix-to-Unix Decoding: Enabled
>>     Unix-to-Unix Decoding Depth: Unlimited
>>     Non-Encoded MIME attachment Extraction: Enabled
>>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>> POP Config:
>>     Ports: 110
>>     POP Memcap: 838860
>>     MIME Max Mem: 838860
>>     Base64 Decoding: Enabled
>>     Base64 Decoding Depth: Unlimited
>>     Quoted-Printable Decoding: Enabled
>>     Quoted-Printable Decoding Depth: Unlimited
>>     Unix-to-Unix Decoding: Enabled
>>     Unix-to-Unix Decoding Depth: Unlimited
>>     Non-Encoded MIME attachment Extraction: Enabled
>>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>> Modbus config:
>>     Ports:
>> 502
>> DNP3 config:
>>     Memcap: 262144
>>     Check Link-Layer CRCs: ENABLED
>>     Ports:
>> 20000
>> Reputation config:
>> WARNING: Can't find any whitelist/blacklist entries. Reputation
>> Preprocessor disabled.
>> AppId Configuration
>>     Detector Path:          /etc/snort/rules
>>     appStats Files:         appstats-u2.log
>>     appStats Period:        60 secs
>>     appStats Rollover Size: 20971520 bytes
>>     appStats Rollover time: 86400 secs
>>
>>     AppInfo read from /etc/snort/rules/odp/appMapping.data
>> Loading configuration file /etc/snort/rules/odp/appid.conf
>> AppId: adding appIds to list of referred web apps: 2032 1520 1306 1307
>> Could not read configuration file /etc/snort/rules/custom/userappid.conf
>> LuaJIT: Version LuaJIT 2.0.2
>>     Setting tracker size to 207
>> AppInfo: AppId 151 is UNKNOWN
>> AppInfo: AppId 3861 is UNKNOWN
>> AppInfo: AppId 3970 is UNKNOWN
>> AppInfo: AppId 939 is UNKNOWN
>> AppInfo: AppId 939 is UNKNOWN
>> AppInfo: AppId 1697 is UNKNOWN
>> AppInfo: AppId 3971 is UNKNOWN
>> AppInfo: AppId 3971 is UNKNOWN
>>     TCP Port-Only Services
>>           911 - 3442
>>           991 - 3243
>>           994 - 3350
>>           996 - 3422
>>           997 - 3207
>>           999 - 3025
>>          1010 - 3371
>>          1025 - 63
>>          1026 - 70
>>          1033 - 324
>>          1034 - 9
>>          1036 - 341
>>          1046 - 499
>>          1077 - 226
>>          1078 - 46
>>          1080 - 839
>>          1098 - 3318
>>          1099 - 3328
>>          1112 - 221
>>          1114 - 292
>>          1124 - 207
>>          1127 - 258
>>          1132 - 257
>>          1150 - 64
>>          1155 - 330
>>          1167 - 79
>>          1168 - 491
>>          1169 - 474
>>          1187 - 23
>>          1191 - 188
>>          1194 - 353
>>          1241 - 752
>>          1270 - 3222
>>          1321 - 367
>>          1352 - 720
>>          1366 - 329
>>          1498 - 458
>>          1512 - 505
>>          1521 - 3238
>>          1525 - 3277
>>          1527 - 3272
>>          1529 - 3273
>>          1534 - 3217
>>          1571 - 3684
>>          1575 - 3274
>>          1604 - 3053
>>          1626 - 824
>>          1630 - 3275
>>          1677 - 190
>>          1698 - 3938
>>          1699 - 3948
>>          1701 - 259
>>          1755 - 735
>>          1797 - 482
>>          1801 - 306
>>          1830 - 3276
>>          1863 - 307
>>          1970 - 3244
>>          1971 - 3244
>>          1974 - 76
>>          1984 - 3388
>>          1997 - 78
>>          2000 - 2940
>>          2048 - 498
>>          2070 - 3886
>>          2152 - 3140
>>          2160 - 3010
>>          2161 - 3010
>>          2189 - 3122
>>          2194 - 3122
>>          2196 - 3122
>>          2213 - 3182
>>          2217 - 3136
>>          2234 - 3103
>>          2260 - 3010
>>          2272 - 287
>>          2282 - 309
>>          2301 - 3061
>>          2351 - 3291
>>          2401 - 3078
>>          2438 - 311
>>          2478 - 416
>>          2492 - 3139
>>          2512 - 3053
>>          2513 - 3053
>>          2595 - 3439
>>          2598 - 84
>>          2629 - 3363
>>          2630 - 3362
>>          2631 - 3361
>>          2639 - 3011
>>          2698 - 283
>>          2797 - 3886
>>          2811 - 3131
>>          2887 - 3438
>>          2897 - 88
>>          2948 - 3425
>>          2949 - 3428
>>          3050 - 3129
>>          3052 - 3010
>>          3075 - 3279
>>          3076 - 3278
>>          3077 - 3280
>>          3088 - 3123
>>          3200 - 3338
>>          3211 - 3351
>>          3218 - 3113
>>          3260 - 3685
>>          3268 - 3218
>>          3300 - 3338
>>          3305 - 348
>>          3334 - 3106
>>          3335 - 3101
>>          3336 - 3102
>>          3337 - 3105
>>          3365 - 3066
>>          3397 - 93
>>          3460 - 3258
>>          3461 - 3258
>>          3462 - 3258
>>          3463 - 3258
>>          3464 - 3258
>>          3465 - 3258
>>          3502 - 3351
>>          3506 - 3010
>>          3600 - 3338
>>          3632 - 3107
>>          3690 - 2887
>>          3817 - 3686
>>          3868 - 3839
>>          3871 - 3351
>>          4035 - 3426
>>          4036 - 3427
>>          4045 - 3255
>>          4159 - 340
>>          4172 - 1189
>>          4490 - 3158
>>          4491 - 3158
>>          4514 - 3203
>>          4569 - 3687
>>          4661 - 3112
>>          4662 - 3112
>>          4663 - 3112
>>          4664 - 3112
>>          4665 - 3112
>>          4672 - 3112
>>          4673 - 3112
>>          4711 - 3112
>>          4840 - 2042
>>          4884 - 200
>>          4899 - 3315
>>          5013 - 155
>>          5325 - 3135
>>          5330 - 3436
>>          5340 - 3436
>>          5349 - 3378
>>          5355 - 267
>>          5454 - 3010
>>          5455 - 3010
>>          5456 - 3010
>>          5662 - 3112
>>          5723 - 3271
>>          5773 - 3112
>>          5783 - 3112
>>          5999 - 3688
>>          6073 - 3104
>>          6085 - 3194
>>          6090 - 3158
>>          6305 - 3034
>>          6343 - 3356
>>          6499 - 3176
>>          6502 - 3244
>>          6547 - 3010
>>          6548 - 3010
>>          6549 - 3010
>>          6582 - 3283
>>          6619 - 349
>>          6620 - 250
>>          6621 - 251
>>          6622 - 281
>>          6665 - 3282
>>          6666 - 3282
>>          6667 - 3282
>>          6668 - 3282
>>          6669 - 3282
>>          6714 - 3172
>>          6800 - 3034
>>          6891 - 3689
>>          6997 - 3226
>>          7100 - 919
>>          7210 - 2327
>>          7220 - 3144
>>          7223 - 3144
>>          7279 - 86
>>          7631 - 3395
>>          7648 - 3177
>>          7649 - 3177
>>          7845 - 3010
>>          7846 - 3010
>>          8182 - 3419
>>          8801 - 3690
>>          8880 - 3060
>>          9022 - 29
>>          9084 - 3837
>>          9100 - 3287
>>          9200 - 3424
>>          9201 - 3431
>>          9202 - 3429
>>          9203 - 3430
>>          9204 - 3434
>>          9205 - 3432
>>          9206 - 3435
>>          9207 - 3433
>>          9318 - 368
>>          9703 - 3692
>>          9704 - 3692
>>          9950 - 3010
>>          9951 - 3010
>>          9952 - 3010
>>         10000 - 1096
>>         10080 - 3691
>>         11010 - 3391
>>         11020 - 3391
>>         11965 - 3203
>>         12975 - 1156
>>         14247 - 3158
>>         14248 - 3158
>>         14249 - 3158
>>         15868 - 2790
>>         15988 - 3158
>>         15989 - 3158
>>         19150 - 3134
>>         19880 - 3369
>>         20016 - 3147
>>         20500 - 3047
>>         20510 - 3047
>>         22125 - 109
>>         24754 - 89
>>         24800 - 3063
>>         25999 - 2794
>>         27665 - 3405
>>         28960 - 3047
>>         34572 - 3158
>>         40001 - 3390
>>         40002 - 3390
>>         40003 - 3390
>>         40004 - 3390
>>         40011 - 3390
>>         47808 - 3043
>>         52300 - 3094
>>     UDP Port-Only Services
>>
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> WARNING: /etc/snort/rules/local.rules(1) too many appids in rule. Max allowed 10
>>
>> 1 Snort rules read
>>     1 detection rules
>>     0 decoder rules
>>     0 preprocessor rules
>> 1 Option Chains linked into 1 Chain Headers
>> 0 Dynamic rules
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> +-------------------[Rule Port Counts]---------------------------------------
>> |             tcp     udp    icmp      ip
>> |     src       0       0       0       0
>> |     dst       0       0       0       0
>> |     any       1       0       0       0
>> |      nc       1       0       0       0
>> |     s+d       0       0       0       0
>>
>> +----------------------------------------------------------------------------
>>
>>
>> +-----------------------[detection-filter-config]------------------------------
>> | memory-cap : 1048576 bytes
>>
>> +-----------------------[detection-filter-rules]-------------------------------
>> | none
>>
>> -------------------------------------------------------------------------------
>>
>>
>> +-----------------------[rate-filter-config]-----------------------------------
>> | memory-cap : 1048576 bytes
>>
>> +-----------------------[rate-filter-rules]------------------------------------
>> | none
>>
>> -------------------------------------------------------------------------------
>>
>>
>> +-----------------------[event-filter-config]----------------------------------
>> | memory-cap : 1048576 bytes
>>
>> +-----------------------[event-filter-global]----------------------------------
>>
>> +-----------------------[event-filter-local]-----------------------------------
>> | none
>>
>> +-----------------------[suppression]------------------------------------------
>> | none
>>
>> -------------------------------------------------------------------------------
>> Rule application order:
>> activation->dynamic->pass->drop->sdrop->reject->alert->log
>> Verifying Preprocessor Configurations!
>>
>> [ Port Based Pattern Matching Memory ]
>> +- [ Aho-Corasick Summary ] -------------------------------------
>> | Storage Format    : Full
>> | Finite Automaton  : DFA
>> | Alphabet Size     : 256 Chars
>> | Sizeof State      : 4 bytes
>> | Instances         : 2461
>> | Characters        : 61657
>> | States            : 46199
>> | Transitions       : 1383457
>> | State Density     : 11.7%
>> | Patterns          : 7344
>> | Match States      : 7568
>> | Memory (MB)       : 48.51
>> |   Patterns        : 0.68
>> |   Match Lists     : 1.12
>> |   DFA             : 45.82
>> +----------------------------------------------------------------
>> [ Number of patterns truncated to 20 bytes: 0 ]
>> afpacket DAQ configured to inline.
>> Acquiring network traffic from "eth0:wlan0".
>> Reload thread starting...
>> Reload thread started, thread 0x7f8ada54d700 (15335)
>> Set gid to 1001
>> Set uid to 999
>>
>>         --== Initialization Complete ==--
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.7.6 GRE (Build 285)
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/contact#team
>>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.5.3
>>            Using PCRE version: 8.31 2012-07-06
>>            Using ZLIB version: 1.2.8
>>
>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>>            Preprocessor Object: APPID  Version 1.1  <Build 4>
>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>> Commencing packet processing (pid=15333)
>> Decoding Ethernet
>> 10/28-19:39:19.094832  [Drop] [**] [1:1000006:4] No access [**] [Priority: 0] [AppID: linkedin_contac] {TCP} 23.67.137.227:443 -> 192.168.6.114:39651
>> ^C*** Caught Int-Signal
>>
>> ===============================================================================
>> Run time for packet processing was 82.628417 seconds
>> Snort processed 4188 packets.
>> Snort ran for 0 days 0 hours 1 minutes 22 seconds
>>    Pkts/min:         4188
>>    Pkts/sec:           51
>> *** Opening /var/log/snort/appstats-u2.log.1446041392 for output
>>
>> ===============================================================================
>> Memory usage summary:
>>   Total non-mmapped bytes (arena):       40943616
>>   Bytes in mapped regions (hblkhd):      15011840
>>   Total allocated space (uordblks):      13870944
>>   Total free space (fordblks):           27072672
>>   Topmost releasable block (keepcost):   133360
>>
>> ===============================================================================
>> Packet I/O Totals:
>>    Received:         4162
>>    Analyzed:         4188 (100.625%)
>>     Dropped:            0 (  0.000%)
>>    Filtered:            0 (  0.000%)
>> Outstanding:            0 (  0.000%)
>>    Injected:            4
>>
>> ===============================================================================
>> Breakdown by protocol (includes rebuilt packets):
>>         Eth:         4203 (100.000%)
>>        VLAN:            0 (  0.000%)
>>         IP4:         2471 ( 58.791%)
>>        Frag:            0 (  0.000%)
>>        ICMP:            0 (  0.000%)
>>         UDP:         1055 ( 25.101%)
>>         TCP:         1368 ( 32.548%)
>>         IP6:          255 (  6.067%)
>>     IP6 Ext:          294 (  6.995%)
>>    IP6 Opts:           39 (  0.928%)
>>       Frag6:            0 (  0.000%)
>>       ICMP6:           96 (  2.284%)
>>        UDP6:          159 (  3.783%)
>>        TCP6:            0 (  0.000%)
>>      Teredo:            0 (  0.000%)
>>     ICMP-IP:            0 (  0.000%)
>>     IP4/IP4:            0 (  0.000%)
>>     IP4/IP6:            0 (  0.000%)
>>     IP6/IP4:            0 (  0.000%)
>>     IP6/IP6:            0 (  0.000%)
>>         GRE:            0 (  0.000%)
>>     GRE Eth:            0 (  0.000%)
>>    GRE VLAN:            0 (  0.000%)
>>     GRE IP4:            0 (  0.000%)
>>     GRE IP6:            0 (  0.000%)
>> GRE IP6 Ext:            0 (  0.000%)
>>    GRE PPTP:            0 (  0.000%)
>>     GRE ARP:            0 (  0.000%)
>>     GRE IPX:            0 (  0.000%)
>>    GRE Loop:            0 (  0.000%)
>>        MPLS:            0 (  0.000%)
>>         ARP:         1419 ( 33.762%)
>>         IPX:            0 (  0.000%)
>>    Eth Loop:            0 (  0.000%)
>>    Eth Disc:            0 (  0.000%)
>>    IP4 Disc:            0 (  0.000%)
>>    IP6 Disc:            0 (  0.000%)
>>    TCP Disc:            0 (  0.000%)
>>    UDP Disc:            0 (  0.000%)
>>   ICMP Disc:            0 (  0.000%)
>> All Discard:            0 (  0.000%)
>>       Other:          106 (  2.522%)
>> Bad Chk Sum:            0 (  0.000%)
>>     Bad TTL:            0 (  0.000%)
>>      S5 G 1:            7 (  0.167%)
>>      S5 G 2:            8 (  0.190%)
>>       Total:         4203
>>
>> ===============================================================================
>> Action Stats:
>>      Alerts:            1 (  0.024%)
>>      Logged:            1 (  0.024%)
>>      Passed:            0 (  0.000%)
>> Limits:
>>       Match:            0
>>       Queue:            0
>>         Log:            0
>>       Event:            0
>>       Alert:            0
>> Verdicts:
>>       Allow:         3996 ( 96.012%)
>>       Block:            0 (  0.000%)
>>     Replace:           83 (  1.994%)
>>   Whitelist:           86 (  2.066%)
>>   Blacklist:           23 (  0.553%)
>>      Ignore:            0 (  0.000%)
>>       Retry:            0 (  0.000%)
>>
>> ===============================================================================
>> Normalizer statistics:
>>               ip4::trim: 0
>> Would         ip4::trim: 0
>>                ip4::tos: 0
>> Would          ip4::tos: 0
>>                 ip4::df: 0
>> Would           ip4::df: 0
>>                 ip4::rf: 0
>> Would           ip4::rf: 0
>>                ip4::ttl: 0
>> Would          ip4::ttl: 0
>>               ip4::opts: 44
>> Would         ip4::opts: 0
>>             icmp4::echo: 0
>> Would       icmp4::echo: 0
>>                ip6::ttl: 0
>> Would          ip6::ttl: 0
>>               ip6::opts: 39
>> Would         ip6::opts: 0
>>             icmp6::echo: 0
>> Would       icmp6::echo: 0
>>            tcp::syn_opt: 0
>> Would      tcp::syn_opt: 0
>>                tcp::opt: 0
>> Would          tcp::opt: 0
>>                tcp::pad: 0
>> Would          tcp::pad: 0
>>                tcp::rsv: 0
>> Would          tcp::rsv: 0
>>                 tcp::ns: 0
>> Would           tcp::ns: 0
>>                tcp::urp: 0
>> Would          tcp::urp: 0
>>            tcp::ecn_pkt: 0
>> Would      tcp::ecn_pkt: 0
>>             tcp::ts_ecr: 0
>> Would       tcp::ts_ecr: 0
>>            tcp::req_urg: 0
>> Would      tcp::req_urg: 0
>>            tcp::req_pay: 0
>> Would      tcp::req_pay: 0
>>            tcp::req_urp: 0
>> Would      tcp::req_urp: 0
>>            tcp::ecn_ssn: 0
>> Would      tcp::ecn_ssn: 0
>>             tcp::ts_nop: 0
>> Would       tcp::ts_nop: 0
>>           tcp::ips_data: 0
>> Would     tcp::ips_data: 0
>>              tcp::block: 0
>> Would        tcp::block: 0
>>           tcp::trim_syn: 0
>> Would     tcp::trim_syn: 0
>>           tcp::trim_rst: 0
>> Would     tcp::trim_rst: 0
>>           tcp::trim_win: 0
>> Would     tcp::trim_win: 0
>>           tcp::trim_mss: 0
>> Would     tcp::trim_mss: 0
>>
>> ===============================================================================
>> Frag3 statistics:
>>         Total Fragments: 0
>>       Frags Reassembled: 0
>>                Discards: 0
>>           Memory Faults: 0
>>                Timeouts: 0
>>                Overlaps: 0
>>               Anomalies: 0
>>                  Alerts: 0
>>                   Drops: 0
>>      FragTrackers Added: 0
>>     FragTrackers Dumped: 0
>> FragTrackers Auto Freed: 0
>>     Frag Nodes Inserted: 0
>>      Frag Nodes Deleted: 0
>>
>> ===============================================================================
>>
>> ===============================================================================
>> Stream statistics:
>>             Total sessions: 168
>>               TCP sessions: 26
>>               UDP sessions: 142
>>              ICMP sessions: 0
>>                IP sessions: 0
>>                 TCP Prunes: 0
>>                 UDP Prunes: 0
>>                ICMP Prunes: 0
>>                  IP Prunes: 0
>> TCP StreamTrackers Created: 26
>> TCP StreamTrackers Deleted: 26
>>               TCP Timeouts: 0
>>               TCP Overlaps: 0
>>        TCP Segments Queued: 625
>>      TCP Segments Released: 625
>>        TCP Rebuilt Packets: 312
>>          TCP Segments Used: 613
>>               TCP Discards: 0
>>                   TCP Gaps: 0
>>       UDP Sessions Created: 142
>>       UDP Sessions Deleted: 142
>>               UDP Timeouts: 0
>>               UDP Discards: 0
>>                     Events: 1
>>            Internal Events: 0
>>            TCP Port Filter
>>                   Filtered: 0
>>                  Inspected: 0
>>                    Tracked: 1331
>>            UDP Port Filter
>>                   Filtered: 0
>>                  Inspected: 0
>>                    Tracked: 142
>>
>> ===============================================================================
>>
>> ===============================================================================
>> SMTP Preprocessor Statistics
>>   Total sessions                                    : 0
>>   Max concurrent sessions                           : 0
>>
>> ===============================================================================
>> dcerpc2 Preprocessor Statistics
>>   Total sessions: 0
>>
>> ===============================================================================
>> SSL Preprocessor:
>>    SSL packets decoded: 96
>>           Client Hello: 30
>>           Server Hello: 30
>>            Certificate: 28
>>            Server Done: 14
>>    Client Key Exchange: 2
>>    Server Key Exchange: 7
>>          Change Cipher: 8
>>               Finished: 0
>>     Client Application: 2
>>     Server Application: 5
>>                  Alert: 0
>>   Unrecognized records: 22
>>   Completed handshakes: 0
>>         Bad handshakes: 0
>>       Sessions ignored: 4
>>     Detection disabled: 1
>>
>> ===============================================================================
>> SIP Preprocessor Statistics
>>   Total sessions: 0
>>
>> ===============================================================================
>> Reputation Preprocessor Statistics
>>   Total Memory Allocated: 0
>>
>> ===============================================================================
>> Application Identification Preprocessor:
>>    Total packets received : 4500
>>   Total packets processed : 2567
>>     Total packets ignored : 1933
>> Service State:
>> Lua detector Stats
>> Lua Stats total memory usage 0 kb
>> ===============================================================================
>> Snort exiting
>>
>>
>> *snort.conf:*
>> navneet at ...103...:~$ cat /etc/snort/snort.conf |grep -v ^#|grep -v ^$
>> ipvar HOME_NET 192.168.6.0/24
>> ipvar EXTERNAL_NET !$HOME_NET
>> ipvar DNS_SERVERS $HOME_NET
>> ipvar SMTP_SERVERS $HOME_NET
>> ipvar HTTP_SERVERS $HOME_NET
>> ipvar SQL_SERVERS $HOME_NET
>> ipvar TELNET_SERVERS $HOME_NET
>> ipvar SSH_SERVERS $HOME_NET
>> ipvar FTP_SERVERS $HOME_NET
>> ipvar SIP_SERVERS $HOME_NET
>> portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
>> portvar SHELLCODE_PORTS !80
>> portvar ORACLE_PORTS 1024:
>> portvar SSH_PORTS 22
>> portvar FTP_PORTS [21,2100,3535]
>> portvar SIP_PORTS [5060,5061,5600]
>> portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
>> portvar GTP_PORTS [2123,2152,3386]
>> ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>> var RULE_PATH /etc/snort/rules
>> var SO_RULE_PATH /etc/snort/so_rules
>> var PREPROC_RULE_PATH /etc/snort/preproc_rules
>> var WHITE_LIST_PATH /etc/snort/rules
>> var BLACK_LIST_PATH /etc/snort/rules
>> config disable_decode_alerts
>> config disable_tcpopt_experimental_alerts
>> config disable_tcpopt_obsolete_alerts
>> config disable_tcpopt_ttcp_alerts
>> config disable_tcpopt_alerts
>> config disable_ipopt_alerts
>> config checksum_mode: all
>> config daq:afpacket
>> config daq_dir:/usr/local/lib/daq
>> config daq_mode:inline
>> config daq_var:buffer_size_mb=1024
>> config policy_mode:inline
>> config pcre_match_limit: 3500
>> config pcre_match_limit_recursion: 1500
>> config detection: search-method ac-split search-optimize max-pattern-len 20
>> config event_queue: max_queue 8 log 5 order_events content_length
>> config paf_max: 16000
>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>> preprocessor normalize_ip4
>> preprocessor normalize_tcp: ips ecn stream
>> preprocessor normalize_icmp4
>> preprocessor normalize_ip6
>> preprocessor normalize_icmp6
>> preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>> preprocessor stream5_global: track_tcp yes, \
>>    track_udp yes, \
>>    track_icmp no, \
>>    max_tcp 262144, \
>>    max_udp 131072, \
>>    max_active_responses 2, \
>>    min_response_seconds 5
>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>>         161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
>>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>>     ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
>>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
>> preprocessor stream5_udp: timeout 180
>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 max_gzip_mem 104857600
>> preprocessor http_inspect_server: server default \
>>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>>     chunk_length 500000 \
>>     server_flow_depth 0 \
>>     client_flow_depth 0 \
>>     post_depth 65495 \
>>     oversize_dir_length 500 \
>>     max_header_length 750 \
>>     max_headers 100 \
>>     max_spaces 200 \
>>     small_chunk_length { 10 5 } \
>>     ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>     enable_cookie \
>>     extended_response_inspection \
>>     inspect_gzip \
>>     normalize_utf \
>>     unlimited_decompress \
>>     normalize_javascript \
>>     apache_whitespace no \
>>     ascii no \
>>     bare_byte no \
>>     directory no \
>>     double_decode no \
>>     iis_backslash no \
>>     iis_delimiter no \
>>     iis_unicode no \
>>     multi_slash no \
>>     utf_8 no \
>>     u_encode yes \
>>     webroot no
>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
>> preprocessor bo
>> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
>> preprocessor ftp_telnet_protocol: telnet \
>>     ayt_attack_thresh 20 \
>>     normalize ports { 23 } \
>>     detect_anomalies
>> preprocessor ftp_telnet_protocol: ftp server default \
>>     def_max_param_len 100 \
>>     ports { 21 2100 3535 } \
>>     telnet_cmds yes \
>>     ignore_telnet_erase_cmds yes \
>>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
>>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
>>     alt_max_param_len 256 { CWD RNTO } \
>>     alt_max_param_len 400 { PORT } \
>>     alt_max_param_len 512 { SIZE } \
>>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>>     cmd_validity ALLO < int [ char R int ] > \
>>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>>     cmd_validity MACB < string > \
>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>     cmd_validity MODE < char ASBCZ > \
>>     cmd_validity PORT < host_port > \
>>     cmd_validity PROT < char CSEP > \
>>     cmd_validity STRU < char FRPO [ string ] > \
>>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
>> preprocessor ftp_telnet_protocol: ftp client default \
>>     max_resp_len 256 \
>>     bounce yes \
>>     ignore_telnet_erase_cmds yes \
>>     telnet_cmds yes
>> preprocessor smtp: ports { 25 465 587 691 } \
>>     inspection_type stateful \
>>     b64_decode_depth 0 \
>>     qp_decode_depth 0 \
>>     bitenc_decode_depth 0 \
>>     uu_decode_depth 0 \
>>     log_mailfrom \
>>     log_rcptto \
>>     log_filename \
>>     log_email_hdrs \
>>     normalize cmds \
>>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>     max_command_line_len 512 \
>>     max_header_line_len 1000 \
>>     max_response_line_len 512 \
>>     alt_max_command_line_len 260 { MAIL } \
>>     alt_max_command_line_len 300 { RCPT } \
>>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>     xlink2state { enabled }
>> preprocessor ssh: server_ports { 22 } \
>>                   autodetect \
>>                   max_client_bytes 19600 \
>>                   max_encrypted_packets 20 \
>>                   max_server_version_len 100 \
>>                   enable_respoverflow enable_ssh1crc32 \
>>                   enable_srvoverflow enable_protomismatch
>> preprocessor dcerpc2: memcap 102400, events [co ]
>> preprocessor dcerpc2_server: default, policy WinXP, \
>>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>>     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
>> preprocessor dns: ports { 53 } enable_rdata_overflow
>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
>> preprocessor sensitive_data: alert_threshold 25
>> preprocessor sip: max_sessions 40000, \
>>    ports { 5060 5061 5600 }, \
>>    methods { invite \
>>              cancel \
>>              ack \
>>              bye \
>>              register \
>>              options \
>>              refer \
>>              subscribe \
>>              update \
>>              join \
>>              info \
>>              message \
>>              notify \
>>              benotify \
>>              do \
>>              qauth \
>>              sprack \
>>              publish \
>>              service \
>>              unsubscribe \
>>              prack }, \
>>    max_uri_len 512, \
>>    max_call_id_len 80, \
>>    max_requestName_len 20, \
>>    max_from_len 256, \
>>    max_to_len 256, \
>>    max_via_len 1024, \
>>    max_contact_len 512, \
>>    max_content_len 2048
>> preprocessor imap: \
>>    ports { 143 } \
>>    b64_decode_depth 0 \
>>    qp_decode_depth 0 \
>>    bitenc_decode_depth 0 \
>>    uu_decode_depth 0
>> preprocessor pop: \
>>    ports { 110 } \
>>    b64_decode_depth 0 \
>>    qp_decode_depth 0 \
>>    bitenc_decode_depth 0 \
>>    uu_decode_depth 0
>> preprocessor modbus: ports { 502 }
>> preprocessor dnp3: ports { 20000 } \
>>    memcap 262144 \
>>    check_crc
>> preprocessor reputation: \
>>    memcap 500, \
>>    priority whitelist, \
>>    nested_ip inner, \
>>    whitelist $WHITE_LIST_PATH/white_list.rules, \
>>    blacklist $BLACK_LIST_PATH/black_list.rules
>> preprocessor appid: app_stats_filename appstats-u2.log, \
>>    app_stats_period 60, \
>>    app_detector_dir /etc/snort/rules
>> output unified2: filename snort.log, limit 128, appid_event_types
>> include classification.config
>> include reference.config
>> include rules/local.rules
>> include rules/snort.rules
>> include threshold.conf
>>
>>
>> Please help me with understanding the issue causing such behaviour.
>>
>> --
>> Regards
>> Navneet
>>
>
>
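The quoted snort.conf (the daq, daq_mode and policy_mode lines and the normalize_* preprocessors) and the Verdicts block of the run summary are the places to check when an inline Snort 2.9 does not block. The script below is an added example, not part of this thread or of the Snort project: it pulls those fields out of a stripped snort.conf and an end-of-run summary and lists which inline prerequisites are not met. Its two sample inputs are constructed from lines quoted in the thread, and its checks rest on documented Snort 2.9 behaviour: blocking needs an inline-capable DAQ, `config daq_mode: inline` (or `-Q`) and `config policy_mode: inline`; a policy that is inline logs "Running in IPS mode"; Block and Blacklist are the two DAQ verdicts that drop traffic (Blacklist also drops the rest of the flow); Replace verdicts come from normalizations, which Snort applies only inline. The list of inline-capable DAQ names is taken from Snort's DAQ README and is the one assumption in the code.

```python
"""Check a Snort 2.9 inline (IPS) setup from a stripped snort.conf and a run summary.
Added example for this thread; not Snort project code.  Sample inputs are
constructed from the lines quoted in the thread."""
import re

# Assumption from Snort's DAQ README: DAQs that can operate inline (pcap cannot).
INLINE_CAPABLE_DAQS = {"afpacket", "nfq", "ipfw", "ipq"}

SAMPLE_CONF = """\
ipvar HOME_NET 192.168.6.0/24
config checksum_mode: all
config daq:afpacket
config daq_dir:/usr/local/lib/daq
config daq_mode:inline
config daq_var:buffer_size_mb=1024
config policy_mode:inline
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
include rules/local.rules
"""

SAMPLE_SUMMARY = """\
Enabling inline operation
Running in IDS mode
10/28-19:39:19.094832  [Drop] [**] [1:1000006:4] No access [**]
Verdicts:
      Allow:         3996 ( 96.012%)
      Block:            0 (  0.000%)
    Replace:           83 (  1.994%)
  Whitelist:           86 (  2.066%)
  Blacklist:           23 (  0.553%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
"""

# 'config daq:afpacket' and 'config checksum_mode: all' are both legal spellings.
CONFIG_RE = re.compile(r"^config\s+(\w+)\s*:\s*(.*?)\s*$")
PREPROC_RE = re.compile(r"^preprocessor\s+(\w+)\s*:?\s*(.*?)\s*$")
MODE_RE = re.compile(r"^Running in (\S+) mode")
VERDICT_RE = re.compile(r"^\s*(Allow|Block|Replace|Whitelist|Blacklist|Ignore|Retry):\s+(\d+)")
DROP_RE = re.compile(r"\[(Drop|WDrop)\] \[\*\*\]")   # WDrop: inline_test "would drop"


def parse_conf(text):
    """Return ({config key: value}, {preprocessor name: args}) from snort.conf text."""
    config, preprocs = {}, {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            config[m.group(1)] = m.group(2)
            continue
        m = PREPROC_RE.match(line)
        if m:
            preprocs[m.group(1)] = m.group(2)
    return config, preprocs


def parse_summary(text):
    """Return (reported mode, {verdict: count}, [Drop] alerts, [WDrop] alerts)."""
    mode, verdicts, drops, would_drops = None, {}, 0, 0
    for line in text.splitlines():
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1)
        m = VERDICT_RE.match(line)
        if m:
            verdicts[m.group(1)] = int(m.group(2))
        m = DROP_RE.search(line)
        if m:
            drops += m.group(1) == "Drop"
            would_drops += m.group(1) == "WDrop"
    return mode, verdicts, drops, would_drops


def blocking_verdicts(verdicts):
    """Packets the DAQ was told to drop: Block (this packet) + Blacklist (rest of flow too)."""
    return verdicts.get("Block", 0) + verdicts.get("Blacklist", 0)


def inline_findings(conf_text, summary_text):
    """Return human-readable findings; an empty list means every inline check passed."""
    config, preprocs = parse_conf(conf_text)
    mode, verdicts, drops, would_drops = parse_summary(summary_text)
    findings = []
    daq = config.get("daq", "pcap")            # pcap is Snort's default DAQ
    if daq not in INLINE_CAPABLE_DAQS:
        findings.append(f"DAQ '{daq}' cannot block; use one of {sorted(INLINE_CAPABLE_DAQS)}")
    if config.get("daq_mode") != "inline":
        findings.append("daq_mode is not inline: set 'config daq_mode: inline' or run with -Q")
    if config.get("policy_mode") != "inline":
        findings.append("policy_mode is not inline: drop rules cannot block without "
                        "'config policy_mode: inline'")
    if "normalize_tcp" in preprocs and "ips" not in preprocs["normalize_tcp"].split():
        findings.append("normalize_tcp lacks 'ips': TCP stream normalization is off")
    if mode is not None and mode != "IPS":
        findings.append(f"Snort logged 'Running in {mode} mode'; an inline policy logs "
                        "'Running in IPS mode'")
    if would_drops:
        findings.append(f"{would_drops} [WDrop] alert(s): drop rules fired in inline_test mode")
    if drops and blocking_verdicts(verdicts) == 0:
        findings.append(f"{drops} [Drop] alert(s) but no Block/Blacklist verdict was issued")
    return findings


if __name__ == "__main__":
    for item in inline_findings(SAMPLE_CONF, SAMPLE_SUMMARY) or ["all inline checks passed"]:
        print("-", item)
```

Run against the sample inputs, the only finding is the "Running in IDS mode" line: daq, daq_mode and policy_mode are all set for inline, and the Verdicts block shows Block 0 but Blacklist 23, so the script counts 23 dropping verdicts rather than none. Replace 83 and the non-zero (non-"Would") normalizer counters in the quoted summary likewise show the DAQ itself was inline and rewriting packets.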