[Snort-sigs] [Snort-openappid] Snort IPS with openappid not able to block webpages

Navneet Singh navneet.singh2012 at ...2420...
Thu Oct 29 03:21:00 EDT 2015


Hi Costas/Y M,

Thanks for your quick response.

Costas, I tried to run snort with the -k option, but it was not working, so I
think it is not related to a checksum error.
Y M, I added snort.conf in the previous mail. I think I have configured daq and
afpacket as inline, and normalization support too. Also, when I pasted the
logs here I was trying with a long appid rule; I tried with a single filter
for appid too, but was getting the same result, as I mentioned in the previous mail.

--
Regards
Navneet

On Wed, Oct 28, 2015 at 11:11 PM, Y M <snort at ...3751...> wrote:

> What are your Snort policy mode and afpacket daq configurations? Try
> setting these to support inline operations. Is normalization also
> configured?
>
> You also have a warning about exceeding the max. number of allowed appids
> per rule. While this may be unrelated, it may be something to watch for.
>
> Sent from Mobile
>
> On Wed, Oct 28, 2015 at 7:19 AM -0700, "Navneet Singh" <
> navneet.singh2012 at ...2420...> wrote:
>
> Hi All,
>
> I am testing snort 2.9.7.6 with openappid on an ubuntu 14.04 amd64 system as
> an IPS using daq afpacket inline mode. But when I add a rule for dropping
> packets as per an appid filter, some filters do block webpages (for example
> the https appid filter blocks all https), some don't block (like the nbc
> appid filter), and some just block for some time until I refresh the webpage.
>
> Here I tested with the linkedin site; the log shows drop but I was able to
> browse it.
>
> Here are the logs:
> *Snort version:*
> navneet at ...4088...:~/snort_src/snort-2.9.7.6$ snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.7.6 GRE (Build 285)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.5.3
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.8
>
> navneet at ...4088...:~$ snort --daq-list
> Available DAQ modules:
> pcap(v3): readback live multi unpriv
> ipfw(v3): live inline multi unpriv
> dump(v3): readback live inline multi unpriv
> afpacket(v5): live inline multi unpriv
>
>
> *Rule in use:*
> navneet at ...4088...:~/snort_src/snort-2.9.7.6$ cat
> /etc/snort/rules/local.rules
> drop tcp any any -> any any (msg:"No access"; appid: linkedin
> linkedin_jobs linked_profile linked_inbox linkedin_upload linkedin_contac;
> sid:1000006; rev:004;)
>
>
> *Snort logs:*
>
> navneet at ...4088...:~$ sudo snort -d -A console -u snort -g snort -c
> /etc/snort/snort.conf -i eth0:wlan0 -Q
> Enabling inline operation
> Running in IDS mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/snort/snort.conf"
> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741
> 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145
> 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181
> 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371
> 34443:34444 41080 50002 55555 ]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined :  [ 22 ]
> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
> PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901
> 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988
> 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090
> 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091
> 9443 9999 11371 34443:34444 41080 50002 55555 ]
> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
> Detection:
>    Search-Method = AC-Full-Q
>     Split Any/Any group = enabled
>     Search-Method-Optimizations = enabled
>     Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>   Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> Normalizer config:
>          ip4: on
>      ip4::df: off
>      ip4::rf: off
>     ip4::tos: off
>    ip4::trim: off
>     ip4::ttl: on (min=1, new=5)
> Normalizer config:
>          tcp: on
>     tcp::ecn: stream
>   tcp::block: off
>     tcp::rsv: off
>     tcp::pad: off
> tcp::req_urg: off
> tcp::req_pay: off
> tcp::req_urp: off
>     tcp::urp: off
>     tcp::opt: off
>     tcp::ips: on
> tcp::trim_syn: off
> tcp::trim_rst: off
> tcp::trim_win: off
> tcp::trim_mss: off
> Normalizer config:
>        icmp4: on
> Normalizer config:
>          ip6: on
>    ip6::hops: on (min=1, new=5)
> Normalizer config:
>        icmp6: on
> Frag3 global config:
>     Max frags: 65536
>     Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>     Bound Address: default
>     Target-based policy: WINDOWS
>     Fragment timeout: 180 seconds
>     Fragment min_ttl:   1
>     Fragment Anomalies: Alert
>     Overlap Limit:     10
>     Min fragment Length:     100
>       Max Expected Streams: 768
> Stream global config:
>     Track TCP sessions: ACTIVE
>     Max TCP sessions: 262144
>     TCP cache pruning timeout: 30 seconds
>     TCP cache nominal timeout: 3600 seconds
>     Memcap (for reassembly packet storage): 8388608
>     Track UDP sessions: ACTIVE
>     Max UDP sessions: 131072
>     UDP cache pruning timeout: 30 seconds
>     UDP cache nominal timeout: 180 seconds
>     Track ICMP sessions: INACTIVE
>     Track IP sessions: INACTIVE
>     Log info if session memory consumption exceeds 1048576
>     Send up to 2 active responses
>     Wait at least 5 seconds between responses
>     Protocol Aware Flushing: ACTIVE
>         Maximum Flush Point: 16000
> Stream TCP Policy config:
>     Bound Address: default
>     Reassembly Policy: WINDOWS
>     Timeout: 180 seconds
>     Limit on TCP Overlaps: 10
>     Maximum number of bytes to queue per session: 1048576
>     Maximum number of segs to queue per session: 2621
>     Options:
>         Require 3-Way Handshake: YES
>         3-Way Handshake Timeout: 180
>         Detect Anomalies: YES
>     Reassembly Ports:
>       21 client (Footprint-IPS)
>       22 client (Footprint-IPS)
>       23 client (Footprint-IPS)
>       25 client (Footprint-IPS)
>       42 client (Footprint-IPS)
>       53 client (Footprint-IPS)
>       79 client (Footprint-IPS)
>       80 client (Footprint-IPS) server (Footprint-IPS)
>       81 client (Footprint-IPS) server (Footprint-IPS)
>       109 client (Footprint-IPS)
>       110 client (Footprint-IPS)
>       111 client (Footprint-IPS)
>       113 client (Footprint-IPS)
>       119 client (Footprint-IPS)
>       135 client (Footprint-IPS)
>       136 client (Footprint-IPS)
>       137 client (Footprint-IPS)
>       139 client (Footprint-IPS)
>       143 client (Footprint-IPS)
>       161 client (Footprint-IPS)
>       additional ports configured but not printed.
> Stream UDP Policy config:
>     Timeout: 180 seconds
> HttpInspect Config:
>     GLOBAL CONFIG
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /etc/snort/unicode.map
>       IIS Unicode Map Codepage: 1252
>       Memcap used for logging URI and Hostname: 150994944
>       Max Gzip Memory: 104857600
>       Max Gzip Sessions: 225986
>       Gzip Compress Depth: 65535
>       Gzip Decompress Depth: 65535
>     DEFAULT SERVER CONFIG:
>       Server profile: All
>       Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381
> 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779
> 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300
> 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080
> 50002 55555
>       Server Flow Depth: 0
>       Client Flow Depth: 0
>       Max Chunk Length: 500000
>       Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
>       Max Header Field Length: 750
>       Max Number Header Fields: 100
>       Max Number of WhiteSpaces allowed with header folding: 200
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Normalize HTTP Headers: NO
>       Inspect HTTP Cookies: YES
>       Inspect HTTP Responses: YES
>       Extract Gzip from responses: YES
>       Decompress response files:
>       Unlimited decompression of gzip data from responses: YES
>       Normalize Javascripts in HTTP Responses: YES
>       Max Number of WhiteSpaces allowed with Javascript Obfuscation in
> HTTP responses: 200
>       Normalize HTTP Cookies: NO
>       Enable XFF and True Client IP: NO
>       Log HTTP URI data: NO
>       Log HTTP Hostname data: NO
>       Extended ASCII code support in URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: NO
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: NO
>       UTF 8: YES alert: NO
>       IIS Unicode: YES alert: NO
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: NO
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06
> 0x07
>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776
> 32777 32778 32779
>     alert_fragments: INACTIVE
>     alert_large_fragments: INACTIVE
>     alert_incomplete: INACTIVE
>     alert_multiple_requests: INACTIVE
> FTPTelnet Config:
>     GLOBAL CONFIG
>       Inspection Type: stateful
>       Check for Encrypted Traffic: YES alert: NO
>       Continue to check encrypted data: YES
>     TELNET CONFIG:
>       Ports: 23
>       Are You There Threshold: 20
>       Normalize: YES
>       Detect Anomalies: YES
>     FTP CONFIG:
>       FTP Server: default
>         Ports (PAF): 21 2100 3535
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Ignore open data channels: NO
>       FTP Client: default
>         Check for Bounce Attacks: YES alert: YES
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Max Response Length: 256
> SMTP Config:
>     Ports: 25 465 587 691
>     Inspection Type: Stateful
>     Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN
> EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND
> STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR
> XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT
> X-DRCP X-ERCP X-EXCH50
>     Ignore Data: No
>     Ignore TLS Data: No
>     Ignore SMTP Alerts: No
>     Max Command Line Length: 512
>     Max Specific Command Line Length:
>        ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
>        EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
>        ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
>        IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
>        QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
>        SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
>        TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
>        XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
>        XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
>        XUSR:246
>     Max Header Line Length: 1000
>     Max Response Line Length: 512
>     X-Link2State Alert: Yes
>     Drop on X-Link2State Alert: No
>     Alert on commands: None
>     Alert on unknown commands: No
>     SMTP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>     Log Attachment filename: Enabled
>     Log MAIL FROM Address: Enabled
>     Log RCPT TO Addresses: Enabled
>     Log Email Headers: Enabled
>     Email Hdrs Log Depth: 1464
> SSH config:
>     Autodetection: ENABLED
>     Challenge-Response Overflow Alert: ENABLED
>     SSH1 CRC32 Alert: ENABLED
>     Server Version String Overflow Alert: ENABLED
>     Protocol Mismatch Alert: ENABLED
>     Bad Message Direction Alert: DISABLED
>     Bad Payload Size Alert: DISABLED
>     Unrecognized Version Alert: DISABLED
>     Max Encrypted Packets: 20
>     Max Server Version String Length: 100
>     MaxClientBytes: 19600 (Default)
>     Ports:
> 22
> DCE/RPC 2 Preprocessor Configuration
>   Global Configuration
>     DCE/RPC Defragmentation: Enabled
>     Memcap: 102400 KB
>     Events: co
>     SMB Fingerprint policy: Disabled
>   Server Default Configuration
>     Policy: WinXP
>     Detect ports (PAF)
>       SMB: 139 445
>       TCP: 135
>       UDP: 135
>       RPC over HTTP server: 593
>       RPC over HTTP proxy: None
>     Autodetect ports (PAF)
>       SMB: None
>       TCP: 1025-65535
>       UDP: 1025-65535
>       RPC over HTTP server: 1025-65535
>       RPC over HTTP proxy: None
>     Invalid SMB shares: C$ D$ ADMIN$
>     Maximum SMB command chaining: 3 commands
>     SMB file inspection: Disabled
> DNS config:
>     DNS Client rdata txt Overflow Alert: ACTIVE
>     Obsolete DNS RR Types Alert: INACTIVE
>     Experimental DNS RR Types Alert: INACTIVE
>     Ports: 53
> SSLPP config:
>     Encrypted packets: not inspected
>     Ports:
>       443      465      563      636      989
>       992      993      994      995     7801
>      7802     7900     7901     7902     7903
>      7904     7905     7906     7907     7908
>      7909     7910     7911     7912     7913
>      7914     7915     7916     7917     7918
>      7919     7920
>     Server side data is trusted
>     Maximum SSL Heartbeat length: 0
> Sensitive Data preprocessor config:
>     Global Alert Threshold: 25
>     Masked Output: DISABLED
> SIP config:
>     Max number of sessions: 40000
>     Max number of dialogs in a session: 4 (Default)
>     Status: ENABLED
>     Ignore media channel: DISABLED
>     Max URI length: 512
>     Max Call ID length: 80
>     Max Request name length: 20 (Default)
>     Max From length: 256 (Default)
>     Max To length: 256 (Default)
>     Max Via length: 1024 (Default)
>     Max Contact length: 512
>     Max Content length: 2048
>     Ports:
> 5060 5061 5600
>     Methods:
>  invite cancel ack bye register options refer subscribe update join info
> message notify benotify do qauth sprack publish service unsubscribe prack
> IMAP Config:
>     Ports: 143
>     IMAP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> POP Config:
>     Ports: 110
>     POP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> Modbus config:
>     Ports:
> 502
> DNP3 config:
>     Memcap: 262144
>     Check Link-Layer CRCs: ENABLED
>     Ports:
> 20000
> Reputation config:
> WARNING: Can't find any whitelist/blacklist entries. Reputation
> Preprocessor disabled.
> AppId Configuration
>     Detector Path:          /etc/snort/rules
>     appStats Files:         appstats-u2.log
>     appStats Period:        60 secs
>     appStats Rollover Size: 20971520 bytes
>     appStats Rollover time: 86400 secs
>
>     AppInfo read from /etc/snort/rules/odp/appMapping.data
> Loading configuration file /etc/snort/rules/odp/appid.conf
> AppId: adding appIds to list of referred web apps: 2032 1520 1306 1307
> 1308 1310 1311 1312 1313 1314 1315 1316 137 1318 1319 1336 1337 1362 1372
> 1373 1424 1425 1457 1491 1619 1656 1659 1720 1721 1722 1723 1724 1725 1726
> 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743
> 1744 1745 1746 1747 1748 1750 1751 1752 1776 1778 1804 1850 1851 1852 1853
> 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1869
> 1873 1874 1875 1876 1877 1878 1879 1881 1882 1883 1884 1885 1886 1888 1889
> 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1903 1904 1905 1906
> 1907 1908 1909 1910 1912 1913 1919 1920 1921 1923 1924 1925 1926 1928 1929
> 1930 1931 1933 1934 1935 1936 1937 1938 1940 1941 1942 1943 1944 1945 1946
> 1947 1948 1949 1950 1951 1953 1955 1956 1957 1958 1959 1960
> AppId: adding appIds to list of referred web apps: 1963 1963 1964 1966
> 1969 1970 1972 1973 1975 1976 1977 1978 1979 1980 1981 1983 1984 1985 1986
> 1987 629 882 711 1393 1727 1728 1821 1992 1993 1806 1822 2022 2021 2129
> 2131 1460 1369 1392 2057 2062 1560 665 1458 929 761 2151 2157 2158 2159
> 2162 2019 2072 1508 1063 2261 2664 2690 3873 3867
> Could not read configuration file /etc/snort/rules/custom/userappid.conf
> LuaJIT: Version LuaJIT 2.0.2
>     Setting tracker size to 207
> AppInfo: AppId 151 is UNKNOWN
> AppInfo: AppId 3861 is UNKNOWN
> AppInfo: AppId 3970 is UNKNOWN
> AppInfo: AppId 939 is UNKNOWN
> AppInfo: AppId 939 is UNKNOWN
> AppInfo: AppId 1697 is UNKNOWN
> AppInfo: AppId 3971 is UNKNOWN
> AppInfo: AppId 3971 is UNKNOWN
>     TCP Port-Only Services
>          2512 - 3053
>          2513 - 3053
>          2595 - 3439
>          2598 - 84
>          2629 - 3363
>          2630 - 3362
>          2631 - 3361
>          2639 - 3011
>          2698 - 283
>          2797 - 3886
>          2811 - 3131
>          2887 - 3438
>          2897 - 88
>          2948 - 3425
>          2949 - 3428
>          3050 - 3129
>          3052 - 3010
>          3075 - 3279
>          3076 - 3278
>          3077 - 3280
>          3088 - 3123
>          3200 - 3338
>          3211 - 3351
>          3218 - 3113
>          3260 - 3685
>          3268 - 3218
>          3300 - 3338
>          3305 - 348
>          3334 - 3106
>          3335 - 3101
>          3336 - 3102
>          3337 - 3105
>          3365 - 3066
>          3397 - 93
>          3460 - 3258
>          3461 - 3258
>          3462 - 3258
>          3463 - 3258
>          3464 - 3258
>          3465 - 3258
>          3502 - 3351
>          3506 - 3010
>          3600 - 3338
>          3632 - 3107
>          3690 - 2887
>          3817 - 3686
>          3868 - 3839
>          3871 - 3351
>          4035 - 3426
>          4036 - 3427
>          4045 - 3255
>          4159 - 340
>          4172 - 1189
>          4490 - 3158
>          4491 - 3158
>          4514 - 3203
>          4569 - 3687
>          4661 - 3112
>          4662 - 3112
>          4663 - 3112
>          4664 - 3112
>          4665 - 3112
>          4672 - 3112
>          4673 - 3112
>          4711 - 3112
>          4840 - 2042
>          4884 - 200
>          4899 - 3315
>          5013 - 155
>          5325 - 3135
>          5330 - 3436
>          5340 - 3436
>          5349 - 3378
>          5355 - 267
>          5454 - 3010
>          5455 - 3010
>          5456 - 3010
>          5662 - 3112
>          5723 - 3271
>          5773 - 3112
>          5783 - 3112
>          5999 - 3688
>          6073 - 3104
>          6085 - 3194
>          6090 - 3158
>          6305 - 3034
>          6343 - 3356
>          6499 - 3176
>          6502 - 3244
>          6547 - 3010
>          6548 - 3010
>          6549 - 3010
>          6582 - 3283
>          6619 - 349
>          6620 - 250
>          6621 - 251
>          6622 - 281
>          6665 - 3282
>          6666 - 3282
>          6667 - 3282
>          6668 - 3282
>          6669 - 3282
>          6714 - 3172
>          6800 - 3034
>          6891 - 3689
>          6997 - 3226
>          7100 - 919
>          7210 - 2327
>          7220 - 3144
>          7223 - 3144
>          7279 - 86
>          7631 - 3395
>          7648 - 3177
>          7649 - 3177
>          7845 - 3010
>          7846 - 3010
>          8182 - 3419
>          8801 - 3690
>          8880 - 3060
>          9022 - 29
>          9084 - 3837
>          9100 - 3287
>          9200 - 3424
>          9201 - 3431
>          9202 - 3429
>          9203 - 3430
>          9204 - 3434
>          9205 - 3432
>          9206 - 3435
>          9207 - 3433
>          9318 - 368
>          9703 - 3692
>          9704 - 3692
>          9950 - 3010
>          9951 - 3010
>          9952 - 3010
>         10000 - 1096
>         10080 - 3691
>         11010 - 3391
>         11020 - 3391
>         11965 - 3203
>         12975 - 1156
>         14247 - 3158
>         14248 - 3158
>         14249 - 3158
>         15868 - 2790
>         15988 - 3158
>         15989 - 3158
>         19150 - 3134
>         19880 - 3369
>         20016 - 3147
>         20500 - 3047
>         20510 - 3047
>         22125 - 109
>         24754 - 89
>         24800 - 3063
>         25999 - 2794
>         27665 - 3405
>         28960 - 3047
>         34572 - 3158
>         40001 - 3390
>         40002 - 3390
>         40003 - 3390
>         40004 - 3390
>         40011 - 3390
>         47808 - 3043
>         52300 - 3094
>     UDP Port-Only Services
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> WARNING: /etc/snort/rules/local.rules(1) too many appids in rule. Max
> allowed 10
>
> 1 Snort rules read
>     1 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 1 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> +-------------------[Rule Port
> Counts]---------------------------------------
> |             tcp     udp    icmp      ip
> |     src       0       0       0       0
> |     dst       0       0       0       0
> |     any       1       0       0       0
> |      nc       1       0       0       0
> |     s+d       0       0       0       0
>
> +----------------------------------------------------------------------------
>
>
> +-----------------------[detection-filter-config]------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[detection-filter-rules]-------------------------------
> | none
>
> -------------------------------------------------------------------------------
>
>
> +-----------------------[rate-filter-config]-----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[rate-filter-rules]------------------------------------
> | none
>
> -------------------------------------------------------------------------------
>
>
> +-----------------------[event-filter-config]----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[event-filter-global]----------------------------------
>
> +-----------------------[event-filter-local]-----------------------------------
> | none
>
> +-----------------------[suppression]------------------------------------------
> | none
>
> -------------------------------------------------------------------------------
> Rule application order:
> activation->dynamic->pass->drop->sdrop->reject->alert->log
> Verifying Preprocessor Configurations!
>
> [ Port Based Pattern Matching Memory ]
> +- [ Aho-Corasick Summary ] -------------------------------------
> | Storage Format    : Full
> | Finite Automaton  : DFA
> | Alphabet Size     : 256 Chars
> | Sizeof State      : 4 bytes
> | Instances         : 2461
> | Characters        : 61657
> | States            : 46199
> | Transitions       : 1383457
> | State Density     : 11.7%
> | Patterns          : 7344
> | Match States      : 7568
> | Memory (MB)       : 48.51
> |   Patterns        : 0.68
> |   Match Lists     : 1.12
> |   DFA             : 45.82
> +----------------------------------------------------------------
> [ Number of patterns truncated to 20 bytes: 0 ]
> afpacket DAQ configured to inline.
> Acquiring network traffic from "eth0:wlan0".
> Reload thread starting...
> Reload thread started, thread 0x7f8ada54d700 (15335)
> Set gid to 1001
> Set uid to 999
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.7.6 GRE (Build 285)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.5.3
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.8
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>            Preprocessor Object: APPID  Version 1.1  <Build 4>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
> Commencing packet processing (pid=15333)
> Decoding Ethernet
> 10/28-19:39:19.094832  [Drop] [**] [1:1000006:4] No access [**] [Priority:
> 0] [AppID: linkedin_contac] {TCP} 23.67.137.227:443 -> 192.168.6.114:39651
> ^C*** Caught Int-Signal
>
> ===============================================================================
> Run time for packet processing was 82.628417 seconds
> Snort processed 4188 packets.
> Snort ran for 0 days 0 hours 1 minutes 22 seconds
>    Pkts/min:         4188
>    Pkts/sec:           51
> *** Opening /var/log/snort/appstats-u2.log.1446041392 for output
>
> ===============================================================================
> Memory usage summary:
>   Total non-mmapped bytes (arena):       40943616
>   Bytes in mapped regions (hblkhd):      15011840
>   Total allocated space (uordblks):      13870944
>   Total free space (fordblks):           27072672
>   Topmost releasable block (keepcost):   133360
>
> ===============================================================================
> Packet I/O Totals:
>    Received:         4162
>    Analyzed:         4188 (100.625%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            4
>
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:         4203 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:         2471 ( 58.791%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:         1055 ( 25.101%)
>         TCP:         1368 ( 32.548%)
>         IP6:          255 (  6.067%)
>     IP6 Ext:          294 (  6.995%)
>    IP6 Opts:           39 (  0.928%)
>       Frag6:            0 (  0.000%)
>       ICMP6:           96 (  2.284%)
>        UDP6:          159 (  3.783%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>     IP4/IP4:            0 (  0.000%)
>     IP4/IP6:            0 (  0.000%)
>     IP6/IP4:            0 (  0.000%)
>     IP6/IP6:            0 (  0.000%)
>         GRE:            0 (  0.000%)
>     GRE Eth:            0 (  0.000%)
>    GRE VLAN:            0 (  0.000%)
>     GRE IP4:            0 (  0.000%)
>     GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>    GRE PPTP:            0 (  0.000%)
>     GRE ARP:            0 (  0.000%)
>     GRE IPX:            0 (  0.000%)
>    GRE Loop:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:         1419 ( 33.762%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>       Other:          106 (  2.522%)
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:            7 (  0.167%)
>      S5 G 2:            8 (  0.190%)
>       Total:         4203
>
> ===============================================================================
> Action Stats:
>      Alerts:            1 (  0.024%)
>      Logged:            1 (  0.024%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:         3996 ( 96.012%)
>       Block:            0 (  0.000%)
>     Replace:           83 (  1.994%)
>   Whitelist:           86 (  2.066%)
>   Blacklist:           23 (  0.553%)
>      Ignore:            0 (  0.000%)
>       Retry:            0 (  0.000%)
>
> ===============================================================================
> Normalizer statistics:
>               ip4::trim: 0
> Would         ip4::trim: 0
>                ip4::tos: 0
> Would          ip4::tos: 0
>                 ip4::df: 0
> Would           ip4::df: 0
>                 ip4::rf: 0
> Would           ip4::rf: 0
>                ip4::ttl: 0
> Would          ip4::ttl: 0
>               ip4::opts: 44
> Would         ip4::opts: 0
>             icmp4::echo: 0
> Would       icmp4::echo: 0
>                ip6::ttl: 0
> Would          ip6::ttl: 0
>               ip6::opts: 39
> Would         ip6::opts: 0
>             icmp6::echo: 0
> Would       icmp6::echo: 0
>            tcp::syn_opt: 0
> Would      tcp::syn_opt: 0
>                tcp::opt: 0
> Would          tcp::opt: 0
>                tcp::pad: 0
> Would          tcp::pad: 0
>                tcp::rsv: 0
> Would          tcp::rsv: 0
>                 tcp::ns: 0
> Would           tcp::ns: 0
>                tcp::urp: 0
> Would          tcp::urp: 0
>            tcp::ecn_pkt: 0
> Would      tcp::ecn_pkt: 0
>             tcp::ts_ecr: 0
> Would       tcp::ts_ecr: 0
>            tcp::req_urg: 0
> Would      tcp::req_urg: 0
>            tcp::req_pay: 0
> Would      tcp::req_pay: 0
>            tcp::req_urp: 0
> Would      tcp::req_urp: 0
>            tcp::ecn_ssn: 0
> Would      tcp::ecn_ssn: 0
>             tcp::ts_nop: 0
> Would       tcp::ts_nop: 0
>           tcp::ips_data: 0
> Would     tcp::ips_data: 0
>              tcp::block: 0
> Would        tcp::block: 0
>           tcp::trim_syn: 0
> Would     tcp::trim_syn: 0
>           tcp::trim_rst: 0
> Would     tcp::trim_rst: 0
>           tcp::trim_win: 0
> Would     tcp::trim_win: 0
>           tcp::trim_mss: 0
> Would     tcp::trim_mss: 0
>
> ===============================================================================
> Frag3 statistics:
>         Total Fragments: 0
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>                   Drops: 0
>      FragTrackers Added: 0
>     FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 0
>      Frag Nodes Deleted: 0
>
> ===============================================================================
>
> ===============================================================================
> Stream statistics:
>             Total sessions: 168
>               TCP sessions: 26
>               UDP sessions: 142
>              ICMP sessions: 0
>                IP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
>                  IP Prunes: 0
> TCP StreamTrackers Created: 26
> TCP StreamTrackers Deleted: 26
>               TCP Timeouts: 0
>               TCP Overlaps: 0
>        TCP Segments Queued: 625
>      TCP Segments Released: 625
>        TCP Rebuilt Packets: 312
>          TCP Segments Used: 613
>               TCP Discards: 0
>                   TCP Gaps: 0
>       UDP Sessions Created: 142
>       UDP Sessions Deleted: 142
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 1
>            Internal Events: 0
>            TCP Port Filter
>                   Filtered: 0
>                  Inspected: 0
>                    Tracked: 1331
>            UDP Port Filter
>                   Filtered: 0
>                  Inspected: 0
>                    Tracked: 142
>
> ===============================================================================
>
> ===============================================================================
> SMTP Preprocessor Statistics
>   Total sessions                                    : 0
>   Max concurrent sessions                           : 0
>
> ===============================================================================
> dcerpc2 Preprocessor Statistics
>   Total sessions: 0
>
> ===============================================================================
> SSL Preprocessor:
>    SSL packets decoded: 96
>           Client Hello: 30
>           Server Hello: 30
>            Certificate: 28
>            Server Done: 14
>    Client Key Exchange: 2
>    Server Key Exchange: 7
>          Change Cipher: 8
>               Finished: 0
>     Client Application: 2
>     Server Application: 5
>                  Alert: 0
>   Unrecognized records: 22
>   Completed handshakes: 0
>         Bad handshakes: 0
>       Sessions ignored: 4
>     Detection disabled: 1
>
> ===============================================================================
> SIP Preprocessor Statistics
>   Total sessions: 0
>
> ===============================================================================
> Reputation Preprocessor Statistics
>   Total Memory Allocated: 0
>
> ===============================================================================
> Application Identification Preprocessor:
>    Total packets received : 4500
>   Total packets processed : 2567
>     Total packets ignored : 1933
> Service State:
> Lua detector Stats
> Lua Stats total memory usage 0 kb
> ===============================================================================
> Snort exiting
>
>
> *snort.conf:*
> navneet at ...4088...:~$ cat /etc/snort/snort.conf |grep -v ^#|grep -v ^$
> ipvar HOME_NET 192.168.6.0/24
> ipvar EXTERNAL_NET !$HOME_NET
> ipvar DNS_SERVERS $HOME_NET
> ipvar SMTP_SERVERS $HOME_NET
> ipvar HTTP_SERVERS $HOME_NET
> ipvar SQL_SERVERS $HOME_NET
> ipvar TELNET_SERVERS $HOME_NET
> ipvar SSH_SERVERS $HOME_NET
> ipvar FTP_SERVERS $HOME_NET
> ipvar SIP_SERVERS $HOME_NET
> portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
> portvar SHELLCODE_PORTS !80
> portvar ORACLE_PORTS 1024:
> portvar SSH_PORTS 22
> portvar FTP_PORTS [21,2100,3535]
> portvar SIP_PORTS [5060,5061,5600]
> portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
> portvar GTP_PORTS [2123,2152,3386]
> ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /etc/snort/rules
> var SO_RULE_PATH /etc/snort/so_rules
> var PREPROC_RULE_PATH /etc/snort/preproc_rules
> var WHITE_LIST_PATH /etc/snort/rules
> var BLACK_LIST_PATH /etc/snort/rules
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_tcpopt_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
> config checksum_mode: all
> config daq:afpacket
> config daq_dir:/usr/local/lib/daq
> config daq_mode:inline
> config daq_var:buffer_size_mb=1024
> config policy_mode:inline
> config pcre_match_limit: 3500
> config pcre_match_limit_recursion: 1500
> config detection: search-method ac-split search-optimize max-pattern-len 20
> config event_queue: max_queue 8 log 5 order_events content_length
> config paf_max: 16000
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor normalize_ip4
> preprocessor normalize_tcp: ips ecn stream
> preprocessor normalize_icmp4
> preprocessor normalize_ip6
> preprocessor normalize_icmp6
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
> preprocessor stream5_global: track_tcp yes, \
>    track_udp yes, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    max_active_responses 2, \
>    min_response_seconds 5
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>         161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>     ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
> preprocessor stream5_udp: timeout 180
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 max_gzip_mem 104857600
> preprocessor http_inspect_server: server default \
>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>     chunk_length 500000 \
>     server_flow_depth 0 \
>     client_flow_depth 0 \
>     post_depth 65495 \
>     oversize_dir_length 500 \
>     max_header_length 750 \
>     max_headers 100 \
>     max_spaces 200 \
>     small_chunk_length { 10 5 } \
>     ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>     enable_cookie \
>     extended_response_inspection \
>     inspect_gzip \
>     normalize_utf \
>     unlimited_decompress \
>     normalize_javascript \
>     apache_whitespace no \
>     ascii no \
>     bare_byte no \
>     directory no \
>     double_decode no \
>     iis_backslash no \
>     iis_delimiter no \
>     iis_unicode no \
>     multi_slash no \
>     utf_8 no \
>     u_encode yes \
>     webroot no
> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
> preprocessor bo
> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
> preprocessor ftp_telnet_protocol: telnet \
>     ayt_attack_thresh 20 \
>     normalize ports { 23 } \
>     detect_anomalies
> preprocessor ftp_telnet_protocol: ftp server default \
>     def_max_param_len 100 \
>     ports { 21 2100 3535 } \
>     telnet_cmds yes \
>     ignore_telnet_erase_cmds yes \
>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
>     alt_max_param_len 256 { CWD RNTO } \
>     alt_max_param_len 400 { PORT } \
>     alt_max_param_len 512 { SIZE } \
>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>     cmd_validity ALLO < int [ char R int ] > \
>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>     cmd_validity MACB < string > \
>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>     cmd_validity MODE < char ASBCZ > \
>     cmd_validity PORT < host_port > \
>     cmd_validity PROT < char CSEP > \
>     cmd_validity STRU < char FRPO [ string ] > \
>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
> preprocessor ftp_telnet_protocol: ftp client default \
>     max_resp_len 256 \
>     bounce yes \
>     ignore_telnet_erase_cmds yes \
>     telnet_cmds yes
> preprocessor smtp: ports { 25 465 587 691 } \
>     inspection_type stateful \
>     b64_decode_depth 0 \
>     qp_decode_depth 0 \
>     bitenc_decode_depth 0 \
>     uu_decode_depth 0 \
>     log_mailfrom \
>     log_rcptto \
>     log_filename \
>     log_email_hdrs \
>     normalize cmds \
>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     max_command_line_len 512 \
>     max_header_line_len 1000 \
>     max_response_line_len 512 \
>     alt_max_command_line_len 260 { MAIL } \
>     alt_max_command_line_len 300 { RCPT } \
>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     xlink2state { enabled }
> preprocessor ssh: server_ports { 22 } \
>                   autodetect \
>                   max_client_bytes 19600 \
>                   max_encrypted_packets 20 \
>                   max_server_version_len 100 \
>                   enable_respoverflow enable_ssh1crc32 \
>                   enable_srvoverflow enable_protomismatch
> preprocessor dcerpc2: memcap 102400, events [co ]
> preprocessor dcerpc2_server: default, policy WinXP, \
>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
> preprocessor dns: ports { 53 } enable_rdata_overflow
> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
> preprocessor sensitive_data: alert_threshold 25
> preprocessor sip: max_sessions 40000, \
>    ports { 5060 5061 5600 }, \
>    methods { invite \
>              cancel \
>              ack \
>              bye \
>              register \
>              options \
>              refer \
>              subscribe \
>              update \
>              join \
>              info \
>              message \
>              notify \
>              benotify \
>              do \
>              qauth \
>              sprack \
>              publish \
>              service \
>              unsubscribe \
>              prack }, \
>    max_uri_len 512, \
>    max_call_id_len 80, \
>    max_requestName_len 20, \
>    max_from_len 256, \
>    max_to_len 256, \
>    max_via_len 1024, \
>    max_contact_len 512, \
>    max_content_len 2048
> preprocessor imap: \
>    ports { 143 } \
>    b64_decode_depth 0 \
>    qp_decode_depth 0 \
>    bitenc_decode_depth 0 \
>    uu_decode_depth 0
> preprocessor pop: \
>    ports { 110 } \
>    b64_decode_depth 0 \
>    qp_decode_depth 0 \
>    bitenc_decode_depth 0 \
>    uu_decode_depth 0
> preprocessor modbus: ports { 502 }
> preprocessor dnp3: ports { 20000 } \
>    memcap 262144 \
>    check_crc
> preprocessor reputation: \
>    memcap 500, \
>    priority whitelist, \
>    nested_ip inner, \
>    whitelist $WHITE_LIST_PATH/white_list.rules, \
>    blacklist $BLACK_LIST_PATH/black_list.rules
> preprocessor appid: app_stats_filename appstats-u2.log, \
>    app_stats_period 60, \
>    app_detector_dir /etc/snort/rules
> output unified2: filename snort.log, limit 128, appid_event_types
> include classification.config
> include reference.config
> include rules/local.rules
> include rules/snort.rules
> include threshold.conf
>
>
> Please help me with understanding the issue causing such behaviour.
>
> --
> Regards
> Navneet
>
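The quoted exit statistics and snort.conf above carry most of what is needed to tell whether an inline Snort is actually dropping. What follows is an added example, not code from Navneet's post or from the Snort project: it parses the "Action Stats" / "Verdicts" / "Normalizer statistics" blocks that Snort 2.9 prints at exit, plus the `config` lines of a snort.conf, and turns them into the checks an IPS operator wants when drop rules appear not to drop. `STATS` and `CONF` are constructed excerpts of the posted output (only the lines the checks need are kept), the regexes assume the 2.9.7 `Name: count` layout shown there, and the reading of the verdict names (Block for one packet, Blacklist for the rest of a flow, Replace for a packet the normalizer rewrote) is my reading of the 2.9 DAQ verdicts rather than anything the thread states.

```python
"""Added example, not the poster's or the Snort project's code: parse Snort 2.9
exit statistics and snort.conf 'config' lines and check inline blocking.
STATS and CONF are constructed excerpts of the posted output."""
import re

STATS = """\
Action Stats:
     Alerts:            1 (  0.024%)
     Logged:            1 (  0.024%)
     Passed:            0 (  0.000%)
Verdicts:
      Allow:         3996 ( 96.012%)
      Block:            0 (  0.000%)
    Replace:           83 (  1.994%)
  Whitelist:           86 (  2.066%)
  Blacklist:           23 (  0.553%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)

===============================================================================
Normalizer statistics:
              ip4::opts: 44
Would         ip4::opts: 0
              ip6::opts: 39
Would         ip6::opts: 0
          tcp::ips_data: 0
Would     tcp::ips_data: 0
"""

CONF = """\
config checksum_mode: all
config daq:afpacket
config daq_dir:/usr/local/lib/daq
config daq_mode:inline
config policy_mode:inline
preprocessor normalize_tcp: ips ecn stream
"""

COUNTER = re.compile(r"^\s*([A-Za-z]+):\s+(\d+)")
NORMALIZER = re.compile(r"^(Would)?\s*(\w+::\w+):\s+(\d+)\s*$")
CONFIG = re.compile(r"^config\s+([a-z_]+)\s*:\s*(.+?)\s*$")

# 'config daq_mode:inline' (or -Q on the command line) plus
# 'config policy_mode:inline' are what let drop rules produce drop verdicts
REQUIRED_INLINE = {"daq_mode": "inline", "policy_mode": "inline"}


def parse_block(text, header):
    """Return {name: count} for the counters under a 'Header:' line,
    stopping at the first line that is not 'Name: count'."""
    out, inside = {}, False
    for line in text.splitlines():
        if line.strip() == header + ":":
            inside = True
            continue
        if not inside:
            continue
        m = COUNTER.match(line)
        if not m:
            break
        out[m.group(1)] = int(m.group(2))
    return out


def parse_normalizer(text):
    """Return (applied, would): 'Would' rows count rewrites the normalizer
    held back because the policy was not inline (inline_test, for instance)."""
    applied, would = {}, {}
    for line in text.splitlines():
        m = NORMALIZER.match(line)
        if m:
            (would if m.group(1) else applied)[m.group(2)] = int(m.group(3))
    return applied, would


def config_settings(conf_text):
    """Map each 'config key: value' line of a snort.conf to its value."""
    matches = (CONFIG.match(line) for line in conf_text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def inline_config_gaps(conf_text):
    """Inline prerequisites that are missing or set differently; {} is good."""
    settings = config_settings(conf_text)
    return {key: settings.get(key) for key, want in REQUIRED_INLINE.items()
            if settings.get(key) != want}


def inline_check(stats_text, conf_text):
    """Summarise whether this run ever told the DAQ to drop anything."""
    actions = parse_block(stats_text, "Action Stats")
    verdicts = parse_block(stats_text, "Verdicts")
    applied, would = parse_normalizer(stats_text)
    block, blacklist = verdicts.get("Block", 0), verdicts.get("Blacklist", 0)
    return {
        "alerts": actions.get("Alerts", 0),
        # Block: a single packet dropped; Blacklist: the rest of a flow dropped
        "packets_blocked": block,
        "flows_blacklisted": blacklist,
        "blocking_seen": block + blacklist > 0,
        # rewrites only happen inline, so applied > 0 is itself inline evidence
        "normalizer_rewrites": sum(applied.values()),
        "normalizer_held_back": sum(would.values()),
        # in the posted run 44 + 39 equals the Replace count; a sanity check,
        # not an identity, since one packet can get several normalizations
        "replace_matches_normalizer":
            sum(applied.values()) == verdicts.get("Replace", 0),
        "config_gaps": inline_config_gaps(conf_text),
    }
```

Run against the posted numbers, `inline_check` reports `packets_blocked` 0 but `flows_blacklisted` 23, `normalizer_rewrites` 83 with nothing held back, and no config gaps: the sensor is inline and did hand the DAQ drop verdicts, so a page that still loads is worth re-checking against the flows that were not blacklisted (a browser opens several connections, and appid has to see a few packets of each before it can name the application) rather than against the inline settings. One thing a snort.conf cannot show is the interface pair: afpacket inline bridges two interfaces given on the command line as `-i eth0:eth1`, so that is the other setting to confirm.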