[Snort-users] snort rules not being read

Donnie Green d_greenjr at ...125...
Thu Sep 5 04:27:02 EDT 2002


I made the recommended changes and it looks like the rules are being 
read--although I had to make a link "ln -s /etc/conf/snort.conf 
/etc/snort.conf".  Now it seems as though I have a faulty 
rule (bad-traffic.rules).  Just to see, I commented out the rule in 
/etc/conf/snort.conf and I received an error in the next rule.  It appears 
as if the rules aren't using the correct syntax?  Following is the output 
of the command "snort".

[root@/etc]=> snort
Log directory = /var/log/snort

Initializing Network Interface eth0
using config file /etc/snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
ERROR /etc/snort/bad-traffic.rules(20) => Bad protocol name ">134"
Fatal Error, Quitting..


>From: Bill Gercken <bgercken at ...1569...>
>Reply-To: bgercken at ...1569...
>To: Donnie Green <d_greenjr at ...125...>, snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] snort rules not being read
>Date: Wed, 04 Sep 2002 23:47:19 -0400
>
>Donnie,
>
>Unless your rules happen to be in the current directory that you are
>attempting to run snort from, you will need to modify the RULE_PATH in your
>snort.conf
>
>Change:
>
>var RULE_PATH ./
>
>To:
>
>var RULE_PATH /full/path/to/rules
>
>as in:
>
>var RULE_PATH /usr/local/etc/snort/
>
>or something.
>
>--
>
>Also the classification.config file must be available.
>
>include $RULE_PATH/classification.config
>
>should work.
>--
>
>In your startup script you will need to change:
>
>daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c /etc/snort
>
>to:
>
>daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c /etc/snort/snort.conf
>
>Regards,
>-bill
>
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Donnie
>Green
>Sent: Wednesday, September 04, 2002 11:13 PM
>To: snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] snort rules not being read
>
>
>The following is a copy of my files /etc/rc.d/init.d/snortd and
>/etc/snort/snort.conf:
>
>/etc/rc.d/init.d/snortd:
>#!/bin/sh
>#
># snortd         Start/Stop the snort IDS daemon.
>#
># chkconfig: 2345 40 60
># description:  snort is a lightweight network intrusion detection tool that
>#               currently detects more than 1100 host and network
>#               vulnerabilities, portscans, backdoors, and more.
>#
># June 10, 2000 -- Dave Wreski <dave at ...725...>
>#   - initial version
>#
># July 08, 2000 Dave Wreski <dave at ...53...>
>#   - added snort user/group
>#   - support for 1.6.2
>
># Source function library.
>. /etc/rc.d/init.d/functions
>
># Specify your network interface here
>INTERFACE=eth0
>
># See how we were called.
>case "$1" in
>   start)
>         echo -n "Starting snort: "
>         ifconfig eth0 up
>         daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c /etc/snort
>         touch /var/lock/subsys/snort
>         echo
>         ;;
>   stop)
>         echo -n "Stopping snort: "
>         killproc snort
>         rm -f /var/lock/subsys/snort
>         echo
>         ;;
>   restart)
>         $0 stop
>         $0 start
>         ;;
>   status)
>         status snort
>         ;;
>   *)
>         echo "Usage: $0 {start|stop|restart|status}"
>         exit 1
>esac
>
>exit 0
>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>/etc/snort/snort.conf:
>#--------------------------------------------------
>#   http://www.snort.org     Snort 1.8.6 Ruleset
>#     Contact: snort-sigs at lists.sourceforge.net
>#--------------------------------------------------
># NOTE:This ruleset only works for 1.8.0 and later
>#--------------------------------------------------
># $Id: snort.conf,v 1.77.2.19 2002/06/29 13:32:48 chrisgreen Exp $
>#
>###################################################
># This file contains a sample snort configuration.
># You can take the following steps to create your
># own custom configuration:
>#
>#  1) Set the network variables for your network
>#  2) Configure preprocessors
>#  3) Configure output plugins
>#  4) Customize your rule set
>#
>###################################################
># Step #1: Set the network variables:
>#
># You must change the following variables to reflect
># your local network. The variable is currently
># setup for an RFC 1918 address space.
>#
># You can specify it explicitly as:
>#
># var HOME_NET 10.1.1.0/24
>#
># or use global variable $<interfacename>_ADDRESS
># which will be always initialized to IP address and
># netmask of the network interface which you run
># snort at.
>#
># var HOME_NET $eth0_ADDRESS
>#
># You can specify lists of IP addresses for HOME_NET
># by separating the IPs with commas like this:
>#
># var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>#
># MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>#
># or you can specify the variable to be any IP address
># like this:
>
>var HOME_NET any
>
># Set up the external network addresses as well.
># A good start may be "any"
>
>var EXTERNAL_NET $HOME_NET
>
># Set up your SMTP servers, or simply configure them
># to HOME_NET
>
>var SMTP $HOME_NET
>
># Set up your web servers, or simply configure them
># to HOME_NET
>
>var HTTP_SERVERS $HOME_NET
>
># Set up your sql servers, or simply configure them
># to HOME_NET
>
>var SQL_SERVERS $HOME_NET
>
># Define the addresses of DNS servers and other hosts
>
>var DNS_SERVERS $HOME_NET
>
>var RULE_PATH ./
>
># Ports you want to look for SHELLCODE on.  (By default, not port 80)
>var SHELLCODE_PORTS !80
>
># Ports you run web servers on.  (By default, port 80)
>var HTTP_PORTS 80
>
># Ports you do oracle type stuff on.  (Can be 80, as well as all of the
># standard oracle ports.  (By default, port 1521)
>var ORACLE_PORTS 1521
>
>
>###################################################
># Step #2: Configure preprocessors
>#
># General configuration for preprocessors is of
># the form
># preprocessor <name_of_processor>: <configuration_options>
>
># frag2: IP defragmentation support
># -------------------------------
># This preprocessor performs IP defragmentation.  This plugin will also detect
># people launching fragmentation attacks (usually DoS) against hosts.  No
># arguments loads the default configuration of the preprocessor, which is a
># 60 second timeout and a 4MB fragment buffer.
>
># The following (comma delimited) options are available for frag2
>#    timeout [seconds] - sets the number of [seconds] that an unfinished
>#                        fragment will be kept around waiting for completion,
>#                        if this time expires the fragment will be flushed
>#    memcap [bytes] - limit frag2 memory usage to [number] bytes
>#                      (default:  4194304)
>
>preprocessor frag2
>
># stream4: stateful inspection/stream reassembly for Snort
>#----------------------------------------------------------------------
># Use in concert with the -z [all|est] command line switch to defeat
># stick/snot against TCP rules.  Also performs full TCP stream
># reassembly, stateful inspection of TCP streams, etc.  Can statefully
># detect various portscan types, fingerprinting, ECN, etc.
>
># stateful inspection directive
># no arguments loads the defaults (timeout 30, memcap 8388608)
># options (options are comma delimited):
>#   detect_scans - stream4 will detect stealth portscans and generate alerts
>#                  when it sees them when this option is set
>#   detect_state_problems - detect TCP state problems, this tends to be very
>#                           noisy because there are a lot of crappy ip stack
>#                           implementations out there
>#
>#   disable_evasion_alerts - disable fragroute alerting.  Useful for
>#                             machines with odd retransmission patterns
>#
>#   keepstats [machine|binary] - keep session statistics, add "machine" to
>#                         get them in a flat format for machine reading, add
>#                         "binary" to get them in a unified binary output
>#                         format
>#   noinspect - turn off stateful inspection only
>#   timeout [number] - set the session timeout counter to [number] seconds,
>#                      default is 30 seconds
>#   memcap [number] - limit stream4 memory usage to [number] bytes
>#   log_flushed_streams - if an event is detected on a stream this option will
>#                         cause all packets that are stored in the stream4
>#                         packet buffers to be flushed to disk.  This only
>#                         works when logging in pcap mode!
>#
>#
>
>preprocessor stream4: detect_scans, disable_evasion_alerts
>
># tcp stream reassembly directive
># no arguments loads the default configuration
>#   Only reassemble the client,
>#   Only reassemble the default list of ports (See below),
>#   Give alerts for "bad" streams
>#
># Available options (comma delimited):
>#   clientonly - reassemble traffic for the client side of a connection only
>#   serveronly - reassemble traffic for the server side of a connection only
>#   both - reassemble both sides of a session
>#   noalerts - turn off alerts from the stream reassembly stage of stream4
>#   ports [list] - use the space separated list of ports in [list], "all"
>#                  will turn on reassembly for all ports, "default" will turn
>#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
>#                  and 513
>
>preprocessor stream4_reassemble
>
># http_decode: normalize HTTP requests
># ------------------------------------
># http_decode normalizes HTTP requests from remote
># machines by converting any %XX character
># substitutions to their ASCII equivalent. This is
># very useful for doing things like defeating hostile
># attackers trying to stealth themselves from IDSs by
># mixing these substitutions in with the request.
># Specify the port numbers you want it to analyze as arguments.
># You may also specify -unicode to turn off detection of
># UNICODE directory traversal, etc attacks.  Use -cginull to
># turn off detection of CGI NULL code attacks.
>
>preprocessor http_decode: 80 -unicode -cginull
>
># rpc_decode: normalize RPC traffic
># ---------------------------------
># RPC may be sent in alternate encodings besides the usual
># 4-byte encoding that is used by default.  This preprocessor
># normalizes RPC traffic in much the same way as the http_decode
># preprocessor.  This plugin takes the port numbers that RPC
># services are running on as arguments.
>
>preprocessor rpc_decode: 111 32771
>
># bo: Back Orifice detector
># -------------------------
># Detects Back Orifice traffic on the network.  This preprocessor
># uses the Back Orifice "encryption" algorithm to search for
># traffic conforming to the Back Orifice protocol (not BO2K).
># This preprocessor can take two arguments.  The first is "-nobrute"
># which turns off the plugin's brute forcing routine (brute forces
># the key space of the protocol to find BO traffic).  The second
># argument that can be passed to the routine is a number to use
># as the default key when trying to decrypt the traffic.  The
># default value is 31337 (just like BO).  Be aware that turning on
># the brute forcing option runs the risk of impacting the overall
># performance of Snort, you've been warned...
>
>preprocessor bo
>
># telnet_decode: Telnet negotiation string normalizer
># ---------------------------------------------------
># This preprocessor "normalizes" telnet negotiation strings from
># telnet and ftp traffic.  It works in much the same way as the
># http_decode preprocessor, searching for traffic that breaks up
># the normal data stream of a protocol and replacing it with
># a normalized representation of that traffic so that the "content"
># pattern matching keyword can work without requiring modifications.
># This preprocessor requires no arguments.
>
>preprocessor telnet_decode
>
># portscan: detect a variety of portscans
># ---------------------------------------
># portscan preprocessor by Patrick Mullen <p_mullen at ...245...>
># This preprocessor detects UDP packets or TCP SYN packets going to
># four different ports in less than three seconds. "Stealth" TCP
># packets are always detected, regardless of these settings.
>
># preprocessor portscan: $HOME_NET 4 3 portscan.log
>
># Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
># specific networks or hosts to reduce false alerts. It is typical
># to see many false alerts from DNS servers so you may want to
># add your DNS servers here. You can add multiple hosts/networks
># in a whitespace-delimited list.
>#
>#preprocessor portscan-ignorehosts: 0.0.0.0
>
># Spade: the Statistical Packet Anomaly Detection Engine
>#-------------------------------------------------------
># READ the README.Spade file before using this plugin!
>#
># preprocessor spade: <anom-report-thresh> <state-file>
># <log-file> <prob-mode> <checkpoint-freq>  [-corrscore]
>#
># set this to a directory Spade can read and write to
># store its files
>#
># var SPADEDIR .
>#
># preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
>#
># put a list of the networks you are interested in Spade observing packets
># going to here; separate these by spaces
>#
># preprocessor spade-homenet: 0.0.0.0/0
>#
># this causes Spade to adjust the reporting threshold automatically
># the first argument is the target rate of alerts for normal circumstances
># (0.01 = 1% or you can give it an hourly rate) after the first hour (or
># however long the period is set to in the second argument), the reporting
># threshold given above is ignored you can comment this out to have the
># threshold be static, or try one of the other adapt methods below
># preprocessor spade-adapt3: 0.01 60 168
>#
># other possible Spade config lines:
># adapt method #1
>#preprocessor spade-adapt: 20 2 0.5
># adapt method #2
>#preprocessor spade-adapt2: 0.01 15 4 24 7
># offline threshold learning
>#preprocessor spade-threshlearn: 200 24
># periodically report on the anom scores and count of packets seen
>#preprocessor spade-survey:  $SPADEDIR/survey.txt 60
># print out known stats about packet feature
>#preprocessor spade-stats: entropy uncondprob condprob
>
># arpspoof
>#----------------------------------------
># Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
># unicast ARP requests, and specific ARP mapping monitoring.  To make use
># of this preprocessor you must specify the IP and hardware address of hosts
># on the same layer 2 segment as you.  Specify one host IP MAC combo per line.
># Also takes a "-unicast" option to turn on unicast ARP request detection.
>
>#preprocessor arpspoof
>#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
>
>####################################################################
># Step #3: Configure output plugins
>#
># Uncomment and configure the output plugins you decide to use.
># General configuration for output plugins is of the form:
>#
># output <name_of_plugin>: <configuration_options>
>#
># alert_syslog: log alerts to syslog
># ----------------------------------
># Use one or more syslog facilities as arguments
>#
># output alert_syslog: LOG_AUTH LOG_ALERT
>
># log_tcpdump: log packets in binary tcpdump format
># -------------------------------------------------
># The only argument is the output file name.
>#
># output log_tcpdump: snort.log
>
># database: log to a variety of databases
># ---------------------------------------
># See the README.database file for more information about configuring
># and using this plugin.
>#
># output database: log, mysql, user=root password=test dbname=db host=localhost
># output database: alert, postgresql, user=snort dbname=snort
># output database: log, unixodbc, user=snort dbname=snort
># output database: log, mssql, dbname=snort user=snort password=test
>
># xml: xml logging
># ----------------
># See the README.xml file for more information about configuring
># and using this plugin.
>#
># output xml: log, file=/var/log/snortxml
>
># unified: Snort unified binary format alerting and logging
># -------------------------------------------------------------
># The unified output plugin provides two new formats for logging
># and generating alerts from Snort, the "unified" format.  The
># unified format is a straight binary format for logging data
># out of Snort that is designed to be fast and efficient.  Used
># with barnyard (the new alert/log processor), most of the overhead
># for logging and alerting to various slow storage mechanisms
># such as databases or the network can now be avoided.
>#
># Check out the spo_unified.h file for the data formats.
>#
># Two arguments are supported.
>#    filename - base filename to write to (current time_t is appended)
>#    limit    - maximum size of spool file in MB (default: 128)
>#
># output alert_unified: filename snort.alert, limit 128
># output log_unified: filename snort.log, limit 128
>
>
># trap_snmp: SNMP alerting for Snort
># -------------------------------------------------------------
># Read the README-SNMP file for more information on enabling and using this
># plug-in.
>#
>#
># The SnmpTrapGenerator output plugin requires several parameters.
># The parameters depend on the SNMP version that is used (specified).
># For the SNMPv2c case the parameters will be as follows
>#  alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
>#         <hostName> <community>
>#
># For SNMPv2c traps
>#
>#output trap_snmp: alert, 7, trap -v 2c -p 162  myTrapListener myCommunity
>#
># For SNMPv2c informs
>#
>#output trap_snmp: alert, 7, inform -v 2c -p 162  myTrapListener myCommunity
>#
># For SNMPv3 traps with
># security name = snortUser
># security level = authentication and privacy
># authentication parameters :
>#           authentication protocol = SHA ,
>#           authentication pass phrase = SnortAuthPassword
># privacy (encryption) parameters
>#           privacy protocol = DES,
>#           privacy pass phrase = SnortPrivPassword
>#
>#output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
>#For SNMPv3 informs with authentication and encryption
>#output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
>
># You can optionally define new rule types and associate one or
># more output plugins specifically to that type.
>#
># This example will create a type that will log to just tcpdump.
># ruletype suspicious
># {
>#   type log
>#   output log_tcpdump: suspicious.log
># }
>#
># EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
># suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
>#
># This example will create a rule type that will log to syslog
># and a mysql database.
># ruletype redalert
># {
>#   type alert
>#   output alert_syslog: LOG_AUTH LOG_ALERT
>#   output database: log, mysql, user=snort dbname=snort host=localhost
># }
>#
># EXAMPLE RULE FOR REDALERT RULETYPE
># redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
>#   flags:A+;)
>
>#
># Include classification & priority settings
>#
>
>include classification.config
>
>
>####################################################################
># Step #4: Customize your rule set
>#
># Up to date snort rules are available at http://www.snort.org
>#
># The snort web site has documentation about how to write your own
># custom snort rules.
>#
># The rules included with this distribution generate alerts based
># on suspicious activity. Depending on your network environment, your
># security policies, and what you consider to be suspicious, some of
># these rules may either generate false positives or may be detecting
># activity you consider to be acceptable; therefore, you are
># encouraged to comment out rules that are not applicable in your
># environment.
>#
># Note that using all of the rules at the same time may lead to
># serious packet loss on slower machines. YMMV, use with caution,
># standard disclaimers apply. :)
>#
># The following individuals contributed many of the rules in this
># distribution.
>#
># Credits:
>#   Ron Gula <rgula at ...922...> of Network Security Wizards
>#   Max Vision <vision at ...4...>
>#   Martin Markgraf <martin at ...923...>
>#   Fyodor Yarochkin <fygrave at ...121...>
>#   Nick Rogness <nick at ...176...>
>#   Jim Forster <jforster at ...176...>
>#   Scott McIntyre <scott at ...315...>
>#   Tom Vandepoel <Tom.Vandepoel at ...271...>
>#   Brian Caswell <bmc at ...950...>
>#   Zeno <admin at ...4494...>
>#   Ryan Russell <ryan at ...35...>
>#
>#=========================================
># Include all relevant rulesets here
>#
># shellcode, policy, info, backdoor, and virus rulesets are
># disabled by default.  These require tuning and maintenance.
># Please read the included specific file for more information.
>#=========================================
>
>include $RULE_PATH/bad-traffic.rules
>include $RULE_PATH/exploit.rules
>include $RULE_PATH/scan.rules
>include $RULE_PATH/finger.rules
>include $RULE_PATH/ftp.rules
>include $RULE_PATH/telnet.rules
>include $RULE_PATH/smtp.rules
>include $RULE_PATH/rpc.rules
>include $RULE_PATH/rservices.rules
>include $RULE_PATH/dos.rules
>include $RULE_PATH/ddos.rules
>include $RULE_PATH/dns.rules
>include $RULE_PATH/tftp.rules
>include $RULE_PATH/web-cgi.rules
>include $RULE_PATH/web-coldfusion.rules
>include $RULE_PATH/web-iis.rules
>include $RULE_PATH/web-frontpage.rules
>include $RULE_PATH/web-misc.rules
>include $RULE_PATH/web-attacks.rules
>include $RULE_PATH/sql.rules
>include $RULE_PATH/x11.rules
>include $RULE_PATH/icmp.rules
>include $RULE_PATH/netbios.rules
>include $RULE_PATH/misc.rules
>include $RULE_PATH/attack-responses.rules
># include $RULE_PATH/backdoor.rules
>include $RULE_PATH/shellcode.rules
># include $RULE_PATH/policy.rules
># include $RULE_PATH/porn.rules
># include $RULE_PATH/info.rules
># include $RULE_PATH/icmp-info.rules
># include $RULE_PATH/virus.rules
>include $RULE_PATH/local.rules
>
>
>
>
>
> >From: "Michael Steele" <michaels at ...155...>
> >To: "'Donnie Green'" <d_greenjr at ...125...>
> >CC: <snort-users at lists.sourceforge.net>
> >Subject: RE: [Snort-users] snort rules not being read
> >Date: Wed, 4 Sep 2002 16:24:32 -0700
> >
> >Donnie,
> >
> >Try this:
> >
> >This should detail any problems with Snort configuration
> >
> ># snort -o -a -e -i eth0 -l /var/log/snort -c /etc/snort/snort.conf -T
> >
> >Not sure about the startup as we need more info as to what you have
> >already done.
> >
> >-Michael
> >--
> >  Michael Steele | System Engineer / Support Technician
> >  mailto:michaels at ...155...
> >  Silicon Defense: IDS solutions - http://www.silicondefense.com
> >  Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Donnie
> >Green
> >Sent: Tuesday, September 03, 2002 7:40 PM
> >To: snort-users at lists.sourceforge.net
> >Subject: [Snort-users] snort rules not being read
> >
> >I'm running RH7.3, snort-1.8.7, logging to /var/log/snort.
> >
> >I have two problems: (1) When I boot Linux, snort does not start up and (2) I
> >cannot get snort to read in the rules even if I use the command "snort -i
> >eth0 -c /etc/snort" after booting.  Below is a portion of the output of the
> >preceding command.  Does anyone have a configuration that works?
> >
> >
> >hostname#  snort -i eth0 -c /etc/snort
> >Log directory = /var/log/snort
> >
> >Initializing Network Interface eth0
> >
> >         --== Initializing Snort ==--
> >Decoding Ethernet on interface eth0
> >Initializing Preprocessors!
> >Initializing Plug-ins!
> >Initializating Output Plugins!
> >Parsing Rules file /etc/snort
> >
> >+++++++++++++++++++++++++++++++++++++++++++++++++++
> >Initializing rule chains...
> >0 Snort rules read...
> >0 Option Chains linked into 0 Chain Headers
> >0 Dynamic rules
> >+++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> >Rule application order: ->activation->dynamic->alert->pass->log
> >
> >         --== Initialization Complete ==--
> >
> >-*> Snort! <*-
> >Version 1.8.7 (Build 128)
> >
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by: OSDN - Tired of that same old
>cell phone?  Get a new here for FREE!
>https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
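The checks the replies above describe by hand (point RULE_PATH at an absolute directory, make sure classification.config and every rules file are actually reachable, then run "snort -T") as an added example, not code from this thread or from the Snort project. It is a POSIX shell preflight that resolves RULE_PATH the way snort does (a relative value is taken against the working directory snort is started in, which is what bit the "./" in the posted conf), prints any include that would not be found, and lints rule headers so a rule that was wrapped onto two lines or lost a field is named by file and line instead of surfacing as a one-line "Bad protocol name" fatal. The function names, the file name and the sample conf and rules it writes are hypothetical and constructed for this example.

```shell
#!/bin/sh
# snort_preflight.sh (hypothetical name): added example, not from the thread
# or the Snort project. Resolves RULE_PATH, reports includes snort would not
# find, and lints rule headers so a wrapped or truncated rule is named by
# file:line before `snort -T` aborts with something like "Bad protocol name".

# Print the value of "var RULE_PATH" from CONF. Snort resolves a relative
# value against its working directory, so warn and resolve against $PWD.
rule_path_of() {
    conf=$1
    raw=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$conf")
    if [ -z "$raw" ]; then
        echo "$conf: no 'var RULE_PATH' line" >&2
        return 1
    fi
    case $raw in
        /*) ;;
        *)  echo "$conf: RULE_PATH '$raw' is relative; snort resolves it against its cwd ($PWD)" >&2
            raw=$PWD/$raw ;;
    esac
    printf '%s\n' "$raw"
}

# Print "OK <path>" or "MISSING <path>" for each active include in CONF,
# expanding $RULE_PATH; other relative includes are taken against $PWD as
# snort does. Returns the number of missing files.
check_includes() {
    conf=$1
    rp=$(rule_path_of "$conf") || rp=
    missing=0
    for inc in $(awk '$1 == "include" { print $2 }' "$conf"); do
        case $inc in
            '$RULE_PATH'/*) path=$rp/${inc#\$RULE_PATH/} ;;
            /*)             path=$inc ;;
            *)              path=$PWD/$inc ;;
        esac
        if [ -f "$path" ]; then echo "OK $path"; else echo "MISSING $path"; missing=$((missing + 1)); fi
    done
    return $missing
}

# Lint one rules file. After joining backslash continuations each rule must be
#   <action> <proto> <src> <sport> <dir> <dst> <dport> [( <options> )]
# Prints "file:line: problem" and returns the number of problems found.
lint_rules() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, start, msg; bad++ }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        if (buf == "") start = FNR
        if (line ~ /\\$/) { sub(/\\$/, "", line); buf = buf line " "; next }
        rule = buf line; buf = ""
        n = split(rule, f, /[ \t]+/)
        if (f[1] ~ /^(var|include|preprocessor|output|config|ruletype)$/) next
        if (f[1] !~ /^(alert|log|pass|activate|dynamic)$/) { report("unknown action \"" f[1] "\" (wrapped or truncated rule?)"); next }
        if (n < 7) { report("header has " n " fields, expected 7"); next }
        if (f[2] !~ /^(tcp|udp|icmp|ip)$/) { report("bad protocol name \"" f[2] "\""); next }
        if (f[5] != "->" && f[5] != "<>") { report("bad direction \"" f[5] "\""); next }
        if (n > 7 && (f[8] !~ /^\(/ || rule !~ /\)$/)) { report("options not enclosed in ( ... )"); next }
    }
    END { if (buf != "") report("unterminated backslash continuation"); exit bad }' "$1"
}

# Constructed sample files (not from the thread): a clean rules file, one
# with a rule wrapped over two lines plus one that lost its protocol field,
# and an include that does not exist.
make_fixtures() {
    dir=$1
    mkdir -p "$dir/rules"
    cat > "$dir/snort.conf" <<EOF
var HOME_NET any
var EXTERNAL_NET \$HOME_NET
var RULE_PATH $dir/rules
include \$RULE_PATH/clean.rules
include \$RULE_PATH/broken.rules
include \$RULE_PATH/nonexistent.rules
EOF
    cat > "$dir/rules/clean.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed telnet"; flags:A+;)
log udp any any -> $HOME_NET 514
alert icmp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"constructed continued rule"; itype:8;)
EOF
    cat > "$dir/rules/broken.rules" <<'EOF'
# constructed: a rule wrapped by a mail client, then one missing its protocol
alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"constructed split
rule"; flags:A+;)
alert $EXTERNAL_NET any -> $HOME_NET 134 (msg:"constructed protocol dropped";)
EOF
}

# Demo run; a non-zero return from either check is the signal an init
# script should use to refuse to start the daemon.
demo() {
    tmp=$(mktemp -d)
    make_fixtures "$tmp"
    check_includes "$tmp/snort.conf" || echo "$? include(s) missing"
    for f in "$tmp"/rules/*.rules; do
        lint_rules "$f" || echo "$f: $? problem(s)"
    done
    rm -rf "$tmp"
}
demo
```

Run it from the same working directory the init script will start snort in; an init script can call check_includes and lint_rules on the real snort.conf before the daemon line and skip the start when either returns non-zero, so a broken ruleset fails loudly at boot rather than leaving an interface unmonitored.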


