[Snort-users] snort rules not being read--NOW READ :)

Donnie Green d_greenjr at ...125...
Thu Sep 5 19:02:02 EDT 2002


Thanks everyone for their help...I replaced my rules with the stable ones 
and everything works like a charm!  Thanks!


>From: "Tim" <twr at ...163...>
>To: "Donnie Green" <d_greenjr at ...125...>
>Subject: Re: [Snort-users] snort rules not being read
>Date: Thu, 5 Sep 2002 09:44:34 -0700
>
>Donnie,
>
>I had this same problem earlier when I too was pulling my hair attempting to
>configure snort.....one of the guys on the list mentioned that I had the
>experimental rule set. Verify this. If you loaded a rule set that said
>current then you have the experimental rule set. As soon as I changed the
>ruleset I had for the stable ruleset everything worked just fine. The snort
>site has the correct rules posted as long as the rules set does not contain
>the word current on the filename you are good to go.
>
>Tim--Mia/Fla
>
>
>----- Original Message -----
>From: "Donnie Green" <d_greenjr at ...125...>
>To: <snort-users at lists.sourceforge.net>
>Sent: Thursday, September 05, 2002 4:26 AM
>Subject: RE: [Snort-users] snort rules not being read
>
>
> > I made the recommended changes and it looks like the rules are being
> > read--although I had to make a link "ln -s /etc/conf/snort.conf
> > /etc/snort.conf".  Now it seems as though I have a faulty
> > rule(bad-traffic.rules).  Just to see, I commented out the rule in
> > /etc/conf/snort.conf and I received an error in the next rule.  It appears
> > as if the rules aren't using the correct syntax??  Following is the output
> > of the command "snort".
> >
> > [root@/etc]=> snort
> > Log directory = /var/log/snort
> >
> > Initializing Network Interface eth0
> > using config file /etc/snort.conf
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Initializating Output Plugins!
> > Parsing Rules file /etc/snort.conf
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > No arguments to frag2 directive, setting defaults to:
> >     Fragment timeout: 60 seconds
> >     Fragment memory cap: 4194304 bytes
> >     Fragment min_ttl:   0
> >     Fragment ttl_limit: 5
> >     Fragment Problems: 0
> > Stream4 config:
> >     Stateful inspection: ACTIVE
> >     Session statistics: INACTIVE
> >     Session timeout: 30 seconds
> >     Session memory cap: 8388608 bytes
> >     State alerts: INACTIVE
> >     Evasion alerts: INACTIVE
> >     Scan alerts: ACTIVE
> >     Log Flushed Streams: INACTIVE
> >     MinTTL: 1
> >     TTL Limit: 5
> > No arguments to stream4_reassemble, setting defaults:
> >      Reassemble client: ACTIVE
> >      Reassemble server: INACTIVE
> >      Reassemble ports: 21 23 25 53 80 143 110 111 513
> >      Reassembly alerts: ACTIVE
> >      Reassembly method: FAVOR_OLD
> > ERROR /etc/snort/bad-traffic.rules(20) => Bad protocol name ">134"
> > Fatal Error, Quitting..
> >
> >
> > >From: Bill Gercken <bgercken at ...1569...>
> > >Reply-To: bgercken at ...1569...
> > >To: Donnie Green <d_greenjr at ...125...>, snort-users at lists.sourceforge.net
> > >Subject: RE: [Snort-users] snort rules not being read
> > >Date: Wed, 04 Sep 2002 23:47:19 -0400
> > >
> > >Donnie,
> > >
> > >Unless your rules happen to be in the current directory that you are attempting
> > >to run snort from, you will need to modify the RULES_PATH in your snort.conf
> > >
> > >Change:
> > >
> > >var RULE_PATH ./
> > >
> > >To:
> > >
> > >var RULE_PATH /full/path/to/rules
> > >
> > >as in:
> > >
> > >var RULE_PATH /usr/local/etc/snort/
> > >
> > >or something.
> > >
> > >--
> > >
> > >Also the classification.config file must be available.
> > >
> > >include $RULE_PATH/classification.config
> > >
> > >should work.
> > >--
> > >
> > >In your startup script you will need to change:
> > >
> > >daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c /etc/snort
> > >
> > >to:
> > >
> > >daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c /etc/snort/snort.conf
> > >
> > >Regards,
> > >-bill
> > >
> > >
> > >-----Original Message-----
> > >From: snort-users-admin at lists.sourceforge.net
> > >[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Donnie
> > >Green
> > >Sent: Wednesday, September 04, 2002 11:13 PM
> > >To: snort-users at lists.sourceforge.net
> > >Subject: RE: [Snort-users] snort rules not being read
> > >
> > >
> > >The following is a copy of my files /etc/rc.d/init.d/snortd and
> > >/etc/snort/snort.conf:
> > >
> > >/etc/rc.d/init.d/snortd:
> > >#!/bin/sh
> > >#
> > ># snortd         Start/Stop the snort IDS daemon.
> > >#
> > ># chkconfig: 2345 40 60
> > ># description:  snort is a lightweight network intrusion detection tool that
> > >#               currently detects more than 1100 host and network
> > >#               vulnerabilities, portscans, backdoors, and more.
> > >#
> > ># June 10, 2000 -- Dave Wreski <dave at ...725...>
> > >#   - initial version
> > >#
> > ># July 08, 2000 Dave Wreski <dave at ...53...>
> > >#   - added snort user/group
> > >#   - support for 1.6.2
> > >
> > ># Source function library.
> > >. /etc/rc.d/init.d/functions
> > >
> > ># Specify your network interface here
> > >INTERFACE=eth0
> > >
> > ># See how we were called.
> > >case "$1" in
> > >   start)
> > >         echo -n "Starting snort: "
> > >         ifconfig eth0 up
> > >daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c /etc/snort
> > >         touch /var/lock/subsys/snort
> > >         echo
> > >         ;;
> > >   stop)
> > >         echo -n "Stopping snort: "
> > >         killproc snort
> > >         rm -f /var/lock/subsys/snort
> > >         echo
> > >         ;;
> > >   restart)
> > >         $0 stop
> > >         $0 start
> > >         ;;
> > >   status)
> > >         status snort
> > >         ;;
> > >   *)
> > >         echo "Usage: $0 {start|stop|restart|status}"
> > >         exit 1
> > >esac
> > >
> > >exit 0
> > >
> > >+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > >/etc/snort/snort.conf:
> > >#--------------------------------------------------
> > >#   http://www.snort.org     Snort 1.8.6 Ruleset
> > >#     Contact: snort-sigs at lists.sourceforge.net
> > >#--------------------------------------------------
> > ># NOTE:This ruleset only works for 1.8.0 and later
> > >#--------------------------------------------------
> > ># $Id: snort.conf,v 1.77.2.19 2002/06/29 13:32:48 chrisgreen Exp $
> > >#
> > >###################################################
> > ># This file contains a sample snort configuration.
> > ># You can take the following steps to create your
> > ># own custom configuration:
> > >#
> > >#  1) Set the network variables for your network
> > >#  2) Configure preprocessors
> > >#  3) Configure output plugins
> > >#  4) Customize your rule set
> > >#
> > >###################################################
> > ># Step #1: Set the network variables:
> > >#
> > ># You must change the following variables to reflect
> > ># your local network. The variable is currently
> > ># setup for an RFC 1918 address space.
> > >#
> > ># You can specify it explicitly as:
> > >#
> > ># var HOME_NET 10.1.1.0/24
> > >#
> > ># or use global variable $<interfacename>_ADDRESS
> > ># which will be always initialized to IP address and
> > ># netmask of the network interface which you run
> > ># snort at.
> > >#
> > ># var HOME_NET $eth0_ADDRESS
> > >#
> > ># You can specify lists of IP addresses for HOME_NET
> > ># by separating the IPs with commas like this:
> > >#
> > ># var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> > >#
> > ># MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> > >#
> > ># or you can specify the variable to be any IP address
> > ># like this:
> > >
> > >var HOME_NET any
> > >
> > ># Set up the external network addresses as well.
> > ># A good start may be "any"
> > >
> > >var EXTERNAL_NET $HOME_NET
> > >
> > ># Set up your SMTP servers, or simply configure them
> > ># to HOME_NET
> > >
> > >var SMTP $HOME_NET
> > >
> > ># Set up your web servers, or simply configure them
> > ># to HOME_NET
> > >
> > >var HTTP_SERVERS $HOME_NET
> > >
> > ># Set up your sql servers, or simply configure them
> > ># to HOME_NET
> > >
> > >var SQL_SERVERS $HOME_NET
> > >
> > ># Define the addresses of DNS servers and other hosts
> > >
> > >var DNS_SERVERS $HOME_NET
> > >
> > >var RULE_PATH ./
> > >
> > ># Ports you want to look for SHELLCODE on.  (By default, not port 80)
> > >var SHELLCODE_PORTS !80
> > >
> > ># Ports you run web servers on.  (By default, port 80)
> > >var HTTP_PORTS 80
> > >
> > ># Ports you do oracle type stuff on.  (Can be 80, as well as all of the
> > ># standard oracle ports.  (By default, port 1521)
> > >var ORACLE_PORTS 1521
> > >
> > >
> > >###################################################
> > ># Step #2: Configure preprocessors
> > >#
> > ># General configuration for preprocessors is of
> > ># the form
> > ># preprocessor <name_of_processor>: <configuration_options>
> > >
> > ># frag2: IP defragmentation support
> > ># -------------------------------
> > ># This preprocessor performs IP defragmentation.  This plugin will also detect
> > ># people launching fragmentation attacks (usually DoS) against hosts.  No
> > ># arguments loads the default configuration of the preprocessor, which is a
> > ># 60 second timeout and a 4MB fragment buffer.
> > >
> > ># The following (comma delimited) options are available for frag2
> > >#    timeout [seconds] - sets the number of [seconds] than an unfinished
> > >#                        fragment will be kept around waiting for completion,
> > >#                        if this time expires the fragment will be flushed
> > >#    memcap [bytes] - limit frag2 memory usage to [number] bytes
> > >#                      (default:  4194304)
> > >
> > >preprocessor frag2
> > >
> > ># stream4: stateful inspection/stream reassembly for Snort
> > >#----------------------------------------------------------------------
> > ># Use in concert with the -z [all|est] command line switch to defeat
> > ># stick/snot against TCP rules.  Also performs full TCP stream
> > ># reassembly, stateful inspection of TCP streams, etc.  Can statefully
> > ># detect various portscan types, fingerprinting, ECN, etc.
> > >
> > ># stateful inspection directive
> > ># no arguments loads the defaults (timeout 30, memcap 8388608)
> > ># options (options are comma delimited):
> > >#   detect_scans - stream4 will detect stealth portscans and generate alerts
> > >#                  when it sees them when this option is set
> > >#   detect_state_problems - detect TCP state problems, this tends to be very
> > >#                           noisy because there are a lot of crappy ip stack
> > >#                           implementations out there
> > >#
> > >#   disable_evasion_alerts - disable fragroute alerting.  Useful for
> > >#                             machines with odd retransmission patterns
> > >#
> > >#   keepstats [machine|binary] - keep session statistics, add "machine" to
> > >#                         get them in a flat format for machine reading, add
> > >#                         "binary" to get them in a unified binary output
> > >#                         format
> > >#   noinspect - turn off stateful inspection only
> > >#   timeout [number] - set the session timeout counter to [number] seconds,
> > >#                      default is 30 seconds
> > >#   memcap [number] - limit stream4 memory usage to [number] bytes
> > >#   log_flushed_streams - if an event is detected on a stream this option will
> > >#                         cause all packets that are stored in the stream4
> > >#                         packet buffers to be flushed to disk.  This only
> > >#                         works when logging in pcap mode!
> > >#
> > >#
> > >
> > >preprocessor stream4: detect_scans, disable_evasion_alerts
> > >
> > ># tcp stream reassembly directive
> > ># no arguments loads the default configuration
> > >#   Only reassemble the client,
> > >#   Only reassemble the default list of ports (See below),
> > >#   Give alerts for "bad" streams
> > >#
> > ># Available options (comma delimited):
> > >#   clientonly - reassemble traffic for the client side of a connection only
> > >#   serveronly - reassemble traffic for the server side of a connection only
> > >#   both - reassemble both sides of a session
> > >#   noalerts - turn off alerts from the stream reassembly stage of stream4
> > >#   ports [list] - use the space separated list of ports in [list], "all"
> > >#                  will turn on reassembly for all ports, "default" will turn
> > >#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
> > >#                  and 513
> > >
> > >preprocessor stream4_reassemble
> > >
> > ># http_decode: normalize HTTP requests
> > ># ------------------------------------
> > ># http_decode normalizes HTTP requests from remote
> > ># machines by converting any %XX character
> > ># substitutions to their ASCII equivalent. This is
> > ># very useful for doing things like defeating hostile
> > ># attackers trying to stealth themselves from IDSs by
> > ># mixing these substitutions in with the request.
> > ># Specify the port numbers you want it to analyze as arguments.
> > ># You may also specify -unicode to turn off detection of
> > ># UNICODE directory traversal, etc attacks.  Use -cginull to
> > ># turn off detection of CGI NULL code attacks.
> > >
> > >preprocessor http_decode: 80 -unicode -cginull
> > >
> > ># rpc_decode: normalize RPC traffic
> > ># ---------------------------------
> > ># RPC may be sent in alternate encodings besides the usual
> > ># 4-byte encoding that is used by default.  This preprocessor
> > ># normalized RPC traffic in much the same way as the http_decode
> > ># preprocessor.  This plugin takes the ports numbers that RPC
> > ># services are running on as arguments.
> > >
> > >preprocessor rpc_decode: 111 32771
> > >
> > ># bo: Back Orifice detector
> > ># -------------------------
> > ># Detects Back Orifice traffic on the network.  This preprocessor
> > ># uses the Back Orifice "encryption" algorithm to search for
> > ># traffic conforming to the Back Orifice protocol (not BO2K).
> > ># This preprocessor can take two arguments.  The first is "-nobrute"
> > ># which turns off the plugin's brute forcing routine (brute forces
> > ># the key space of the protocol to find BO traffic).  The second
> > ># argument that can be passed to the routine is a number to use
> > ># as the default key when trying to decrypt the traffic.  The
> > ># default value is 31337 (just like BO).  Be aware that turning on
> > ># the brute forcing option runs the risk of impacting the overall
> > ># performance of Snort, you've been warned...
> > >
> > >preprocessor bo
> > >
> > ># telnet_decode: Telnet negotiation string normalizer
> > ># ---------------------------------------------------
> > ># This preprocessor "normalizes" telnet negotiation strings from
> > ># telnet and ftp traffic.  It works in much the same way as the
> > ># http_decode preprocessor, searching for traffic that breaks up
> > ># the normal data stream of a protocol and replacing it with
> > ># a normalized representation of that traffic so that the "content"
> > ># pattern matching keyword can work without requiring modifications.
> > ># This preprocessor requires no arguments.
> > >
> > >preprocessor telnet_decode
> > >
> > ># portscan: detect a variety of portscans
> > ># ---------------------------------------
> > ># portscan preprocessor by Patrick Mullen <p_mullen at ...245...>
> > ># This preprocessor detects UDP packets or TCP SYN packets going to
> > ># four different ports in less than three seconds. "Stealth" TCP
> > ># packets are always detected, regardless of these settings.
> > >
> > ># preprocessor portscan: $HOME_NET 4 3 portscan.log
> > >
> > ># Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
> > ># specific networks or hosts to reduce false alerts. It is typical
> > ># to see many false alerts from DNS servers so you may want to
> > ># add your DNS servers here. You can all multiple hosts/networks
> > ># in a whitespace-delimited list.
> > >#
> > >#preprocessor portscan-ignorehosts: 0.0.0.0
> > >
> > ># Spade: the Statistical Packet Anomaly Detection Engine
> > >#-------------------------------------------------------
> > ># READ the README.Spade file before using this plugin!
> > >#
> > ># preprocessor spade: <anom-report-thresh> <state-file>
> > ># <log-file> <prob-mode> <checkpoint-freq>  [-corrscore]
> > >#
> > ># set this to a directory Spade can read and write to
> > ># store its files
> > >#
> > ># var SPADEDIR .
> > >#
> > ># preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> > >#
> > ># put a list of the networks you are interested in Spade observing packets
> > ># going to here; separate these by spaces
> > >#
> > ># preprocessor spade-homenet: 0.0.0.0/0
> > >#
> > ># this causes Spade to adjust the reporting threshold automatically
> > ># the first argument is the target rate of alerts for normal circumstances
> > ># (0.01 = 1% or you can give it an hourly rate) after the first hour (or
> > ># however long the period is set to in the second argument), the reporting
> > ># threshold given above is ignored you can comment this out to have the
> > ># threshold be static, or try one of the other adapt methods below
> > ># preprocessor spade-adapt3: 0.01 60 168
> > >#
> > ># other possible Spade config lines:
> > ># adapt method #1
> > >#preprocessor spade-adapt: 20 2 0.5
> > ># adapt method #2
> > >#preprocessor spade-adapt2: 0.01 15 4 24 7
> > ># offline threshold learning
> > >#preprocessor spade-threshlearn: 200 24
> > ># periodically report on the anom scores and count of packets seen
> > >#preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> > ># print out known stats about packet feature
> > >#preprocessor spade-stats: entropy uncondprob condprob
> > >
> > ># arpspoof
> > >#----------------------------------------
> > ># Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
> > ># unicast ARP requests, and specific ARP mapping monitoring.  To make use
> > ># of this preprocessor you must specify the IP and hardware address of hosts
> > ># on the same layer 2 segment as you.  Specify one host IP MAC combo per line.
> > ># Also takes a "-unicast" option to turn on unicast ARP request detection.
> > >
> > >#preprocessor arpspoof
> > >#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> > >
> > >
> > >####################################################################
> > ># Step #3: Configure output plugins
> > >#
> > ># Uncomment and configure the output plugins you decide to use.
> > ># General configuration for output plugins is of the form:
> > >#
> > ># output <name_of_plugin>: <configuration_options>
> > >#
> > ># alert_syslog: log alerts to syslog
> > ># ----------------------------------
> > ># Use one or more syslog facilities as arguments
> > >#
> > ># output alert_syslog: LOG_AUTH LOG_ALERT
> > >
> > ># log_tcpdump: log packets in binary tcpdump format
> > ># -------------------------------------------------
> > ># The only argument is the output file name.
> > >#
> > ># output log_tcpdump: snort.log
> > >
> > ># database: log to a variety of databases
> > ># ---------------------------------------
> > ># See the README.database file for more information about configuring
> > ># and using this plugin.
> > >#
> > ># output database: log, mysql, user=root password=test dbname=db host=localhost
> > ># output database: alert, postgresql, user=snort dbname=snort
> > ># output database: log, unixodbc, user=snort dbname=snort
> > ># output database: log, mssql, dbname=snort user=snort password=test
> > >
> > ># xml: xml logging
> > ># ----------------
> > ># See the README.xml file for more information about configuring
> > ># and using this plugin.
> > >#
> > ># output xml: log, file=/var/log/snortxml
> > >
> > ># unified: Snort unified binary format alerting and logging
> > ># -------------------------------------------------------------
> > ># The unified output plugin provides two new formats for logging
> > ># and generating alerts from Snort, the "unified" format.  The
> > ># unified format is a straight binary format for logging data
> > ># out of Snort that is designed to be fast and efficient.  Used
> > ># with barnyard (the new alert/log processor), most of the overhead
> > ># for logging and alerting to various slow storage mechanisms
> > ># such as databases or the network can now be avoided.
> > >#
> > ># Check out the spo_unified.h file for the data formats.
> > >#
> > ># Two arguments are supported.
> > >#    filename - base filename to write to (current time_t is appended)
> > >#    limit    - maximum size of spool file in MB (default: 128)
> > >#
> > ># output alert_unified: filename snort.alert, limit 128
> > ># output log_unified: filename snort.log, limit 128
> > >
> > >
> > ># trap_snmp: SNMP alerting for Snort
> > ># -------------------------------------------------------------
> > ># Read the README-SNMP file for more information on enabling and using this
> > ># plug-in.
> > >#
> > >#
> > ># The SnmpTrapGenerator outputplugin requires several parameters
> > ># The parameters depend on the Snmpversion that is used (specified)
> > ># For the SNMPv2c case the paremeters will be as follows
> > >#  alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
> > >#         <hostName> <community>
> > >#
> > ># For SNMPv2c traps
> > >#
> > >#output trap_snmp: alert, 7, trap -v 2c -p 162  myTrapListener myCommunity
> > >#
> > ># For SNMPv2c informs
> > >#
> > >#output trap_snmp: alert, 7, inform -v 2c -p 162  myTrapListener myCommunity
> > >#
> > ># For SNMPv3 traps with
> > ># security name = snortUser
> > ># security level = authentication and privacy
> > ># authentication parameters :
> > >#           authentication protocol = SHA ,
> > >#           authentication pass phrase = SnortAuthPassword
> > ># privacy (encryption) parameters
> > >#           privacy protocol = DES,
> > >#           privacy pass phrase = SnortPrivPassword
> > >#
> > >#output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
> > >#For SNMPv3 informs with authentication and encryption
> > >#output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
> > >
> > ># You can optionally define new rule types and associate one or
> > ># more output plugins specifically to that type.
> > >#
> > ># This example will create a type that will log to just tcpdump.
> > ># ruletype suspicious
> > ># {
> > >#   type log
> > >#   output log_tcpdump: suspicious.log
> > ># }
> > >#
> > ># EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> > ># suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
> > >#
> > ># This example will create a rule type that will log to syslog
> > ># and a mysql database.
> > ># ruletype redalert
> > ># {
> > >#   type alert
> > >#   output alert_syslog: LOG_AUTH LOG_ALERT
> > >#   output database: log, mysql, user=snort dbname=snort host=localhost
> > ># }
> > >#
> > ># EXAMPLE RULE FOR REDALERT RULETYPE
> > ># redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
> > >#   flags:A+;)
> > >
> > >#
> > ># Include classification & priority settings
> > >#
> > >
> > >include classification.config
> > >
> > >
> > >####################################################################
> > ># Step #4: Customize your rule set
> > >#
> > ># Up to date snort rules are available at http://www.snort.org
> > >#
> > ># The snort web site has documentation about how to write your own
> > ># custom snort rules.
> > >#
> > ># The rules included with this distribution generate alerts based on
> > ># on suspicious activity. Depending on your network environment, your
> > ># security policies, and what you consider to be suspicious, some of
> > ># these rules may either generate false positives ore may be detecting
> > ># activity you consider to be acceptable; therefore, you are
> > ># encouraged to comment out rules that are not applicable in your
> > ># environment.
> > >#
> > ># Note that using all of the rules at the same time may lead to
> > ># serious packet loss on slower machines. YMMV, use with caution,
> > ># standard disclaimers apply. :)
> > >#
> > ># The following individuals contributed many of rules in this
> > ># distribution.
> > >#
> > ># Credits:
> > >#   Ron Gula <rgula at ...922...> of Network Security Wizards
> > >#   Max Vision <vision at ...4...>
> > >#   Martin Markgraf <martin at ...923...>
> > >#   Fyodor Yarochkin <fygrave at ...121...>
> > >#   Nick Rogness <nick at ...176...>
> > >#   Jim Forster <jforster at ...176...>
> > >#   Scott McIntyre <scott at ...315...>
> > >#   Tom Vandepoel <Tom.Vandepoel at ...271...>
> > >#   Brian Caswell <bmc at ...950...>
> > >#   Zeno <admin at ...4494...>
> > >#   Ryan Russell <ryan at ...35...>
> > >#
> > >#=========================================
> > ># Include all relevant rulesets here
> > >#
> > ># shellcode, policy, info, backdoor, and virus rulesets are
> > ># disabled by default.  These require tuning and maintance.
> > ># Please read the included specific file for more information.
> > >#=========================================
> > >
> > >include $RULE_PATH/bad-traffic.rules
> > >include $RULE_PATH/exploit.rules
> > >include $RULE_PATH/scan.rules
> > >include $RULE_PATH/finger.rules
> > >include $RULE_PATH/ftp.rules
> > >include $RULE_PATH/telnet.rules
> > >include $RULE_PATH/smtp.rules
> > >include $RULE_PATH/rpc.rules
> > >include $RULE_PATH/rservices.rules
> > >include $RULE_PATH/dos.rules
> > >include $RULE_PATH/ddos.rules
> > >include $RULE_PATH/dns.rules
> > >include $RULE_PATH/tftp.rules
> > >include $RULE_PATH/web-cgi.rules
> > >include $RULE_PATH/web-coldfusion.rules
> > >include $RULE_PATH/web-iis.rules
> > >include $RULE_PATH/web-frontpage.rules
> > >include $RULE_PATH/web-misc.rules
> > >include $RULE_PATH/web-attacks.rules
> > >include $RULE_PATH/sql.rules
> > >include $RULE_PATH/x11.rules
> > >include $RULE_PATH/icmp.rules
> > >include $RULE_PATH/netbios.rules
> > >include $RULE_PATH/misc.rules
> > >include $RULE_PATH/attack-responses.rules
> > ># include $RULE_PATH/backdoor.rules
> > >include $RULE_PATH/shellcode.rules
> > ># include $RULE_PATH/policy.rules
> > ># include $RULE_PATH/porn.rules
> > ># include $RULE_PATH/info.rules
> > ># include $RULE_PATH/icmp-info.rules
> > ># include $RULE_PATH/virus.rules
> > >include $RULE_PATH/local.rules
> > >
> > >
> > >
> > >
> > >
> > > >From: "Michael Steele" <michaels at ...155...>
> > > >To: "'Donnie Green'" <d_greenjr at ...125...>
> > > >CC: <snort-users at lists.sourceforge.net>
> > > >Subject: RE: [Snort-users] snort rules not being read
> > > >Date: Wed, 4 Sep 2002 16:24:32 -0700
> > > >
> > > >Donnie,
> > > >
> > > >Try this:
> > > >
> > > >This should detail any problems with Snort configuration
> > > >
> > > ># snort -o -a -e -i eth0 -l /var/log/snort -c /etc/snort/snort.conf -T
> > > >
> > > >Not sure about the startup as we need more info as to what you have
> > > >already done.
> > > >
> > > >-Michael
> > > >--
> > > >  Michael Steele | System Engineer / Support Technician
> > > >  mailto:michaels at ...155...
> > > >  Silicon Defense: IDS solutions - http://www.silicondefense.com
> > > >  Snort: Open Source Network IDS - http://www.snort.org
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: snort-users-admin at lists.sourceforge.net
> > > >[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Donnie
> > > >Green
> > > >Sent: Tuesday, September 03, 2002 7:40 PM
> > > >To: snort-users at lists.sourceforge.net
> > > >Subject: [Snort-users] snort rules not being read
> > > >
> > > >I'm running RH7.3, snort-1.8.7, logging to /var/log/snort.
> > > >
> > > >I have two problems: (1) When I boot Linux, snort does not start up and
> > > >(2) I cannot get snort to read in the rules even if I use the command "snort
> > > >-i eth0 -c /etc/snort" after booting.  Below is a portion of the output of the
> > > >preceding command.  Does anyone have a configuration that works??
> > > >
> > > >
> > > >hostname#  snort -i eth0 -c /etc/snort
> > > >Log directory = /var/log/snort
> > > >
> > > >Initializing Network Interface eth0
> > > >
> > > >         --== Initializing Snort ==--
> > > >Decoding Ethernet on interface eth0
> > > >Initializing Preprocessors!
> > > >Initializing Plug-ins!
> > > >Initializating Output Plugins!
> > > >Parsing Rules file /etc/snort
> > > >
> > > >+++++++++++++++++++++++++++++++++++++++++++++++++++
> > > >Initializing rule chains...
> > > >0 Snort rules read...
> > > >0 Option Chains linked into 0 Chain Headers
> > > >0 Dynamic rules
> > > >+++++++++++++++++++++++++++++++++++++++++++++++++++
> > > >
> > > >Rule application order: ->activation->dynamic->alert->pass->log
> > > >
> > > >         --== Initialization Complete ==--
> > > >
> > > >-*> Snort! <*-
> > > >Version 1.8.7 (Build 128)
> > > >
> > > >_________________________________________________________________
> > > >MSN Photos is the easiest way to share and print your photos:
> > > >http://photos.msn.com/support/worldwide.aspx
> > > >
> > > >
> > > >
> > > >-------------------------------------------------------
> > > >This sf.net email is sponsored by: OSDN - Tired of that same old
> > > >cell phone?  Get a new here for FREE!
> > > >https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> > > >_______________________________________________
> > > >Snort-users mailing list
> > > >Snort-users at lists.sourceforge.net
> > > >Go to this URL to change user options or unsubscribe:
> > > >https://lists.sourceforge.net/lists/listinfo/snort-users
> > > >Snort-users list archive:
> > > >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >_________________________________________________________________
> > >Join the world's largest e-mail service with MSN Hotmail.
> > >http://www.hotmail.com
> > >
> > >
> > >
> >
> >
> >
> >
> >
> >



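Added example, not part of this thread and not Snort's own code: a POSIX sh pre-flight check that covers the three things the replies above point at before the daemon is started. `-c` must name snort.conf rather than the /etc/snort directory; `RULE_PATH` must be an absolute directory, because a bare `include classification.config` or a relative `RULE_PATH ./` is only resolved against whatever directory snort happens to be started from; and every included .rules file must parse as `<action> <protocol> ...`, so a rule that was wrapped onto a second line is reported before snort aborts with "Bad protocol name". The function names, the sample conf files and the temp-directory layout are this example's own constructed assumptions.

```shell
#!/bin/sh
# snort-preflight: sanity-check a Snort 1.8-style snort.conf before starting
# the daemon. Added example; function names and sample data are assumptions.

# Print the value of "var RULE_PATH ..." from a snort.conf (empty if unset).
snort_rule_path() {
    awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$1"
}

# Resolve an include target the way snort opens it: "$RULE_PATH/x" becomes
# "<rule_path>/x", an absolute path is used as is, and a bare relative name is
# looked up in the current working directory (the trap in the thread).
snort_resolve_include() {
    conf="$1"; target="$2"
    rp=$(snort_rule_path "$conf")
    case "$target" in
        '$RULE_PATH'/*) printf '%s/%s\n' "${rp%/}" "${target#\$RULE_PATH/}" ;;
        /*)             printf '%s\n' "$target" ;;
        *)              printf '%s/%s\n' "$PWD" "$target" ;;
    esac
}

# Lint one rules file: every non-comment line must begin with a known action
# and a known protocol; backslash-continued rules are followed correctly.
# Prints "file:line: reason" per bad line; exit status = number of bad lines.
snort_lint_rules() {
    awk -v f="$1" '
        BEGIN {
            bad = 0
            n = split("alert log pass activate dynamic", a); for (i = 1; i <= n; i++) act[a[i]] = 1
            n = split("tcp udp icmp ip", p);                for (i = 1; i <= n; i++) proto[p[i]] = 1
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        cont { cont = ($0 ~ /\\$/); next }      # still inside a continued rule
        { cont = ($0 ~ /\\$/) }
        !($1 in act)   { printf "%s:%d: unknown action \"%s\" (wrapped line?)\n", f, NR, $1; bad++; next }
        !($2 in proto) { printf "%s:%d: bad protocol name \"%s\"\n", f, NR, $2; bad++; next }
        END { exit bad }
    ' "$1"
}

# Check a snort.conf: it must be a regular file, RULE_PATH must be an absolute
# existing directory, every include target must exist, and every included
# *.rules file must lint clean. Exit status = number of problems found.
snort_check_conf() {
    conf="$1"; problems=0
    if [ ! -f "$conf" ]; then
        echo "error: $conf is not a file (pass snort.conf itself, not its directory)"
        return 1
    fi
    rp=$(snort_rule_path "$conf")
    case "$rp" in
        /*) [ -d "$rp" ] || { echo "error: RULE_PATH $rp does not exist"; problems=$((problems + 1)); } ;;
        *)  echo "error: RULE_PATH '$rp' is not absolute; use var RULE_PATH /full/path/to/rules"
            problems=$((problems + 1)) ;;
    esac
    for target in $(awk '$1 == "include" { print $2 }' "$conf"); do
        path=$(snort_resolve_include "$conf" "$target")
        if [ ! -f "$path" ]; then
            echo "error: include $target -> $path not found"
            problems=$((problems + 1))
        elif [ "${path##*.}" = "rules" ]; then
            snort_lint_rules "$path" || problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Build a constructed sample tree in a temp directory and print its path. It
# reproduces the thread's failure modes (relative RULE_PATH, bare include of
# classification.config, a rule wrapped onto two lines) next to a fixed conf.
snort_make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/rules"
    printf 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ok"; sid:1000001;)\n' > "$dir/rules/good.rules"
    printf 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE wrapped";\nsid:1000002;)\n' > "$dir/rules/wrapped.rules"
    : > "$dir/rules/classification.config"
    cat > "$dir/broken.conf" <<EOF
var RULE_PATH ./
include classification.config
include \$RULE_PATH/good.rules
include \$RULE_PATH/wrapped.rules
EOF
    cat > "$dir/fixed.conf" <<EOF
var RULE_PATH $dir/rules
include \$RULE_PATH/classification.config
include \$RULE_PATH/good.rules
EOF
    printf '%s\n' "$dir"
}

# Command-line use: sh snort-preflight.sh /etc/snort/snort.conf
if [ "$#" -gt 0 ]; then snort_check_conf "$1"; fi
```

Once the script reports no problems, Michael's `snort -T -c /etc/snort/snort.conf` remains the authoritative test, since only Snort's own parser knows every rule option; this check just turns the "0 Snort rules read" and "Bad protocol name" surprises into named errors before the init script is touched.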




