[Snort-users] Snort windows help

Martin Roesch roesch at ...1935...
Mon Aug 2 20:56:01 EDT 2004


Hi Razia,

It can't find your snort.conf file.  Is it located in c:\Snort\etc?

      -Marty

On Jul 29, 2004, at 12:38 AM, Razia Mir wrote:

>  I have worked on snort in linux environment but using it in windows  
> environment for the first time.I am getting the error message and am  
> confused because I don't know what is wrong. I have reinstalled the  
> snort and changed the path but still the same message
>  
> C:\Snort\bin>snort -A full -c C:\Snort\etc\snort.conf -l C:\Snort\log
> Running in IDS mode
> Log directory = C:\Snort\log
> Initializing Network Interface  
> \Device\NPF_{E2D99213-90AE-44FD-AE62-52B6887D36AB
> }
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface  
> \Device\NPF_{E2D99213-90AE-44FD-AE62-52B6887D36AB
> }
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file C:\Snort\etc\snort.conf
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: Unable to open rules file: C:\Snort\etc\snort.conf or  
> C:\Snort\etc\C:\Sno
> rt\etc\snort.conf
> Fatal Error, Quitting..
>  
> My snort.conf file looks like this
>  
>
> #--------------------------------------------------
>
> # http://www.snort.org Snort 2.1.0 Ruleset
>
> # Contact: snort-sigs at lists.sourceforge.net
>
> #--------------------------------------------------
>
> # $Id: snort.conf,v 1.141 2004/02/20 17:27:29 cazz Exp $
>
> #
>
> ###################################################
>
> # This file contains a sample snort configuration.
>
>  # You can take the following steps to create your own custom  
> configuration:
>
> #
>
> # 1) Set the network variables for your network
>
> # 2) Configure preprocessors
>
> # 3) Configure output plugins
>
> # 4) Customize your rule set
>
> #
>
> ###################################################
>
> # Step #1: Set the network variables:
>
> #
>
> # You must change the following variables to reflect your local  
> network. The
>
> # variable is currently setup for an RFC 1918 address space.
>
> #
>
> # You can specify it explicitly as:
>
>  #
>
> # var HOME_NET 10.1.1.0/24
>
> #
>
> # or use global variable $<interfacename>_ADDRESS which will be always
>
> # initialized to IP address and netmask of the network interface which  
> you run
>
> # snort at. Under Windows, this must be specified as
>
> # $(<interfacename>_ADDRESS), such as:
>
> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
>
> #
>
> # var HOME_NET $eth0_ADDRESS
>
> #
>
> # You can specify lists of IP addresses for HOME_NET
>
> # by separating the IPs with commas like this:
>
> #
>
> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>
> #
>
> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>
> #
>
> # or you can specify the variable to be any IP address
>
> # like this:
>
> var HOME_NET any
>
> # Set up the external network addresses as well. A good start may be  
> "any"
>
> var EXTERNAL_NET any
>
> # Configure your server lists. This allows snort to only look for  
> attacks to
>
> # systems that have a service up. Why look for HTTP attacks if you are  
> not
>
> # running a web server? This allows quick filtering based on IP  
> addresses
>
> # These configurations MUST follow the same configuration scheme as  
> defined
>
> # above for $HOME_NET.
>
>  # List of DNS servers on your network
>
>  var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
>
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
>
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
>
>  var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
>
> var TELNET_SERVERS $HOME_NET
>
> # List of snmp servers on your network
>
> var SNMP_SERVERS $HOME_NET
>
> # Configure your service ports. This allows snort to look for attacks  
> destined
>
> # to a specific application only on the ports that application runs  
> on. For
>
> # example, if you run a web server on port 8081, set your HTTP_PORTS  
> variable
>
> # like this:
>
> #
>
> # var HTTP_PORTS 8081
>
> #
>
> # Port lists must either be continuous [eg 80:8080], or a single port  
> [eg 80].
>
> # We will adding support for a real list of ports in the future.
>
> # Ports you run web servers on
>
> #
>
> # Please note: [80,8080] does not work.
>
> # If you wish to define multiple HTTP ports,
>
> #
>
>  ## var HTTP_PORTS 80
>
>  ## include somefile.rules
>
>  ## var HTTP_PORTS 8080
>
> ## include somefile.rules
>
>  var HTTP_PORTS 80
>
> # Ports you want to look for SHELLCODE on.
>
> var SHELLCODE_PORTS !80
>
> # Ports you do oracle attacks on
>
> var ORACLE_PORTS 1521
>
> # other variables
>
> #
>
>  # AIM servers. AOL has a habit of adding new AIM servers, so instead  
> of
>
> # modifying the signatures when they do, we add them to this list of  
> servers.
>
> var AIM_SERVERS  
> [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/ 
> 24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>
> # Path to your rules files (this can be a relative path)
>
> var RULE_PATH c:\Snort\rules
>
> # Configure the snort decoder
>
> # ============================
>
> #
>
> # Snort's decoder will alert on lots of things such as header
>
> # truncation or options of unusual length or infrequently used tcp  
> options
>
> #
>
> #
>
> # Stop generic decode events:
>
> #
>
> # config disable_decode_alerts
>
> #
>
> # Stop Alerts on experimental TCP options
>
> #
>
> # config disable_tcpopt_experimental_alerts
>
> #
>
> # Stop Alerts on obsolete TCP options
>
> #
>
> # config disable_tcpopt_obsolete_alerts
>
> #
>
> # Stop Alerts on T/TCP alerts
>
> #
>
> # In snort 2.0.1 and above, this only alerts when a TCP option is  
> detected
>
> # that shows T/TCP being actively used on the network. If this is  
> normal
>
> # behavior for your network, disable the next option.
>
> #
>
> # config disable_tcpopt_ttcp_alerts
>
> #
>
> # Stop Alerts on all other TCPOption type events:
>
> #
>
> # config disable_tcpopt_alerts
>
> #
>
> # Stop Alerts on invalid ip options
>
> #
>
> # config disable_ipopt_alerts
>
> # Configure the detection engine
>
> # ===============================
>
> #
>
> # Use a different pattern matcher in case you have a machine with very  
> limited
>
> # resources:
>
> #
>
> # config detection: search-method lowmem
>
> ###################################################
>
> # Step #2: Configure preprocessors
>
> #
>
> # General configuration for preprocessors is of
>
>  # the form
>
> # preprocessor <name_of_processor>: <configuration_options>
>
> # Configure Flow tracking module
>
> # -------------------------------
>
> #
>
> # The Flow tracking module is meant to start unifying the state keeping
>
> # mechanisms of snort into a single place. Right now, only a portscan  
> detector
>
> # is implemented but in the long term, many of the stateful subsystems  
> of
>
> # snort will be migrated over to becoming flow plugins. This must be  
> enabled
>
> # for flow-portscan to work correctly.
>
> #
>
> # See README.flow for additional information
>
> #
>
> preprocessor flow: stats_interval 0 hash 2
>
> # frag2: IP defragmentation support
>
> # -------------------------------
>
> # This preprocessor performs IP defragmentation. This plugin will also  
> detect
>
> # people launching fragmentation attacks (usually DoS) against hosts.  
> No
>
> # arguments loads the default configuration of the preprocessor, which  
> is a 60
>
> # second timeout and a 4MB fragment buffer.
>
>  # The following (comma delimited) options are available for frag2
>
> # timeout [seconds] - sets the number of [seconds] that an unfinished
>
>  # fragment will be kept around waiting for completion,
>
> # if this time expires the fragment will be flushed
>
> # memcap [bytes] - limit frag2 memory usage to [number] bytes
>
> # (default: 4194304)
>
> #
>
> # min_ttl [number] - minimum ttl to accept
>
> #
>
>  # ttl_limit [number] - difference of ttl to accept without alerting
>
> # will cause false positves with router flap
>
> #
>
>  # Frag2 uses Generator ID 113 and uses the following SIDS
>
>  # for that GID:
>
> # SID Event description
>
> # ----- -------------------
>
> # 1 Oversized fragment (reassembled frag > 64k bytes)
>
> # 2 Teardrop-type attack
>
> preprocessor frag2
>
> # stream4: stateful inspection/stream reassembly for Snort
>
> #----------------------------------------------------------------------
>
> # Use in concert with the -z [all|est] command line switch to defeat  
> stick/snot
>
> # against TCP rules. Also performs full TCP stream reassembly, stateful
>
> # inspection of TCP streams, etc. Can statefully detect various  
> portscan
>
> # types, fingerprinting, ECN, etc.
>
> # stateful inspection directive
>
> # no arguments loads the defaults (timeout 30, memcap 8388608)
>
> # options (options are comma delimited):
>
> # detect_scans - stream4 will detect stealth portscans and generate  
> alerts
>
> # when it sees them when this option is set
>
> # detect_state_problems - detect TCP state problems, this tends to be  
> very
>
> # noisy because there are a lot of crappy ip stack
>
> # implementations out there
>
> #
>
> # disable_evasion_alerts - turn off the possibly noisy mitigation of
>
> # overlapping sequences.
>
> #
>
> #
>
> # min_ttl [number] - set a minium ttl that snort will accept to
>
> # stream reassembly
>
> #
>
> # ttl_limit [number] - differential of the initial ttl on a session  
> versus
>
> # the normal that someone may be playing games.
>
> # Routing flap may cause lots of false positives.
>
> #
>
>  # keepstats [machine|binary] - keep session statistics, add "machine"  
> to
>
>  # get them in a flat format for machine reading, add
>
> # "binary" to get them in a unified binary output
>
>  # format
>
> # noinspect - turn off stateful inspection only
>
> # timeout [number] - set the session timeout counter to [number]  
> seconds,
>
> # default is 30 seconds
>
> # memcap [number] - limit stream4 memory usage to [number] bytes
>
> # log_flushed_streams - if an event is detected on a stream this  
> option will
>
> # cause all packets that are stored in the stream4
>
> # packet buffers to be flushed to disk. This only
>
>  # works when logging in pcap mode!
>
> #
>
> # Stream4 uses Generator ID 111 and uses the following SIDS
>
>  # for that GID:
>
> # SID Event description
>
> # ----- -------------------
>
> # 1 Stealth activity
>
> # 2 Evasive RST packet
>
> # 3 Evasive TCP packet retransmission
>
> # 4 TCP Window violation
>
> # 5 Data on SYN packet
>
> # 6 Stealth scan: full XMAS
>
> # 7 Stealth scan: SYN-ACK-PSH-URG
>
> # 8 Stealth scan: FIN scan
>
> # 9 Stealth scan: NULL scan
>
> # 10 Stealth scan: NMAP XMAS scan
>
> # 11 Stealth scan: Vecna scan
>
> # 12 Stealth scan: NMAP fingerprint scan stateful detect
>
> # 13 Stealth scan: SYN-FIN scan
>
> # 14 TCP forward overlap
>
> preprocessor stream4: disable_evasion_alerts
>
> # tcp stream reassembly directive
>
> # no arguments loads the default configuration
>
>  # Only reassemble the client,
>
> # Only reassemble the default list of ports (See below),
>
>  # Give alerts for "bad" streams
>
> #
>
> # Available options (comma delimited):
>
> # clientonly - reassemble traffic for the client side of a connection  
> only
>
> # serveronly - reassemble traffic for the server side of a connection  
> only
>
> # both - reassemble both sides of a session
>
> # noalerts - turn off alerts from the stream reassembly stage of  
> stream4
>
> # ports [list] - use the space separated list of ports in [list], "all"
>
>  # will turn on reassembly for all ports, "default" will turn
>
> # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
>
> # and 513
>
> preprocessor stream4_reassemble
>
> # http_inspect: normalize and detect HTTP traffic and protocol  
> anomalies
>
> #
>
> # lots of options available here. See doc/README.http_inspect.
>
> # unicode.map should be wherever your snort.conf lives, or given
>
> # a full path to where snort can find it.
>
> preprocessor http_inspect: global \
>
> iis_unicode_map unicode.map 1252
>
>  preprocessor http_inspect_server: server default \
>
> profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> #
>
> # Example unqiue server configuration
>
> #
>
> #preprocessor http_inspect_server: server 1.1.1.1 \
>
> # ports { 80 3128 8080 } \
>
> # flow_depth 0 \
>
> # ascii no \
>
> # double_decode yes \
>
> # non_rfc_char { 0x00 } \
>
> # chunk_length 500000 \
>
> # non_strict \
>
> # oversize_dir_length 300 \
>
> # no_alerts
>
>  
>
> # rpc_decode: normalize RPC traffic
>
> # ---------------------------------
>
> # RPC may be sent in alternate encodings besides the usual 4-byte  
> encoding
>
> # that is used by default. This plugin takes the port numbers that RPC
>
> # services are running on as arguments - it is assumed that the given  
> ports
>
> # are actually running this type of service. If not, change the ports  
> or turn
>
> # it off.
>
> # The RPC decode preprocessor uses generator ID 106
>
> #
>
> # arguments: space separated list
>
> # alert_fragments - alert on any rpc fragmented TCP data
>
> # no_alert_multiple_requests - don't alert when >1 rpc query is in a  
> packet
>
> # no_alert_large_fragments - don't alert when the fragmented
>
> # sizes exceed the current packet size
>
> # no_alert_incomplete - don't alert when a single segment
>
> # exceeds the current packet size
>
> preprocessor rpc_decode: 111 32771
>
> # bo: Back Orifice detector
>
> # -------------------------
>
> # Detects Back Orifice traffic on the network. Takes no arguments in  
> 2.0.
>
> #
>
>  # The Back Orifice detector uses Generator ID 105 and uses the
>
>  # following SIDS for that GID:
>
> # SID Event description
>
> # ----- -------------------
>
> # 1 Back Orifice traffic detected
>
> preprocessor bo
>
> # telnet_decode: Telnet negotiation string normalizer
>
> # ---------------------------------------------------
>
> # This preprocessor "normalizes" telnet negotiation strings from  
> telnet and ftp
>
> # traffic. It works in much the same way as the http_decode  
> preprocessor,
>
> # searching for traffic that breaks up the normal data stream of a  
> protocol and
>
> # replacing it with a normalized representation of that traffic so  
> that the
>
> # "content" pattern matching keyword can work without requiring  
> modifications.
>
> # This preprocessor requires no arguments.
>
> # Portscan uses Generator ID 109 and does not generate any SID  
> currently.
>
> preprocessor telnet_decode
>
> # Flow-Portscan: detect a variety of portscans
>
> # ---------------------------------------
>
> # Note: The Flow preprocessor (above) must first be enabled for  
> Flow-Portscan to
>
> # work.
>
> #
>
> # This module detects portscans based off of flow creation in the flow
>
> # preprocessors. The goal is to catch catch one->many hosts and  
> one->many
>
> # ports scans.
>
> #
>
> # Flow-Portscan has numerous options available, please read
>
> # README.flow-portscan for help configuring this option.
>
>  # Flow-Portscan uses Generator ID 121 and uses the following SIDS for  
> that GID:
>
> # SID Event description
>
> # ----- -------------------
>
> # 1 flow-portscan: Fixed Scale Scanner Limit Exceeded
>
> # 2 flow-portscan: Sliding Scale Scanner Limit Exceeded
>
>  # 3 flow-portscan: Fixed Scale Talker Limit Exceeded
>
> # 4 flow-portscan: Sliding Scale Talker Limit Exceeded
>
> # preprocessor flow-portscan: \
>
> # talker-sliding-scale-factor 0.50 \
>
> # talker-fixed-threshold 30 \
>
> # talker-sliding-threshold 30 \
>
> # talker-sliding-window 20 \
>
> # talker-fixed-window 30 \
>
> # scoreboard-rows-talker 30000 \
>
> # server-watchnet [10.2.0.0/30] \
>
> # server-ignore-limit 200 \
>
> # server-rows 65535 \
>
> # server-learning-time 14400 \
>
> # server-scanner-limit 4 \
>
> # scanner-sliding-window 20 \
>
> # scanner-sliding-scale-factor 0.50 \
>
> # scanner-fixed-threshold 15 \
>
> # scanner-sliding-threshold 40 \
>
> # scanner-fixed-window 15 \
>
> # scoreboard-rows-scanner 30000 \
>
> # src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
>
> # dst-ignore-net [10.0.0.0/30] \
>
> # alert-mode once \
>
> # output-mode msg \
>
> # tcp-penalties on
>
> # arpspoof
>
> #----------------------------------------
>
> # Experimental ARP detection code from Jeff Nathan, detects ARP  
> attacks,
>
> # unicast ARP requests, and specific ARP mapping monitoring. To make  
> use of
>
> # this preprocessor you must specify the IP and hardware address of  
> hosts on
>
> # the same layer 2 segment as you. Specify one host IP MAC combo per  
> line.
>
> # Also takes a "-unicast" option to turn on unicast ARP request  
> detection.
>
>  # Arpspoof uses Generator ID 112 and uses the following SIDS for that  
> GID:
>
> # SID Event description
>
> # ----- -------------------
>
> # 1 Unicast ARP request
>
> # 2 Etherframe ARP mismatch (src)
>
> # 3 Etherframe ARP mismatch (dst)
>
> # 4 ARP cache overwrite attack
>
> #preprocessor arpspoof
>
> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
>  
>
> # Performance Statistics
>
> # ----------------------
>
> # Documentation for this is provided in the Snort Manual. You should  
> read it.
>
> # It is included in the release distribution as doc/snort_manual.pdf
>
> #
>
>  # preprocessor perfmonitor: time 300 file /var/snort/snort.stats  
> pktcnt 10000
>
> ####################################################################
>
> # Step #3: Configure output plugins
>
> #
>
> # Uncomment and configure the output plugins you decide to use. General
>
> # configuration for output plugins is of the form:
>
> #
>
> # output <name_of_plugin>: <configuration_options>
>
> #
>
> # alert_syslog: log alerts to syslog
>
> # ----------------------------------
>
> # Use one or more syslog facilities as arguments. Win32 can also  
> optionally
>
> # specify a particular hostname/port. Under Win32, the default  
> hostname is
>
> # '127.0.0.1', and the default port is 514.
>
> #
>
> # [Unix flavours should use this format...]
>
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> #
>
> # [Win32 can use any of these formats...]
>
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
>
> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>
> # log_tcpdump: log packets in binary tcpdump format
>
> # -------------------------------------------------
>
> # The only argument is the output file name.
>
> output alert_fast: alert.ids
>
> # output log_tcpdump: tcpdump.log
>
> # database: log to a variety of databases
>
> # ---------------------------------------
>
> # See the README.database file for more information about configuring
>
> # and using this plugin.
>
> #
>
> # output database: log, mysql, user=root password=test dbname=db  
> host=localhost
>
> # output database: alert, postgresql, user=snort dbname=snort
>
> # output database: log, odbc, user=snort dbname=snort
>
> # output database: log, mssql, dbname=snort user=snort password=test
>
> # output database: log, oracle, dbname=snort user=snort password=test
>
> # unified: Snort unified binary format alerting and logging
>
> # -------------------------------------------------------------
>
> # The unified output plugin provides two new formats for logging and  
> generating
>
> # alerts from Snort, the "unified" format. The unified format is a  
> straight
>
> # binary format for logging data out of Snort that is designed to be  
> fast and
>
> # efficient. Used with barnyard (the new alert/log processor), most of  
> the
>
> # overhead for logging and alerting to various slow storage mechanisms  
> such as
>
> # databases or the network can now be avoided.
>
>  #
>
> # Check out the spo_unified.h file for the data formats.
>
> #
>
> # Two arguments are supported.
>
> # filename - base filename to write to (current time_t is appended)
>
> # limit - maximum size of spool file in MB (default: 128)
>
> #
>
> # output alert_unified: filename snort.alert, limit 128
>
> # output log_unified: filename snort.log, limit 128
>
> # You can optionally define new rule types and associate one or more  
> output
>
> # plugins specifically to that type.
>
> #
>
> # This example will create a type that will log to just tcpdump.
>
> # ruletype suspicious
>
> # {
>
> # type log
>
> # output log_tcpdump: suspicious.log
>
> # }
>
> #
>
> # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
>
> # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC  
> Server";)
>
> #
>
> # This example will create a rule type that will log to syslog and a  
> mysql
>
> # database:
>
> # ruletype redalert
>
> # {
>
> # type alert
>
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> # output database: log, mysql, user=snort dbname=snort host=localhost
>
> # }
>
> #
>
> # EXAMPLE RULE FOR REDALERT RULETYPE:
>
> # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
>
> # (msg:"Someone is being LEET"; flags:A+;)
>
> #
>
> # Include classification & priority settings
>
> #
>
> include c:\Snort\etc\classification.config
>
> #
>
> # Include reference systems
>
> #
>
> include c:\Snort\etc\reference.config
>
> ####################################################################
>
> # Step #4: Customize your rule set
>
> #
>
> # Up to date snort rules are available at http://www.snort.org
>
> #
>
> # The snort web site has documentation about how to write your own  
> custom snort
>
> # rules.
>
> #
>
> # The rules included with this distribution generate alerts based on on
>
> # suspicious activity. Depending on your network environment, your  
> security
>
> # policies, and what you consider to be suspicious, some of these  
> rules may
>
> # either generate false positives ore may be detecting activity you  
> consider to
>
> # be acceptable; therefore, you are encouraged to comment out rules  
> that are
>
> # not applicable in your environment.
>
> #
>
> # The following individuals contributed many of rules in this  
> distribution.
>
> #
>
> # Credits:
>
> # Ron Gula <rgula at ...922...> of Network Security Wizards
>
> # Max Vision <vision at ...4...>
>
> # Martin Markgraf <martin at ...923...>
>
> # Fyodor Yarochkin <fygrave at ...121...>
>
> # Nick Rogness <nick at ...176...>
>
> # Jim Forster <jforster at ...176...>
>
> # Scott McIntyre <scott at ...315...>
>
> # Tom Vandepoel <Tom.Vandepoel at ...271...>
>
> # Brian Caswell <bmc at ...950...>
>
> # Zeno <admin at ...4494...>
>
> # Ryan Russell <ryan at ...35...>
>
>  
>
>  
>
> #=========================================
>
> # Include all relevant rulesets here
>
>  #
>
>  # The following rulesets are disabled by default:
>
> #
>
> # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,  
> virus,
>
> # chat, multimedia, and p2p
>
> #
>
>  # These rules are either site policy specific or require tuning in  
> order to not
>
> # generate false positive alerts in most enviornments.
>
> #
>
>  # Please read the specific include file for more information and
>
> # README.alert_order for how rule ordering affects how alerts are  
> triggered.
>
> #=========================================
>
> #include $RULE_PATH/local.rules
>
> include $RULE_PATH/bad-traffic.rules
>
> include $RULE_PATH/exploit.rules
>
> include $RULE_PATH/scan.rules
>
> include $RULE_PATH/finger.rules
>
> include $RULE_PATH/ftp.rules
>
> include $RULE_PATH/telnet.rules
>
> include $RULE_PATH/rpc.rules
>
> include $RULE_PATH/rservices.rules
>
> include $RULE_PATH/dos.rules
>
> include $RULE_PATH/ddos.rules
>
> include $RULE_PATH/dns.rules
>
> include $RULE_PATH/tftp.rules
>
> include $RULE_PATH/web-cgi.rules
>
> include $RULE_PATH/web-coldfusion.rules
>
> include $RULE_PATH/web-iis.rules
>
> include $RULE_PATH/web-frontpage.rules
>
> include $RULE_PATH/web-misc.rules
>
> include $RULE_PATH/web-client.rules
>
> include $RULE_PATH/web-php.rules
>
> include $RULE_PATH/sql.rules
>
> include $RULE_PATH/x11.rules
>
> include $RULE_PATH/icmp.rules
>
> include $RULE_PATH/netbios.rules
>
> include $RULE_PATH/misc.rules
>
> include $RULE_PATH/attack-responses.rules
>
> include $RULE_PATH/oracle.rules
>
> include $RULE_PATH/mysql.rules
>
> include $RULE_PATH/snmp.rules
>
> include $RULE_PATH/smtp.rules
>
> include $RULE_PATH/imap.rules
>
> include $RULE_PATH/pop2.rules
>
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
>
> include $RULE_PATH/other-ids.rules
>
> # include $RULE_PATH/web-attacks.rules
>
> # include $RULE_PATH/backdoor.rules
>
> # include $RULE_PATH/shellcode.rules
>
> # include $RULE_PATH/policy.rules
>
> # include $RULE_PATH/porn.rules
>
> # include $RULE_PATH/info.rules
>
> # include $RULE_PATH/icmp-info.rules
>
> # include $RULE_PATH/virus.rules
>
> # include $RULE_PATH/chat.rules
>
> # include $RULE_PATH/multimedia.rules
>
> # include $RULE_PATH/p2p.rules
>
> #include $RULE_PATH/experimental.rules
>
> # Include any thresholding or suppression commands. See threshold.conf  
> in the
>
> # <snort src>/etc directory for details. Commands don't necessarily  
> need to be
>
> # contained in this conf, but a separate conf makes it easier to  
> maintain them.
>
>  # Uncomment if needed.
>
> # include threshold.conf
>
>  
>
> Thanks for any help.
>
> Do you Yahoo!?
>  Yahoo! Mail is new and improved - Check it out!
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





More information about the Snort-users mailing list