[Snort-users] Not alerting TCP.

Mark Zerr mzerr at ...11203...
Fri Feb 13 12:56:09 EST 2004


I just upgraded to 2.1 and now snort is not alerting any TCP. I do get
alerts for UDP and ICMP but no TCP. Below is the startup output and my
snort.conf file; it's running on Redhat 7.2. Thanks for any help.
 
Feb 13 15:21:53 uschilog01 snort: Snort exiting 
Feb 13 15:21:53 uschilog01 kernel: device eth0 left promiscuous mode
Feb 13 15:21:53 uschilog01 snortd: snort shutdown succeeded
Feb 13 15:21:59 uschilog01 kernel: eth0: Setting promiscuous mode.
Feb 13 15:21:59 uschilog01 kernel: device eth0 entered promiscuous mode
Feb 13 15:21:59 uschilog01 snort: Initializing daemon mode 
Feb 13 15:21:59 uschilog01 snort: PID path stat checked out ok, PID path set to /var/run/ 
Feb 13 15:21:59 uschilog01 snort: Writing PID "20165" to file "/var/run//snort_eth0.pid" 
Feb 13 15:21:59 uschilog01 snortd: snort startup succeeded
Feb 13 15:21:59 uschilog01 snort: HttpInspect Config: 
Feb 13 15:21:59 uschilog01 snort:     GLOBAL CONFIG 
Feb 13 15:21:59 uschilog01 snort:       Max Pipeline Requests:    0 
Feb 13 15:21:59 uschilog01 snort:       Inspection Type:          STATELESS 
Feb 13 15:21:59 uschilog01 snort:       Detect Proxy Usage:       NO 
Feb 13 15:21:59 uschilog01 snort:       IIS Unicode Map Filename: /etc/snort/unicode.map 
Feb 13 15:21:59 uschilog01 snort:       IIS Unicode Map Codepage: 1252 
Feb 13 15:21:59 uschilog01 snort:     DEFAULT SERVER CONFIG: 
Feb 13 15:21:59 uschilog01 snort:       Ports: 
Feb 13 15:21:59 uschilog01 snort: 80 
Feb 13 15:21:59 uschilog01 snort: 8080 
Feb 13 15:21:59 uschilog01 snort:  
Feb 13 15:21:59 uschilog01 snort:       Flow Depth: 300 
Feb 13 15:21:59 uschilog01 snort:       Max Chunk Length: 500000 
Feb 13 15:21:59 uschilog01 snort:       Inspect Pipeline Requests: YES 
Feb 13 15:21:59 uschilog01 snort:       URI Discovery Strict Mode: NO 
Feb 13 15:21:59 uschilog01 snort:       Allow Proxy Usage: NO 
Feb 13 15:21:59 uschilog01 snort:       Disable Alerting: NO 
Feb 13 15:21:59 uschilog01 snort:       Oversize Dir Length: 0 
Feb 13 15:21:59 uschilog01 snort:       Only inspect URI: NO 
Feb 13 15:21:59 uschilog01 snort:       Ascii: YES alert: NO 
Feb 13 15:21:59 uschilog01 snort:       Double Decoding: YES alert: YES 
Feb 13 15:21:59 uschilog01 snort:       %U Encoding: YES alert: YES 
Feb 13 15:21:59 uschilog01 snort:       Bare Byte: YES alert: YES 
Feb 13 15:21:59 uschilog01 snort:       Base36: OFF 
Feb 13 15:21:59 uschilog01 snort:       UTF 8: OFF 
Feb 13 15:21:59 uschilog01 snort:       IIS Unicode: YES alert: YES 
Feb 13 15:21:59 uschilog01 snort:       Multiple Slash: YES alert: NO 
Feb 13 15:21:59 uschilog01 snort:       IIS Backslash: YES alert: NO 
Feb 13 15:21:59 uschilog01 snort:       Directory: YES alert: NO 
Feb 13 15:21:59 uschilog01 snort:       Apache WhiteSpace: YES alert: YES 
Feb 13 15:21:59 uschilog01 snort:       IIS Delimiter: YES alert: YES 
Feb 13 15:21:59 uschilog01 snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG 
Feb 13 15:21:59 uschilog01 snort:       Non-RFC Compliant Characters: 
Feb 13 15:21:59 uschilog01 snort: 0x00 
Feb 13 15:21:59 uschilog01 snort:  
Feb 13 15:21:59 uschilog01 snort: rpc_decode arguments: 
Feb 13 15:21:59 uschilog01 snort:     Ports to decode RPC on: 111 32771 
Feb 13 15:21:59 uschilog01 snort:     alert_fragments: INACTIVE 
Feb 13 15:21:59 uschilog01 snort:     alert_large_fragments: ACTIVE 
Feb 13 15:21:59 uschilog01 snort:     alert_incomplete: ACTIVE 
Feb 13 15:21:59 uschilog01 snort:     alert_multiple_requests: ACTIVE 
Feb 13 15:21:59 uschilog01 snort: telnet_decode arguments: 
Feb 13 15:21:59 uschilog01 snort:     Ports to decode telnet on: 21 23 25 119  
Feb 13 15:22:00 uschilog01 snort: Snort initialization completed successfully
 
Snort.conf:
 
 
#--------------------------------------------------
#   http://www.snort.org     Snort 2.1.0 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# $Id: snort.conf,v 1.137 2004/01/15 20:38:06 jh8 Exp $
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
 
var HOME_NET [x.x.0.0/22,x.x.10/24]
 
var EXTERNAL_NET !$HOME_NET
 
# Configure your server lists.  This allows snort to only look for attacks to
# systems that have a service up.  Why look for HTTP attacks if you are not
# running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.  
 
# List of DNS servers on your network 
var DNS_SERVERS $HOME_NET
 
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
 
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
 
# List of sql servers on your network 
var SQL_SERVERS $HOME_NET
 
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
 
# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET
 
# Configure your service ports.  This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on.  For
# example, if you run a web server on port 8081, set your HTTP_PORTS variable
# like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
# We will be adding support for a real list of ports in the future.
 
# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports,
# 
## var HTTP_PORTS 80 
## include somefile.rules 
## var HTTP_PORTS 8080
## include somefile.rules 
var HTTP_PORTS 80
 
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80
 
# Ports you do oracle attacks on
var ORACLE_PORTS 1521
 
# other variables
# 
# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
 
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort 
 
# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network.  If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
 
# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem
 
###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>
 
# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term,  many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
# preprocessor flow: stats_interval 0 hash 2
 
# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation.  This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts.  No
# arguments loads the default configuration of the preprocessor, which is a 60
# second timeout and a 4MB fragment buffer. 
 
# The following (comma delimited) options are available for frag2
#    timeout [seconds] - sets the number of [seconds] that an unfinished
#                        fragment will be kept around waiting for completion,
#                        if this time expires the fragment will be flushed
#    memcap [bytes] - limit frag2 memory usage to [number] bytes
#                      (default:  4194304)
#
#    min_ttl [number] - minimum ttl to accept
# 
#    ttl_limit [number] - difference of ttl to accept without alerting
#                         will cause false positives with router flap
# 
# Frag2 uses Generator ID 113 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Oversized fragment (reassembled frag > 64k bytes)
#   2       Teardrop-type attack
 
preprocessor frag2
 
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules.  Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc.  Can statefully detect various portscan
# types, fingerprinting, ECN, etc.
 
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#                           noisy because there are a lot of crappy ip stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#
#   min_ttl [number]       - set a minimum ttl that snort will accept to
#                            stream reassembly
#
#   ttl_limit [number]     - differential of the initial ttl on a session versus
#                             the normal that someone may be playing games.
#                             Routing flap may cause lots of false positives.
# 
#   keepstats [machine|binary] - keep session statistics, add "machine" to 
#                         get them in a flat format for machine reading, add
#                         "binary" to get them in a unified binary output 
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes
#   log_flushed_streams - if an event is detected on a stream this option will
#                         cause all packets that are stored in the stream4
#                         packet buffers to be flushed to disk.  This only 
#                         works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap
 
preprocessor stream4: disable_evasion_alerts
 
# tcp stream reassembly directive
# no arguments loads the default configuration 
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),  
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
#   clientonly - reassemble traffic for the client side of a connection only
#   serveronly - reassemble traffic for the server side of a connection only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of stream4
#   ports [list] - use the space separated list of ports in [list], "all" 
#                  will turn on reassembly for all ports, "default" will turn
#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
#                  and 513
 
preprocessor stream4_reassemble
 
# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
 
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }
#
#  Example unique server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
#    ports { 80 3128 8080 } \
#    flow_depth 0 \
#    ascii no \
#    double_decode yes \
#    non_rfc_char { 0x00 } \
#    chunk_length 500000 \
#    non_strict \
#    no_alerts
 
 
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size
 
preprocessor rpc_decode: 111 32771
 
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  Takes no arguments in 2.0.
# 
# The Back Orifice detector uses Generator ID 105 and uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected
 
preprocessor bo
 
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic.  It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.
 
preprocessor telnet_decode
 
# Flow-Portscan: detect a variety of portscans
# ---------------------------------------
# Note:  The Flow preprocessor (above) must first be enabled for Flow-Portscan to
# work.
#
# This module detects portscans based off of flow creation in the flow
# preprocessors.  The goal is to catch one->many hosts and one->many
# ports scans.
#
# Flow-Portscan has numerous options available, please read
# README.flow-portscan for help configuring this option. 
 
# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
#   2       flow-portscan: Sliding Scale Scanner Limit Exceeded 
#   3       flow-portscan: Fixed Scale Talker Limit Exceeded
#   4       flow-portscan: Sliding Scale Talker Limit Exceeded
 
# preprocessor flow-portscan: \
#       talker-sliding-scale-factor 0.50 \
#       talker-fixed-threshold 30 \
#       talker-sliding-threshold 30 \
#       talker-sliding-window 20 \
#       talker-fixed-window 30 \
#       scoreboard-rows-talker 30000 \
#       server-watchnet [10.2.0.0/30] \
#       server-ignore-limit 200 \
#       server-rows 65535 \
#       server-learning-time 14400 \
#       server-scanner-limit 4 \
#       scanner-sliding-window 20 \
#       scanner-sliding-scale-factor 0.50 \
#       scanner-fixed-threshold 15 \
#       scanner-sliding-threshold 40 \
#       scanner-fixed-window 15 \
#       scoreboard-rows-scanner 30000 \
#       src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
#       dst-ignore-net [10.0.0.0/30] \
#       alert-mode once \
#       output-mode msg \
#       tcp-penalties on
 
# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring.  To make use of
# this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection. 
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
 
#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack
 
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
 
 
# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual.  You should read it.
# It is included in the release distribution as doc/snort_manual.pdf
# 
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
 
####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.  General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also optionally
# specify a particular hostname/port.  Under Win32, the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
 
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log
 
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
 
# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and generating
# alerts from Snort, the "unified" format.  The unified format is a straight
# binary format for logging data out of Snort that is designed to be fast and
# efficient.  Used with barnyard (the new alert/log processor), most of the
# overhead for logging and alerting to various slow storage mechanisms such as
# databases or the network can now be avoided.  
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
 
# You can optionally define new rule types and associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog and a mysql
# database:
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)
 
#
# Include classification & priority settings
#
 
include classification.config
 
#
# Include reference systems
#
 
include reference.config
 
####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own custom snort
# rules.
#
# The rules included with this distribution generate alerts based on
# suspicious activity. Depending on your network environment, your security
# policies, and what you consider to be suspicious, some of these rules may
# either generate false positives or may be detecting activity you consider to
# be acceptable; therefore, you are encouraged to comment out rules that are
# not applicable in your environment.
#
# The following individuals contributed many of the rules in this distribution.
#
# Credits:
#   Ron Gula <rgula at ...922...> of Network Security Wizards
#   Max Vision <vision at ...4...>
#   Martin Markgraf <martin at ...923...>
#   Fyodor Yarochkin <fygrave at ...121...>
#   Nick Rogness <nick at ...176...>
#   Jim Forster <jforster at ...176...>
#   Scott McIntyre <scott at ...315...>
#   Tom Vandepoel <Tom.Vandepoel at ...271...>
#   Brian Caswell <bmc at ...950...>
#   Zeno <admin at ...4494...>
#   Ryan Russell <ryan at ...35...>
 
 
 
#=========================================
# Include all relevant rulesets here 
# 
# The following rulesets are disabled by default:
#
#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
#   chat, multimedia, and p2p
#            
# These rules are either site policy specific or require tuning in order to not
# generate false positive alerts in most environments.
# 
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================
 
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
 
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
 
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
 
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
 
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
 
# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them. 
# Uncomment if needed.
# include threshold.conf
 
 
Thanks,
Mark Zerr, CISSP
Manager Global Systems Security
Kanbay, Inc.
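
Added example, not part of the original post and not Snort's own code: a short Python script that lists which directives in a snort.conf are active, which are commented out, which lines are neither comments nor directives (such as comment text broken onto its own line), and which variables are referenced before being defined. The sample config is constructed for the demonstration and omits `var RULE_PATH` on purpose; the script is an aid for comparing configs across an upgrade, not a diagnosis of the problem reported above.

```python
import re

# Constructed sample shaped like the config in the post: a comment broken by
# mail wrapping, a backslash continuation, and disabled directives.
# RULE_PATH is left undefined here on purpose to exercise the check.
SAMPLE_CONF = r"""
# Configure your server lists.  This allows snort to only look for
attacks to
var HOME_NET [10.1.0.0/22,10.1.10.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
# preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }
# output alert_syslog: LOG_AUTH LOG_ALERT
include classification.config
include $RULE_PATH/local.rules
# include $RULE_PATH/shellcode.rules
"""

REF = re.compile(r"\$\(?([A-Za-z_]\w*)")
ACTIVE = re.compile(r"(var|preprocessor|output|include|config)\s+([^\s:]+):?\s*(.*)")
DISABLED = re.compile(r"(preprocessor|output|include)\s+([^\s:<]+)(?::|$)")
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")


def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def summarise(text):
    """Return a report of active, disabled and suspicious lines."""
    rep = {"var": {}, "preprocessor": [], "output": [], "include": [],
           "config": [], "disabled": [], "undefined": [], "unrecognised": []}
    in_block = False
    for n, line in logical_lines(text):
        if in_block or line.startswith("ruletype"):
            in_block = "}" not in line      # ruletype { ... } blocks are skipped
            continue
        if not line or line.split()[0] in RULE_ACTIONS:
            continue                        # blank lines and inline rules
        if line.startswith("#"):
            m = DISABLED.match(line.lstrip("#").strip())
            if m:
                rep["disabled"].append((m.group(1), m.group(2)))
            continue
        m = ACTIVE.match(line)
        if not m:
            rep["unrecognised"].append((n, line))
            continue
        kind, name, rest = m.groups()
        for ref in REF.findall(name + " " + rest):
            # $<interface>_ADDRESS is provided by Snort itself (see the config comments)
            if ref not in rep["var"] and not ref.endswith("_ADDRESS"):
                rep["undefined"].append((n, ref))
        if kind == "var":
            rep["var"][name] = rest
        else:
            rep[kind].append(name)
    return rep


if __name__ == "__main__":
    report = summarise(SAMPLE_CONF)
    for key in ("preprocessor", "output", "disabled", "undefined", "unrecognised"):
        print(f"{key:13} {report[key]}")
```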
 
 