[Snort-users] Use two nics

John M. Krumenacker krums at ...14015...
Wed Jan 3 18:26:35 EST 2007


I totally forgot all about that - thanks. 

I enabled SPAN on the port that the SNORT interface is plugged into and
pointed it to VLAN1. Figured this will give me all the traffic for
VLAN1.

Here is this issue - 

For the past five hours BASE sees:

TCP 0%
UDP 0%
ICMP 12%
Portscan 88%

These are the values from when i was testing. They have not changed in 5
hours - even with all we have went through - which is the indication
that something is misconfigured. It worked when i used eth0 only - but
then when I attempted eth1 it seems things got worse.

I have now added the uplink port to the router. so, in the switch now -

interface VLAN1
 ip address 192.168.1.10 255.255.255.0
 no ip route-cache
!
interface FastEthernet0/1
 description Uplink
 speed 100
 duplex full
!
interface FastEthernet0/14
 port monitor FastEthernet0/1
 port monitor VLAN1
!

did I miss something?



On Wed, 2007-01-03 at 16:11 -0600, Bush, Jason R CTR NAVSURFWARCENDIV,
NSWC Crane wrote:
> I thought of something else.
> 
> Have you configured your switch to SPAN?  Basically, you need to send a
> copy of the traffic to the port your eth1 is plugged into so it can
> listen to everything.  You can get more information on how to SPAN for
> 2900 switches at
> http://www.cisco.com/en/US/products/hw/switches/ps637/products_configura
> tion_guide_chapter09186a00800d9d3d.html.  You can also use a hub, but by
> doing so, you create a small collision domain.
> 
> 
> Jason R. Bush 
> 
> 
> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net
> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of John M.
> Krumenacker
> Sent: Wednesday, January 03, 2007 3:47 PM
> To: snort
> Subject: Re: [Snort-users] Use two nics
> 
> 
> specifically - what output would you like to see- I can send anything 
> 
> 
> On Wed, 2007-01-03 at 22:23 +0100, rmkml wrote:
> > Hi John,
> > Happy New Year,
> > Your conf is good,
> > please send snort output please
> > Regards
> > Rmkml
> > 
> > 
> > On Wed, 3 Jan 2007, John M. Krumenacker wrote:
> > 
> > > Date: Wed, 03 Jan 2007 16:16:35 -0500
> > > From: John M. Krumenacker <krums at ...14015...>
> > > To: snort <snort-users at lists.sourceforge.net>
> > > Subject: [Snort-users] Use two nics
> > > 
> > > Hello -
> > >
> > > I would like to be able to use two NICS with my snort machine but 
> > > for some reason I have not been able to get this to work properly. 
> > > Is there a default way to set this up or is it more complicated?
> > >
> > > eth0 - management (192.168.1.0/24 subnet)
> > > eth1 - NIDS (no IP)
> > >
> > > Both are in the same switch - a cisco 2900
> > >
> > > I have configured (on Fedora 5) /etc/init.d/snort to use eth0
> > >
> > > I will attach here the contents of /etc/init.d/snort
> > > and /etc/snort/snort.conf. Can you kindly have a look and see what I
> 
> > > may have messed up?
> > > ********************************************************************
> > > ******************
> > > (the stars are here for a separator and not in the actual file)
> > >
> ************************************************************************
> **************
> > > #!/bin/sh
> > > #
> > > # chkconfig: 2345 99 82
> > > # description: Starts and stops the snort intrusion detection system
> > > #
> > > # config: /etc/snort/snort.conf
> > > # processname: snort
> > >
> > > # Source function library
> > > . /etc/rc.d/init.d/functions
> > >
> > > BASE=snort
> > > DAEMON="-D"
> > > INTERFACE="-i eth1"
> > > CONF="/etc/snort/snort.conf"
> > >
> > > # Check that $BASE exists.
> > > [ -f /usr/local/bin/$BASE ] || exit 0
> > >
> > > # Source networking configuration.
> > > . /etc/sysconfig/network
> > >
> > > # Check that networking is up.
> > > [ ${NETWORKING} = "no" ] && exit 0
> > >
> > > RETVAL=0
> > > # See how we were called.
> > > case "$1" in
> > >  start)
> > >        if [ -n "`/sbin/pidof $BASE`" ]; then
> > >                echo -n $"$BASE: already running"
> > >                echo ""
> > >                exit $RETVAL
> > >        fi
> > >        echo -n "Starting snort service: "
> > >        /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
> > >        sleep 1
> > >        action "" /sbin/pidof $BASE
> > >        RETVAL=$?
> > >        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
> > >        ;;
> > >  stop)
> > >        echo -n "Shutting down snort service: "
> > >        killproc $BASE
> > >        RETVAL=$?
> > >        echo
> > >        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
> > >        ;;
> > >  restart|reload)
> > >        $0 stop
> > >        $0 start
> > >        RETVAL=$?
> > >        ;;
> > >  status)
> > >        status $BASE
> > >        RETVAL=$?
> > >        ;;
> > >  *)
> > >        echo "Usage: snort {start|stop|restart|reload|status}"
> > >        exit 1
> > > esac
> > >
> > > exit $RETVAL
> > >
> > >
> > > ********************************************************************
> > > ******************
> > > end of /etc/init.d/snort
> > >
> ************************************************************************
> **************
> > >
> > > ********************************************************************
> > > ******************
> > > Begin /etc/snort/snort.conf
> > >
> ************************************************************************
> **************
> > >
> > > #--------------------------------------------------
> > > #   http://www.snort.org     Snort 2.6.1.2 Ruleset
> > > #     Contact: snort-sigs at lists.sourceforge.net
> > > #--------------------------------------------------
> > > # $Id$
> > > #
> > > ###################################################
> > > # This file contains a sample snort configuration.
> > > # You can take the following steps to create your own custom
> > > configuration:
> > > #
> > > #  1) Set the variables for your network
> > > #  2) Configure dynamic loaded libraries
> > > #  3) Configure preprocessors
> > > #  4) Configure output plugins
> > > #  5) Add any runtime config directives
> > > #  6) Customize your rule set
> > > #
> > > ###################################################
> > > # Step #1: Set the network variables:
> > > #
> > > # You must change the following variables to reflect your local 
> > > network. The # variable is currently setup for an RFC 1918 address 
> > > space. #
> > > # You can specify it explicitly as:
> > > #
> > > var HOME_NET 192.168.1.0/24
> > > #
> > > # or use global variable $<interfacename>_ADDRESS which will be
> always
> > > # initialized to IP address and netmask of the network interface
> which
> > > you run
> > > # snort at.  Under Windows, this must be specified as
> > > # $(<interfacename>_ADDRESS), such as:
> > > # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> > > #
> > > # var HOME_NET $eth0_ADDRESS
> > > #
> > > # You can specify lists of IP addresses for HOME_NET
> > > # by separating the IPs with commas like this:
> > > #
> > > # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> > > #
> > > # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> > > #
> > > # or you can specify the variable to be any IP address
> > > # like this:
> > >
> > > #var HOME_NET any
> > >
> > > # Set up the external network addresses as well.  A good start may 
> > > be "any" var EXTERNAL_NET !$HOME_NET
> > >
> > > # Configure your server lists.  This allows snort to only look for 
> > > attacks to # systems that have a service up.  Why look for HTTP 
> > > attacks if you are not
> > > # running a web server?  This allows quick filtering based on IP
> > > addresses
> > > # These configurations MUST follow the same configuration scheme as
> > > defined
> > > # above for $HOME_NET.
> > >
> > > # List of DNS servers on your network
> > > var DNS_SERVERS $HOME_NET
> > >
> > > # List of SMTP servers on your network
> > > var SMTP_SERVERS $HOME_NET
> > >
> > > # List of web servers on your network
> > > var HTTP_SERVERS $HOME_NET
> > >
> > > # List of sql servers on your network
> > > var SQL_SERVERS $HOME_NET
> > >
> > > # List of telnet servers on your network
> > > var TELNET_SERVERS $HOME_NET
> > >
> > > # List of snmp servers on your network
> > > var SNMP_SERVERS $HOME_NET
> > >
> > > # Configure your service ports.  This allows snort to look for 
> > > attacks destined # to a specific application only on the ports that 
> > > application runs on. For
> > > # example, if you run a web server on port 8081, set your HTTP_PORTS
> > > variable
> > > # like this:
> > > #
> > > # var HTTP_PORTS 8081
> > > #
> > > # Port lists must either be continuous [eg 80:8080], or a single
> port
> > > [eg 80].
> > > # We will adding support for a real list of ports in the future.
> > >
> > > # Ports you run web servers on
> > > #
> > > # Please note:  [80,8080] does not work.
> > > # If you wish to define multiple HTTP ports, use the following 
> > > convention # when customizing your rule set (as part of Step #6 
> > > below).  This should
> > > # not be done here, as the rules files may depend on the
> classifications
> > > # and/or references, which are included below.
> > > #
> > > ## var HTTP_PORTS 80
> > > ## include somefile.rules
> > > ## var HTTP_PORTS 8080
> > > ## include somefile.rules
> > > var HTTP_PORTS 80
> > >
> > > # Ports you want to look for SHELLCODE on.
> > > var SHELLCODE_PORTS !80
> > >
> > > # Ports you do oracle attacks on
> > > var ORACLE_PORTS 1521
> > >
> > > # other variables
> > > #
> > > # AIM servers.  AOL has a habit of adding new AIM servers, so 
> > > instead of # modifying the signatures when they do, we add them to 
> > > this list of servers. var AIM_SERVERS
> > >
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/2
> 4,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.15
> 3.0/24,205.188.179.0/24,205.188.248.0/24]
> > >
> > > # Path to your rules files (this can be a relative path)
> > > # Note for Windows users:  You are advised to make this an absolute 
> > > path, # such as:  c:\snort\rules
> > > var RULE_PATH /etc/snort/rules
> > >
> > > # Configure the snort decoder
> > > # ============================
> > > #
> > > # Snort's decoder will alert on lots of things such as header # 
> > > truncation or options of unusual length or infrequently used tcp 
> > > options #
> > > #
> > > # Stop generic decode events:
> > > #
> > > # config disable_decode_alerts
> > > #
> > > # Stop Alerts on experimental TCP options
> > > #
> > > # config disable_tcpopt_experimental_alerts
> > > #
> > > # Stop Alerts on obsolete TCP options
> > > #
> > > # config disable_tcpopt_obsolete_alerts
> > > #
> > > # Stop Alerts on T/TCP alerts
> > > #
> > > # In snort 2.0.1 and above, this only alerts when a TCP option is
> > > detected
> > > # that shows T/TCP being actively used on the network.  If this is
> > > normal
> > > # behavior for your network, disable the next option.
> > > #
> > > # config disable_tcpopt_ttcp_alerts
> > > #
> > > # Stop Alerts on all other TCPOption type events:
> > > #
> > > # config disable_tcpopt_alerts
> > > #
> > > # Stop Alerts on invalid ip options
> > > #
> > > # config disable_ipopt_alerts
> > > #
> > > # Alert if value in length field (IP, TCP, UDP) is greater than the
> > > # actual length of the captured portion of the packet that the
> length
> > > # is supposed to represent:
> > > #
> > > # config enable_decode_oversized_alerts
> > > #
> > > # Same as above, but drop packet if in Inline mode -
> > > # enable_decode_oversized_alerts must be enabled for this to work:
> > > #
> > > # config enable_decode_oversized_drops
> > > #
> > >
> > > # Configure the detection engine
> > > # ===============================
> > > #
> > > # Use a different pattern matcher in case you have a machine with 
> > > very limited # resources:
> > > #
> > > # config detection: search-method lowmem
> > >
> > > # Configure Inline Resets
> > > # ========================
> > > #
> > > # If running an iptables firewall with snort in InlineMode() we can 
> > > now # perform resets via a physical device. We grab the indev from 
> > > iptables # and use this for the interface on which to send resets. 
> > > This config # option takes an argument for the src mac address you 
> > > want to use in the # reset packet.  This way the bridge can remain 
> > > stealthy. If the src mac # option is not set we use the mac address 
> > > of the indev device. If we # don't set this option we will default 
> > > to sending resets via raw socket,
> > > # which needs an ipaddress to be assigned to the int.
> > > #
> > > # config layer2resets: 00:06:76:DD:5F:E3
> > >
> > > ###################################################
> > > # Step #2: Configure dynamic loaded libraries
> > > #
> > > # If snort was configured to use dynamically loaded libraries, # 
> > > those libraries can be loaded here. #
> > > # Each of the following configuration options can be done via
> > > # the command line as well.
> > > #
> > > # Load all dynamic preprocessors from the install path
> > > # (same as command line option --dynamic-preprocessor-lib-dir)
> > > #
> > > dynamicpreprocessor directory
> /usr/local/lib/snort_dynamicpreprocessor/
> > > #
> > > # Load a specific dynamic preprocessor library from the install path
> > > # (same as command line option --dynamic-preprocessor-lib)
> > > #
> > > # dynamicpreprocessor
> > > file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
> > > #
> > > # Load a dynamic engine from the install path
> > > # (same as command line option --dynamic-engine-lib)
> > > #
> > > dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> > > #
> > > # Load all dynamic rules libraries from the install path
> > > # (same as command line option --dynamic-detection-lib-dir)
> > > #
> > > # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
> > > #
> > > # Load a specific dynamic rule library from the install path
> > > # (same as command line option --dynamic-detection-lib)
> > > #
> > > # dynamicdetection
> > > file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
> > > #
> > >
> > > ###################################################
> > > # Step #3: Configure preprocessors
> > > #
> > > # General configuration for preprocessors is of
> > > # the form
> > > # preprocessor <name_of_processor>: <configuration_options>
> > >
> > > # Configure Flow tracking module
> > > # -------------------------------
> > > #
> > > # The Flow tracking module is meant to start unifying the state 
> > > keeping # mechanisms of snort into a single place. Right now, only a
> 
> > > portscan detector # is implemented but in the long term,  many of 
> > > the stateful subsystems of
> > > # snort will be migrated over to becoming flow plugins. This must be
> > > enabled
> > > # for flow-portscan to work correctly.
> > > #
> > > # See README.flow for additional information
> > > #
> > > preprocessor flow: stats_interval 0 hash 2
> > >
> > > # frag2: IP defragmentation support
> > > # -------------------------------
> > > # This preprocessor performs IP defragmentation.  This plugin will 
> > > also detect # people launching fragmentation attacks (usually DoS) 
> > > against hosts. No
> > > # arguments loads the default configuration of the preprocessor,
> which
> > > is a 60
> > > # second timeout and a 4MB fragment buffer.
> > >
> > > # The following (comma delimited) options are available for frag2
> > > #    timeout [seconds] - sets the number of [seconds] that an
> > > unfinished
> > > #                        fragment will be kept around waiting for
> > > completion,
> > > #                        if this time expires the fragment will be
> > > flushed
> > > #    memcap [bytes] - limit frag2 memory usage to [number] bytes
> > > #                      (default:  4194304)
> > > #
> > > #    min_ttl [number] - minimum ttl to accept
> > > #
> > > #    ttl_limit [number] - difference of ttl to accept without
> alerting
> > > #                         will cause false positves with router flap
> > > #
> > > # Frag2 uses Generator ID 113 and uses the following SIDS
> > > # for that GID:
> > > #  SID     Event description
> > > # -----   -------------------
> > > #   1       Oversized fragment (reassembled frag > 64k bytes)
> > > #   2       Teardrop-type attack
> > >
> > > #preprocessor frag2
> > >
> > > # frag3: Target-based IP defragmentation
> > > # --------------------------------------
> > > #
> > > # Frag3 is a brand new IP defragmentation preprocessor that is 
> > > capable of # performing "target-based" processing of IP fragments.  
> > > Check out the # README.frag3 file in the doc directory for more 
> > > background and configuration
> > > # information.
> > > #
> > > # Frag3 configuration is a two step process, a global initialization
> > > phase
> > > # followed by the definition of a set of defragmentation engines.
> > > #
> > > # Global configuration defines the number of fragmented packets that
> > > Snort can
> > > # track at the same time and gives you options regarding the memory
> cap
> > > for the
> > > # subsystem or, optionally, allows you to preallocate all the memory
> for
> > > the
> > > # entire frag3 system.
> > > #
> > > # frag3_global options:
> > > #   max_frags: Maximum number of frag trackers that may be active at
> > > once.
> > > #              Default value is 8192.
> > > #   memcap: Maximum amount of memory that frag3 may access at any
> given
> > > time.
> > > #           Default value is 4MB.
> > > #   prealloc_frags: Maximum number of individual fragments that may
> be
> > > processed
> > > #                   at once.  This is instead of the memcap system,
> uses
> > > static
> > > #                   allocation to increase performance.  No default
> > > value.  Each
> > > #                   preallocated fragment eats ~1550 bytes.
> > > #
> > > # Target-based behavior is attached to an engine as a "policy" for
> > > handling
> > > # overlaps and retransmissions as enumerated in the Paxson paper.
> There
> > > are
> > > # currently five policy types available: "BSD", "BSD-right",
> "First",
> > > "Linux"
> > > # and "Last".  Engines can be bound to bound to standard Snort CIDR
> > > blocks or
> > > # IP lists.
> > > #
> > > # frag3_engine options:
> > > #   timeout: Amount of time a fragmented packet may be active before
> > > expiring.
> > > #            Default value is 60 seconds.
> > > #   ttl_limit: Limit of delta allowable for TTLs of packets in the
> > > fragments.
> > > #              Based on the initial received fragment TTL.
> > > #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs
> > > below this
> > > #            value will be discarded.  Default value is 0.
> > > #   detect_anomalies: Activates frag3's anomaly detection
> mechanisms.
> > > #   policy: Target-based policy to assign to this engine.  Default
> is
> > > BSD.
> > > #   bind_to: IP address set to bind this engine to.  Default is all
> > > hosts.
> > > #
> > > # Frag3 configuration example:
> > > #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
> > > #preprocessor frag3_engine: policy linux \
> > > #                           bind_to [10.1.1.12/32,10.1.1.13/32] \
> > > #                           detect_anomalies
> > > #preprocessor frag3_engine: policy first \
> > > #                           bind_to 10.2.1.0/24 \
> > > #                           detect_anomalies
> > > #preprocessor frag3_engine: policy last \
> > > #                           bind_to 10.3.1.0/24
> > > #preprocessor frag3_engine: policy bsd
> > >
> > > preprocessor frag3_global: max_frags 65536
> > > preprocessor frag3_engine: policy first detect_anomalies
> > >
> > >
> > > # stream4: stateful inspection/stream reassembly for Snort
> > > #-------------------------------------------------------------------
> > > ---
> > > # Use in concert with the -z [all|est] command line switch to defeat
> > > stick/snot
> > > # against TCP rules.  Also performs full TCP stream reassembly,
> stateful
> > > # inspection of TCP streams, etc.  Can statefully detect various
> > > portscan
> > > # types, fingerprinting, ECN, etc.
> > >
> > > # stateful inspection directive
> > > # no arguments loads the defaults (timeout 30, memcap 8388608) # 
> > > options (options are comma delimited):
> > > #   detect_scans - stream4 will detect stealth portscans and
> generate
> > > alerts
> > > #                  when it sees them when this option is set
> > > #   detect_state_problems - detect TCP state problems, this tends to
> be
> > > very
> > > #                           noisy because there are a lot of crappy
> ip
> > > stack
> > > #                           implementations out there
> > > #
> > > #   disable_evasion_alerts - turn off the possibly noisy mitigation
> of
> > > #                            overlapping sequences.
> > > #
> > > #   ttl_limit [number]     - differential of the initial ttl on a
> > > session versus
> > > #                             the normal that someone may be playing
> > > games.
> > > #                             Routing flap may cause lots of false
> > > positives.
> > > #
> > > #   keepstats [machine|binary] - keep session statistics, add
> "machine"
> > > to
> > > #                         get them in a flat format for machine
> reading,
> > > add
> > > #                         "binary" to get them in a unified binary
> > > output
> > > #                         format
> > > #   noinspect - turn off stateful inspection only
> > > #   timeout [number] - set the session timeout counter to [number]
> > > seconds,
> > > #                      default is 30 seconds
> > > #   max_sessions [number] - limit the number of sessions stream4
> keeps
> > > #                         track of
> > > #   memcap [number] - limit stream4 memory usage to [number] bytes
> (does
> > > #                     not include session tracking, which is set by
> the
> > > #                     max_sessions option)
> > > #   log_flushed_streams - if an event is detected on a stream this
> > > option will
> > > #                         cause all packets that are stored in the
> > > stream4
> > > #                         packet buffers to be flushed to disk.
> This
> > > only
> > > #                         works when logging in pcap mode!
> > > #   server_inspect_limit [bytes] - Byte limit on server side
> inspection.
> > > #   enable_udp_sessions - turn on tracking of "sessions" over UDP.
> > > Requires
> > > #                         configure --enable-stream4udp.  UDP
> sessions
> > > are
> > > #                         only created when there is a rule for the
> > > sender or
> > > #                         responder that has a flow or flowbits
> keyword.
> > > #   max_udp_sessions [number] - limit the number of simultaneous UDP
> > > sessions
> > > #                               to track
> > > #   udp_ignore_any - Do not inspect UDP packets unless there is a
> port
> > > specific
> > > #                    rule for a given port.  This is a performance
> > > improvement
> > > #                    and turns off inspection for udp xxx any -> xxx
> any
> > > rules
> > > #   cache_clean_sessions [number] - Cleanup the session cache by
> number
> > > sessions
> > > #                                   at a time.  The larger the
> value,
> > > the
> > > #                                   more sessions are purged from
> the
> > > cache when
> > > #                                   the session limit or memcap is
> > > reached.
> > > #                                   Defaults to 5.
> > > #
> > > #
> > > #
> > > # Stream4 uses Generator ID 111 and uses the following SIDS # for 
> > > that GID:
> > > #  SID     Event description
> > > # -----   -------------------
> > > #   1       Stealth activity
> > > #   2       Evasive RST packet
> > > #   3       Evasive TCP packet retransmission
> > > #   4       TCP Window violation
> > > #   5       Data on SYN packet
> > > #   6       Stealth scan: full XMAS
> > > #   7       Stealth scan: SYN-ACK-PSH-URG
> > > #   8       Stealth scan: FIN scan
> > > #   9       Stealth scan: NULL scan
> > > #   10      Stealth scan: NMAP XMAS scan
> > > #   11      Stealth scan: Vecna scan
> > > #   12      Stealth scan: NMAP fingerprint scan stateful detect
> > > #   13      Stealth scan: SYN-FIN scan
> > > #   14      TCP forward overlap
> > >
> > > preprocessor stream4: disable_evasion_alerts
> > >
> > > # tcp stream reassembly directive
> > > # no arguments loads the default configuration
> > > #   Only reassemble the client,
> > > #   Only reassemble the default list of ports (See below),
> > > #   Give alerts for "bad" streams
> > > #
> > > # Available options (comma delimited):
> > > #   clientonly - reassemble traffic for the client side of a
> connection
> > > only
> > > #   serveronly - reassemble traffic for the server side of a
> connection
> > > only
> > > #   both - reassemble both sides of a session
> > > #   noalerts - turn off alerts from the stream reassembly stage of
> > > stream4
> > > #   ports [list] - use the space separated list of ports in [list],
> > > "all"
> > > #                  will turn on reassembly for all ports, "default"
> will
> > > turn
> > > #                  on reassembly for ports 21, 23, 25, 42, 53, 80,
> 110,
> > > #                  111, 135, 136, 137, 139, 143, 445, 513, 1433,
> 1521,
> > > #                  and 3306
> > > #   favor_old - favor an old segment (based on sequence number) over
> a
> > > new one.
> > > #               This is the default.
> > > #   favor_new - favor an new segment (based on sequence number) over
> an
> > > old one.
> > > #   overlap_limit [number] - limit on overlaping segments for a
> session.
> > > #   flush_on_alert - flushes stream when an alert is generated for a
> > > session.
> > > #   flush_behavior [mode] -
> > > #           default      - use old static flushpoints (default)
> > > #           large_window - use new larger static flushpoints
> > > #           random       - use random flushpoints defined by
> > > flush_base,
> > > #                          flush_seed and flush_range
> > > #   flush_base [number] - lowest allowed random flushpoint (512 by
> > > default)
> > > #   flush_range [number] - number is the space within which random
> > > flushpoints
> > > #                          are generated (default 1213)
> > > #   flush_seed [number] - seed for the random number generator,
> defaults
> > > to
> > > #                         Snort PID + time
> > > #
> > > # Using the default random flushpoints, the smallest flushpoint is 
> > > 512, # and the largest is 1725 bytes. preprocessor 
> > > stream4_reassemble preprocessor stream4_reassemble: both,ports 21 23
> 
> > > 25 53 80 110 111 139 143 445 513 1433
> > >
> > > # stream5: Target Based stateful inspection/stream reassembly for 
> > > Snort # 
> > >
> ---------------------------------------------------------------------
> > > # EXPERIMENTAL CODE!!!
> > > #
> > > # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
> > > # USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
> > > # YOU HAVE BEEN WARNED.
> > > #
> > > # Stream5 is a target-based stream engine for Snort.  Its
> functionality
> > > # replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
> > > # cannot be used simultaneously.  Comment out the stream4
> configurations
> > > # above to use Stream5.
> > > #
> > > # See README.stream for details on the configuration options.
> > > #
> > > # Example config (that emulates Stream4 with UDP support compiled
> in)
> > > # preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > > #                              track_udp yes
> > > # preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> > > # preprocessor stream5_udp: ignore_any_rules
> > >
> > >
> > > # Performance Statistics
> > > # ----------------------
> > > # Documentation for this is provided in the Snort Manual.  You 
> > > should read it. # It is included in the release distribution as 
> > > doc/snort_manual.pdf #
> > > # preprocessor perfmonitor: time 300 file /var/snort/snort.stats
> pktcnt
> > > 10000
> > >
> > > # http_inspect: normalize and detect HTTP traffic and protocol 
> > > anomalies # # lots of options available here. See 
> > > doc/README.http_inspect. # unicode.map should be wherever your 
> > > snort.conf lives, or given # a full path to where snort can find it.
> > > preprocessor http_inspect: global \
> > >    iis_unicode_map unicode.map 1252
> > >
> > > preprocessor http_inspect_server: server default \
> > >    profile all ports { 80 8080 8180 } oversize_dir_length 500
> > >
> > > #
> > > #  Example unique server configuration
> > > #
> > > #preprocessor http_inspect_server: server 1.1.1.1 \
> > > #    ports { 80 3128 8080 } \
> > > #    flow_depth 0 \
> > > #    ascii no \
> > > #    double_decode yes \
> > > #    non_rfc_char { 0x00 } \
> > > #    chunk_length 500000 \
> > > #    non_strict \
> > > #    oversize_dir_length 300 \
> > > #    no_alerts
> > >
> > >
> > > # rpc_decode: normalize RPC traffic
> > > # ---------------------------------
> > > # RPC may be sent in alternate encodings besides the usual 4-byte 
> > > encoding # that is used by default. This plugin takes the port 
> > > numbers that RPC # services are running on as arguments - it is 
> > > assumed that the given ports
> > > # are actually running this type of service. If not, change the
> ports or
> > > turn
> > > # it off.
> > > # The RPC decode preprocessor uses generator ID 106
> > > #
> > > # arguments: space separated list
> > > # alert_fragments - alert on any rpc fragmented TCP data
> > > # no_alert_multiple_requests - don't alert when >1 rpc query is in a
> > > packet
> > > # no_alert_large_fragments - don't alert when the fragmented
> > > #                            sizes exceed the current packet size
> > > # no_alert_incomplete - don't alert when a single segment
> > > #                       exceeds the current packet size
> > >
> > > preprocessor rpc_decode: 111 32771
> > >
> > > # bo: Back Orifice detector
> > > # -------------------------
> > > # Detects Back Orifice traffic on the network.
> > > #
> > > # arguments:
> > > #   syntax:
> > > #     preprocessor bo: noalert { client | server | general |
> > > snort_attack } \
> > > #                      drop    { client | server | general |
> > > snort_attack }
> > > #   example:
> > > #     preprocessor bo: noalert { general server } drop {
> snort_attack }
> > >
> > > #
> > > # The Back Orifice detector uses Generator ID 105 and uses the # 
> > > following SIDS for that GID:
> > > #  SID     Event description
> > > # -----   -------------------
> > > #   1       Back Orifice traffic detected
> > > #   2       Back Orifice Client Traffic Detected
> > > #   3       Back Orifice Server Traffic Detected
> > > #   4       Back Orifice Snort Buffer Attack
> > >
> > > preprocessor bo
> > >
> > > # telnet_decode: Telnet negotiation string normalizer
> > > # ---------------------------------------------------
> > > # This preprocessor "normalizes" telnet negotiation strings from 
> > > telnet and ftp # traffic.  It works in much the same way as the 
> > > http_decode preprocessor,
> > > # searching for traffic that breaks up the normal data stream of a
> > > protocol and
> > > # replacing it with a normalized representation of that traffic so
> that
> > > the
> > > # "content" pattern matching keyword can work without requiring
> > > modifications.
> > > # This preprocessor requires no arguments.
> > > #
> > > # DEPRECATED in favor of ftp_telnet dynamic preprocessor
> > > #preprocessor telnet_decode
> > > #
> > > # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff
> > > overflow
> > > #
> > >
> ------------------------------------------------------------------------
> ---
> > > # This preprocessor normalizes telnet negotiation strings from
> telnet
> > > and
> > > # ftp traffic.  It looks for traffic that breaks the normal data
> stream
> > > # of the protocol, replacing it with a normalized representation of
> that
> > > # traffic so that the "content" pattern matching keyword can work
> > > without
> > > # requiring modifications.
> > > #
> > > # It also performs protocol correctness checks for the FTP command
> > > channel,
> > > # and identifies open FTP data transfers.
> > > #
> > > # FTPTelnet has numerous options available, please read
> > > # README.ftptelnet for help configuring the options for the global
> > > # telnet, ftp server, and ftp client sections for the protocol.
> > >
> > > #####
> > > # Per Step #2, set the following to load the ftptelnet preprocessor 
> > > # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so> # or
> 
> > > use commandline option # --dynamic-preprocessor-lib <full path to 
> > > libsf_ftptelnet_preproc.so>
> > >
> > > preprocessor ftp_telnet: global \
> > >   encrypted_traffic yes \
> > >   inspection_type stateful
> > >
> > > preprocessor ftp_telnet_protocol: telnet \
> > >   normalize \
> > >   ayt_attack_thresh 200
> > >
> > > # This is consistent with the FTP rules as of 18 Sept 2004. # CWD 
> > > can have param length of 200 # MODE has an additional mode of Z 
> > > (compressed) # Check for string formats in USER & PASS commands
> > > # Check nDTM commands that set modification time on the file.
> > > preprocessor ftp_telnet_protocol: ftp server default \
> > >   def_max_param_len 100 \
> > >   alt_max_param_len 200 { CWD } \
> > >   cmd_validity MODE < char ASBCZ > \
> > >   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> > >   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> > >   telnet_cmds yes \
> > >   data_chan
> > >
> > > preprocessor ftp_telnet_protocol: ftp client default \
> > >   max_resp_len 256 \
> > >   bounce yes \
> > >   telnet_cmds yes
> > >
> > > # smtp: SMTP normalizer, protocol enforcement and buffer overflow #
> > >
> ------------------------------------------------------------------------
> ---
> > > # This preprocessor normalizes SMTP commands by removing extraneous
> > > spaces.
> > > # It looks for overly long command lines, response lines, and data
> > > header lines.
> > > # It can alert on invalid commands, or specific valid commands.  It
> can
> > > optionally
> > > # ignore mail data, and can ignore TLS encrypted data.
> > > #
> > > # SMTP has numerous options available, please read README.SMTP for
> help
> > > # configuring options.
> > >
> > > #####
> > > # Per Step #2, set the following to load the smtp preprocessor # 
> > > dynamicpreprocessor <full path to libsf_smtp_preproc.so> # or use 
> > > commandline option # --dynamic-preprocessor-lib <full path to 
> > > libsf_smtp_preproc.so>
> > >
> > > preprocessor smtp: \
> > >  ports { 25 } \
> > >  inspection_type stateful \
> > >  normalize cmds \
> > >  normalize_cmds { EXPN VRFY RCPT } \  alt_max_command_line_len 260 {
> 
> > > MAIL } \  alt_max_command_line_len 300 { RCPT } \
> > >  alt_max_command_line_len 500 { HELP HELO ETRN } \
> > >  alt_max_command_line_len 255 { EXPN VRFY }
> > >
> > > # sfPortscan
> > > # ----------
> > > # Portscan detection module.  Detects various types of portscans and
> 
> > > # portsweeps.  For more information on detection philosophy, alert 
> > > types, # and detailed portscan information, please refer to the
> > > README.sfportscan.
> > > #
> > > # -configuration options-
> > > #     proto { tcp udp icmp ip all }
> > > #       The arguments to the proto option are the types of protocol
> > > scans that
> > > #       the user wants to detect.  Arguments should be separated by
> > > spaces and
> > > #       not commas.
> > > #     scan_type { portscan portsweep decoy_portscan
> distributed_portscan
> > > all }
> > > #       The arguments to the scan_type option are the scan types
> that
> > > the
> > > #       user wants to detect.  Arguments should be separated by
> spaces
> > > and not
> > > #       commas.
> > > #     sense_level { low|medium|high }
> > > #       There is only one argument to this option and it is the
> level of
> > > #       sensitivity in which to detect portscans.  The 'low'
> sensitivity
> > > #       detects scans by the common method of looking for response
> > > errors, such
> > > #       as TCP RSTs or ICMP unreachables.  This level requires the
> least
> > > #       tuning.  The 'medium' sensitivity level detects portscans
> and
> > > #       filtered portscans (portscans that receive no response).
> This
> > > #       sensitivity level usually requires tuning out scan events
> from
> > > NATed
> > > #       IPs, DNS cache servers, etc.  The 'high' sensitivity level
> has
> > > #       lower thresholds for portscan detection and a longer time
> window
> > > than
> > > #       the 'medium' sensitivity level.  Requires more tuning and
> may be
> > > noisy
> > > #       on very active networks.  However, this sensitivity levels
> > > catches the
> > > #       most scans.
> > > #     memcap { positive integer }
> > > #       The maximum number of bytes to allocate for portscan
> detection.
> > > The
> > > #       higher this number the more nodes that can be tracked.
> > > #     logfile { filename }
> > > #       This option specifies the file to log portscan and detailed
> > > portscan
> > > #       values to.  If there is not a leading /, then snort logs to
> the
> > > #       configured log directory.  Refer to README.sfportscan for
> > > details on
> > > #       the logged values in the logfile.
> > > #     watch_ip { Snort IP List }
> > > #     ignore_scanners { Snort IP List }
> > > #     ignore_scanned { Snort IP List }
> > > #       These options take a snort IP list as the argument.  The
> > > 'watch_ip'
> > > #       option specifies the IP(s) to watch for portscan.  The
> > > #       'ignore_scanners' option specifies the IP(s) to ignore as
> > > scanners.
> > > #       Note that these hosts are still watched as scanned hosts.
> The
> > > #       'ignore_scanners' option is used to tune alerts from very
> active
> > > #       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned'
> > > option
> > > #       specifies the IP(s) to ignore as scanned hosts.  Note that
> these
> > > hosts
> > > #       are still watched as scanner hosts.  The 'ignore_scanned'
> option
> > > is
> > > #       used to tune alerts from very active hosts such as syslog
> > > servers, etc.
> > > #     detect_ack_scans
> > > #       This option will include sessions picked up in midstream by
> the
> > > stream
> > > #       module, which is necessary to detect ACK scans.  However,
> this
> > > can lead to
> > > #       false alerts, especially under heavy load with dropped
> packets;
> > > which is why
> > > #       the option is off by default.
> > > #
> > > preprocessor sfportscan: proto  { all } \
> > >                         memcap { 10000000 } \
> > >                         sense_level { low }
> > >
> > > # arpspoof
> > > #----------------------------------------
> > > # Experimental ARP detection code from Jeff Nathan, detects ARP 
> > > attacks, # unicast ARP requests, and specific ARP mapping 
> > > monitoring.  To make use of # this preprocessor you must specify the
> 
> > > IP and hardware address of hosts on
> > > # the same layer 2 segment as you.  Specify one host IP MAC combo
> per
> > > line.
> > > # Also takes a "-unicast" option to turn on unicast ARP request
> > > detection.
> > > # Arpspoof uses Generator ID 112 and uses the following SIDS for
> that
> > > GID:
> > >
> > > #  SID     Event description
> > > # -----   -------------------
> > > #   1       Unicast ARP request
> > > #   2       Etherframe ARP mismatch (src)
> > > #   3       Etherframe ARP mismatch (dst)
> > > #   4       ARP cache overwrite attack
> > >
> > > #preprocessor arpspoof
> > > #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> > >
> > > # ssh
> > > #----------------------------------------
> > > # EXPERIMENTAL CODE!!!
> > > #
> > > # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE! # 
> > > USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS. # YOU 
> > > HAVE BEEN WARNED. #
> > > # The SSH preprocessor detects the following exploits: Gobbles, CRC
> 32,
> > > # Secure CRT, and the Protocol Mismatch exploit.
> > > #
> > > # Both Gobbles and CRC 32 attacks occur after the key exchange, and
> are
> > > # therefore encrypted.  Both attacks involve sending a large payload
> > > # (20kb+) to the server immediately after the authentication
> challenge.
> > > # To detect the attacks, the SSH preprocessor counts the number of
> bytes
> > > # transmitted to the server.  If those bytes exceed a pre-defined
> limit
> > > # within a pre-define number of packets, an alert is generated.
> Since
> > > # Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH
> > > # version string exchange is used to distinguish the attacks.
> > > #
> > > # The Secure CRT and protocol mismatch exploits are observable
> before
> > > # the key exchange.
> > > #
> > > # SSH has numerous options available, please read README.ssh for
> help
> > > # configuring options.
> > >
> > > #####
> > > # Per Step #2, set the following to load the ssh preprocessor # 
> > > dynamicpreprocessor <full path to libsf_ssh_preproc.so> # or use 
> > > commandline option # --dynamic-preprocessor-lib <full path to 
> > > libsf_ssh_preproc.so> #
> > > #preprocessor ssh: server_ports { 22 } \
> > > #                  max_client_bytes 19600 \
> > > #                  max_encrypted_packets 20
> > >
> > > # DCE/RPC
> > > #----------------------------------------
> > > #
> > > # The dcerpc preprocessor detects and decodes SMB and DCE/RPC 
> > > traffic. # It is primarily interested in DCE/RPC data, and only 
> > > decodes SMB # to get at the DCE/RPC data carried by the SMB layer. #
> > > # Currently, the preprocessor only handles reassembly of
> fragmentation
> > > # at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
> > > # using both types of fragmentation; with the preprocessor enabled
> > > # the rules are given a buffer with a reassembled SMB or DCE/RPC
> > > # packet to examine.
> > > #
> > > # At the SMB layer, only fragmentation using WriteAndX is currently
> > > # reassembled.  Other methods will be handled in future versions of
> > > # the preprocessor.
> > > #
> > > # Autodetection of SMB is done by looking for "\xFFSMB" at the start
> of
> > > # the SMB data, as well as checking the NetBIOS header (which is
> always
> > > # present for SMB) for the type "SMB Session".
> > > #
> > > # Autodetection of DCE/RPC is not as reliable.  Currently, two bytes
> are
> > > # checked in the packet.  Assuming that the data is a DCE/RPC
> header,
> > > # one byte is checked for DCE/RPC version (5) and another for the
> type
> > > # "DCE/RPC Request".  If both match, the preprocessor proceeds with
> that
> > > # assumption that it is looking at DCE/RPC data.  If subsequent
> checks
> > > # are nonsensical, it ends processing.
> > > #
> > > # DCERPC has numerous options available, please read README.dcerpc
> for
> > > help
> > > # configuring options.
> > >
> > > #####
> > > # Per Step #2, set the following to load the dcerpc preprocessor # 
> > > dynamicpreprocessor <full path to libsf_dcerpc_preproc.so> # or use 
> > > commandline option # --dynamic-preprocessor-lib <full path to 
> > > libsf_dcerpc_preproc.so>
> > >
> > > preprocessor dcerpc: \
> > >    autodetect \
> > >    max_frag_size 3000 \
> > >    memcap 100000
> > >
> > > # DNS
> > > #----------------------------------------
> > > # The dns preprocessor (currently) decodes DNS Response traffic # 
> > > and detects a few vulnerabilities. #
> > > # DNS has a few options available, please read README.dns for
> > > # help configuring options.
> > >
> > > #####
> > > # Per Step #2, set the following to load the dns preprocessor # 
> > > dynamicpreprocessor <full path to libsf_dns_preproc.so> # or use 
> > > commandline option # --dynamic-preprocessor-lib <full path to 
> > > libsf_dns_preproc.so>
> > >
> > > preprocessor dns: \
> > >    ports { 53 } \
> > >    enable_rdata_overflow
> > >
> > > ####################################################################
> > > # Step #4: Configure output plugins
> > > #
> > > # Uncomment and configure the output plugins you decide to use.  
> > > General # configuration for output plugins is of the form: #
> > > # output <name_of_plugin>: <configuration_options>
> > > #
> > > # alert_syslog: log alerts to syslog
> > > # ----------------------------------
> > > # Use one or more syslog facilities as arguments.  Win32 can also
> > > optionally
> > > # specify a particular hostname/port.  Under Win32, the default
> hostname
> > > is
> > > # '127.0.0.1', and the default port is 514.
> > > #
> > > # [Unix flavours should use this format...]
> > > # output alert_syslog: LOG_AUTH LOG_ALERT
> > > #
> > > # [Win32 can use any of these formats...]
> > > # output alert_syslog: LOG_AUTH LOG_ALERT
> > > # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> > > # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> > >
> > > # log_tcpdump: log packets in binary tcpdump format
> > > # -------------------------------------------------
> > > # The only argument is the output file name.
> > > #
> > > # output log_tcpdump: tcpdump.log
> > >
> > > # database: log to a variety of databases
> > > # ---------------------------------------
> > > # See the README.database file for more information about 
> > > configuring # and using this plugin. #
> > > output database: log, mysql, user=snort password=snortuser
> dbname=snort
> > > host=localhost
> > > # output database: alert, postgresql, user=snort dbname=snort
> > > # output database: log, odbc, user=snort dbname=snort
> > > # output database: log, mssql, dbname=snort user=snort password=test
> > > # output database: log, oracle, dbname=snort user=snort
> password=test
> > >
> > > # unified: Snort unified binary format alerting and logging # 
> > > -------------------------------------------------------------
> > > # The unified output plugin provides two new formats for logging and
> 
> > > generating # alerts from Snort, the "unified" format.  The unified 
> > > format is a straight
> > > # binary format for logging data out of Snort that is designed to be
> > > fast and
> > > # efficient.  Used with barnyard (the new alert/log processor), most
> of
> > > the
> > > # overhead for logging and alerting to various slow storage
> mechanisms
> > > such as
> > > # databases or the network can now be avoided.
> > > #
> > > # Check out the spo_unified.h file for the data formats.
> > > #
> > > # Two arguments are supported.
> > > #    filename - base filename to write to (current time_t is
> appended)
> > > #    limit    - maximum size of spool file in MB (default: 128)
> > > #
> > > # output alert_unified: filename snort.alert, limit 128
> > > # output log_unified: filename snort.log, limit 128
> > >
> > >
> > > # prelude: log to the Prelude Hybrid IDS system
> > > # ---------------------------------------------
> > > #
> > > # profile = Name of the Prelude profile to use (default is snort). #
> > > # Snort priority to IDMEF severity mappings:
> > > # high < medium < low < info
> > > #
> > > # These are the default mapped from classification.config:
> > > # info   = 4
> > > # low    = 3
> > > # medium = 2
> > > # high   = anything below medium
> > > #
> > > # output alert_prelude
> > > # output alert_prelude: profile=snort-profile-name
> > >
> > >
> > > # You can optionally define new rule types and associate one or more
> > > output
> > > # plugins specifically to that type.
> > > #
> > > # This example will create a type that will log to just tcpdump.
> > > # ruletype suspicious
> > > # {
> > > #   type log
> > > #   output log_tcpdump: suspicious.log
> > > # }
> > > #
> > > # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> > > # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
> > > Server";)
> > > #
> > > # This example will create a rule type that will log to syslog and a
> > > mysql
> > > # database:
> > > # ruletype redalert
> > > # {
> > > #   type alert
> > > #   output alert_syslog: LOG_AUTH LOG_ALERT
> > > #   output database: log, mysql, user=snort dbname=snort
> host=localhost
> > > # }
> > > #
> > > # EXAMPLE RULE FOR REDALERT RULETYPE:
> > > # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
> > > #   (msg:"Someone is being LEET"; flags:A+;)
> > >
> > > #
> > > # Include classification & priority settings
> > > # Note for Windows users:  You are advised to make this an absolute
> > > path,
> > > # such as:  c:\snort\etc\classification.config
> > > #
> > >
> > > include classification.config
> > >
> > > #
> > > # Include reference systems
> > > # Note for Windows users:  You are advised to make this an absolute
> > > path,
> > > # such as:  c:\snort\etc\reference.config
> > > #
> > >
> > > include reference.config
> > >
> > > ####################################################################
> > > # Step #5: Configure snort with config statements
> > > #
> > > # See the snort manual for a full set of configuration references
> > > #
> > > # config flowbits_size: 64
> > > #
> > > # New global ignore_ports config option from Andy Mullican
> > > #
> > > # config ignore_ports: <tcp|udp> <list of ports separated by
> whitespace>
> > > # config ignore_ports: tcp 21 6667:6671 1356
> > > # config ignore_ports: udp 1:17 53
> > >
> > >
> > > ####################################################################
> > > # Step #6: Customize your rule set
> > > #
> > > # Up to date snort rules are available at http://www.snort.org
> > > #
> > > # The snort web site has documentation about how to write your own
> > > custom snort
> > > # rules.
> > >
> > > #=========================================
> > > # Include all relevant rulesets here
> > > #
> > > # The following rulesets are disabled by default:
> > > #
> > > #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,
> > > virus,
> > > #   chat, multimedia, and p2p
> > > #
> > > # These rules are either site policy specific or require tuning in
> order
> > > to not
> > > # generate false positive alerts in most enviornments.
> > > #
> > > # Please read the specific include file for more information and
> > > # README.alert_order for how rule ordering affects how alerts are
> > > triggered.
> > > #=========================================
> > >
> > > include $RULE_PATH/local.rules
> > > include $RULE_PATH/bad-traffic.rules
> > > include $RULE_PATH/exploit.rules
> > > include $RULE_PATH/scan.rules
> > > include $RULE_PATH/finger.rules
> > > include $RULE_PATH/ftp.rules
> > > include $RULE_PATH/telnet.rules
> > > include $RULE_PATH/rpc.rules
> > > include $RULE_PATH/rservices.rules
> > > include $RULE_PATH/dos.rules
> > > include $RULE_PATH/ddos.rules
> > > include $RULE_PATH/dns.rules
> > > include $RULE_PATH/tftp.rules
> > >
> > > include $RULE_PATH/web-cgi.rules
> > > include $RULE_PATH/web-coldfusion.rules
> > > include $RULE_PATH/web-iis.rules
> > > include $RULE_PATH/web-frontpage.rules
> > > include $RULE_PATH/web-misc.rules
> > > include $RULE_PATH/web-client.rules
> > > include $RULE_PATH/web-php.rules
> > >
> > > include $RULE_PATH/sql.rules
> > > include $RULE_PATH/x11.rules
> > > include $RULE_PATH/icmp.rules
> > > include $RULE_PATH/netbios.rules
> > > include $RULE_PATH/misc.rules
> > > include $RULE_PATH/attack-responses.rules
> > > include $RULE_PATH/oracle.rules
> > > include $RULE_PATH/mysql.rules
> > > include $RULE_PATH/snmp.rules
> > >
> > > include $RULE_PATH/smtp.rules
> > > include $RULE_PATH/imap.rules
> > > include $RULE_PATH/pop2.rules
> > > include $RULE_PATH/pop3.rules
> > >
> > > include $RULE_PATH/nntp.rules
> > > include $RULE_PATH/other-ids.rules
> > > # include $RULE_PATH/web-attacks.rules
> > > # include $RULE_PATH/backdoor.rules
> > > # include $RULE_PATH/shellcode.rules
> > > # include $RULE_PATH/policy.rules
> > > # include $RULE_PATH/porn.rules
> > > # include $RULE_PATH/info.rules
> > > # include $RULE_PATH/icmp-info.rules
> > > # include $RULE_PATH/virus.rules
> > > # include $RULE_PATH/chat.rules
> > > # include $RULE_PATH/multimedia.rules
> > > # include $RULE_PATH/p2p.rules
> > > # include $RULE_PATH/spyware-put.rules
> > > include $RULE_PATH/experimental.rules
> > >
> > > # Include any thresholding or suppression commands. See
> threshold.conf
> > > in the
> > > # <snort src>/etc directory for details. Commands don't necessarily
> need
> > > to be
> > > # contained in this conf, but a separate conf makes it easier to
> > > maintain them.
> > > # Note for Windows users:  You are advised to make this an absolute
> > > path,
> > > # such as:  c:\snort\etc\threshold.conf
> > > # Uncomment if needed.
> > > # include threshold.conf
> > >
> > >
> > >
> ------------------------------------------------------------------------
> -
> > > Take Surveys. Earn Cash. Influence the Future of IT
> > > Join SourceForge.net's Techsay panel and you'll get the chance to
> share your
> > > opinions on IT & business topics through brief surveys - and earn
> cash
> > >
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDE
> V
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> 
> ------------------------------------------------------------------------
> -
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDE
> V
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list