[Snort-users] Use two nics

John M. Krumenacker krums at ...14015...
Wed Jan 3 19:08:27 EST 2007


looks like adding port 1 was the key - just tested some attacks and it
is showing up! Thanks soo much for the help.


On Wed, 2007-01-03 at 18:26 -0500, John M. Krumenacker wrote:
> I totally forgot all about that - thanks. 
> 
> I enabled SPAN on the port that the SNORT interface is plugged into and
> pointed it to VLAN1. Figured this will give me all the traffic for
> VLAN1.
> 
> Here is this issue - 
> 
> For the past five hours BASE sees:
> 
> TCP 0%
> UDP 0%
> ICMP 12%
> Portscan 88%
> 
> These are the values from when i was testing. They have not changed in 5
> hours - even with all we have went through - which is the indication
> that something is misconfigured. It worked when i used eth0 only - but
> then when I attempted eth1 it seems things got worse.
> 
> I have now added the uplink port to the router. so, in the switch now -
> 
> interface VLAN1
>  ip address 192.168.1.10 255.255.255.0
>  no ip route-cache
> !
> interface FastEthernet0/1
>  description Uplink
>  speed 100
>  duplex full
> !
> interface FastEthernet0/14
>  port monitor FastEthernet0/1
>  port monitor VLAN1
> !
> 
> did I miss something?
> 
> 
> 
> On Wed, 2007-01-03 at 16:11 -0600, Bush, Jason R CTR NAVSURFWARCENDIV,
> NSWC Crane wrote:
> > I thought of something else.
> > 
> > Have you configured your switch to SPAN?  Basically, you need to send a
> > copy of the traffic to the port your eth1 is plugged into so it can
> > listen to everything.  You can get more information on how to SPAN for
> > 2900 switches at
> > http://www.cisco.com/en/US/products/hw/switches/ps637/products_configura
> > tion_guide_chapter09186a00800d9d3d.html.  You can also use a hub, but by
> > doing so, you create a small collision domain.
> > 
> > 
> > Jason R. Bush 
> > 
> > 
> > -----Original Message-----
> > From: snort-users-bounces at lists.sourceforge.net
> > [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of John M.
> > Krumenacker
> > Sent: Wednesday, January 03, 2007 3:47 PM
> > To: snort
> > Subject: Re: [Snort-users] Use two nics
> > 
> > 
> > specifically - what output would you like to see- I can send anything 
> > 
> > 
> > On Wed, 2007-01-03 at 22:23 +0100, rmkml wrote:
> > > Hi John,
> > > Happy New Year,
> > > Your conf is good,
> > > please send snort output please
> > > Regards
> > > Rmkml
> > > 
> > > 
> > > On Wed, 3 Jan 2007, John M. Krumenacker wrote:
> > > 
> > > > Date: Wed, 03 Jan 2007 16:16:35 -0500
> > > > From: John M. Krumenacker <krums at ...14015...>
> > > > To: snort <snort-users at lists.sourceforge.net>
> > > > Subject: [Snort-users] Use two nics
> > > > 
> > > > Hello -
> > > >
> > > > I would like to be able to use two NICS with my snort machine but 
> > > > for some reason I have not been able to get this to work properly. 
> > > > Is there a default way to set this up or is it more complicated?
> > > >
> > > > eth0 - management (192.168.1.0/24 subnet)
> > > > eth1 - NIDS (no IP)
> > > >
> > > > Both are in the same switch - a cisco 2900
> > > >
> > > > I have configured (on Fedora 5) /etc/init.d/snort to use eth0
> > > >
> > > > I will attach here the contents of /etc/init.d/snort
> > > > and /etc/snort/snort.conf. Can you kindly have a look and see what I
> > 
> > > > may have messed up?
> > > > ********************************************************************
> > > > ******************
> > > > (the stars are here for a separator and not in the actual file)
> > > >
> > ************************************************************************
> > **************
> > > > #!/bin/sh
> > > > #
> > > > # chkconfig: 2345 99 82
> > > > # description: Starts and stops the snort intrusion detection system
> > > > #
> > > > # config: /etc/snort/snort.conf
> > > > # processname: snort
> > > >
> > > > # Source function library
> > > > . /etc/rc.d/init.d/functions
> > > >
> > > > BASE=snort
> > > > DAEMON="-D"
> > > > INTERFACE="-i eth1"
> > > > CONF="/etc/snort/snort.conf"
> > > >
> > > > # Check that $BASE exists.
> > > > [ -f /usr/local/bin/$BASE ] || exit 0
> > > >
> > > > # Source networking configuration.
> > > > . /etc/sysconfig/network
> > > >
> > > > # Check that networking is up.
> > > > [ ${NETWORKING} = "no" ] && exit 0
> > > >
> > > > RETVAL=0
> > > > # See how we were called.
> > > > case "$1" in
> > > >  start)
> > > >        if [ -n "`/sbin/pidof $BASE`" ]; then
> > > >                echo -n $"$BASE: already running"
> > > >                echo ""
> > > >                exit $RETVAL
> > > >        fi
> > > >        echo -n "Starting snort service: "
> > > >        /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
> > > >        sleep 1
> > > >        action "" /sbin/pidof $BASE
> > > >        RETVAL=$?
> > > >        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
> > > >        ;;
> > > >  stop)
> > > >        echo -n "Shutting down snort service: "
> > > >        killproc $BASE
> > > >        RETVAL=$?
> > > >        echo
> > > >        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
> > > >        ;;
> > > >  restart|reload)
> > > >        $0 stop
> > > >        $0 start
> > > >        RETVAL=$?
> > > >        ;;
> > > >  status)
> > > >        status $BASE
> > > >        RETVAL=$?
> > > >        ;;
> > > >  *)
> > > >        echo "Usage: snort {start|stop|restart|reload|status}"
> > > >        exit 1
> > > > esac
> > > >
> > > > exit $RETVAL
> > > >
> > > >
> > > > ********************************************************************
> > > > ******************
> > > > end of /etc/init.d/snort
> > > >
> > ************************************************************************
> > **************
> > > >
> > > > ********************************************************************
> > > > ******************
> > > > Begin /etc/snort/snort.conf
> > > >
> > ************************************************************************
> > **************
> > > >
> > > > #--------------------------------------------------
> > > > #   http://www.snort.org     Snort 2.6.1.2 Ruleset
> > > > #     Contact: snort-sigs at lists.sourceforge.net
> > > > #--------------------------------------------------
> > > > # $Id$
> > > > #
> > > > ###################################################
> > > > # This file contains a sample snort configuration.
> > > > # You can take the following steps to create your own custom
> > > > configuration:
> > > > #
> > > > #  1) Set the variables for your network
> > > > #  2) Configure dynamic loaded libraries
> > > > #  3) Configure preprocessors
> > > > #  4) Configure output plugins
> > > > #  5) Add any runtime config directives
> > > > #  6) Customize your rule set
> > > > #
> > > > ###################################################
> > > > # Step #1: Set the network variables:
> > > > #
> > > > # You must change the following variables to reflect your local 
> > > > network. The # variable is currently setup for an RFC 1918 address 
> > > > space. #
> > > > # You can specify it explicitly as:
> > > > #
> > > > var HOME_NET 192.168.1.0/24
> > > > #
> > > > # or use global variable $<interfacename>_ADDRESS which will be
> > always
> > > > # initialized to IP address and netmask of the network interface
> > which
> > > > you run
> > > > # snort at.  Under Windows, this must be specified as
> > > > # $(<interfacename>_ADDRESS), such as:
> > > > # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> > > > #
> > > > # var HOME_NET $eth0_ADDRESS
> > > > #
> > > > # You can specify lists of IP addresses for HOME_NET
> > > > # by separating the IPs with commas like this:
> > > > #
> > > > # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> > > > #
> > > > # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> > > > #
> > > > # or you can specify the variable to be any IP address
> > > > # like this:
> > > >
> > > > #var HOME_NET any
> > > >
> > > > # Set up the external network addresses as well.  A good start may 
> > > > be "any" var EXTERNAL_NET !$HOME_NET
> > > >
> > > > # Configure your server lists.  This allows snort to only look for 
> > > > attacks to # systems that have a service up.  Why look for HTTP 
> > > > attacks if you are not
> > > > # running a web server?  This allows quick filtering based on IP
> > > > addresses
> > > > # These configurations MUST follow the same configuration scheme as
> > > > defined
> > > > # above for $HOME_NET.
> > > >
> > > > # List of DNS servers on your network
> > > > var DNS_SERVERS $HOME_NET
> > > >
> > > > # List of SMTP servers on your network
> > > > var SMTP_SERVERS $HOME_NET
> > > >
> > > > # List of web servers on your network
> > > > var HTTP_SERVERS $HOME_NET
> > > >
> > > > # List of sql servers on your network
> > > > var SQL_SERVERS $HOME_NET
> > > >
> > > > # List of telnet servers on your network
> > > > var TELNET_SERVERS $HOME_NET
> > > >
> > > > # List of snmp servers on your network
> > > > var SNMP_SERVERS $HOME_NET
> > > >
> > > > # Configure your service ports.  This allows snort to look for 
> > > > attacks destined # to a specific application only on the ports that 
> > > > application runs on. For
> > > > # example, if you run a web server on port 8081, set your HTTP_PORTS
> > > > variable
> > > > # like this:
> > > > #
> > > > # var HTTP_PORTS 8081
> > > > #
> > > > # Port lists must either be continuous [eg 80:8080], or a single
> > port
> > > > [eg 80].
> > > > # We will adding support for a real list of ports in the future.
> > > >
> > > > # Ports you run web servers on
> > > > #
> > > > # Please note:  [80,8080] does not work.
> > > > # If you wish to define multiple HTTP ports, use the following 
> > > > convention # when customizing your rule set (as part of Step #6 
> > > > below).  This should
> > > > # not be done here, as the rules files may depend on the
> > classifications
> > > > # and/or references, which are included below.
> > > > #
> > > > ## var HTTP_PORTS 80
> > > > ## include somefile.rules
> > > > ## var HTTP_PORTS 8080
> > > > ## include somefile.rules
> > > > var HTTP_PORTS 80
> > > >
> > > > # Ports you want to look for SHELLCODE on.
> > > > var SHELLCODE_PORTS !80
> > > >
> > > > # Ports you do oracle attacks on
> > > > var ORACLE_PORTS 1521
> > > >
> > > > # other variables
> > > > #
> > > > # AIM servers.  AOL has a habit of adding new AIM servers, so 
> > > > instead of # modifying the signatures when they do, we add them to 
> > > > this list of servers. var AIM_SERVERS
> > > >
> > [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/2
> > 4,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.15
> > 3.0/24,205.188.179.0/24,205.188.248.0/24]
> > > >
> > > > # Path to your rules files (this can be a relative path)
> > > > # Note for Windows users:  You are advised to make this an absolute 
> > > > path, # such as:  c:\snort\rules
> > > > var RULE_PATH /etc/snort/rules
> > > >
> > > > # Configure the snort decoder
> > > > # ============================
> > > > #
> > > > # Snort's decoder will alert on lots of things such as header # 
> > > > truncation or options of unusual length or infrequently used tcp 
> > > > options #
> > > > #
> > > > # Stop generic decode events:
> > > > #
> > > > # config disable_decode_alerts
> > > > #
> > > > # Stop Alerts on experimental TCP options
> > > > #
> > > > # config disable_tcpopt_experimental_alerts
> > > > #
> > > > # Stop Alerts on obsolete TCP options
> > > > #
> > > > # config disable_tcpopt_obsolete_alerts
> > > > #
> > > > # Stop Alerts on T/TCP alerts
> > > > #
> > > > # In snort 2.0.1 and above, this only alerts when a TCP option is
> > > > detected
> > > > # that shows T/TCP being actively used on the network.  If this is
> > > > normal
> > > > # behavior for your network, disable the next option.
> > > > #
> > > > # config disable_tcpopt_ttcp_alerts
> > > > #
> > > > # Stop Alerts on all other TCPOption type events:
> > > > #
> > > > # config disable_tcpopt_alerts
> > > > #
> > > > # Stop Alerts on invalid ip options
> > > > #
> > > > # config disable_ipopt_alerts
> > > > #
> > > > # Alert if value in length field (IP, TCP, UDP) is greater than the
> > > > # actual length of the captured portion of the packet that the
> > length
> > > > # is supposed to represent:
> > > > #
> > > > # config enable_decode_oversized_alerts
> > > > #
> > > > # Same as above, but drop packet if in Inline mode -
> > > > # enable_decode_oversized_alerts must be enabled for this to work:
> > > > #
> > > > # config enable_decode_oversized_drops
> > > > #
> > > >
> > > > # Configure the detection engine
> > > > # ===============================
> > > > #
> > > > # Use a different pattern matcher in case you have a machine with 
> > > > very limited # resources:
> > > > #
> > > > # config detection: search-method lowmem
> > > >
> > > > # Configure Inline Resets
> > > > # ========================
> > > > #
> > > > # If running an iptables firewall with snort in InlineMode() we can 
> > > > now # perform resets via a physical device. We grab the indev from 
> > > > iptables # and use this for the interface on which to send resets. 
> > > > This config # option takes an argument for the src mac address you 
> > > > want to use in the # reset packet.  This way the bridge can remain 
> > > > stealthy. If the src mac # option is not set we use the mac address 
> > > > of the indev device. If we # don't set this option we will default 
> > > > to sending resets via raw socket,
> > > > # which needs an ipaddress to be assigned to the int.
> > > > #
> > > > # config layer2resets: 00:06:76:DD:5F:E3
> > > >
> > > > ###################################################
> > > > # Step #2: Configure dynamic loaded libraries
> > > > #
> > > > # If snort was configured to use dynamically loaded libraries, # 
> > > > those libraries can be loaded here. #
> > > > # Each of the following configuration options can be done via
> > > > # the command line as well.
> > > > #
> > > > # Load all dynamic preprocessors from the install path
> > > > # (same as command line option --dynamic-preprocessor-lib-dir)
> > > > #
> > > > dynamicpreprocessor directory
> > /usr/local/lib/snort_dynamicpreprocessor/
> > > > #
> > > > # Load a specific dynamic preprocessor library from the install path
> > > > # (same as command line option --dynamic-preprocessor-lib)
> > > > #
> > > > # dynamicpreprocessor
> > > > file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
> > > > #
> > > > # Load a dynamic engine from the install path
> > > > # (same as command line option --dynamic-engine-lib)
> > > > #
> > > > dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> > > > #
> > > > # Load all dynamic rules libraries from the install path
> > > > # (same as command line option --dynamic-detection-lib-dir)
> > > > #
> > > > # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
> > > > #
> > > > # Load a specific dynamic rule library from the install path
> > > > # (same as command line option --dynamic-detection-lib)
> > > > #
> > > > # dynamicdetection
> > > > file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
> > > > #
> > > >
> > > > ###################################################
> > > > # Step #3: Configure preprocessors
> > > > #
> > > > # General configuration for preprocessors is of
> > > > # the form
> > > > # preprocessor <name_of_processor>: <configuration_options>
> > > >
> > > > # Configure Flow tracking module
> > > > # -------------------------------
> > > > #
> > > > # The Flow tracking module is meant to start unifying the state 
> > > > keeping # mechanisms of snort into a single place. Right now, only a
> > 
> > > > portscan detector # is implemented but in the long term,  many of 
> > > > the stateful subsystems of
> > > > # snort will be migrated over to becoming flow plugins. This must be
> > > > enabled
> > > > # for flow-portscan to work correctly.
> > > > #
> > > > # See README.flow for additional information
> > > > #
> > > > preprocessor flow: stats_interval 0 hash 2
> > > >
> > > > # frag2: IP defragmentation support
> > > > # -------------------------------
> > > > # This preprocessor performs IP defragmentation.  This plugin will 
> > > > also detect # people launching fragmentation attacks (usually DoS) 
> > > > against hosts. No
> > > > # arguments loads the default configuration of the preprocessor,
> > which
> > > > is a 60
> > > > # second timeout and a 4MB fragment buffer.
> > > >
> > > > # The following (comma delimited) options are available for frag2
> > > > #    timeout [seconds] - sets the number of [seconds] that an
> > > > unfinished
> > > > #                        fragment will be kept around waiting for
> > > > completion,
> > > > #                        if this time expires the fragment will be
> > > > flushed
> > > > #    memcap [bytes] - limit frag2 memory usage to [number] bytes
> > > > #                      (default:  4194304)
> > > > #
> > > > #    min_ttl [number] - minimum ttl to accept
> > > > #
> > > > #    ttl_limit [number] - difference of ttl to accept without
> > alerting
> > > > #                         will cause false positves with router flap
> > > > #
> > > > # Frag2 uses Generator ID 113 and uses the following SIDS
> > > > # for that GID:
> > > > #  SID     Event description
> > > > # -----   -------------------
> > > > #   1       Oversized fragment (reassembled frag > 64k bytes)
> > > > #   2       Teardrop-type attack
> > > >
> > > > #preprocessor frag2
> > > >
> > > > # frag3: Target-based IP defragmentation
> > > > # --------------------------------------
> > > > #
> > > > # Frag3 is a brand new IP defragmentation preprocessor that is 
> > > > capable of # performing "target-based" processing of IP fragments.  
> > > > Check out the # README.frag3 file in the doc directory for more 
> > > > background and configuration
> > > > # information.
> > > > #
> > > > # Frag3 configuration is a two step process, a global initialization
> > > > phase
> > > > # followed by the definition of a set of defragmentation engines.
> > > > #
> > > > # Global configuration defines the number of fragmented packets that
> > > > Snort can
> > > > # track at the same time and gives you options regarding the memory
> > cap
> > > > for the
> > > > # subsystem or, optionally, allows you to preallocate all the memory
> > for
> > > > the
> > > > # entire frag3 system.
> > > > #
> > > > # frag3_global options:
> > > > #   max_frags: Maximum number of frag trackers that may be active at
> > > > once.
> > > > #              Default value is 8192.
> > > > #   memcap: Maximum amount of memory that frag3 may access at any
> > given
> > > > time.
> > > > #           Default value is 4MB.
> > > > #   prealloc_frags: Maximum number of individual fragments that may
> > be
> > > > processed
> > > > #                   at once.  This is instead of the memcap system,
> > uses
> > > > static
> > > > #                   allocation to increase performance.  No default
> > > > value.  Each
> > > > #                   preallocated fragment eats ~1550 bytes.
> > > > #
> > > > # Target-based behavior is attached to an engine as a "policy" for
> > > > handling
> > > > # overlaps and retransmissions as enumerated in the Paxson paper.
> > There
> > > > are
> > > > # currently five policy types available: "BSD", "BSD-right",
> > "First",
> > > > "Linux"
> > > > # and "Last".  Engines can be bound to bound to standard Snort CIDR
> > > > blocks or
> > > > # IP lists.
> > > > #
> > > > # frag3_engine options:
> > > > #   timeout: Amount of time a fragmented packet may be active before
> > > > expiring.
> > > > #            Default value is 60 seconds.
> > > > #   ttl_limit: Limit of delta allowable for TTLs of packets in the
> > > > fragments.
> > > > #              Based on the initial received fragment TTL.
> > > > #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs
> > > > below this
> > > > #            value will be discarded.  Default value is 0.
> > > > #   detect_anomalies: Activates frag3's anomaly detection
> > mechanisms.
> > > > #   policy: Target-based policy to assign to this engine.  Default
> > is
> > > > BSD.
> > > > #   bind_to: IP address set to bind this engine to.  Default is all
> > > > hosts.
> > > > #
> > > > # Frag3 configuration example:
> > > > #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
> > > > #preprocessor frag3_engine: policy linux \
> > > > #                           bind_to [10.1.1.12/32,10.1.1.13/32] \
> > > > #                           detect_anomalies
> > > > #preprocessor frag3_engine: policy first \
> > > > #                           bind_to 10.2.1.0/24 \
> > > > #                           detect_anomalies
> > > > #preprocessor frag3_engine: policy last \
> > > > #                           bind_to 10.3.1.0/24
> > > > #preprocessor frag3_engine: policy bsd
> > > >
> > > > preprocessor frag3_global: max_frags 65536
> > > > preprocessor frag3_engine: policy first detect_anomalies
> > > >
> > > >
> > > > # stream4: stateful inspection/stream reassembly for Snort
> > > > #-------------------------------------------------------------------
> > > > ---
> > > > # Use in concert with the -z [all|est] command line switch to defeat
> > > > stick/snot
> > > > # against TCP rules.  Also performs full TCP stream reassembly,
> > stateful
> > > > # inspection of TCP streams, etc.  Can statefully detect various
> > > > portscan
> > > > # types, fingerprinting, ECN, etc.
> > > >
> > > > # stateful inspection directive
> > > > # no arguments loads the defaults (timeout 30, memcap 8388608) # 
> > > > options (options are comma delimited):
> > > > #   detect_scans - stream4 will detect stealth portscans and
> > generate
> > > > alerts
> > > > #                  when it sees them when this option is set
> > > > #   detect_state_problems - detect TCP state problems, this tends to
> > be
> > > > very
> > > > #                           noisy because there are a lot of crappy
> > ip
> > > > stack
> > > > #                           implementations out there
> > > > #
> > > > #   disable_evasion_alerts - turn off the possibly noisy mitigation
> > of
> > > > #                            overlapping sequences.
> > > > #
> > > > #   ttl_limit [number]     - differential of the initial ttl on a
> > > > session versus
> > > > #                             the normal that someone may be playing
> > > > games.
> > > > #                             Routing flap may cause lots of false
> > > > positives.
> > > > #
> > > > #   keepstats [machine|binary] - keep session statistics, add
> > "machine"
> > > > to
> > > > #                         get them in a flat format for machine
> > reading,
> > > > add
> > > > #                         "binary" to get them in a unified binary
> > > > output
> > > > #                         format
> > > > #   noinspect - turn off stateful inspection only
> > > > #   timeout [number] - set the session timeout counter to [number]
> > > > seconds,
> > > > #                      default is 30 seconds
> > > > #   max_sessions [number] - limit the number of sessions stream4
> > keeps
> > > > #                         track of
> > > > #   memcap [number] - limit stream4 memory usage to [number] bytes
> > (does
> > > > #                     not include session tracking, which is set by
> > the
> > > > #                     max_sessions option)
> > > > #   log_flushed_streams - if an event is detected on a stream this
> > > > option will
> > > > #                         cause all packets that are stored in the
> > > > stream4
> > > > #                         packet buffers to be flushed to disk.
> > This
> > > > only
> > > > #                         works when logging in pcap mode!
> > > > #   server_inspect_limit [bytes] - Byte limit on server side
> > inspection.
> > > > #   enable_udp_sessions - turn on tracking of "sessions" over UDP.
> > > > Requires
> > > > #                         configure --enable-stream4udp.  UDP
> > sessions
> > > > are
> > > > #                         only created when there is a rule for the
> > > > sender or
> > > > #                         responder that has a flow or flowbits
> > keyword.
> > > > #   max_udp_sessions [number] - limit the number of simultaneous UDP
> > > > sessions
> > > > #                               to track
> > > > #   udp_ignore_any - Do not inspect UDP packets unless there is a
> > port
> > > > specific
> > > > #                    rule for a given port.  This is a performance
> > > > improvement
> > > > #                    and turns off inspection for udp xxx any -> xxx
> > any
> > > > rules
> > > > #   cache_clean_sessions [number] - Cleanup the session cache by
> > number
> > > > sessions
> > > > #                                   at a time.  The larger the
> > value,
> > > > the
> > > > #                                   more sessions are purged from
> > the
> > > > cache when
> > > > #                                   the session limit or memcap is
> > > > reached.
> > > > #                                   Defaults to 5.
> > > > #
> > > > #
> > > > #
> > > > # Stream4 uses Generator ID 111 and uses the following SIDS # for 
> > > > that GID:
> > > > #  SID     Event description
> > > > # -----   -------------------
> > > > #   1       Stealth activity
> > > > #   2       Evasive RST packet
> > > > #   3       Evasive TCP packet retransmission
> > > > #   4       TCP Window violation
> > > > #   5       Data on SYN packet
> > > > #   6       Stealth scan: full XMAS
> > > > #   7       Stealth scan: SYN-ACK-PSH-URG
> > > > #   8       Stealth scan: FIN scan
> > > > #   9       Stealth scan: NULL scan
> > > > #   10      Stealth scan: NMAP XMAS scan
> > > > #   11      Stealth scan: Vecna scan
> > > > #   12      Stealth scan: NMAP fingerprint scan stateful detect
> > > > #   13      Stealth scan: SYN-FIN scan
> > > > #   14      TCP forward overlap
> > > >
> > > > preprocessor stream4: disable_evasion_alerts
> > > >
> > > > # tcp stream reassembly directive
> > > > # no arguments loads the default configuration
> > > > #   Only reassemble the client,
> > > > #   Only reassemble the default list of ports (See below),
> > > > #   Give alerts for "bad" streams
> > > > #
> > > > # Available options (comma delimited):
> > > > #   clientonly - reassemble traffic for the client side of a
> > connection
> > > > only
> > > > #   serveronly - reassemble traffic for the server side of a
> > connection
> > > > only
> > > > #   both - reassemble both sides of a session
> > > > #   noalerts - turn off alerts from the stream reassembly stage of
> > > > stream4
> > > > #   ports [list] - use the space separated list of ports in [list],
> > > > "all"
> > > > #                  will turn on reassembly for all ports, "default"
> > will
> > > > turn
> > > > #                  on reassembly for ports 21, 23, 25, 42, 53, 80,
> > 110,
> > > > #                  111, 135, 136, 137, 139, 143, 445, 513, 1433,
> > 1521,
> > > > #                  and 3306
> > > > #   favor_old - favor an old segment (based on sequence number) over
> > a
> > > > new one.
> > > > #               This is the default.
> > > > #   favor_new - favor an new segment (based on sequence number) over
> > an
> > > > old one.
> > > > #   overlap_limit [number] - limit on overlaping segments for a
> > session.
> > > > #   flush_on_alert - flushes stream when an alert is generated for a
> > > > session.
> > > > #   flush_behavior [mode] -
> > > > #           default      - use old static flushpoints (default)
> > > > #           large_window - use new larger static flushpoints
> > > > #           random       - use random flushpoints defined by
> > > > flush_base,
> > > > #                          flush_seed and flush_range
> > > > #   flush_base [number] - lowest allowed random flushpoint (512 by
> > > > default)
> > > > #   flush_range [number] - number is the space within which random
> > > > flushpoints
> > > > #                          are generated (default 1213)
> > > > #   flush_seed [number] - seed for the random number generator,
> > defaults
> > > > to
> > > > #                         Snort PID + time
> > > > #
> > > > # Using the default random flushpoints, the smallest flushpoint is 
> > > > 512, # and the largest is 1725 bytes. preprocessor 
> > > > stream4_reassemble preprocessor stream4_reassemble: both,ports 21 23
> > 
> > > > 25 53 80 110 111 139 143 445 513 1433
> > > >
> > > > # stream5: Target Based stateful inspection/stream reassembly for 
> > > > Snort # 
> > > >
> > ---------------------------------------------------------------------
> > > > # EXPERIMENTAL CODE!!!
> > > > #
> > > > # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
> > > > # USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
> > > > # YOU HAVE BEEN WARNED.
> > > > #
> > > > # Stream5 is a target-based stream engine for Snort.  Its
> > functionality
> > > > # replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
> > > > # cannot be used simultaneously.  Comment out the stream4
> > configurations
> > > > # above to use Stream5.
> > > > #
> > > > # See README.stream for details on the configuration options.
> > > > #
> > > > # Example config (that emulates Stream4 with UDP support compiled
> > in)
> > > > # preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > > > #                              track_udp yes
> > > > # preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> > > > # preprocessor stream5_udp: ignore_any_rules
> > > >
> > > >
> > > > # Performance Statistics
> > > > # ----------------------
> > > > # Documentation for this is provided in the Snort Manual.  You 
> > > > should read it. # It is included in the release distribution as 
> > > > doc/snort_manual.pdf #
> > > > # preprocessor perfmonitor: time 300 file /var/snort/snort.stats
> > pktcnt
> > > > 10000
> > > >
> > > > # http_inspect: normalize and detect HTTP traffic and protocol 
> > > > anomalies # # lots of options available here. See 
> > > > doc/README.http_inspect. # unicode.map should be wherever your 
> > > > snort.conf lives, or given # a full path to where snort can find it.
> > > > preprocessor http_inspect: global \
> > > >    iis_unicode_map unicode.map 1252
> > > >
> > > > preprocessor http_inspect_server: server default \
> > > >    profile all ports { 80 8080 8180 } oversize_dir_length 500
> > > >
> > > > #
> > > > #  Example unique server configuration
> > > > #
> > > > #preprocessor http_inspect_server: server 1.1.1.1 \
> > > > #    ports { 80 3128 8080 } \
> > > > #    flow_depth 0 \
> > > > #    ascii no \
> > > > #    double_decode yes \
> > > > #    non_rfc_char { 0x00 } \
> > > > #    chunk_length 500000 \
> > > > #    non_strict \
> > > > #    oversize_dir_length 300 \
> > > > #    no_alerts
> > > >
> > > >
> > > > # rpc_decode: normalize RPC traffic
> > > > # ---------------------------------
> > > > # RPC may be sent in alternate encodings besides the usual 4-byte 
> > > > encoding # that is used by default. This plugin takes the port 
> > > > numbers that RPC # services are running on as arguments - it is 
> > > > assumed that the given ports
> > > > # are actually running this type of service. If not, change the
> > ports or
> > > > turn
> > > > # it off.
> > > > # The RPC decode preprocessor uses generator ID 106
> > > > #
> > > > # arguments: space separated list
> > > > # alert_fragments - alert on any rpc fragmented TCP data
> > > > # no_alert_multiple_requests - don't alert when >1 rpc query is in a
> > > > packet
> > > > # no_alert_large_fragments - don't alert when the fragmented
> > > > #                            sizes exceed the current packet size
> > > > # no_alert_incomplete - don't alert when a single segment
> > > > #                       exceeds the current packet size
> > > >
> > > > preprocessor rpc_decode: 111 32771
> > > >
> > > > # bo: Back Orifice detector
> > > > # -------------------------
> > > > # Detects Back Orifice traffic on the network.
> > > > #
> > > > # arguments:
> > > > #   syntax:
> > > > #     preprocessor bo: noalert { client | server | general |
> > > > snort_attack } \
> > > > #                      drop    { client | server | general |
> > > > snort_attack }
> > > > #   example:
> > > > #     preprocessor bo: noalert { general server } drop {
> > snort_attack }
> > > >
> > > > #
> > > > # The Back Orifice detector uses Generator ID 105 and uses the # 
> > > > following SIDS for that GID:
> > > > #  SID     Event description
> > > > # -----   -------------------
> > > > #   1       Back Orifice traffic detected
> > > > #   2       Back Orifice Client Traffic Detected
> > > > #   3       Back Orifice Server Traffic Detected
> > > > #   4       Back Orifice Snort Buffer Attack
> > > >
> > > > preprocessor bo
> > > >
> > > > # telnet_decode: Telnet negotiation string normalizer
> > > > # ---------------------------------------------------
> > > > # This preprocessor "normalizes" telnet negotiation strings from 
> > > > telnet and ftp # traffic.  It works in much the same way as the 
> > > > http_decode preprocessor,
> > > > # searching for traffic that breaks up the normal data stream of a
> > > > protocol and
> > > > # replacing it with a normalized representation of that traffic so
> > that
> > > > the
> > > > # "content" pattern matching keyword can work without requiring
> > > > modifications.
> > > > # This preprocessor requires no arguments.
> > > > #
> > > > # DEPRECATED in favor of ftp_telnet dynamic preprocessor
> > > > #preprocessor telnet_decode
> > > > #
> > > > # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff
> > > > overflow
> > > > #
> > > >
> > ------------------------------------------------------------------------
> > ---
> > > > # This preprocessor normalizes telnet negotiation strings from
> > telnet
> > > > and
> > > > # ftp traffic.  It looks for traffic that breaks the normal data
> > stream
> > > > # of the protocol, replacing it with a normalized representation of
> > that
> > > > # traffic so that the "content" pattern matching keyword can work
> > > > without
> > > > # requiring modifications.
> > > > #
> > > > # It also performs protocol correctness checks for the FTP command
> > > > channel,
> > > > # and identifies open FTP data transfers.
> > > > #
> > > > # FTPTelnet has numerous options available, please read
> > > > # README.ftptelnet for help configuring the options for the global
> > > > # telnet, ftp server, and ftp client sections for the protocol.
> > > >
> > > > #####
> > > > # Per Step #2, set the following to load the ftptelnet preprocessor 
> > > > # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so> # or
> > 
> > > > use commandline option # --dynamic-preprocessor-lib <full path to 
> > > > libsf_ftptelnet_preproc.so>
> > > >
> > > > preprocessor ftp_telnet: global \
> > > >   encrypted_traffic yes \
> > > >   inspection_type stateful
> > > >
> > > > preprocessor ftp_telnet_protocol: telnet \
> > > >   normalize \
> > > >   ayt_attack_thresh 200
> > > >
> > > > # This is consistent with the FTP rules as of 18 Sept 2004. # CWD 
> > > > can have param length of 200 # MODE has an additional mode of Z 
> > > > (compressed) # Check for string formats in USER & PASS commands
> > > > # Check nDTM commands that set modification time on the file.
> > > > preprocessor ftp_telnet_protocol: ftp server default \
> > > >   def_max_param_len 100 \
> > > >   alt_max_param_len 200 { CWD } \
> > > >   cmd_validity MODE < char ASBCZ > \
> > > >   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> > > >   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> > > >   telnet_cmds yes \
> > > >   data_chan
> > > >
> > > > preprocessor ftp_telnet_protocol: ftp client default \
> > > >   max_resp_len 256 \
> > > >   bounce yes \
> > > >   telnet_cmds yes
> > > >
> > > > # smtp: SMTP normalizer, protocol enforcement and buffer overflow #
> > > >
> > ------------------------------------------------------------------------
> > ---
> > > > # This preprocessor normalizes SMTP commands by removing extraneous
> > > > spaces.
> > > > # It looks for overly long command lines, response lines, and data
> > > > header lines.
> > > > # It can alert on invalid commands, or specific valid commands.  It
> > can
> > > > optionally
> > > > # ignore mail data, and can ignore TLS encrypted data.
> > > > #
> > > > # SMTP has numerous options available, please read README.SMTP for
> > help
> > > > # configuring options.
> > > >
> > > > #####
> > > > # Per Step #2, set the following to load the smtp preprocessor # 
> > > > dynamicpreprocessor <full path to libsf_smtp_preproc.so> # or use 
> > > > commandline option # --dynamic-preprocessor-lib <full path to 
> > > > libsf_smtp_preproc.so>
> > > >
> > > > preprocessor smtp: \
> > > >  ports { 25 } \
> > > >  inspection_type stateful \
> > > >  normalize cmds \
> > > >  normalize_cmds { EXPN VRFY RCPT } \  alt_max_command_line_len 260 {
> > 
> > > > MAIL } \  alt_max_command_line_len 300 { RCPT } \
> > > >  alt_max_command_line_len 500 { HELP HELO ETRN } \
> > > >  alt_max_command_line_len 255 { EXPN VRFY }
> > > >
> > > > # sfPortscan
> > > > # ----------
> > > > # Portscan detection module.  Detects various types of portscans and
> > 
> > > > # portsweeps.  For more information on detection philosophy, alert 
> > > > types, # and detailed portscan information, please refer to the
> > > > README.sfportscan.
> > > > #
> > > > # -configuration options-
> > > > #     proto { tcp udp icmp ip all }
> > > > #       The arguments to the proto option are the types of protocol
> > > > scans that
> > > > #       the user wants to detect.  Arguments should be separated by
> > > > spaces and
> > > > #       not commas.
> > > > #     scan_type { portscan portsweep decoy_portscan
> > distributed_portscan
> > > > all }
> > > > #       The arguments to the scan_type option are the scan types
> > that
> > > > the
> > > > #       user wants to detect.  Arguments should be separated by
> > spaces
> > > > and not
> > > > #       commas.
> > > > #     sense_level { low|medium|high }
> > > > #       There is only one argument to this option and it is the
> > level of
> > > > #       sensitivity in which to detect portscans.  The 'low'
> > sensitivity
> > > > #       detects scans by the common method of looking for response
> > > > errors, such
> > > > #       as TCP RSTs or ICMP unreachables.  This level requires the
> > least
> > > > #       tuning.  The 'medium' sensitivity level detects portscans
> > and
> > > > #       filtered portscans (portscans that receive no response).
> > This
> > > > #       sensitivity level usually requires tuning out scan events
> > from
> > > > NATed
> > > > #       IPs, DNS cache servers, etc.  The 'high' sensitivity level
> > has
> > > > #       lower thresholds for portscan detection and a longer time
> > window
> > > > than
> > > > #       the 'medium' sensitivity level.  Requires more tuning and
> > may be
> > > > noisy
> > > > #       on very active networks.  However, this sensitivity levels
> > > > catches the
> > > > #       most scans.
> > > > #     memcap { positive integer }
> > > > #       The maximum number of bytes to allocate for portscan
> > detection.
> > > > The
> > > > #       higher this number the more nodes that can be tracked.
> > > > #     logfile { filename }
> > > > #       This option specifies the file to log portscan and detailed
> > > > portscan
> > > > #       values to.  If there is not a leading /, then snort logs to
> > the
> > > > #       configured log directory.  Refer to README.sfportscan for
> > > > details on
> > > > #       the logged values in the logfile.
> > > > #     watch_ip { Snort IP List }
> > > > #     ignore_scanners { Snort IP List }
> > > > #     ignore_scanned { Snort IP List }
> > > > #       These options take a snort IP list as the argument.  The
> > > > 'watch_ip'
> > > > #       option specifies the IP(s) to watch for portscan.  The
> > > > #       'ignore_scanners' option specifies the IP(s) to ignore as
> > > > scanners.
> > > > #       Note that these hosts are still watched as scanned hosts.
> > The
> > > > #       'ignore_scanners' option is used to tune alerts from very
> > active
> > > > #       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned'
> > > > option
> > > > #       specifies the IP(s) to ignore as scanned hosts.  Note that
> > these
> > > > hosts
> > > > #       are still watched as scanner hosts.  The 'ignore_scanned'
> > option
> > > > is
> > > > #       used to tune alerts from very active hosts such as syslog
> > > > servers, etc.
> > > > #     detect_ack_scans
> > > > #       This option will include sessions picked up in midstream by
> > the
> > > > stream
> > > > #       module, which is necessary to detect ACK scans.  However,
> > this
> > > > can lead to
> > > > #       false alerts, especially under heavy load with dropped
> > packets;
> > > > which is why
> > > > #       the option is off by default.
> > > > #
> > > > preprocessor sfportscan: proto  { all } \
> > > >                         memcap { 10000000 } \
> > > >                         sense_level { low }
> > > >
> > > > # arpspoof
> > > > #----------------------------------------
> > > > # Experimental ARP detection code from Jeff Nathan, detects ARP 
> > > > attacks, # unicast ARP requests, and specific ARP mapping 
> > > > monitoring.  To make use of # this preprocessor you must specify the
> > 
> > > > IP and hardware address of hosts on
> > > > # the same layer 2 segment as you.  Specify one host IP MAC combo
> > per
> > > > line.
> > > > # Also takes a "-unicast" option to turn on unicast ARP request
> > > > detection.
> > > > # Arpspoof uses Generator ID 112 and uses the following SIDS for
> > that
> > > > GID:
> > > >
> > > > #  SID     Event description
> > > > # -----   -------------------
> > > > #   1       Unicast ARP request
> > > > #   2       Etherframe ARP mismatch (src)
> > > > #   3       Etherframe ARP mismatch (dst)
> > > > #   4       ARP cache overwrite attack
> > > >
> > > > #preprocessor arpspoof
> > > > #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> > > >
> > > > # ssh
> > > > #----------------------------------------
> > > > # EXPERIMENTAL CODE!!!
> > > > #
> > > > # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE! # 
> > > > USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS. # YOU 
> > > > HAVE BEEN WARNED. #
> > > > # The SSH preprocessor detects the following exploits: Gobbles, CRC
> > 32,
> > > > # Secure CRT, and the Protocol Mismatch exploit.
> > > > #
> > > > # Both Gobbles and CRC 32 attacks occur after the key exchange, and
> > are
> > > > # therefore encrypted.  Both attacks involve sending a large payload
> > > > # (20kb+) to the server immediately after the authentication
> > challenge.
> > > > # To detect the attacks, the SSH preprocessor counts the number of
> > bytes
> > > > # transmitted to the server.  If those bytes exceed a pre-defined
> > limit
> > > > # within a pre-define number of packets, an alert is generated.
> > Since
> > > > # Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH
> > > > # version string exchange is used to distinguish the attacks.
> > > > #
> > > > # The Secure CRT and protocol mismatch exploits are observable
> > before
> > > > # the key exchange.
> > > > #
> > > > # SSH has numerous options available, please read README.ssh for
> > help
> > > > # configuring options.
> > > >
> > > > #####
> > > > # Per Step #2, set the following to load the ssh preprocessor # 
> > > > dynamicpreprocessor <full path to libsf_ssh_preproc.so> # or use 
> > > > commandline option # --dynamic-preprocessor-lib <full path to 
> > > > libsf_ssh_preproc.so> #
> > > > #preprocessor ssh: server_ports { 22 } \
> > > > #                  max_client_bytes 19600 \
> > > > #                  max_encrypted_packets 20
> > > >
> > > > # DCE/RPC
> > > > #----------------------------------------
> > > > #
> > > > # The dcerpc preprocessor detects and decodes SMB and DCE/RPC 
> > > > traffic. # It is primarily interested in DCE/RPC data, and only 
> > > > decodes SMB # to get at the DCE/RPC data carried by the SMB layer. #
> > > > # Currently, the preprocessor only handles reassembly of
> > fragmentation
> > > > # at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
> > > > # using both types of fragmentation; with the preprocessor enabled
> > > > # the rules are given a buffer with a reassembled SMB or DCE/RPC
> > > > # packet to examine.
> > > > #
> > > > # At the SMB layer, only fragmentation using WriteAndX is currently
> > > > # reassembled.  Other methods will be handled in future versions of
> > > > # the preprocessor.
> > > > #
> > > > # Autodetection of SMB is done by looking for "\xFFSMB" at the start
> > of
> > > > # the SMB data, as well as checking the NetBIOS header (which is
> > always
> > > > # present for SMB) for the type "SMB Session".
> > > > #
> > > > # Autodetection of DCE/RPC is not as reliable.  Currently, two bytes
> > are
> > > > # checked in the packet.  Assuming that the data is a DCE/RPC
> > header,
> > > > # one byte is checked for DCE/RPC version (5) and another for the
> > type
> > > > # "DCE/RPC Request".  If both match, the preprocessor proceeds with
> > that
> > > > # assumption that it is looking at DCE/RPC data.  If subsequent
> > checks
> > > > # are nonsensical, it ends processing.
> > > > #
> > > > # DCERPC has numerous options available, please read README.dcerpc
> > for
> > > > help
> > > > # configuring options.
> > > >
> > > > #####
> > > > # Per Step #2, set the following to load the dcerpc preprocessor # 
> > > > dynamicpreprocessor <full path to libsf_dcerpc_preproc.so> # or use 
> > > > commandline option # --dynamic-preprocessor-lib <full path to 
> > > > libsf_dcerpc_preproc.so>
> > > >
> > > > preprocessor dcerpc: \
> > > >    autodetect \
> > > >    max_frag_size 3000 \
> > > >    memcap 100000
> > > >
> > > > # DNS
> > > > #----------------------------------------
> > > > # The dns preprocessor (currently) decodes DNS Response traffic # 
> > > > and detects a few vulnerabilities. #
> > > > # DNS has a few options available, please read README.dns for
> > > > # help configuring options.
> > > >
> > > > #####
> > > > # Per Step #2, set the following to load the dns preprocessor # 
> > > > dynamicpreprocessor <full path to libsf_dns_preproc.so> # or use 
> > > > commandline option # --dynamic-preprocessor-lib <full path to 
> > > > libsf_dns_preproc.so>
> > > >
> > > > preprocessor dns: \
> > > >    ports { 53 } \
> > > >    enable_rdata_overflow
> > > >
> > > > ####################################################################
> > > > # Step #4: Configure output plugins
> > > > #
> > > > # Uncomment and configure the output plugins you decide to use.  
> > > > General # configuration for output plugins is of the form: #
> > > > # output <name_of_plugin>: <configuration_options>
> > > > #
> > > > # alert_syslog: log alerts to syslog
> > > > # ----------------------------------
> > > > # Use one or more syslog facilities as arguments.  Win32 can also
> > > > optionally
> > > > # specify a particular hostname/port.  Under Win32, the default
> > hostname
> > > > is
> > > > # '127.0.0.1', and the default port is 514.
> > > > #
> > > > # [Unix flavours should use this format...]
> > > > # output alert_syslog: LOG_AUTH LOG_ALERT
> > > > #
> > > > # [Win32 can use any of these formats...]
> > > > # output alert_syslog: LOG_AUTH LOG_ALERT
> > > > # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> > > > # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> > > >
> > > > # log_tcpdump: log packets in binary tcpdump format
> > > > # -------------------------------------------------
> > > > # The only argument is the output file name.
> > > > #
> > > > # output log_tcpdump: tcpdump.log
> > > >
> > > > # database: log to a variety of databases
> > > > # ---------------------------------------
> > > > # See the README.database file for more information about 
> > > > configuring # and using this plugin. #
> > > > output database: log, mysql, user=snort password=snortuser
> > dbname=snort
> > > > host=localhost
> > > > # output database: alert, postgresql, user=snort dbname=snort
> > > > # output database: log, odbc, user=snort dbname=snort
> > > > # output database: log, mssql, dbname=snort user=snort password=test
> > > > # output database: log, oracle, dbname=snort user=snort
> > password=test
> > > >
> > > > # unified: Snort unified binary format alerting and logging # 
> > > > -------------------------------------------------------------
> > > > # The unified output plugin provides two new formats for logging and
> > 
> > > > generating # alerts from Snort, the "unified" format.  The unified 
> > > > format is a straight
> > > > # binary format for logging data out of Snort that is designed to be
> > > > fast and
> > > > # efficient.  Used with barnyard (the new alert/log processor), most
> > of
> > > > the
> > > > # overhead for logging and alerting to various slow storage
> > mechanisms
> > > > such as
> > > > # databases or the network can now be avoided.
> > > > #
> > > > # Check out the spo_unified.h file for the data formats.
> > > > #
> > > > # Two arguments are supported.
> > > > #    filename - base filename to write to (current time_t is
> > appended)
> > > > #    limit    - maximum size of spool file in MB (default: 128)
> > > > #
> > > > # output alert_unified: filename snort.alert, limit 128
> > > > # output log_unified: filename snort.log, limit 128
> > > >
> > > >
> > > > # prelude: log to the Prelude Hybrid IDS system
> > > > # ---------------------------------------------
> > > > #
> > > > # profile = Name of the Prelude profile to use (default is snort). #
> > > > # Snort priority to IDMEF severity mappings:
> > > > # high < medium < low < info
> > > > #
> > > > # These are the default mapped from classification.config:
> > > > # info   = 4
> > > > # low    = 3
> > > > # medium = 2
> > > > # high   = anything below medium
> > > > #
> > > > # output alert_prelude
> > > > # output alert_prelude: profile=snort-profile-name
> > > >
> > > >
> > > > # You can optionally define new rule types and associate one or more
> > > > output
> > > > # plugins specifically to that type.
> > > > #
> > > > # This example will create a type that will log to just tcpdump.
> > > > # ruletype suspicious
> > > > # {
> > > > #   type log
> > > > #   output log_tcpdump: suspicious.log
> > > > # }
> > > > #
> > > > # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> > > > # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
> > > > Server";)
> > > > #
> > > > # This example will create a rule type that will log to syslog and a
> > > > mysql
> > > > # database:
> > > > # ruletype redalert
> > > > # {
> > > > #   type alert
> > > > #   output alert_syslog: LOG_AUTH LOG_ALERT
> > > > #   output database: log, mysql, user=snort dbname=snort
> > host=localhost
> > > > # }
> > > > #
> > > > # EXAMPLE RULE FOR REDALERT RULETYPE:
> > > > # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
> > > > #   (msg:"Someone is being LEET"; flags:A+;)
> > > >
> > > > #
> > > > # Include classification & priority settings
> > > > # Note for Windows users:  You are advised to make this an absolute
> > > > path,
> > > > # such as:  c:\snort\etc\classification.config
> > > > #
> > > >
> > > > include classification.config
> > > >
> > > > #
> > > > # Include reference systems
> > > > # Note for Windows users:  You are advised to make this an absolute
> > > > path,
> > > > # such as:  c:\snort\etc\reference.config
> > > > #
> > > >
> > > > include reference.config
> > > >
> > > > ####################################################################
> > > > # Step #5: Configure snort with config statements
> > > > #
> > > > # See the snort manual for a full set of configuration references
> > > > #
> > > > # config flowbits_size: 64
> > > > #
> > > > # New global ignore_ports config option from Andy Mullican
> > > > #
> > > > # config ignore_ports: <tcp|udp> <list of ports separated by
> > whitespace>
> > > > # config ignore_ports: tcp 21 6667:6671 1356
> > > > # config ignore_ports: udp 1:17 53
> > > >
> > > >
> > > > ####################################################################
> > > > # Step #6: Customize your rule set
> > > > #
> > > > # Up to date snort rules are available at http://www.snort.org
> > > > #
> > > > # The snort web site has documentation about how to write your own
> > > > custom snort
> > > > # rules.
> > > >
> > > > #=========================================
> > > > # Include all relevant rulesets here
> > > > #
> > > > # The following rulesets are disabled by default:
> > > > #
> > > > #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,
> > > > virus,
> > > > #   chat, multimedia, and p2p
> > > > #
> > > > # These rules are either site policy specific or require tuning in
> > order
> > > > to not
> > > > # generate false positive alerts in most enviornments.
> > > > #
> > > > # Please read the specific include file for more information and
> > > > # README.alert_order for how rule ordering affects how alerts are
> > > > triggered.
> > > > #=========================================
> > > >
> > > > include $RULE_PATH/local.rules
> > > > include $RULE_PATH/bad-traffic.rules
> > > > include $RULE_PATH/exploit.rules
> > > > include $RULE_PATH/scan.rules
> > > > include $RULE_PATH/finger.rules
> > > > include $RULE_PATH/ftp.rules
> > > > include $RULE_PATH/telnet.rules
> > > > include $RULE_PATH/rpc.rules
> > > > include $RULE_PATH/rservices.rules
> > > > include $RULE_PATH/dos.rules
> > > > include $RULE_PATH/ddos.rules
> > > > include $RULE_PATH/dns.rules
> > > > include $RULE_PATH/tftp.rules
> > > >
> > > > include $RULE_PATH/web-cgi.rules
> > > > include $RULE_PATH/web-coldfusion.rules
> > > > include $RULE_PATH/web-iis.rules
> > > > include $RULE_PATH/web-frontpage.rules
> > > > include $RULE_PATH/web-misc.rules
> > > > include $RULE_PATH/web-client.rules
> > > > include $RULE_PATH/web-php.rules
> > > >
> > > > include $RULE_PATH/sql.rules
> > > > include $RULE_PATH/x11.rules
> > > > include $RULE_PATH/icmp.rules
> > > > include $RULE_PATH/netbios.rules
> > > > include $RULE_PATH/misc.rules
> > > > include $RULE_PATH/attack-responses.rules
> > > > include $RULE_PATH/oracle.rules
> > > > include $RULE_PATH/mysql.rules
> > > > include $RULE_PATH/snmp.rules
> > > >
> > > > include $RULE_PATH/smtp.rules
> > > > include $RULE_PATH/imap.rules
> > > > include $RULE_PATH/pop2.rules
> > > > include $RULE_PATH/pop3.rules
> > > >
> > > > include $RULE_PATH/nntp.rules
> > > > include $RULE_PATH/other-ids.rules
> > > > # include $RULE_PATH/web-attacks.rules
> > > > # include $RULE_PATH/backdoor.rules
> > > > # include $RULE_PATH/shellcode.rules
> > > > # include $RULE_PATH/policy.rules
> > > > # include $RULE_PATH/porn.rules
> > > > # include $RULE_PATH/info.rules
> > > > # include $RULE_PATH/icmp-info.rules
> > > > # include $RULE_PATH/virus.rules
> > > > # include $RULE_PATH/chat.rules
> > > > # include $RULE_PATH/multimedia.rules
> > > > # include $RULE_PATH/p2p.rules
> > > > # include $RULE_PATH/spyware-put.rules
> > > > include $RULE_PATH/experimental.rules
> > > >
> > > > # Include any thresholding or suppression commands. See
> > threshold.conf
> > > > in the
> > > > # <snort src>/etc directory for details. Commands don't necessarily
> > need
> > > > to be
> > > > # contained in this conf, but a separate conf makes it easier to
> > > > maintain them.
> > > > # Note for Windows users:  You are advised to make this an absolute
> > > > path,
> > > > # such as:  c:\snort\etc\threshold.conf
> > > > # Uncomment if needed.
> > > > # include threshold.conf
> > > >
> > > >
> > > >
> > ------------------------------------------------------------------------
> > -
> > > > Take Surveys. Earn Cash. Influence the Future of IT
> > > > Join SourceForge.net's Techsay panel and you'll get the chance to
> > share your
> > > > opinions on IT & business topics through brief surveys - and earn
> > cash
> > > >
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDE
> > V
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > 
> > ------------------------------------------------------------------------
> > -
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share
> > your
> > opinions on IT & business topics through brief surveys - and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDE
> > V
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list