[Snort-users] Error getting during snort installation steps on windows (Not able to run snortstart.bat file)

Joel Esler jesler at ...1935...
Wed May 20 09:19:50 EDT 2009


I suggest you take a look in your snort.conf file, look for the word
"syslog".

You won't want to use the -v option.

Joel
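Joel's advice boils down to checking whether snort.conf has an uncommented `output alert_syslog` line. The following is an added example (not code from the thread or from the Snort project): it scans a constructed snort.conf for enabled output plugins, joining backslash-continued directives like the stream5 lines in the quoted config, and reads the `host=<hostname[:port]>` target that the Snort 2.x manual documents for alert_syslog on Windows. The two config snippets and the 127.0.0.1 target (Kiwi on the same machine) are constructed assumptions, not values from the thread.

```python
"""Check which Snort 2.x output plugins a snort.conf actually enables.

Follows Joel's advice in the thread: look in snort.conf for "syslog" and
see whether the alert_syslog output line is commented out. The two config
snippets below are constructed for this example; they are not the file
quoted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: a Step #4 block with the syslog output still commented out,
# plus a backslash-continued directive of the kind the quoted snort.conf
# uses for stream5.
CONF_SYSLOG_OFF = """\
# Step #4: Configure output plugins
#
# output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \\
                             track_udp yes
"""

# Constructed: the same block with syslog output enabled using the
# host=<hostname[:port]> form the Snort 2.x manual documents for the
# Windows build. 127.0.0.1 is an assumed target (Kiwi on the same host).
CONF_SYSLOG_ON = """\
output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
"""

DEFAULT_SYSLOG_PORT = 514


def logical_lines(text: str) -> List[str]:
    """Return directive lines with backslash continuations joined,
    runs of whitespace collapsed, and comments/blank lines dropped."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            # Continuation: keep accumulating into the same directive.
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        line = " ".join(buf.split())
        buf = ""
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def output_plugins(text: str) -> Dict[str, str]:
    """Map each enabled 'output <plugin>: <args>' to its argument string."""
    plugins: Dict[str, str] = {}
    for line in logical_lines(text):
        m = re.match(r"output\s+(\w+)\s*:?\s*(.*)$", line)
        if m:
            plugins[m.group(1)] = m.group(2).strip()
    return plugins


def syslog_enabled(text: str) -> bool:
    """True when an uncommented alert_syslog output line exists."""
    return "alert_syslog" in output_plugins(text)


def syslog_target(text: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from the alert_syslog host= argument, or None
    when syslog output is disabled or no host= target is given."""
    args = output_plugins(text).get("alert_syslog")
    if args is None:
        return None
    m = re.search(r"host=([^\s,:]+)(?::(\d+))?", args)
    if not m:
        return None
    port = int(m.group(2)) if m.group(2) else DEFAULT_SYSLOG_PORT
    return m.group(1), port


def report(text: str) -> str:
    """One-line verdict a list reader could paste back into the thread."""
    plugins = output_plugins(text)
    if not syslog_enabled(text):
        return f"syslog output disabled; enabled plugins: {sorted(plugins)}"
    target = syslog_target(text)
    if target is None:
        return "alert_syslog enabled, no explicit host= target"
    return f"alert_syslog enabled, sending to {target[0]}:{target[1]}"


if __name__ == "__main__":
    for name, conf in (("syslog off", CONF_SYSLOG_OFF),
                       ("syslog on", CONF_SYSLOG_ON)):
        print(f"{name}: {report(conf)}")
```

Running it against a real snort.conf (read the file and pass its text to `report`) tells you in one line whether the "syslog" hit Joel mentions is a live directive or just a commented-out example.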

On Wed, May 20, 2009 at 9:00 AM, Sadanand Ghagare <sadanandgh at ...11827...> wrote:

> Hi Joel,
>
> After enabling verbose mode, I am getting some output. The following change I
> made in snortstart.bat:
>
> c:\snort\bin\snort -v -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>
> but still I am not getting that output in Kiwi. I am new to Snort. Can you
> please let me know the steps to enable syslog output?
> I have installed kiwi syslog server v8.3.52 on the same machine on which I
> have snort installed.
>
> Thanks,
> Sadanand
>
> On Wed, May 20, 2009 at 6:10 PM, Joel Esler <jesler at ...1935...> wrote:
>
>> Sadanand,
>>
>> That's the successful completion start up lines.  I see no errors there.
>> I see nothing to indicate that you *should* be receiving alerts in Kiwi, as
>> you don't have the syslog output enabled.  Try configuring that, and
>> restarting Snort.
>>
>> Joel
>>
>> On Wed, May 20, 2009 at 7:05 AM, Sadanand Ghagare <sadanandgh at ...11827...> wrote:
>>
>>> Hi
>>>
>>> I followed the steps to install Snort on Windows 2003 Standard Edition. For
>>> this, I used the method for installing Snort on Windows XP.
>>> After installation, when I tried to run the snortstart.bat file as per step
>>> 12, it got stuck at the following prompt, and I can't see the Snort piggy, nor
>>> am I getting any output in Kiwi.
>>>
>>>         --== Initialization Complete ==--
>>>
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.8.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 26)
>>>    ''''    By Martin Roesch & The Snort Team:
>>> http://www.snort.org/team.html
>>>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>>            Using PCRE version: 7.4 2007-09-21
>>>
>>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.10  <Build 16>
>>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 2>
>>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 1>
>>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 7>
>>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 11>
>>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 2>
>>>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 4>
>>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 1>
>>> Not Using PCAP_FRAMES
>>>
>>> ===================================
>>>
>>> Here is my snortstart.conf file:
>>>
>>> c:\snort\bin\snort -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>>>
>>> ================================
>>>
>>> Here is my snort.conf file:
>>>
>>> #VERSION:284
>>> #--------------------------------------------------
>>> #   http://www.snort.org     Snort current Ruleset
>>> #     Contact: snort-sigs at lists.sourceforge.net
>>> #--------------------------------------------------
>>> # $Id: snort.conf,v 1.183.4.6 2009/04/08 21:40:16 mwatchinski Exp $
>>> #
>>> ###################################################
>>> # This file contains a sample snort configuration.
>>> # You can take the following steps to create your own custom configuration:
>>> #
>>> #  1) Set the variables for your network
>>> #  2) Configure dynamic loaded libraries
>>> #  3) Configure preprocessors
>>> #  4) Configure output plugins
>>> #  5) Add any runtime config directives
>>> #  6) Customize your rule set
>>> #
>>> ###################################################
>>> # Step #1: Set the network variables:
>>> #
>>> # You must change the following variables to reflect your local network.  The
>>> # variable is currently setup for an RFC 1918 address space.
>>> #
>>> # You can specify it explicitly as:
>>> #
>>> # var HOME_NET 10.1.1.0/24
>>> #
>>> # or use global variable $<interfacename>_ADDRESS which will be always
>>> # initialized to IP address and netmask of the network interface which you run
>>> # snort at.  Under Windows, this must be specified as
>>> # $(<interfacename>_ADDRESS), such as:
>>> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
>>> #
>>> # var HOME_NET $eth0_ADDRESS
>>> #
>>> # You can specify lists of IP addresses for HOME_NET
>>> # by separating the IPs with commas like this:
>>> #
>>> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>>> #
>>> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>>> #
>>> # or you can specify the variable to be any IP address
>>> # like this:
>>>
>>> # Set up network addresses you are protecting.  A simple start might be RFC1918
>>> var HOME_NET any
>>>
>>> # Set up the external network addresses as well.  A good start may be "any"
>>> var EXTERNAL_NET any
>>>
>>> # Configure your server lists.  This allows snort to only look for attacks to
>>> # systems that have a service up.  Why look for HTTP attacks if you are not
>>> # running a web server?  This allows quick filtering based on IP addresses
>>> # These configurations MUST follow the same configuration scheme as defined
>>> # above for $HOME_NET.
>>>
>>> # List of DNS servers on your network
>>> var DNS_SERVERS $HOME_NET
>>>
>>> # List of SMTP servers on your network
>>> var SMTP_SERVERS $HOME_NET
>>>
>>> # List of web servers on your network
>>> var HTTP_SERVERS $HOME_NET
>>>
>>> # List of sql servers on your network
>>> var SQL_SERVERS $HOME_NET
>>>
>>> # List of telnet servers on your network
>>> var TELNET_SERVERS $HOME_NET
>>>
>>> # List of snmp servers on your network
>>> var SNMP_SERVERS $HOME_NET
>>>
>>> # List of ftp servers on your network
>>> var FTP_SERVERS $HOME_NET
>>>
>>> # List of ssh servers on your network
>>> var SSH_SERVERS $HOME_NET
>>>
>>> # List of pop2/3 servers on your network
>>> var POP_SERVERS $HOME_NET
>>>
>>> # List of imap servers on your network
>>> var IMAP_SERVERS $HOME_NET
>>>
>>> # List of SunRPC servers on your network
>>> var RPC_SERVERS $HOME_NET
>>>
>>> # List of web servers on your network
>>> var WWW_SERVERS $HOME_NET
>>>
>>> # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
>>> # modifying the signatures when they do, we add them to this list of servers.
>>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>>
>>>
>>> # Configure your service ports.  This allows snort to look for attacks destined
>>> # to a specific application only on the ports that application runs on.  For
>>> # example, if you run a web server on port 8081, set your HTTP_PORTS variable
>>> # like this:
>>> #
>>> # var HTTP_PORTS 8081
>>> #
>>> # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
>>> # We will be adding support for a real list of ports in the future.
>>>
>>> # Ports you run web servers on
>>> #
>>> # Please note:  [80,8080] does not work.
>>> # If you wish to define multiple HTTP ports, use the following convention
>>> # when customizing your rule set (as part of Step #6 below).  This should
>>> # not be done here, as the rules files may depend on the classifications
>>> # and/or references, which are included below.
>>> #
>>> ## var HTTP_PORTS 80
>>> ## include somefile.rules
>>> ## var HTTP_PORTS 8080
>>> ## include somefile.rules
>>>
>>> # HTTP Ports on your network
>>> portvar HTTP_PORTS [80,2301,3128,8000,8080,8180,8888]
>>>
>>> # Ports you want to look for SHELLCODE on.
>>> portvar SHELLCODE_PORTS !80
>>>
>>> # Ports you do oracle attacks on
>>> portvar ORACLE_PORTS 1521
>>>
>>> # Auth / ident
>>> portvar AUTH_PORTS 113
>>>
>>> # DNS
>>> portvar DNS_PORTS 53
>>>
>>> # Finger
>>> portvar FINGER_PORTS 79
>>>
>>> # Ftp
>>> portvar FTP_PORTS 21
>>>
>>> # Imap
>>> portvar IMAP_PORTS 143
>>>
>>> # IRC
>>> portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
>>>
>>> # MS-SQL
>>> portvar MSSQL_PORTS 1433
>>>
>>> # NNTP
>>> portvar NNTP_PORTS 119
>>>
>>> # POP2
>>> portvar POP2_PORTS 109
>>>
>>> # POP3
>>> portvar POP3_PORTS 110
>>>
>>> # PortMapper
>>> portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
>>>
>>> # rlogin
>>> portvar RLOGIN_PORTS 513
>>>
>>> # rsh
>>> portvar RSH_PORTS 514
>>>
>>> # smb
>>> portvar SMB_PORTS [139,445]
>>>
>>> # smtp
>>> portvar SMTP_PORTS 25
>>>
>>> # snmp
>>> portvar SNMP_PORTS 161
>>>
>>> # ssh
>>> portvar SSH_PORTS 22
>>>
>>> # telnet
>>> portvar TELNET_PORTS 23
>>>
>>> # mail this for compatibility with versions of snort that support port lists
>>> portvar MAIL_PORTS [25,143,465,691]
>>>
>>> # SSL Ports
>>> portvar SSL_PORTS [25,443,465,636,993,995]
>>>
>>> # DCERPC NCACN-IP-TCP
>>> portvar DCERPC_NCACN_IP_TCP [139,445]
>>> portvar DCERPC_NCADG_IP_UDP [138,1024:]
>>> portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
>>> portvar DCERPC_NCACN_UDP_LONG [135,1024:]
>>> portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
>>> portvar DCERPC_NCACN_TCP [2103,2105,2107]
>>> portvar DCERPC_BRIGHTSTORE [6503,6504]
>>>
>>> # Path to your rules files (this can be a relative path)
>>> # Note for Windows users:  You are advised to make this an absolute path,
>>> # such as:  c:\snort\rules
>>> var RULE_PATH C:\snort\rules
>>>
>>> # Configure the snort decoder
>>> # ============================
>>> #
>>> # Snort's decoder will alert on lots of things such as header
>>> # truncation or options of unusual length or infrequently used tcp options
>>> #
>>> #
>>> # Stop generic decode events:
>>> #
>>> # config disable_decode_alerts
>>> #
>>> # Stop Alerts on experimental TCP options
>>> #
>>> # config disable_tcpopt_experimental_alerts
>>> #
>>> # Stop Alerts on obsolete TCP options
>>> #
>>> # config disable_tcpopt_obsolete_alerts
>>> #
>>> # Stop Alerts on T/TCP alerts
>>> #
>>> # In snort 2.0.1 and above, this only alerts when a TCP option is detected
>>> # that shows T/TCP being actively used on the network.  If this is normal
>>> # behavior for your network, disable the next option.
>>> #
>>> # config disable_tcpopt_ttcp_alerts
>>> #
>>> # Stop Alerts on all other TCPOption type events:
>>> #
>>> # config disable_tcpopt_alerts
>>> #
>>> # Stop Alerts on invalid ip options
>>> #
>>> # config disable_ipopt_alerts
>>> #
>>> # Alert if value in length field (IP, TCP, UDP) is greater than the
>>> # actual length of the captured portion of the packet that the length
>>> # is supposed to represent:
>>> #
>>> # config enable_decode_oversized_alerts
>>> #
>>> # Same as above, but drop packet if in Inline mode -
>>> # enable_decode_oversized_alerts must be enabled for this to work:
>>> #
>>> # config enable_decode_oversized_drops
>>> #
>>> config checksum_mode: all
>>> config disable_decode_alerts
>>> config disable_tcpopt_experimental_alerts
>>> config disable_tcpopt_obsolete_alerts
>>> config disable_ttcp_alerts
>>> config disable_tcpopt_alerts
>>> config disable_ipopt_alerts
>>> config disable_decode_drops
>>>
>>> # Configure the detection engine
>>> # ===============================
>>> #
>>> # Use a different pattern matcher in case you have a machine with very limited
>>> # resources:
>>> #
>>> # config detection: search-method lowmem
>>>
>>> config detection: search-method ac-bnfa
>>> config detection: max_queue_events 5
>>> config event_queue: max_queue 8 log 3 order_events content_length
>>>
>>> # Configure Inline Resets
>>> # ========================
>>> #
>>> # If running an iptables firewall with snort in InlineMode() we can now
>>> # perform resets via a physical device. We grab the indev from iptables
>>> # and use this for the interface on which to send resets. This config
>>> # option takes an argument for the src mac address you want to use in the
>>> # reset packet.  This way the bridge can remain stealthy. If the src mac
>>> # option is not set we use the mac address of the indev device. If we
>>> # don't set this option we will default to sending resets via raw socket,
>>> # which needs an ipaddress to be assigned to the int.
>>> #
>>> # config layer2resets: 00:06:76:DD:5F:E3
>>>
>>> ###################################################
>>> # Step #2: Configure dynamic loaded libraries
>>> #
>>> # If snort was configured to use dynamically loaded libraries,
>>> # those libraries can be loaded here.
>>> #
>>> # Each of the following configuration options can be done via
>>> # the command line as well.
>>> #
>>> # Load all dynamic preprocessors from the install path
>>> # (same as command line option --dynamic-preprocessor-lib-dir)
>>> #
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
>>>
>>> # Comment out above and uncomment this if running OSX
>>> #
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.dylib
>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.dylib
>>>
>>> #
>>> # Load a specific dynamic preprocessor library from the install path
>>> # (same as command line option --dynamic-preprocessor-lib)
>>> #
>>> # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
>>> #
>>> # Load a dynamic engine from the install path
>>> # (same as command line option --dynamic-engine-lib)
>>> #
>>> dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
>>> #
>>> # Load all dynamic rules libraries from the install path
>>> # (same as command line option --dynamic-detection-lib-dir)
>>> #
>>> # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
>>> #
>>> # Load a specific dynamic rule library from the install path
>>> # (same as command line option --dynamic-detection-lib)
>>> #
>>> # Rule packages from the VRT contain a so_rules directory that contains these rules
>>> # you need to compile them using the makefile in the rules package and place
>>> # them here and add them.
>>> #
>>>
>>> # Uncomment if you are using the default VRT SO rules and have them in this directory.
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/bad-traffic.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/chat.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/dos.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/exploit.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/imap.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/misc.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/multimedia.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/netbios.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/nntp.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/p2p.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/smtp.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/sql.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-client.so
>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-misc.so
>>>
>>>
>>> ###################################################
>>> # Step #3: Configure preprocessors
>>> #
>>> # General configuration for preprocessors is of
>>> # the form
>>> # preprocessor <name_of_processor>: <configuration_options>
>>>
>>> # frag3: Target-based IP defragmentation
>>> # --------------------------------------
>>> #
>>> # Frag3 is a brand new IP defragmentation preprocessor that is capable of
>>> # performing "target-based" processing of IP fragments.  Check out the
>>> # README.frag3 file in the doc directory for more background and configuration
>>> # information.
>>> #
>>> # Frag3 configuration is a two step process, a global initialization phase
>>> # followed by the definition of a set of defragmentation engines.
>>> #
>>> # Global configuration defines the number of fragmented packets that Snort can
>>> # track at the same time and gives you options regarding the memory cap for the
>>> # subsystem or, optionally, allows you to preallocate all the memory for the
>>> # entire frag3 system.
>>> #
>>> # frag3_global options:
>>> #   max_frags: Maximum number of frag trackers that may be active at once.
>>> #              Default value is 8192.
>>> #   memcap: Maximum amount of memory that frag3 may access at any given time.
>>> #           Default value is 4MB.
>>> #   prealloc_frags: Maximum number of individual fragments that may be processed
>>> #                   at once.  This is instead of the memcap system, uses static
>>> #                   allocation to increase performance.  No default value.  Each
>>> #                   preallocated fragment eats ~1550 bytes.
>>> #
>>> # Target-based behavior is attached to an engine as a "policy" for handling
>>> # overlaps and retransmissions as enumerated in the Paxson paper.  There are
>>> # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
>>> # and "Last".  Engines can be bound to standard Snort CIDR blocks or
>>> # IP lists.
>>> #
>>> # frag3_engine options:
>>> #   timeout: Amount of time a fragmented packet may be active before expiring.
>>> #            Default value is 60 seconds.
>>> #   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
>>> #              Based on the initial received fragment TTL.
>>> #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
>>> #            value will be discarded.  Default value is 0.
>>> #   detect_anomalies: Activates frag3's anomaly detection mechanisms.
>>> #   policy: Target-based policy to assign to this engine.  Default is Windows.
>>> #   bind_to: IP address set to bind this engine to.  Default is all hosts.
>>> #
>>> # Frag3 configuration example:
>>> #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
>>> #preprocessor frag3_engine: policy linux \
>>> #                           bind_to [10.1.1.12/32,10.1.1.13/32] \
>>> #                           detect_anomalies
>>> #preprocessor frag3_engine: policy first \
>>> #                           bind_to 10.2.1.0/24 \
>>> #                           detect_anomalies
>>> #preprocessor frag3_engine: policy last \
>>> #                           bind_to 10.3.1.0/24
>>> #preprocessor frag3_engine: policy bsd
>>>
>>> preprocessor frag3_global: max_frags 65536
>>> preprocessor frag3_engine: policy windows timeout 180
>>>
>>> # stream5: Target Based stateful inspection/stream reassembly for Snort
>>> # ---------------------------------------------------------------------
>>> # Stream5 is a target-based stream engine for Snort.  Its functionality
>>> # replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
>>> # cannot be used simultaneously.  Comment out the stream4 configurations
>>> # above to use Stream5.
>>> #
>>> # See README.stream5 for details on the configuration options.
>>> #
>>> # Example config (that emulates Stream4 with UDP support compiled in)
>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>>                              track_udp yes
>>> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
>>>                           ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 8000 8080 8180 8888, \
>>>                           ports both 443 465 563 636 989 992 993 994 995
>>> preprocessor stream5_udp: ignore_any_rules
>>>
>>>
>>> # Performance Statistics
>>> # ----------------------
>>> # Documentation for this is provided in the Snort Manual.  You should read it.
>>> # It is included in the release distribution as doc/snort_manual.pdf
>>> #
>>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>>>
>>> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
>>> #
>>> # lots of options available here. See doc/README.http_inspect.
>>> # unicode.map should be wherever your snort.conf lives, or given
>>> # a full path to where snort can find it.
>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>> preprocessor http_inspect_server: \
>>>     server default \
>>>     apache_whitespace no \
>>>     ascii no \
>>>     bare_byte no \
>>>     chunk_length 500000 \
>>>     flow_depth 1460 \
>>>     directory no \
>>>     double_decode no \
>>>     iis_backslash no \
>>>     iis_delimiter no \
>>>     iis_unicode no \
>>>     multi_slash no \
>>>     non_strict \
>>>     oversize_dir_length 500 \
>>>     ports { 80 2301 3128 8000 8080 8180 8888 } \
>>>     u_encode yes \
>>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>     webroot no
>>>
>>> #
>>> #  Example unique server configuration
>>> #
>>> #preprocessor http_inspect_server: server 1.1.1.1 \
>>> #    ports { 80 3128 8080 } \
>>> #    flow_depth 0 \
>>> #    ascii no \
>>> #    double_decode yes \
>>> #    non_rfc_char { 0x00 } \
>>> #    chunk_length 500000 \
>>> #    non_strict \
>>> #    oversize_dir_length 300 \
>>> #    no_alerts
>>>
>>>
>>> # rpc_decode: normalize RPC traffic
>>> # ---------------------------------
>>> # RPC may be sent in alternate encodings besides the usual 4-byte encoding
>>> # that is used by default. This plugin takes the port numbers that RPC
>>> # services are running on as arguments - it is assumed that the given ports
>>> # are actually running this type of service. If not, change the ports or turn
>>> # it off.
>>> # The RPC decode preprocessor uses generator ID 106
>>> #
>>> # arguments: space separated list
>>> # alert_fragments - alert on any rpc fragmented TCP data
>>> # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
>>> # no_alert_large_fragments - don't alert when the fragmented
>>> #                            sizes exceed the current packet size
>>> # no_alert_incomplete - don't alert when a single segment
>>> #                       exceeds the current packet size
>>>
>>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
>>>
>>> # bo: Back Orifice detector
>>> # -------------------------
>>> # Detects Back Orifice traffic on the network.
>>> #
>>> # arguments:
>>> #   syntax:
>>> #     preprocessor bo: noalert { client | server | general | snort_attack } \
>>> #                      drop    { client | server | general | snort_attack }
>>> #   example:
>>> #     preprocessor bo: noalert { general server } drop { snort_attack }
>>>
>>> #
>>> # The Back Orifice detector uses Generator ID 105 and uses the
>>> # following SIDS for that GID:
>>> #  SID     Event description
>>> # -----   -------------------
>>> #   1       Back Orifice traffic detected
>>> #   2       Back Orifice Client Traffic Detected
>>> #   3       Back Orifice Server Traffic Detected
>>> #   4       Back Orifice Snort Buffer Attack
>>>
>>> preprocessor bo
>>>
>>> # telnet_decode: Telnet negotiation string normalizer
>>> # ---------------------------------------------------
>>> # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
>>> # traffic.  It works in much the same way as the http_decode preprocessor,
>>> # searching for traffic that breaks up the normal data stream of a protocol and
>>> # replacing it with a normalized representation of that traffic so that the
>>> # "content" pattern matching keyword can work without requiring modifications.
>>> # This preprocessor requires no arguments.
>>> #
>>> # DEPRECATED in favor of ftp_telnet dynamic preprocessor
>>> #preprocessor telnet_decode
>>> #
>>> # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
>>> # ---------------------------------------------------------------------------
>>> # This preprocessor normalizes telnet negotiation strings from telnet and
>>> # ftp traffic.  It looks for traffic that breaks the normal data stream
>>> # of the protocol, replacing it with a normalized representation of that
>>> # traffic so that the "content" pattern matching keyword can work without
>>> # requiring modifications.
>>> #
>>> # It also performs protocol correctness checks for the FTP command channel,
>>> # and identifies open FTP data transfers.
>>> #
>>> # FTPTelnet has numerous options available, please read
>>> # README.ftptelnet for help configuring the options for the global
>>> # telnet, ftp server, and ftp client sections for the protocol.
>>>
>>> #####
>>> # Per Step #2, set the following to load the ftptelnet preprocessor
>>> # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>>> preprocessor ftp_telnet: \
>>>     global \
>>>     encrypted_traffic yes \
>>>     check_encrypted \
>>>     inspection_type stateful
>>>
>>> preprocessor ftp_telnet_protocol: \
>>>     telnet \
>>>     ayt_attack_thresh 20 \
>>>     normalize ports { 23 } \
>>>     detect_anomalies
>>>
>>> preprocessor ftp_telnet_protocol: \
>>>     ftp server default \
>>>     def_max_param_len 100 \
>>>     ports { 21 2100 } \
>>>     ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
>>>     ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
>>>     ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>>>     ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
>>>     ftp_cmds { FEAT OPTS CEL CMD MACB } \
>>>     ftp_cmds { MDTM REST SIZE MLST MLSD } \
>>>     ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>>     alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
>>>     alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
>>>     alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
>>>     alt_max_param_len 256 { RNTO CWD } \
>>>     alt_max_param_len 400 { PORT } \
>>>     alt_max_param_len 512 { SIZE } \
>>>     chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
>>>     chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>>>     chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
>>>     chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
>>>     chk_str_fmt { FEAT OPTS CEL CMD } \
>>>     chk_str_fmt { MDTM REST SIZE MLST MLSD } \
>>>     chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>>     cmd_validity MODE < char ASBCZ > \
>>>     cmd_validity STRU < char FRP > \
>>>     cmd_validity ALLO < int [ char R int ] > \
>>>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
>>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>>     cmd_validity PORT < host_port >
>>>
>>> preprocessor ftp_telnet_protocol: \
>>>     ftp client default \
>>>     max_resp_len 200 \
>>>     bounce yes \
>>>     telnet_cmds no
>>>
>>> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
>>> # ---------------------------------------------------------------------------
>>> # This preprocessor normalizes SMTP commands by removing extraneous spaces.
>>> # It looks for overly long command lines, response lines, and data header lines.
>>> # It can alert on invalid commands, or specific valid commands.  It can optionally
>>> # ignore mail data, and can ignore TLS encrypted data.
>>> #
>>> # SMTP has numerous options available, please read README.SMTP for help
>>> # configuring options.
>>>
>>> #####
>>> # Per Step #2, set the following to load the smtp preprocessor
>>> # dynamicpreprocessor <full path to libsf_smtp_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>>>
>>> preprocessor SMTP: \
>>>     ports { 25 465 691 } \
>>>     inspection_type stateful \
>>>     normalize cmds \
>>>     valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>>>     normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>>>     max_header_line_len 1000 \
>>>     max_response_line_len 512 \
>>>     alt_max_command_line_len 260 { MAIL } \
>>>     alt_max_command_line_len 300 { RCPT } \
>>>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>>>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>>>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
>>>     alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
>>>     alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>>>     xlink2state { enable }
>>>
>>> # sfPortscan
>>> # ----------
>>> # Portscan detection module.  Detects various types of portscans and
>>> # portsweeps.  For more information on detection philosophy, alert types,
>>> # and detailed portscan information, please refer to the README.sfportscan.
>>> #
>>> # -configuration options-
>>> #     proto { tcp udp icmp ip all }
>>> #       The arguments to the proto option are the types of protocol scans
>>> that
>>> #       the user wants to detect.  Arguments should be separated by
>>> spaces and
>>> #       not commas.
>>> #     scan_type { portscan portsweep decoy_portscan distributed_portscan
>>> all }
>>> #       The arguments to the scan_type option are the scan types that the
>>> #       user wants to detect.  Arguments should be separated by spaces
>>> and not
>>> #       commas.
>>> #     sense_level { low|medium|high }
>>> #       There is only one argument to this option and it is the level of
>>> #       sensitivity in which to detect portscans.  The 'low' sensitivity
>>> #       detects scans by the common method of looking for response errors, such
>>> #       as TCP RSTs or ICMP unreachables.  This level requires the least
>>> #       tuning.  The 'medium' sensitivity level detects portscans and
>>> #       filtered portscans (portscans that receive no response).  This
>>> #       sensitivity level usually requires tuning out scan events from NATed
>>> #       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
>>> #       lower thresholds for portscan detection and a longer time window than
>>> #       the 'medium' sensitivity level.  Requires more tuning and may be noisy
>>> #       on very active networks.  However, this sensitivity level catches the
>>> #       most scans.
>>> #     memcap { positive integer }
>>> #       The maximum number of bytes to allocate for portscan detection.  The
>>> #       higher this number the more nodes that can be tracked.
>>> #     logfile { filename }
>>> #       This option specifies the file to log portscan and detailed portscan
>>> #       values to.  If there is not a leading /, then snort logs to the
>>> #       configured log directory.  Refer to README.sfportscan for details on
>>> #       the logged values in the logfile.
>>> #     watch_ip { Snort IP List }
>>> #     ignore_scanners { Snort IP List }
>>> #     ignore_scanned { Snort IP List }
>>> #       These options take a snort IP list as the argument.  The 'watch_ip'
>>> #       option specifies the IP(s) to watch for portscan.  The
>>> #       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
>>> #       Note that these hosts are still watched as scanned hosts.  The
>>> #       'ignore_scanners' option is used to tune alerts from very active
>>> #       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option
>>> #       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
>>> #       are still watched as scanner hosts.  The 'ignore_scanned' option is
>>> #       used to tune alerts from very active hosts such as syslog servers, etc.
>>> #     detect_ack_scans
>>> #       This option will include sessions picked up in midstream by the stream
>>> #       module, which is necessary to detect ACK scans.  However, this can lead to
>>> #       false alerts, especially under heavy load with dropped packets; which is why
>>> #       the option is off by default.
>>> #
>>> # Disabled by default
>>> #
>>> # preprocessor sfportscan: proto  { all } \
>>> #                         memcap { 10000000 } \
>>> #                         sense_level { low }
>>>
>>> # arpspoof
>>> #----------------------------------------
>>> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
>>> # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
>>> # this preprocessor you must specify the IP and hardware address of hosts on
>>> # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
>>> # Also takes a "-unicast" option to turn on unicast ARP request detection.
>>> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
>>>
>>> #  SID     Event description
>>> # -----   -------------------
>>> #   1       Unicast ARP request
>>> #   2       Etherframe ARP mismatch (src)
>>> #   3       Etherframe ARP mismatch (dst)
>>> #   4       ARP cache overwrite attack
>>>
>>> #preprocessor arpspoof
>>> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>>>
>>> # ssh
>>> #----------------------------------------
>>> # EXPERIMENTAL CODE!!!
>>> #
>>> # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
>>> # USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
>>> # YOU HAVE BEEN WARNED.
>>> #
>>> # The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
>>> # Secure CRT, and the Protocol Mismatch exploit.
>>> #
>>> # Both Gobbles and CRC 32 attacks occur after the key exchange, and are
>>> # therefore encrypted.  Both attacks involve sending a large payload
>>> # (20kb+) to the server immediately after the authentication challenge.
>>> # To detect the attacks, the SSH preprocessor counts the number of bytes
>>> # transmitted to the server.  If those bytes exceed a pre-defined limit
>>> # within a pre-define number of packets, an alert is generated.  Since
>>> # Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH
>>> # version string exchange is used to distinguish the attacks.
>>> #
>>> # The Secure CRT and protocol mismatch exploits are observable before
>>> # the key exchange.
>>> #
>>> # SSH has numerous options available, please read README.ssh for help
>>> # configuring options.
>>>
>>> #####
>>> # Per Step #2, set the following to load the ssh preprocessor
>>> # dynamicpreprocessor <full path to libsf_ssh_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
>>> #
>>> #preprocessor ssh: server_ports { 22 } \
>>> #                  max_client_bytes 19600 \
>>> #                  max_encrypted_packets 20 \
>>> #                  disable_srvoverflow \
>>> #                  disable_protomismatch \
>>> #                  disable_badmsgdir
>>>
>>> #UPDATE HERE MEW#
>>> #----------------------------------------
>>> # SSL Preprocessor configuration
>>> #
>>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted
>>>
>>> # DCE/RPC
>>> #----------------------------------------
>>> #
>>> # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
>>> # It is primarily interested in DCE/RPC data, and only decodes SMB
>>> # to get at the DCE/RPC data carried by the SMB layer.
>>> #
>>> # Currently, the preprocessor only handles reassembly of fragmentation
>>> # at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
>>> # using both types of fragmentation; with the preprocessor enabled
>>> # the rules are given a buffer with a reassembled SMB or DCE/RPC
>>> # packet to examine.
>>> #
>>> # At the SMB layer, only fragmentation using WriteAndX is currently
>>> # reassembled.  Other methods will be handled in future versions of
>>> # the preprocessor.
>>> #
>>> # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
>>> # the SMB data, as well as checking the NetBIOS header (which is always
>>> # present for SMB) for the type "SMB Session".
>>> #
>>> # Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are
>>> # checked in the packet.  Assuming that the data is a DCE/RPC header,
>>> # one byte is checked for DCE/RPC version (5) and another for the type
>>> # "DCE/RPC Request".  If both match, the preprocessor proceeds with that
>>> # assumption that it is looking at DCE/RPC data.  If subsequent checks
>>> # are nonsensical, it ends processing.
>>> #
>>> # DCERPC has numerous options available, please read README.dcerpc for help
>>> # configuring options.
>>>
>>> #####
>>> # Per Step #2, set the following to load the dcerpc preprocessor
>>> # dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>>>
>>> preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
>>> preprocessor dcerpc2_server: default, policy WinXP, \
>>>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>>>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>>>     smb_max_chain 3
>>>
>>> # DNS
>>> #----------------------------------------
>>> # The dns preprocessor (currently) decodes DNS Response traffic
>>> # and detects a few vulnerabilities.
>>> #
>>> # DNS has a few options available, please read README.dns for
>>> # help configuring options.
>>>
>>> #####
>>> # Per Step #2, set the following to load the dns preprocessor
>>> # dynamicpreprocessor <full path to libsf_dns_preproc.so>
>>> # or use commandline option
>>> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>>>
>>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>>
>>> ####################################################################
>>> # Step #4: Configure output plugins
>>> #
>>> # Uncomment and configure the output plugins you decide to use.  General
>>> # configuration for output plugins is of the form:
>>> #
>>> # output <name_of_plugin>: <configuration_options>
>>> #
>>> # alert_syslog: log alerts to syslog
>>> # ----------------------------------
>>> # Use one or more syslog facilities as arguments.  Win32 can also optionally
>>> # specify a particular hostname/port.  Under Win32, the default hostname is
>>> # '127.0.0.1', and the default port is 514.
>>> #
>>> # [Unix flavours should use this format...]
>>> # output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
>>> #
>>> # [Win32 can use any of these formats...]
>>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
>>> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>>>
>>> # log_tcpdump: log packets in binary tcpdump format
>>> # -------------------------------------------------
>>> # The only argument is the output file name.
>>> #
>>> # output log_tcpdump: tcpdump.log
>>>
>>> # database: log to a variety of databases
>>> # ---------------------------------------
>>> # See the README.database file for more information about configuring
>>> # and using this plugin.
>>> #
>>> # output database: log, mysql, user=root password=test dbname=db host=localhost
>>> # output database: alert, postgresql, user=snort dbname=snort
>>> # output database: log, odbc, user=snort dbname=snort
>>> # output database: log, mssql, dbname=snort user=snort password=test
>>> # output database: log, oracle, dbname=snort user=snort password=test
>>>
>>> # unified: Snort unified binary format alerting and logging
>>> # -------------------------------------------------------------
>>> # The unified output plugin provides two new formats for logging and generating
>>> # alerts from Snort, the "unified" format.  The unified format is a straight
>>> # binary format for logging data out of Snort that is designed to be fast and
>>> # efficient.  Used with barnyard (the new alert/log processor), most of the
>>> # overhead for logging and alerting to various slow storage mechanisms such as
>>> # databases or the network can now be avoided.
>>> #
>>> # Check out the spo_unified.h file for the data formats.
>>> #
>>> # Two arguments are supported.
>>> #    filename - base filename to write to (current time_t is appended)
>>> #    limit    - maximum size of spool file in MB (default: 128)
>>> #
>>> # output alert_unified: filename snort.alert, limit 128
>>> # output log_unified: filename snort.log, limit 128
>>>
>>>
>>> # prelude: log to the Prelude Hybrid IDS system
>>> # ---------------------------------------------
>>> #
>>> # profile = Name of the Prelude profile to use (default is snort).
>>> #
>>> # Snort priority to IDMEF severity mappings:
>>> # high < medium < low < info
>>> #
>>> # These are the default mapped from classification.config:
>>> # info   = 4
>>> # low    = 3
>>> # medium = 2
>>> # high   = anything below medium
>>> #
>>> # output alert_prelude
>>> # output alert_prelude: profile=snort-profile-name
>>>
>>>
>>> #
>>> # Include classification & priority settings
>>> # Note for Windows users:  You are advised to make this an absolute path,
>>> # such as:  c:\snort\etc\classification.config
>>> #
>>>
>>> include classification.config
>>>
>>> #
>>> # Include reference systems
>>> # Note for Windows users:  You are advised to make this an absolute path,
>>> # such as:  c:\snort\etc\reference.config
>>> #
>>>
>>> include reference.config
>>>
>>> ####################################################################
>>> # Step #5: Configure snort with config statements
>>> #
>>> # See the snort manual for a full set of configuration references
>>> #
>>> # config flowbits_size: 64
>>> #
>>> # New global ignore_ports config option from Andy Mullican
>>> #
>>> # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
>>> # config ignore_ports: tcp 21 6667:6671 1356
>>> # config ignore_ports: udp 1:17 53
>>>
>>>
>>> ####################################################################
>>> # Step #6: Customize your rule set
>>> #
>>> # Up to date snort rules are available at http://www.snort.org
>>> #
>>> # The snort web site has documentation about how to write your own custom snort
>>> # rules.
>>>
>>> #=========================================
>>> # Include all relevant rulesets here
>>> #
>>> # The following rulesets are disabled by default:
>>> #
>>> #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
>>> #   chat, multimedia, and p2p
>>> #
>>> # These rules are either site policy specific or require tuning in order to not
>>> # generate false positive alerts in most environments.
>>> #
>>> # Please read the specific include file for more information and
>>> # README.alert_order for how rule ordering affects how alerts are triggered.
>>> #=========================================
>>>
>>> include $RULE_PATH/local.rules
>>> # include $RULE_PATH/bad-traffic.rules
>>> include $RULE_PATH/exploit.rules
>>> # include $RULE_PATH/scan.rules
>>> # include $RULE_PATH/finger.rules
>>> include $RULE_PATH/ftp.rules
>>> include $RULE_PATH/telnet.rules
>>> include $RULE_PATH/rpc.rules
>>> include $RULE_PATH/rservices.rules
>>> include $RULE_PATH/dos.rules
>>> include $RULE_PATH/ddos.rules
>>> include $RULE_PATH/dns.rules
>>> # include $RULE_PATH/tftp.rules
>>>
>>> include $RULE_PATH/web-cgi.rules
>>> include $RULE_PATH/web-coldfusion.rules
>>> include $RULE_PATH/web-iis.rules
>>> include $RULE_PATH/web-frontpage.rules
>>> include $RULE_PATH/web-misc.rules
>>> include $RULE_PATH/web-client.rules
>>> include $RULE_PATH/web-php.rules
>>>
>>> include $RULE_PATH/sql.rules
>>> include $RULE_PATH/x11.rules
>>> # include $RULE_PATH/icmp.rules
>>> include $RULE_PATH/netbios.rules
>>> include $RULE_PATH/misc.rules
>>> include $RULE_PATH/attack-responses.rules
>>> include $RULE_PATH/oracle.rules
>>> include $RULE_PATH/mysql.rules
>>> # include $RULE_PATH/snmp.rules
>>>
>>> include $RULE_PATH/smtp.rules
>>> include $RULE_PATH/imap.rules
>>> include $RULE_PATH/pop2.rules
>>> include $RULE_PATH/pop3.rules
>>>
>>> include $RULE_PATH/nntp.rules
>>> # include $RULE_PATH/other-ids.rules
>>> # include $RULE_PATH/web-attacks.rules
>>> include $RULE_PATH/backdoor.rules
>>> # include $RULE_PATH/shellcode.rules
>>> # include $RULE_PATH/policy.rules
>>> # include $RULE_PATH/porn.rules
>>> # include $RULE_PATH/info.rules
>>> # include $RULE_PATH/icmp-info.rules
>>> # include $RULE_PATH/virus.rules
>>> # include $RULE_PATH/chat.rules
>>> # include $RULE_PATH/multimedia.rules
>>> # include $RULE_PATH/p2p.rules
>>> include $RULE_PATH/spyware-put.rules
>>> include $RULE_PATH/specific-threats.rules
>>> # include $RULE_PATH/experimental.rules
>>> # include $RULE_PATH/content-replace.rules
>>> include $RULE_PATH/voip.rules
>>>
>>> # If you're using the so rules you need to do something like the following
>>> # cd into the so_rules directory where you built the so rules
>>> # cat *.rules >> so-rules.rules
>>> # cp to $RULE_PATH/so-rules.rules
>>> # uncomment this line
>>> # include $RULE_PATH/so-rules.rules
>>>
>>> # Include any thresholding or suppression commands. See threshold.conf in the
>>> # <snort src>/etc directory for details. Commands don't necessarily need to be
>>> # contained in this conf, but a separate conf makes it easier to maintain them.
>>> # Note for Windows users:  You are advised to make this an absolute path,
>>> # such as:  c:\snort\etc\threshold.conf
>>> # Uncomment if needed.
>>> # include threshold.conf
>>>
>>> =================================================
>>>
>>>
>>> --
>>>
>>>
>>> Thanks & Regards
>>>
>>> Sadanand G.
>>>
>>>
>>>
>>
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>>
>
>
>
> --
>
>
> Thanks & Regards
>
> Sadanand G.
>



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
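Joel's advice above is to grep snort.conf for "syslog" and enable an output plugin before expecting anything in Kiwi. The script below is an added example, not code from this thread or from the Snort project: it reads a snort.conf the way a practitioner would when checking this, joining backslash-continued lines and ignoring commented-out ones, lists every active `output` statement, and for `alert_syslog` resolves the host and port alerts would be sent to, using the Win32 defaults the conf comments state (127.0.0.1, port 514). The two conf snippets embedded in it are constructed samples that mirror the quoted file, once as posted (every alert_syslog line still commented out) and once with a syslog line enabled.

```python
"""Report which Snort output plugins a snort.conf actually enables.

Added example, not part of the original thread or of Snort itself.  It
joins '\\' continuation lines, drops '#' comments, lists active
'output <plugin>: <options>' statements, and for alert_syslog resolves
the destination using the Win32 defaults given in the conf comments.
"""
import re

# Constructed sample: the alert_syslog section as quoted in the thread,
# with every output line still commented out, plus a wrapped preprocessor
# line to exercise the continuation handling.
SAMPLE_CONF_NO_SYSLOG = """\
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, \\
    trustservers, noinspect_encrypted
include classification.config
"""

# Constructed sample: the same conf after enabling syslog output to a
# Kiwi instance on the local machine, plus a tcpdump log for comparison.
SAMPLE_CONF_SYSLOG = SAMPLE_CONF_NO_SYSLOG + """\
output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
"""

WIN32_DEFAULT_HOST = "127.0.0.1"  # Win32 defaults stated in the conf comments
WIN32_DEFAULT_PORT = 514


def logical_lines(text):
    """Yield logical config lines: comments dropped, '\\' continuations joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # file ended on a continuation line; emit what we have
        yield " ".join(buf)


def output_plugins(text):
    """Return [(plugin_name, option_string)] for every active 'output' statement."""
    found = []
    for line in logical_lines(text):
        m = re.match(r"output\s+(\w+)\s*:?\s*(.*)$", line)
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found


def syslog_target(options):
    """Resolve (host, port) from alert_syslog options like 'host=h[:p], FACILITY ...'.

    A missing host or port falls back to the Win32 defaults.
    """
    m = re.search(r"host=([^\s:,]+)(?::(\d+))?", options)
    if not m:
        return WIN32_DEFAULT_HOST, WIN32_DEFAULT_PORT
    host = m.group(1)
    port = int(m.group(2)) if m.group(2) else WIN32_DEFAULT_PORT
    return host, port


def syslog_status(text):
    """Return (enabled, host, port): whether alert_syslog is active and where it sends."""
    for name, opts in output_plugins(text):
        if name == "alert_syslog":
            host, port = syslog_target(opts)
            return True, host, port
    return False, None, None


if __name__ == "__main__":
    for label, conf in (("as quoted", SAMPLE_CONF_NO_SYSLOG),
                        ("syslog enabled", SAMPLE_CONF_SYSLOG)):
        enabled, host, port = syslog_status(conf)
        print(f"{label}: active outputs={output_plugins(conf)}")
        print(f"{label}: alert_syslog enabled={enabled}, target={host}:{port}")
```

To run it against a real file, read c:\snort\etc\snort.conf into a string and pass it to `syslog_status`; an `enabled=False` result means Snort has no syslog output configured and Kiwi will never see an alert, whatever the sniffing options on the command line. The resolved host and port are what the Kiwi listener on the same machine has to match.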