[Snort-users] Error getting during snort installation steps on windows (Not able to run snortstart.bat file)

Joel Esler jesler at ...1935...
Thu May 21 12:04:52 EDT 2009


I suggest you might check out the syslog documentation to figure this out.
I've only run Snort on Windows once, not by choice, by force, as a test, and
I never logged it to syslog.

J

On Thu, May 21, 2009 at 10:12 AM, Sadanand Ghagare <sadanandgh at ...11827...> wrote:

> Hi Joel,
>
> I have entered the following line in snort.conf:
> output alert_syslog: host=127.0.0.1:514, LOG_Local7 LOG_ALERT
> But I am still not getting output in the Kiwi syslog server.
> Could you help me, please?
> I am using the same Snort Windows system for the Kiwi syslog server.
> Should I try a different syslog daemon? If yes, which one do you
> recommend?
>
> Regards,
> sadanand
>
> On Wed, May 20, 2009 at 6:49 PM, Joel Esler <jesler at ...1935...> wrote:
>
>> I suggest you take a look in your snort.conf file, look for the word
>> "syslog".
>>
>> You won't want to use the -v option.
>>
>> Joel
>>
>>
>> On Wed, May 20, 2009 at 9:00 AM, Sadanand Ghagare <sadanandgh at ...11827...> wrote:
>>
>>> Hi Joel,
>>>
>>> After enabling verbose mode, I am getting some output. I made the following
>>> change in snortstart.bat:
>>>
>>> c:\snort\bin\snort -v -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>>>
>>> But I am still not getting that output in Kiwi. I am new to Snort. Can
>>> you please let me know the steps to enable syslog output?
>>> I have installed Kiwi syslog server v8.3.52 on the same machine on which
>>> I have Snort installed.
>>>
>>> Thanks,
>>> Sadanand
>>>
>>> On Wed, May 20, 2009 at 6:10 PM, Joel Esler <jesler at ...1935...> wrote:
>>>
>>>> Sadanand,
>>>>
>>>> Those are the successful completion startup lines.  I see no errors
>>>> there.  I see nothing to indicate that you *should* be receiving alerts in
>>>> Kiwi, as you don't have the syslog output enabled.  Try configuring that,
>>>> and restarting Snort.
>>>>
>>>> Joel
>>>>
>>>> On Wed, May 20, 2009 at 7:05 AM, Sadanand Ghagare <sadanandgh at ...11827...> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I followed the steps to install Snort on Windows 2003 Standard Edition. For
>>>>> this, I used the method for installing Snort on Win XP.
>>>>> After installation, when I tried to run the snortstart.bat file as per
>>>>> step 12, it got stuck at the following prompt, and I can't see the Snort piggy,
>>>>> nor am I getting any output in Kiwi.
>>>>>
>>>>>         --== Initialization Complete ==--
>>>>>
>>>>>    ,,_     -*> Snort! <*-
>>>>>   o"  )~   Version 2.8.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 26)
>>>>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>>>>>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>>>>            Using PCRE version: 7.4 2007-09-21
>>>>>
>>>>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.10  <Build 16>
>>>>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 2>
>>>>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 1>
>>>>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 7>
>>>>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 11>
>>>>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 2>
>>>>>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 4>
>>>>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 1>
>>>>> Not Using PCAP_FRAMES
>>>>>
>>>>> ===================================
>>>>>
>>>>> Here is my snortstart.conf file:
>>>>>
>>>>> c:\snort\bin\snort -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>>>>>
>>>>> ================================
>>>>>
>>>>> Here is my snort.conf file:
>>>>>
>>>>> #VERSION:284
>>>>> #--------------------------------------------------
>>>>> #   http://www.snort.org     Snort current Ruleset
>>>>> #     Contact: snort-sigs at lists.sourceforge.net
>>>>> #--------------------------------------------------
>>>>> # $Id: snort.conf,v 1.183.4.6 2009/04/08 21:40:16 mwatchinski Exp $
>>>>> #
>>>>> ###################################################
>>>>> # This file contains a sample snort configuration.
>>>>> # You can take the following steps to create your own custom configuration:
>>>>> #
>>>>> #  1) Set the variables for your network
>>>>> #  2) Configure dynamic loaded libraries
>>>>> #  3) Configure preprocessors
>>>>> #  4) Configure output plugins
>>>>> #  5) Add any runtime config directives
>>>>> #  6) Customize your rule set
>>>>> #
>>>>> ###################################################
>>>>> # Step #1: Set the network variables:
>>>>> #
>>>>> # You must change the following variables to reflect your local network. The
>>>>> # variable is currently setup for an RFC 1918 address space.
>>>>> #
>>>>> # You can specify it explicitly as:
>>>>> #
>>>>> # var HOME_NET 10.1.1.0/24
>>>>> #
>>>>> # or use global variable $<interfacename>_ADDRESS which will be always
>>>>> # initialized to IP address and netmask of the network interface which you run
>>>>> # snort at.  Under Windows, this must be specified as
>>>>> # $(<interfacename>_ADDRESS), such as:
>>>>> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
>>>>> #
>>>>> # var HOME_NET $eth0_ADDRESS
>>>>> #
>>>>> # You can specify lists of IP addresses for HOME_NET
>>>>> # by separating the IPs with commas like this:
>>>>> #
>>>>> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>>>>> #
>>>>> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>>>>> #
>>>>> # or you can specify the variable to be any IP address
>>>>> # like this:
>>>>>
>>>>> # Set up network addresses you are protecting.  A simple start might be RFC1918
>>>>> var HOME_NET any
>>>>>
>>>>> # Set up the external network addresses as well.  A good start may be "any"
>>>>> var EXTERNAL_NET any
>>>>>
>>>>> # Configure your server lists.  This allows snort to only look for attacks to
>>>>> # systems that have a service up.  Why look for HTTP attacks if you are not
>>>>> # running a web server?  This allows quick filtering based on IP addresses
>>>>> # These configurations MUST follow the same configuration scheme as defined
>>>>> # above for $HOME_NET.
>>>>>
>>>>> # List of DNS servers on your network
>>>>> var DNS_SERVERS $HOME_NET
>>>>>
>>>>> # List of SMTP servers on your network
>>>>> var SMTP_SERVERS $HOME_NET
>>>>>
>>>>> # List of web servers on your network
>>>>> var HTTP_SERVERS $HOME_NET
>>>>>
>>>>> # List of sql servers on your network
>>>>> var SQL_SERVERS $HOME_NET
>>>>>
>>>>> # List of telnet servers on your network
>>>>> var TELNET_SERVERS $HOME_NET
>>>>>
>>>>> # List of snmp servers on your network
>>>>> var SNMP_SERVERS $HOME_NET
>>>>>
>>>>> # List of ftp servers on your network
>>>>> var FTP_SERVERS $HOME_NET
>>>>>
>>>>> # List of ssh servers on your network
>>>>> var SSH_SERVERS $HOME_NET
>>>>>
>>>>> # List of pop2/3 servers on your network
>>>>> var POP_SERVERS $HOME_NET
>>>>>
>>>>> # List of imap servers on your network
>>>>> var IMAP_SERVERS $HOME_NET
>>>>>
>>>>> # List of SunRPC servers on your network
>>>>> var RPC_SERVERS $HOME_NET
>>>>>
>>>>> # List of web servers on your network
>>>>> var WWW_SERVERS $HOME_NET
>>>>>
>>>>> # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
>>>>> # modifying the signatures when they do, we add them to this list of servers.
>>>>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>>>>
>>>>>
>>>>> # Configure your service ports.  This allows snort to look for attacks destined
>>>>> # to a specific application only on the ports that application runs on.  For
>>>>> # example, if you run a web server on port 8081, set your HTTP_PORTS variable
>>>>> # like this:
>>>>> #
>>>>> # var HTTP_PORTS 8081
>>>>> #
>>>>> # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
>>>>> # We will adding support for a real list of ports in the future.
>>>>>
>>>>> # Ports you run web servers on
>>>>> #
>>>>> # Please note:  [80,8080] does not work.
>>>>> # If you wish to define multiple HTTP ports, use the following convention
>>>>> # when customizing your rule set (as part of Step #6 below).  This should
>>>>> # not be done here, as the rules files may depend on the classifications
>>>>> # and/or references, which are included below.
>>>>> #
>>>>> ## var HTTP_PORTS 80
>>>>> ## include somefile.rules
>>>>> ## var HTTP_PORTS 8080
>>>>> ## include somefile.rules
>>>>>
>>>>> # HTTP Ports on your network
>>>>> portvar HTTP_PORTS [80,2301,3128,8000,8080,8180,8888]
>>>>>
>>>>> # Ports you want to look for SHELLCODE on.
>>>>> portvar SHELLCODE_PORTS !80
>>>>>
>>>>> # Ports you do oracle attacks on
>>>>> portvar ORACLE_PORTS 1521
>>>>>
>>>>> # Auth / ident
>>>>> portvar AUTH_PORTS 113
>>>>>
>>>>> # DNS
>>>>> portvar DNS_PORTS 53
>>>>>
>>>>> # Finger
>>>>> portvar FINGER_PORTS 79
>>>>>
>>>>> # Ftp
>>>>> portvar FTP_PORTS 21
>>>>>
>>>>> # Imap
>>>>> portvar IMAP_PORTS 143
>>>>>
>>>>> # IRC
>>>>> portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
>>>>>
>>>>> # MS-SQL
>>>>> portvar MSSQL_PORTS 1433
>>>>>
>>>>> # NNTP
>>>>> portvar NNTP_PORTS 119
>>>>>
>>>>> # POP2
>>>>> portvar POP2_PORTS 109
>>>>>
>>>>> # POP3
>>>>> portvar POP3_PORTS 110
>>>>>
>>>>> # PortMapper
>>>>> portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
>>>>>
>>>>> # rlogin
>>>>> portvar RLOGIN_PORTS 513
>>>>>
>>>>> # rsh
>>>>> portvar RSH_PORTS 514
>>>>>
>>>>> # smb
>>>>> portvar SMB_PORTS [139,445]
>>>>>
>>>>> # smtp
>>>>> portvar SMTP_PORTS 25
>>>>>
>>>>> # snmp
>>>>> portvar SNMP_PORTS 161
>>>>>
>>>>> # ssh
>>>>> portvar SSH_PORTS 22
>>>>>
>>>>> # telnet
>>>>> portvar TELNET_PORTS 23
>>>>>
>>>>> # mail this for compatability with versions of snort that support port lists
>>>>> portvar MAIL_PORTS [25,143,465,691]
>>>>>
>>>>> # SSL Ports
>>>>> portvar SSL_PORTS [25,443,465,636,993,995]
>>>>>
>>>>> # DCERPC NCACN-IP-TCP
>>>>> portvar DCERPC_NCACN_IP_TCP [139,445]
>>>>> portvar DCERPC_NCADG_IP_UDP [138,1024:]
>>>>> portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
>>>>> portvar DCERPC_NCACN_UDP_LONG [135,1024:]
>>>>> portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
>>>>> portvar DCERPC_NCACN_TCP [2103,2105,2107]
>>>>> portvar DCERPC_BRIGHTSTORE [6503,6504]
>>>>>
>>>>> # Path to your rules files (this can be a relative path)
>>>>> # Note for Windows users:  You are advised to make this an absolute path,
>>>>> # such as:  c:\snort\rules
>>>>> var RULE_PATH C:\snort\rules
>>>>>
>>>>> # Configure the snort decoder
>>>>> # ============================
>>>>> #
>>>>> # Snort's decoder will alert on lots of things such as header
>>>>> # truncation or options of unusual length or infrequently used tcp options
>>>>> #
>>>>> #
>>>>> # Stop generic decode events:
>>>>> #
>>>>> # config disable_decode_alerts
>>>>> #
>>>>> # Stop Alerts on experimental TCP options
>>>>> #
>>>>> # config disable_tcpopt_experimental_alerts
>>>>> #
>>>>> # Stop Alerts on obsolete TCP options
>>>>> #
>>>>> # config disable_tcpopt_obsolete_alerts
>>>>> #
>>>>> # Stop Alerts on T/TCP alerts
>>>>> #
>>>>> # In snort 2.0.1 and above, this only alerts when a TCP option is detected
>>>>> # that shows T/TCP being actively used on the network.  If this is normal
>>>>> # behavior for your network, disable the next option.
>>>>> #
>>>>> # config disable_tcpopt_ttcp_alerts
>>>>> #
>>>>> # Stop Alerts on all other TCPOption type events:
>>>>> #
>>>>> # config disable_tcpopt_alerts
>>>>> #
>>>>> # Stop Alerts on invalid ip options
>>>>> #
>>>>> # config disable_ipopt_alerts
>>>>> #
>>>>> # Alert if value in length field (IP, TCP, UDP) is greater than the
>>>>> # actual length of the captured portion of the packet that the length
>>>>> # is supposed to represent:
>>>>> #
>>>>> # config enable_decode_oversized_alerts
>>>>> #
>>>>> # Same as above, but drop packet if in Inline mode -
>>>>> # enable_decode_oversized_alerts must be enabled for this to work:
>>>>> #
>>>>> # config enable_decode_oversized_drops
>>>>> #
>>>>> config checksum_mode: all
>>>>> config disable_decode_alerts
>>>>> config disable_tcpopt_experimental_alerts
>>>>> config disable_tcpopt_obsolete_alerts
>>>>> config disable_ttcp_alerts
>>>>> config disable_tcpopt_alerts
>>>>> config disable_ipopt_alerts
>>>>> config disable_decode_drops
>>>>>
>>>>> # Configure the detection engine
>>>>> # ===============================
>>>>> #
>>>>> # Use a different pattern matcher in case you have a machine with very limited
>>>>> # resources:
>>>>> #
>>>>> # config detection: search-method lowmem
>>>>>
>>>>> config detection: search-method ac-bnfa
>>>>> config detection: max_queue_events 5
>>>>> config event_queue: max_queue 8 log 3 order_events content_length
>>>>>
>>>>> # Configure Inline Resets
>>>>> # ========================
>>>>> #
>>>>> # If running an iptables firewall with snort in InlineMode() we can now
>>>>> # perform resets via a physical device. We grab the indev from iptables
>>>>> # and use this for the interface on which to send resets. This config
>>>>> # option takes an argument for the src mac address you want to use in the
>>>>> # reset packet.  This way the bridge can remain stealthy. If the src mac
>>>>> # option is not set we use the mac address of the indev device. If we
>>>>> # don't set this option we will default to sending resets via raw socket,
>>>>> # which needs an ipaddress to be assigned to the int.
>>>>> #
>>>>> # config layer2resets: 00:06:76:DD:5F:E3
>>>>>
>>>>> ###################################################
>>>>> # Step #2: Configure dynamic loaded libraries
>>>>> #
>>>>> # If snort was configured to use dynamically loaded libraries,
>>>>> # those libraries can be loaded here.
>>>>> #
>>>>> # Each of the following configuration options can be done via
>>>>> # the command line as well.
>>>>> #
>>>>> # Load all dynamic preprocessors from the install path
>>>>> # (same as command line option --dynamic-preprocessor-lib-dir)
>>>>> #
>>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
>>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
>>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
>>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
>>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
>>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
>>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
>>>>>
>>>>> # Comment out above and uncomment this if running OSX
>>>>> #
>>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.dylib
>>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.dylib
>>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.dylib
>>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.dylib
>>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.dylib
>>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.dylib
>>>>>
>>>>> #
>>>>> # Load a specific dynamic preprocessor library from the install path
>>>>> # (same as command line option --dynamic-preprocessor-lib)
>>>>> #
>>>>> # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
>>>>> #
>>>>> # Load a dynamic engine from the install path
>>>>> # (same as command line option --dynamic-engine-lib)
>>>>> #
>>>>> dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
>>>>> #
>>>>> # Load all dynamic rules libraries from the install path
>>>>> # (same as command line option --dynamic-detection-lib-dir)
>>>>> #
>>>>> # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
>>>>> #
>>>>> # Load a specific dynamic rule library from the install path
>>>>> # (same as command line option --dynamic-detection-lib)
>>>>> #
>>>>> # Rule packages from the VRT contain a so_rules directory that contains these rules
>>>>> # you need to compile them using the makefile in the rules package and place
>>>>> # them here and add them.
>>>>> #
>>>>>
>>>>> # Uncomment if you are using the default VRT SO rules and have them in this directory.
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/bad-traffic.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/chat.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/dos.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/exploit.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/imap.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/misc.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/multimedia.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/netbios.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/nntp.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/p2p.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/smtp.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/sql.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-client.so
>>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-misc.so
>>>>>
>>>>>
>>>>> ###################################################
>>>>> # Step #3: Configure preprocessors
>>>>> #
>>>>> # General configuration for preprocessors is of
>>>>> # the form
>>>>> # preprocessor <name_of_processor>: <configuration_options>
>>>>>
>>>>> # frag3: Target-based IP defragmentation
>>>>> # --------------------------------------
>>>>> #
>>>>> # Frag3 is a brand new IP defragmentation preprocessor that is capable of
>>>>> # performing "target-based" processing of IP fragments.  Check out the
>>>>> # README.frag3 file in the doc directory for more background and configuration
>>>>> # information.
>>>>> #
>>>>> # Frag3 configuration is a two step process, a global initialization phase
>>>>> # followed by the definition of a set of defragmentation engines.
>>>>> #
>>>>> # Global configuration defines the number of fragmented packets that Snort can
>>>>> # track at the same time and gives you options regarding the memory cap for the
>>>>> # subsystem or, optionally, allows you to preallocate all the memory for the
>>>>> # entire frag3 system.
>>>>> #
>>>>> # frag3_global options:
>>>>> #   max_frags: Maximum number of frag trackers that may be active at once.
>>>>> #              Default value is 8192.
>>>>> #   memcap: Maximum amount of memory that frag3 may access at any given time.
>>>>> #           Default value is 4MB.
>>>>> #   prealloc_frags: Maximum number of individual fragments that may be processed
>>>>> #                   at once.  This is instead of the memcap system, uses static
>>>>> #                   allocation to increase performance.  No default value.  Each
>>>>> #                   preallocated fragment eats ~1550 bytes.
>>>>> #
>>>>> # Target-based behavior is attached to an engine as a "policy" for handling
>>>>> # overlaps and retransmissions as enumerated in the Paxson paper.  There are
>>>>> # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
>>>>> # and "Last".  Engines can be bound to standard Snort CIDR blocks or
>>>>> # IP lists.
>>>>> #
>>>>> # frag3_engine options:
>>>>> #   timeout: Amount of time a fragmented packet may be active before expiring.
>>>>> #            Default value is 60 seconds.
>>>>> #   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
>>>>> #              Based on the initial received fragment TTL.
>>>>> #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
>>>>> #            value will be discarded.  Default value is 0.
>>>>> #   detect_anomalies: Activates frag3's anomaly detection mechanisms.
>>>>> #   policy: Target-based policy to assign to this engine.  Default is Windows.
>>>>> #   bind_to: IP address set to bind this engine to.  Default is all hosts.
>>>>> #
>>>>> # Frag3 configuration example:
>>>>> #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
>>>>> #preprocessor frag3_engine: policy linux \
>>>>> #                           bind_to [10.1.1.12/32,10.1.1.13/32] \
>>>>> #                           detect_anomalies
>>>>> #preprocessor frag3_engine: policy first \
>>>>> #                           bind_to 10.2.1.0/24 \
>>>>> #                           detect_anomalies
>>>>> #preprocessor frag3_engine: policy last \
>>>>> #                           bind_to 10.3.1.0/24
>>>>> #preprocessor frag3_engine: policy bsd
>>>>>
>>>>> preprocessor frag3_global: max_frags 65536
>>>>> preprocessor frag3_engine: policy windows timeout 180
>>>>>
>>>>> # stream5: Target Based stateful inspection/stream reassembly for Snort
>>>>> # ---------------------------------------------------------------------
>>>>> # Stream5 is a target-based stream engine for Snort.  Its functionality
>>>>> # replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
>>>>> # cannot be used simultaneously.  Comment out the stream4 configurations
>>>>> # above to use Stream5.
>>>>> #
>>>>> # See README.stream5 for details on the configuration options.
>>>>> #
>>>>> # Example config (that emulates Stream4 with UDP support compiled in)
>>>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>>>>                              track_udp yes
>>>>> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
>>>>>                           ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 8000 8080 8180 8888, \
>>>>>                           ports both 443 465 563 636 989 992 993 994 995
>>>>> preprocessor stream5_udp: ignore_any_rules
>>>>>
>>>>>
>>>>> # Performance Statistics
>>>>> # ----------------------
>>>>> # Documentation for this is provided in the Snort Manual.  You should read it.
>>>>> # It is included in the release distribution as doc/snort_manual.pdf
>>>>> #
>>>>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>>>>>
>>>>> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
>>>>> #
>>>>> # lots of options available here. See doc/README.http_inspect.
>>>>> # unicode.map should be wherever your snort.conf lives, or given
>>>>> # a full path to where snort can find it.
>>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>>>> preprocessor http_inspect_server: \
>>>>>     server default \
>>>>>     apache_whitespace no \
>>>>>     ascii no \
>>>>>     bare_byte no \
>>>>>     chunk_length 500000 \
>>>>>     flow_depth 1460 \
>>>>>     directory no \
>>>>>     double_decode no \
>>>>>     iis_backslash no \
>>>>>     iis_delimiter no \
>>>>>     iis_unicode no \
>>>>>     multi_slash no \
>>>>>     non_strict \
>>>>>     oversize_dir_length 500 \
>>>>>     ports { 80 2301 3128 8000 8080 8180 8888 } \
>>>>>     u_encode yes \
>>>>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>>>     webroot no
>>>>>
>>>>> #
>>>>> #  Example unique server configuration
>>>>> #
>>>>> #preprocessor http_inspect_server: server 1.1.1.1 \
>>>>> #    ports { 80 3128 8080 } \
>>>>> #    flow_depth 0 \
>>>>> #    ascii no \
>>>>> #    double_decode yes \
>>>>> #    non_rfc_char { 0x00 } \
>>>>> #    chunk_length 500000 \
>>>>> #    non_strict \
>>>>> #    oversize_dir_length 300 \
>>>>> #    no_alerts
>>>>>
>>>>>
>>>>> # rpc_decode: normalize RPC traffic
>>>>> # ---------------------------------
>>>>> # RPC may be sent in alternate encodings besides the usual 4-byte encoding
>>>>> # that is used by default. This plugin takes the port numbers that RPC
>>>>> # services are running on as arguments - it is assumed that the given ports
>>>>> # are actually running this type of service. If not, change the ports or turn
>>>>> # it off.
>>>>> # The RPC decode preprocessor uses generator ID 106
>>>>> #
>>>>> # arguments: space separated list
>>>>> # alert_fragments - alert on any rpc fragmented TCP data
>>>>> # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
>>>>> # no_alert_large_fragments - don't alert when the fragmented
>>>>> #                            sizes exceed the current packet size
>>>>> # no_alert_incomplete - don't alert when a single segment
>>>>> #                       exceeds the current packet size
>>>>>
>>>>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
>>>>>
>>>>> # bo: Back Orifice detector
>>>>> # -------------------------
>>>>> # Detects Back Orifice traffic on the network.
>>>>> #
>>>>> # arguments:
>>>>> #   syntax:
>>>>> #     preprocessor bo: noalert { client | server | general | snort_attack } \
>>>>> #                      drop    { client | server | general | snort_attack }
>>>>> #   example:
>>>>> #     preprocessor bo: noalert { general server } drop { snort_attack }
>>>>>
>>>>> #
>>>>> # The Back Orifice detector uses Generator ID 105 and uses the
>>>>> # following SIDS for that GID:
>>>>> #  SID     Event description
>>>>> # -----   -------------------
>>>>> #   1       Back Orifice traffic detected
>>>>> #   2       Back Orifice Client Traffic Detected
>>>>> #   3       Back Orifice Server Traffic Detected
>>>>> #   4       Back Orifice Snort Buffer Attack
>>>>>
>>>>> preprocessor bo
>>>>>
>>>>> # telnet_decode: Telnet negotiation string normalizer
>>>>> # ---------------------------------------------------
>>>>> # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
>>>>> # traffic.  It works in much the same way as the http_decode preprocessor,
>>>>> # searching for traffic that breaks up the normal data stream of a protocol and
>>>>> # replacing it with a normalized representation of that traffic so that the
>>>>> # "content" pattern matching keyword can work without requiring modifications.
>>>>> # This preprocessor requires no arguments.
>>>>> #
>>>>> # DEPRECATED in favor of ftp_telnet dynamic preprocessor
>>>>> #preprocessor telnet_decode
>>>>> #
>>>>> # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
>>>>> # ---------------------------------------------------------------------------
>>>>> # This preprocessor normalizes telnet negotiation strings from telnet and
>>>>> # ftp traffic.  It looks for traffic that breaks the normal data stream
>>>>> # of the protocol, replacing it with a normalized representation of that
>>>>> # traffic so that the "content" pattern matching keyword can work without
>>>>> # requiring modifications.
>>>>> #
>>>>> # It also performs protocol correctness checks for the FTP command channel,
>>>>> # and identifies open FTP data transfers.
>>>>> #
>>>>> # FTPTelnet has numerous options available, please read
>>>>> # README.ftptelnet for help configuring the options for the global
>>>>> # telnet, ftp server, and ftp client sections for the protocol.
>>>>>
>>>>> #####
>>>>> # Per Step #2, set the following to load the ftptelnet preprocessor
>>>>> # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
>>>>> # or use commandline option
>>>>> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>>>>> preprocessor ftp_telnet: \
>>>>>     global \
>>>>>     encrypted_traffic yes \
>>>>>     check_encrypted \
>>>>>     inspection_type stateful
>>>>>
>>>>> preprocessor ftp_telnet_protocol: \
>>>>>     telnet \
>>>>>     ayt_attack_thresh 20 \
>>>>>     normalize ports { 23 } \
>>>>>     detect_anomalies
>>>>>
>>>>> preprocessor ftp_telnet_protocol: \
>>>>>     ftp server default \
>>>>>     def_max_param_len 100 \
>>>>>     ports { 21 2100 } \
>>>>>     ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
>>>>>     ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
>>>>>     ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>>>>>     ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
>>>>>     ftp_cmds { FEAT OPTS CEL CMD MACB } \
>>>>>     ftp_cmds { MDTM REST SIZE MLST MLSD } \
>>>>>     ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>>>>     alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
>>>>>     alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
>>>>>     alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
>>>>>     alt_max_param_len 256 { RNTO CWD } \
>>>>>     alt_max_param_len 400 { PORT } \
>>>>>     alt_max_param_len 512 { SIZE } \
>>>>>     chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
>>>>>     chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>>>>>     chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
>>>>>     chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
>>>>>     chk_str_fmt { FEAT OPTS CEL CMD } \
>>>>>     chk_str_fmt { MDTM REST SIZE MLST MLSD } \
>>>>>     chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>>>>     cmd_validity MODE < char ASBCZ > \
>>>>>     cmd_validity STRU < char FRP > \
>>>>>     cmd_validity ALLO < int [ char R int ] > \
>>>>>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
>>>>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>>>>     cmd_validity PORT < host_port >
>>>>>
>>>>> preprocessor ftp_telnet_protocol: \
>>>>>     ftp client default \
>>>>>     max_resp_len 200 \
>>>>>     bounce yes \
>>>>>     telnet_cmds no
>>>>>
>>>>> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
>>>>> # ---------------------------------------------------------------------------
>>>>> # This preprocessor normalizes SMTP commands by removing extraneous spaces.
>>>>> # It looks for overly long command lines, response lines, and data header lines.
>>>>> # It can alert on invalid commands, or specific valid commands.  It can optionally
>>>>> # ignore mail data, and can ignore TLS encrypted data.
>>>>> #
>>>>> # SMTP has numerous options available, please read README.SMTP for help
>>>>> # configuring options.
>>>>>
>>>>> #####
>>>>> # Per Step #2, set the following to load the smtp preprocessor
>>>>> # dynamicpreprocessor <full path to libsf_smtp_preproc.so>
>>>>> # or use commandline option
>>>>> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>>>>>
>>>>> preprocessor SMTP: \
>>>>>     ports { 25 465 691 } \
>>>>>     inspection_type stateful \
>>>>>     normalize cmds \
>>>>>     valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>>>>>     normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
>>>>>     max_header_line_len 1000 \
>>>>>     max_response_line_len 512 \
>>>>>     alt_max_command_line_len 260 { MAIL } \
>>>>>     alt_max_command_line_len 300 { RCPT } \
>>>>>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>>>>>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL
>>>>> ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>>>>>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN
>>>>> PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
>>>>>     alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB
>>>>> X-EXPS X-LINK2STATE XADR } \
>>>>>     alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE
>>>>> XQUEU XSTA XTRN XUSR } \
>>>>>     xlink2state { enable }
>>>>>
>>>>> # sfPortscan
>>>>> # ----------
>>>>> # Portscan detection module.  Detects various types of portscans and
>>>>> # portsweeps.  For more information on detection philosophy, alert types,
>>>>> # and detailed portscan information, please refer to the README.sfportscan.
>>>>> #
>>>>> # -configuration options-
>>>>> #     proto { tcp udp icmp ip all }
>>>>> #       The arguments to the proto option are the types of protocol scans that
>>>>> #       the user wants to detect.  Arguments should be separated by spaces and
>>>>> #       not commas.
>>>>> #     scan_type { portscan portsweep decoy_portscan distributed_portscan all }
>>>>> #       The arguments to the scan_type option are the scan types that the
>>>>> #       user wants to detect.  Arguments should be separated by spaces and not
>>>>> #       commas.
>>>>> #     sense_level { low|medium|high }
>>>>> #       There is only one argument to this option and it is the level of
>>>>> #       sensitivity in which to detect portscans.  The 'low' sensitivity
>>>>> #       detects scans by the common method of looking for response errors, such
>>>>> #       as TCP RSTs or ICMP unreachables.  This level requires the least
>>>>> #       tuning.  The 'medium' sensitivity level detects portscans and
>>>>> #       filtered portscans (portscans that receive no response).  This
>>>>> #       sensitivity level usually requires tuning out scan events from NATed
>>>>> #       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
>>>>> #       lower thresholds for portscan detection and a longer time window than
>>>>> #       the 'medium' sensitivity level.  Requires more tuning and may be noisy
>>>>> #       on very active networks.  However, this sensitivity levels catches the
>>>>> #       most scans.
>>>>> #     memcap { positive integer }
>>>>> #       The maximum number of bytes to allocate for portscan detection.  The
>>>>> #       higher this number the more nodes that can be tracked.
>>>>> #     logfile { filename }
>>>>> #       This option specifies the file to log portscan and detailed portscan
>>>>> #       values to.  If there is not a leading /, then snort logs to the
>>>>> #       configured log directory.  Refer to README.sfportscan for details on
>>>>> #       the logged values in the logfile.
>>>>> #     watch_ip { Snort IP List }
>>>>> #     ignore_scanners { Snort IP List }
>>>>> #     ignore_scanned { Snort IP List }
>>>>> #       These options take a snort IP list as the argument.  The 'watch_ip'
>>>>> #       option specifies the IP(s) to watch for portscan.  The
>>>>> #       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
>>>>> #       Note that these hosts are still watched as scanned hosts.  The
>>>>> #       'ignore_scanners' option is used to tune alerts from very active
>>>>> #       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option
>>>>> #       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
>>>>> #       are still watched as scanner hosts.  The 'ignore_scanned' option is
>>>>> #       used to tune alerts from very active hosts such as syslog servers, etc.
>>>>> #     detect_ack_scans
>>>>> #       This option will include sessions picked up in midstream by the stream
>>>>> #       module, which is necessary to detect ACK scans.  However, this can lead to
>>>>> #       false alerts, especially under heavy load with dropped packets; which is why
>>>>> #       the option is off by default.
>>>>> #
>>>>> # Disabled by default
>>>>> #
>>>>> # preprocessor sfportscan: proto  { all } \
>>>>> #                         memcap { 10000000 } \
>>>>> #                         sense_level { low }
>>>>>
>>>>> # arpspoof
>>>>> #----------------------------------------
>>>>> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
>>>>> # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
>>>>> # this preprocessor you must specify the IP and hardware address of hosts on
>>>>> # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
>>>>> # Also takes a "-unicast" option to turn on unicast ARP request detection.
>>>>> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
>>>>>
>>>>> #  SID     Event description
>>>>> # -----   -------------------
>>>>> #   1       Unicast ARP request
>>>>> #   2       Etherframe ARP mismatch (src)
>>>>> #   3       Etherframe ARP mismatch (dst)
>>>>> #   4       ARP cache overwrite attack
>>>>>
>>>>> #preprocessor arpspoof
>>>>> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>>>>>
>>>>> # ssh
>>>>> #----------------------------------------
>>>>> # EXPERIMENTAL CODE!!!
>>>>> #
>>>>> # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
>>>>> # USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
>>>>> # YOU HAVE BEEN WARNED.
>>>>> #
>>>>> # The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
>>>>> # Secure CRT, and the Protocol Mismatch exploit.
>>>>> #
>>>>> # Both Gobbles and CRC 32 attacks occur after the key exchange, and are
>>>>> # therefore encrypted.  Both attacks involve sending a large payload
>>>>> # (20kb+) to the server immediately after the authentication challenge.
>>>>> # To detect the attacks, the SSH preprocessor counts the number of bytes
>>>>> # transmitted to the server.  If those bytes exceed a pre-defined limit
>>>>> # within a pre-define number of packets, an alert is generated.  Since
>>>>> # Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH
>>>>> # version string exchange is used to distinguish the attacks.
>>>>> #
>>>>> # The Secure CRT and protocol mismatch exploits are observable before
>>>>> # the key exchange.
>>>>> #
>>>>> # SSH has numerous options available, please read README.ssh for help
>>>>> # configuring options.
>>>>>
>>>>> #####
>>>>> # Per Step #2, set the following to load the ssh preprocessor
>>>>> # dynamicpreprocessor <full path to libsf_ssh_preproc.so>
>>>>> # or use commandline option
>>>>> # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
>>>>> #
>>>>> #preprocessor ssh: server_ports { 22 } \
>>>>> #                  max_client_bytes 19600 \
>>>>> #                  max_encrypted_packets 20 \
>>>>> #                  disable_srvoverflow \
>>>>> #                  disable_protomismatch \
>>>>> #                  disable_badmsgdir
>>>>>
>>>>> #UPDATE HERE MEW#
>>>>> #----------------------------------------
>>>>> # SSL Preprocessor configuration
>>>>> #
>>>>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted
>>>>>
>>>>> # DCE/RPC
>>>>> #----------------------------------------
>>>>> #
>>>>> # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
>>>>> # It is primarily interested in DCE/RPC data, and only decodes SMB
>>>>> # to get at the DCE/RPC data carried by the SMB layer.
>>>>> #
>>>>> # Currently, the preprocessor only handles reassembly of fragmentation
>>>>> # at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
>>>>> # using both types of fragmentation; with the preprocessor enabled
>>>>> # the rules are given a buffer with a reassembled SMB or DCE/RPC
>>>>> # packet to examine.
>>>>> #
>>>>> # At the SMB layer, only fragmentation using WriteAndX is currently
>>>>> # reassembled.  Other methods will be handled in future versions of
>>>>> # the preprocessor.
>>>>> #
>>>>> # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
>>>>> # the SMB data, as well as checking the NetBIOS header (which is always
>>>>> # present for SMB) for the type "SMB Session".
>>>>> #
>>>>> # Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are
>>>>> # checked in the packet.  Assuming that the data is a DCE/RPC header,
>>>>> # one byte is checked for DCE/RPC version (5) and another for the type
>>>>> # "DCE/RPC Request".  If both match, the preprocessor proceeds with that
>>>>> # assumption that it is looking at DCE/RPC data.  If subsequent checks
>>>>> # are nonsensical, it ends processing.
>>>>> #
>>>>> # DCERPC has numerous options available, please read README.dcerpc for help
>>>>> # configuring options.
>>>>>
>>>>> #####
>>>>> # Per Step #2, set the following to load the dcerpc preprocessor
>>>>> # dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
>>>>> # or use commandline option
>>>>> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>>>>>
>>>>> preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
>>>>> preprocessor dcerpc2_server: default, policy WinXP, \
>>>>>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>>>>>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>>>>>     smb_max_chain 3
>>>>>
>>>>> # DNS
>>>>> #----------------------------------------
>>>>> # The dns preprocessor (currently) decodes DNS Response traffic
>>>>> # and detects a few vulnerabilities.
>>>>> #
>>>>> # DNS has a few options available, please read README.dns for
>>>>> # help configuring options.
>>>>>
>>>>> #####
>>>>> # Per Step #2, set the following to load the dns preprocessor
>>>>> # dynamicpreprocessor <full path to libsf_dns_preproc.so>
>>>>> # or use commandline option
>>>>> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>>>>>
>>>>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>>>>
>>>>> ####################################################################
>>>>> # Step #4: Configure output plugins
>>>>> #
>>>>> # Uncomment and configure the output plugins you decide to use.  General
>>>>> # configuration for output plugins is of the form:
>>>>> #
>>>>> # output <name_of_plugin>: <configuration_options>
>>>>> #
>>>>> # alert_syslog: log alerts to syslog
>>>>> # ----------------------------------
>>>>> # Use one or more syslog facilities as arguments.  Win32 can also optionally
>>>>> # specify a particular hostname/port.  Under Win32, the default hostname is
>>>>> # '127.0.0.1', and the default port is 514.
>>>>> #
>>>>> # [Unix flavours should use this format...]
>>>>> # output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
>>>>> #
>>>>> # [Win32 can use any of these formats...]
>>>>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>>>> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
>>>>> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>>>>>
>>>>> # log_tcpdump: log packets in binary tcpdump format
>>>>> # -------------------------------------------------
>>>>> # The only argument is the output file name.
>>>>> #
>>>>> # output log_tcpdump: tcpdump.log
>>>>>
>>>>> # database: log to a variety of databases
>>>>> # ---------------------------------------
>>>>> # See the README.database file for more information about configuring
>>>>> # and using this plugin.
>>>>> #
>>>>> # output database: log, mysql, user=root password=test dbname=db host=localhost
>>>>> # output database: alert, postgresql, user=snort dbname=snort
>>>>> # output database: log, odbc, user=snort dbname=snort
>>>>> # output database: log, mssql, dbname=snort user=snort password=test
>>>>> # output database: log, oracle, dbname=snort user=snort password=test
>>>>>
>>>>> # unified: Snort unified binary format alerting and logging
>>>>> # -------------------------------------------------------------
>>>>> # The unified output plugin provides two new formats for logging and generating
>>>>> # alerts from Snort, the "unified" format.  The unified format is a straight
>>>>> # binary format for logging data out of Snort that is designed to be fast and
>>>>> # efficient.  Used with barnyard (the new alert/log processor), most of the
>>>>> # overhead for logging and alerting to various slow storage mechanisms such as
>>>>> # databases or the network can now be avoided.
>>>>> #
>>>>> # Check out the spo_unified.h file for the data formats.
>>>>> #
>>>>> # Two arguments are supported.
>>>>> #    filename - base filename to write to (current time_t is appended)
>>>>> #    limit    - maximum size of spool file in MB (default: 128)
>>>>> #
>>>>> # output alert_unified: filename snort.alert, limit 128
>>>>> # output log_unified: filename snort.log, limit 128
>>>>>
>>>>>
>>>>> # prelude: log to the Prelude Hybrid IDS system
>>>>> # ---------------------------------------------
>>>>> #
>>>>> # profile = Name of the Prelude profile to use (default is snort).
>>>>> #
>>>>> # Snort priority to IDMEF severity mappings:
>>>>> # high < medium < low < info
>>>>> #
>>>>> # These are the default mapped from classification.config:
>>>>> # info   = 4
>>>>> # low    = 3
>>>>> # medium = 2
>>>>> # high   = anything below medium
>>>>> #
>>>>> # output alert_prelude
>>>>> # output alert_prelude: profile=snort-profile-name
>>>>>
>>>>>
>>>>> #
>>>>> # Include classification & priority settings
>>>>> # Note for Windows users:  You are advised to make this an absolute path,
>>>>> # such as:  c:\snort\etc\classification.config
>>>>> #
>>>>>
>>>>> include classification.config
>>>>>
>>>>> #
>>>>> # Include reference systems
>>>>> # Note for Windows users:  You are advised to make this an absolute path,
>>>>> # such as:  c:\snort\etc\reference.config
>>>>> #
>>>>>
>>>>> include reference.config
>>>>>
>>>>> ####################################################################
>>>>> # Step #5: Configure snort with config statements
>>>>> #
>>>>> # See the snort manual for a full set of configuration references
>>>>> #
>>>>> # config flowbits_size: 64
>>>>> #
>>>>> # New global ignore_ports config option from Andy Mullican
>>>>> #
>>>>> # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
>>>>> # config ignore_ports: tcp 21 6667:6671 1356
>>>>> # config ignore_ports: udp 1:17 53
>>>>>
>>>>>
>>>>> ####################################################################
>>>>> # Step #6: Customize your rule set
>>>>> #
>>>>> # Up to date snort rules are available at http://www.snort.org
>>>>> #
>>>>> # The snort web site has documentation about how to write your own custom snort
>>>>> # rules.
>>>>>
>>>>> #=========================================
>>>>> # Include all relevant rulesets here
>>>>> #
>>>>> # The following rulesets are disabled by default:
>>>>> #
>>>>> #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
>>>>> #   chat, multimedia, and p2p
>>>>> #
>>>>> # These rules are either site policy specific or require tuning in order to not
>>>>> # generate false positive alerts in most environments.
>>>>> #
>>>>> # Please read the specific include file for more information and
>>>>> # README.alert_order for how rule ordering affects how alerts are triggered.
>>>>> #=========================================
>>>>>
>>>>> include $RULE_PATH/local.rules
>>>>> # include $RULE_PATH/bad-traffic.rules
>>>>> include $RULE_PATH/exploit.rules
>>>>> # include $RULE_PATH/scan.rules
>>>>> # include $RULE_PATH/finger.rules
>>>>> include $RULE_PATH/ftp.rules
>>>>> include $RULE_PATH/telnet.rules
>>>>> include $RULE_PATH/rpc.rules
>>>>> include $RULE_PATH/rservices.rules
>>>>> include $RULE_PATH/dos.rules
>>>>> include $RULE_PATH/ddos.rules
>>>>> include $RULE_PATH/dns.rules
>>>>> # include $RULE_PATH/tftp.rules
>>>>>
>>>>> include $RULE_PATH/web-cgi.rules
>>>>> include $RULE_PATH/web-coldfusion.rules
>>>>> include $RULE_PATH/web-iis.rules
>>>>> include $RULE_PATH/web-frontpage.rules
>>>>> include $RULE_PATH/web-misc.rules
>>>>> include $RULE_PATH/web-client.rules
>>>>> include $RULE_PATH/web-php.rules
>>>>>
>>>>> include $RULE_PATH/sql.rules
>>>>> include $RULE_PATH/x11.rules
>>>>> # include $RULE_PATH/icmp.rules
>>>>> include $RULE_PATH/netbios.rules
>>>>> include $RULE_PATH/misc.rules
>>>>> include $RULE_PATH/attack-responses.rules
>>>>> include $RULE_PATH/oracle.rules
>>>>> include $RULE_PATH/mysql.rules
>>>>> # include $RULE_PATH/snmp.rules
>>>>>
>>>>> include $RULE_PATH/smtp.rules
>>>>> include $RULE_PATH/imap.rules
>>>>> include $RULE_PATH/pop2.rules
>>>>> include $RULE_PATH/pop3.rules
>>>>>
>>>>> include $RULE_PATH/nntp.rules
>>>>> # include $RULE_PATH/other-ids.rules
>>>>> # include $RULE_PATH/web-attacks.rules
>>>>> include $RULE_PATH/backdoor.rules
>>>>> # include $RULE_PATH/shellcode.rules
>>>>> # include $RULE_PATH/policy.rules
>>>>> # include $RULE_PATH/porn.rules
>>>>> # include $RULE_PATH/info.rules
>>>>> # include $RULE_PATH/icmp-info.rules
>>>>> # include $RULE_PATH/virus.rules
>>>>> # include $RULE_PATH/chat.rules
>>>>> # include $RULE_PATH/multimedia.rules
>>>>> # include $RULE_PATH/p2p.rules
>>>>> include $RULE_PATH/spyware-put.rules
>>>>> include $RULE_PATH/specific-threats.rules
>>>>> # include $RULE_PATH/experimental.rules
>>>>> # include $RULE_PATH/content-replace.rules
>>>>> include $RULE_PATH/voip.rules
>>>>>
>>>>> # If you're using the so rules you need to do something like the following
>>>>> # cd into the so_rules directory where you built the so rules
>>>>> # cat *.rules >> so-rules.rules
>>>>> # cp to $RULE_PATH/so-rules.rules
>>>>> # uncomment this line
>>>>> # include $RULE_PATH/so-rules.rules
>>>>>
>>>>> # Include any thresholding or suppression commands. See threshold.conf in the
>>>>> # <snort src>/etc directory for details. Commands don't necessarily need to be
>>>>> # contained in this conf, but a separate conf makes it easier to maintain them.
>>>>> # Note for Windows users:  You are advised to make this an absolute path,
>>>>> # such as:  c:\snort\etc\threshold.conf
>>>>> # Uncomment if needed.
>>>>> # include threshold.conf
>>>>>
>>>>> =================================================
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>> Thanks & Regards
>>>>>
>>>>> Sadanand G.
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>> Thanks & Regards
>>>
>>> Sadanand G.
>>>
>>
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>>
>
>
>
> --
>
>
> Thanks & Regards
>
> Sadanand G.
>



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
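
The thread turns on whether an `output alert_syslog` directive is actually active in snort.conf; in the quoted file every output example under Step #4 is commented out. As an added example (not part of the original messages and not Snort's own code), this Python script lists the active alert_syslog directives in a config and the syslog PRI value a collector should expect. The function names, both constructed sample configs, the case-insensitive keyword matching and the LOG_AUTH/LOG_ALERT fallback are assumptions of the example.

```python
import re

# Standard syslog numeric codes; PRI = facility * 8 + severity.
FACILITY = {"LOG_USER": 1, "LOG_DAEMON": 3, "LOG_AUTH": 4, "LOG_AUTHPRIV": 10,
            **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
SEVERITY = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
            "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}
OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}

# Constructed sample: like the quoted file, the syslog line is commented out.
SAMPLE_COMMENTED = r"""
preprocessor ftp_telnet_protocol: \
    ftp client default \
    max_resp_len 200
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
# output log_tcpdump: tcpdump.log
include classification.config
"""

# Constructed sample: the directive reported later in the thread, uncommented.
SAMPLE_ENABLED = SAMPLE_COMMENTED + (
    "output alert_syslog: host=127.0.0.1:514, LOG_Local7 LOG_ALERT\n")


def logical_lines(text):
    """Yield active directives, joining backslash continuations."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        yield (pending + line).strip()
        pending = ""
    if pending.strip():
        yield pending.strip()  # file ended in the middle of a continuation


def syslog_outputs(text):
    """Return one dict per active 'output alert_syslog' directive."""
    found = []
    for line in logical_lines(text):
        m = re.match(r"output\s+alert_syslog\s*(?::\s*(.*))?$", line, re.I)
        if not m:
            continue
        args = m.group(1) or ""
        host, port = "127.0.0.1", 514  # Win32 defaults named in snort.conf
        hm = re.match(r"host=([^,:\s]+)(?::(\d+))?\s*,?\s*", args, re.I)
        if hm:
            host, port = hm.group(1), int(hm.group(2) or 514)
            args = args[hm.end():]
        tokens = [t.upper() for t in args.split()]  # assumption: case-insensitive
        fac = next((t for t in tokens if t in FACILITY), "LOG_AUTH")   # assumed default
        sev = next((t for t in tokens if t in SEVERITY), "LOG_ALERT")  # assumed default
        known = FACILITY.keys() | SEVERITY.keys() | OPTIONS
        found.append({"host": host, "port": port, "facility": fac,
                      "severity": sev, "pri": FACILITY[fac] * 8 + SEVERITY[sev],
                      "unknown": [t for t in tokens if t not in known]})
    return found


if __name__ == "__main__":
    print(syslog_outputs(SAMPLE_COMMENTED))  # no active syslog output
    print(syslog_outputs(SAMPLE_ENABLED))
```

A PRI of 185 decodes to facility local7 with severity alert, which is the value to filter on at the collector.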