[Snort-users] community.rules file - failure error during restart or start of snort

Michael Brown mike.a.brown09 at ...11827...
Wed Apr 30 14:44:37 EDT 2014


Can you send us the complete output when you run snort?

---
Thank you,

Michael A. Brown
mike.a.brown09 at ...11827...
(757) 912-0836
M.S. Forensic Studies: Computer Forensics
B.S. Information Technology: Network Specialist

"The only thing necessary for the triumph of evil is for good men to do
nothing" -Edmund Burke


On Wed, Apr 30, 2014 at 2:42 PM, Farnsworth, Robert <
robert.farnsworth at ...6440...> wrote:

>  Sorry, I understand that but the only thing I get when the command is
> run is *failure*, it does not display any other message. If you can tell
> me how to run the command in a DIAG mode that would be great, or how to get
> more information please let me know.
>
>
>
> From: Michael Brown [mailto:mike.a.brown09 at ...11827...]
> Sent: Wednesday, April 30, 2014 2:40 PM
> To: Farnsworth, Robert
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] community.rules file - failure error during restart or start of snort
>
>
>
> What is the actual failure message? That is what we need.
>
>
>   ---
> Thank you,
>
> Michael A. Brown
> mike.a.brown09 at ...11827...
> (757) 912-0836
>
> M.S. Forensic Studies: Computer Forensics
> B.S. Information Technology: Network Specialist
>
> "The only thing necessary for the triumph of evil is for good men to do
> nothing" -Edmund Burke
>
>
>
> On Wed, Apr 30, 2014 at 2:30 PM, Farnsworth, Robert <
> robert.farnsworth at ...6440...> wrote:
>
> The error is that the service fails to start.
>
> When we run this command /etc/init.d/snort_rc start or the restart, snort fails to start when this is listed in the snort.conf file -- include $RULE_PATH/community.rules. When we remove this line it starts fine.
>
> The community rules file is in the proper directory
>
>
>
> From: Michael Brown [mailto:mike.a.brown09 at ...11827...]
> Sent: Wednesday, April 30, 2014 2:25 PM
> To: Farnsworth, Robert
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] community.rules file - failure error during restart or start of snort
>
>
>
> I still do not see the actual error message. When you say you are getting
> a failure are you seeing something that says ERROR: <errorMessage>? Or what
> is happening?
>
> I am using the community.rules file (which I have to update on my server)
> and all I did was add the following line to snort.conf and restarted snort
>
> include $RULE_PATH/community.rules
>
>
> Since I have added this line to my snort.conf I have not had any issues.
>
>
>
>
>   ---
> Thank you,
>
> Michael A. Brown
> mike.a.brown09 at ...11827...
>
> M.S. Forensic Studies: Computer Forensics
> B.S. Information Technology: Network Specialist
>
> "The only thing necessary for the triumph of evil is for good men to do
> nothing" -Edmund Burke
>
>
>
> On Wed, Apr 30, 2014 at 2:10 PM, Farnsworth, Robert <
> robert.farnsworth at ...6440...> wrote:
>
> Trying to get compliant with the recently announced IE issue.
>
> I have added the latest community.rules file to the rules directory and updated my snort.conf, but am getting a "failure" error when doing a restart/start.
>
> Snort starts fine without the include $RULE_PATH/community.rules entry
>
> Not sure if this helps but get this in the /var/adm/messages file
>
> Apr 30 09:40:04 snort[19732]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 17684, GID: 3 not registered properly.  Disabling this rule.
>
> /usr/local$ snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4.6 GRE (Build 73)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.4.0
>            Using PCRE version: 8.33 2013-05-28
>            Using ZLIB version: 1.2.3
>
> /etc/init.d/snort_rc start  or  /etc/init.d/snort_rc restart
>
> snort.conf file
>
> #--------------------------------------------------
> #   VRT Rule Packages Snort.conf
> #
> #   For more information visit us at:
> #     http://www.snort.org                   Snort Website
> #     http://vrt-sourcefire.blogspot.com/    Sourcefire VRT Blog
> #
> #     Mailing list Contact:      snort-sigs at lists.sourceforge.net
> #     False Positive reports:    fp at ...1935...
> #     Snort bugs:                bugs at ...950...
> #
> #     Compatible with Snort Versions:
> #     VERSIONS : 2.9.0.1
> #
> #     Snort build options:
> #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
> #--------------------------------------------------
>
> ###################################################
> # This file contains a sample snort configuration.
> # You should take the following steps to create your own custom configuration:
> #
> #  1) Set the network variables.
> #  2) Configure the decoder
> #  3) Configure the base detection engine
> #  4) Configure dynamic loaded libraries
> #  5) Configure preprocessors
> #  6) Configure output plugins
> #  7) Customize your rule set
> #  8) Customize preprocessor and decoder rule set
> #  9) Customize shared object rule set
> ###################################################
>
> ###################################################
> # Step #1: Set the network variables.  For more information, see README.variables
> ###################################################
>
> # Setup the network addresses you are protecting
> #var HOME_NET any
> #var HOME_NET any
> var HOME_NET any
>
> # Set up the external network addresses. Leave as "any" in most situations
> var EXTERNAL_NET any
>
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
>
> # List of ssh servers on your network
> var SSH_SERVERS $HOME_NET
>
> # List of ports you run web servers on
> portvar HTTP_PORTS [80,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8181,8243,8280,8888,9090,9091,9443,9999,11371]
>
> # List of ports you want to look for SHELLCODE on.
> portvar SHELLCODE_PORTS !80
>
> # List of ports you might see oracle attacks on
> portvar ORACLE_PORTS 1024:
>
> # List of ports you want to look for SSH connections on:
> portvar SSH_PORTS 22
>
> # other variables, these should not be modified
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
> # Path to your rules files (this can be a relative path)
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\rules
> var RULE_PATH ../rules
> var SO_RULE_PATH ../so_rules
> var PREPROC_RULE_PATH ../preproc_rules
>
> ###################################################
> # Step #2: Configure the decoder.  For more information, see README.decode
> ###################################################
>
> # Stop generic decode events:
> #config disable_decode_alerts
>
> # Stop Alerts on experimental TCP options
> #config disable_tcpopt_experimental_alerts
>
> # Stop Alerts on obsolete TCP options
> #config disable_tcpopt_obsolete_alerts
>
> # Stop Alerts on T/TCP alerts
> #config disable_tcpopt_ttcp_alerts
>
> # Stop Alerts on all other TCPOption type events:
> #config disable_tcpopt_alerts
>
> # Stop Alerts on invalid ip options
> #config disable_ipopt_alerts
>
> # Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
> config enable_decode_oversized_alerts
>
> # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
> config enable_decode_oversized_drops
>
> # Configure IP / TCP checksum mode
> config checksum_mode: all
>
> # Configure maximum number of flowbit references.  For more information, see README.flowbits
> # config flowbits_size: 64
>
> # Configure ports to ignore
> # config ignore_ports: tcp 21 6667:6671 1356
> # config ignore_ports: udp 1:17 53
> #
> # Our "Core" interface is e1000g5
> #
> config interface: e1000g5
>
> # Configure active response for non inline operation. For more information, see REAMDE.active
> # config response: eth0 attempts 2
>
> ###################################################
> # Step #3: Configure the base detection engine.  For more information, see  README.decode
> ###################################################
>
> # Configure PCRE match limitations
> config pcre_match_limit: 3500
> config pcre_match_limit_recursion: 1500
>
> # Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
> config detection: search-method ac-split search-optimize max-pattern-len 20
>
> # Configure the event queue.  For more information, see README.event_queue
> config event_queue: max_queue 8 log 3 order_events content_length
>
> ###################################################
> # Per packet and rule latency enforcement
> # For more information see README.ppm
> ###################################################
>
> # Per Packet latency configuration
> #config ppm: max-pkt-time 250, \
> #   fastpath-expensive-packets, \
> #   pkt-log
>
> # Per Rule latency configuration
> #config ppm: max-rule-time 200, \
> #   threshold 3, \
> #   suspend-expensive-rules, \
> #   suspend-timeout 20, \
> #   rule-log alert
>
> ###################################################
> # Configure Perf Profiling for debugging
> # For more information see README.PerfProfiling
> ###################################################
>
> #config profile_rules: print all, sort avg_ticks
> #config profile_preprocs: print all, sort avg_ticks
>
> ###################################################
> # Step #4: Configure dynamic loaded libraries.
> # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
> ###################################################
>
> # path to dynamic preprocessor libraries
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
>
> # path to base preprocessor engine
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
> # path to dynamic rules libraries
> dynamicdetection directory /usr/local/lib/snort_dynamicrules
>
> ###################################################
> # Step #5: Configure preprocessors
> # For more information, see the Snort Manual, Configuring Snort - Preprocessors
> ###################################################
>
> # Inline packet normalization. For more information, see README.normalize
> # Does nothing in IDS mode
> #preprocessor normalize_ip4
> #preprocessor normalize_tcp: ips ecn stream
> #preprocessor normalize_icmp4
> #preprocessor normalize_ip6
> #preprocessor normalize_icmp6
>
> # Target-based IP defragmentation.  For more inforation, see README.frag3
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>
> # Target-Based stateful inspection/stream reassembly.  For more inforation, see README.stream5
> preprocessor stream5_global: max_tcp 8192, track_tcp no, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>         161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>     ports both 80 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 5250 7907 7001 7802 7777 7779 \
>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>         7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371
> preprocessor stream5_udp: timeout 180
>
> # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>
> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
> preprocessor http_inspect: global \
>         iis_unicode_map unicode.map 1252 \
>         compress_depth 20480 decompress_depth 20480
>
> preprocessor http_inspect_server: server default \
>     chunk_length 500000 \
>     server_flow_depth 0 \
>     client_flow_depth 0 \
>     post_depth 65495 \
>         oversize_dir_length 500 \
>     max_header_length 750 \
>     max_headers 100 \
>     ports { 80 311 591 593 901 1220 1414 2301 2381 2809 3128 3702 7777 7779 8000 8008 8028 8080 8118 8123 8180 8243 828 0 8888 9443 9999 11371 } \
>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>     enable_cookie \
>     extended_response_inspection \
>     inspect_gzip \
>     apache_whitespace yes \
>     ascii yes \
>     bare_byte yes \
>         directory yes \
>         double_decode yes \
>         iis_backslash yes \
>         iis_delimiter yes \
>         iis_unicode yes \
>         multi_slash yes \
>         non_strict \
>         u_encode yes \
>         webroot yes
>
> # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
>
> # Back Orifice detection.
> preprocessor bo
>
> #
> # SMTP normalization and anomaly detection.  For more information, see README.SMTP
> preprocessor smtp: ports { 25 465 587 691 } \
>     inspection_type stateful \
>     enable_mime_decoding \
>     max_mime_depth 20480 \
>     normalize cmds \
>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     max_command_line_len 512 \
>     max_header_line_len 1000 \
>     max_response_line_len 512 \
>     alt_max_command_line_len 260 { MAIL } \
>     alt_max_command_line_len 300 { RCPT } \
>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     xlink2state { enabled }
>
> # Portscan detection.  For more information, see README.sfportscan
> preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
>
> # ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
> preprocessor arpspoof
> # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
> # SSH anomaly detection.  For more information, see README.ssh
> preprocessor ssh: server_ports { 22 } \
>                   autodetect \
>                   max_client_bytes 19600 \
>                   max_encrypted_packets 20 \
>                   max_server_version_len 100 \
>                   enable_respoverflow enable_ssh1crc32 \
>                   enable_srvoverflow enable_protomismatch
>
> # SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
> preprocessor dcerpc2: memcap 102400, events [co ]
> preprocessor dcerpc2_server: default, policy WinXP, \
>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
>
> # DNS anomaly detection.  For more information, see README.dns
> preprocessor dns: ports { 53 } enable_rdata_overflow
>
> # SSL anomaly detection and traffic bypass.  For more information, see README.ssl
> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
>
> # SDF sensitive data preprocessor.  For more information see README.sensitive_data
> preprocessor sensitive_data: alert_threshold 25
> #
> # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
> preprocessor ftp_telnet: global inspection_type stateless encrypted_traffic no
> #
> preprocessor ftp_telnet_protocol: telnet ports { 23 } normalize ayt_attack_thresh 20
> #
> #
> preprocessor ftp_telnet_protocol: ftp server default \
>     def_max_param_len 100 \
>     ports { 21 2100 3535 } \
>     telnet_cmds yes \
>     ignore_telnet_erase_cmds yes \
>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
>     alt_max_param_len 256 { CWD RNTO } \
>     alt_max_param_len 400 { PORT } \
>     alt_max_param_len 512 { SIZE } \
>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>     cmd_validity ALLO < int [ char R int ] > \
>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>     cmd_validity MACB < string > \
>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>     cmd_validity MODE < char ASBCZ > \
>     cmd_validity PORT < host_port > \
>     cmd_validity PROT < char CSEP > \
>     cmd_validity STRU < char FRPO [ string ] > \
>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
> #
> preprocessor ftp_telnet_protocol: ftp client default \
>     max_resp_len 256 \
>     bounce yes \
>     ignore_telnet_erase_cmds yes \
>     telnet_cmds yes
> #
>
> ###################################################
> # Step #6: Configure output plugins
> # For more information, see Snort Manual, Configuring Snort - Output Modules
> ###################################################
>
> # unified2
> # Recommended for most installs
> output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>
> # Additional configuration for specific types of installs
> output alert_unified2: filename snort.alert, limit 128, nostamp
> output log_unified2: filename snort.log, limit 128, nostamp
>
> # syslog
> output alert_syslog: LOG_AUTH LOG_ALERT
>
> # pcap
> # output log_tcpdump: tcpdump.log
>
> # database
> # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
> # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
>
> # prelude
> # output alert_prelude
>
> # metadata reference data.  do not modify these lines
> include classification.config
> include reference.config
>
> ###################################################
> # Step #7: Customize your rule set
> # For more information, see Snort Manual, Writing Snort Rules
> #
> # NOTE: All categories are enabled in this conf file
> ###################################################
>
> # site specific rules
> include $RULE_PATH/local.rules
>
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/blacklist.rules
> include $RULE_PATH/botnet-cnc.rules
> include $RULE_PATH/chat.rules
> include $RULE_PATH/community.rules
> include $RULE_PATH/content-replace.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/info.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/multimedia.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/p2p.rules
> include $RULE_PATH/phishing-spam.rules
> include $RULE_PATH/policy.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/scada.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/shellcode.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/specific-threats.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/voip.rules
> include $RULE_PATH/web-activex.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/x11.rules
>
> ###################################################
> # Step #8: Customize your preprocessor and decoder alerts
> # For more information, see README.decoder_preproc_rules
> ###################################################
>
> # decoder and preprocessor event rules
> include $PREPROC_RULE_PATH/preprocessor.rules
> include $PREPROC_RULE_PATH/decoder.rules
> include $PREPROC_RULE_PATH/sensitive-data.rules
>
> ###################################################
> # Step #9: Customize your Shared Object Snort Rules
> # For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
> ###################################################
>
> # dynamic library rules
> include $SO_RULE_PATH/bad-traffic.rules
> include $SO_RULE_PATH/chat.rules
> include $SO_RULE_PATH/dos.rules
> include $SO_RULE_PATH/exploit.rules
> include $SO_RULE_PATH/icmp.rules
> include $SO_RULE_PATH/imap.rules
> include $SO_RULE_PATH/misc.rules
> include $SO_RULE_PATH/multimedia.rules
> include $SO_RULE_PATH/netbios.rules
> include $SO_RULE_PATH/nntp.rules
> include $SO_RULE_PATH/p2p.rules
> include $SO_RULE_PATH/smtp.rules
> include $SO_RULE_PATH/sql.rules
> include $SO_RULE_PATH/web-activex.rules
> include $SO_RULE_PATH/web-client.rules
> include $SO_RULE_PATH/web-iis.rules
> include $SO_RULE_PATH/web-misc.rules
>
> # Event thresholding or suppression commands. See threshold.conf
> include threshold.conf
>
> If you need more information let me know.
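The init script in this thread reports only "failure", so the useful question is which include Snort choked on. Below is an added example (not from the thread or the Snort project): a pre-flight checker in Python that expands `$RULE_PATH`-style variables in `include` lines, looks each file up in the order Snort 2.x uses (working directory first, then the directory of the top-level snort.conf), and does a light syntax pass over rule files. It builds a constructed directory layout mirroring the thread's `var RULE_PATH ../rules`; `snort -T -c snort.conf` remains the authoritative test.

```python
"""Pre-flight check for snort.conf include lines (added example, not from the
thread). Lookup order (working dir, then snort.conf dir) follows Snort 2.x's
include handling as this example understands it; verify with snort -T."""
import os
import re
import tempfile

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
VAR_RE = re.compile(r"^\s*(var|ipvar|portvar)\s+(\w+)\s+(.+?)\s*$")
INC_RE = re.compile(r"^\s*include\s+(\S+)")

def expand_vars(value, variables):
    """Replace $NAME tokens using the var/ipvar/portvar table seen so far."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def resolve_include(raw, conf_dir):
    """Return the first existing candidate for an include target, else None."""
    candidates = [raw] if os.path.isabs(raw) else [raw, os.path.join(conf_dir, raw)]
    for candidate in candidates:
        if os.path.isfile(candidate):
            return os.path.normpath(candidate)
    return None

def check_rules_file(path):
    """Light syntax pass: each logical line is blank, a comment, or `action ... (...)`."""
    problems, logical, start = [], "", 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            stripped = line.rstrip()
            if stripped.endswith("\\"):          # backslash continuation
                start = start or lineno
                logical += stripped[:-1] + " "
                continue
            text, first = (logical + stripped).strip(), start or lineno
            logical, start = "", 0
            if not text or text.startswith("#"):
                continue
            action = text.split(None, 1)[0]
            if action not in ACTIONS:
                problems.append((path, first, "unknown rule action %r" % action))
            elif text.count("(") != text.count(")") or not text.endswith(")"):
                problems.append((path, first, "unbalanced rule options"))
    return problems

def check_config(conf_path):
    """Walk snort.conf top to bottom; return (resolved includes, problems)."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables, resolved, problems = {}, {}, []
    with open(conf_path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            m = VAR_RE.match(line)
            if m:                                # variables are defined before use
                variables[m.group(2)] = expand_vars(m.group(3), variables)
                continue
            m = INC_RE.match(line)
            if not m:
                continue
            target = expand_vars(m.group(1), variables)
            if "$" in target:
                problems.append((conf_path, lineno, "undefined variable in " + target))
                continue
            found = resolve_include(target, conf_dir)
            if found is None:
                problems.append((conf_path, lineno, "include not found: " + target))
                continue
            resolved[m.group(1)] = found
            if found.endswith(".rules"):
                problems.extend(check_rules_file(found))
    return resolved, problems

def build_demo():
    """Constructed layout mirroring the thread: etc/snort.conf with RULE_PATH ../rules."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "rules"))
    with open(os.path.join(root, "rules", "local.rules"), "w") as fh:
        fh.write('alert tcp any any -> any 80 (msg:"constructed ok"; sid:1000001; rev:1;)\n')
    with open(os.path.join(root, "rules", "community.rules"), "w") as fh:   # one truncated rule
        fh.write('# constructed file\nalert tcp any any -> any 80 (msg:"truncated"; sid:1000002;\n')
    conf = os.path.join(root, "etc", "snort.conf")
    with open(conf, "w") as fh:
        fh.write("var RULE_PATH ../rules\ninclude $RULE_PATH/local.rules\n"
                 "include $RULE_PATH/community.rules\ninclude $RULE_PATH/missing.rules\n")
    return conf
```

Run `check_config("/usr/local/etc/snort/snort.conf")` against a real tree from the same working directory the init script uses, since a relative `RULE_PATH` that resolves under one directory may not under another.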