[Snort-users] Fwd: Snort 2.9.6.0 memory leak?

Mirek Suliba msuliba at ...11827...
Thu Feb 27 17:32:18 EST 2014


Hui,

Constant growth of memory usage looks a little bit scary but I hope that
you are right that it will stop at some point. I will run it for a longer
period of time to check.

Thank you for your help,

  - Mirek
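
As a way of working with the `kill -USR1` stats dump and the hourly `top` readings quoted below, here is an added triage helper in Python. It is example code written for this page, not code from the Snort project or from anyone in the thread. It parses the "Memory usage summary" (glibc mallinfo fields) and the Stream5 counters out of the syslog lines, computes the trackers still resident (Created minus Deleted) against the `max_tcp`/`max_udp` limits taken from the quoted `snort.conf`, and, given two dumps taken some time apart, classifies growth in allocated bytes (`uordblks`) as expected cache filling, allocator retention, or something that warrants a closer look. The sample dump lines and the RES readings are copied from the thread; the 2048 MiB ceiling comes from the "2 GB of memory" stated in the first message.

```python
"""Triage helper for Snort 2.9.x `kill -USR1` stats dumps (added example, not Snort code)."""
import re

# Lines copied from the USR1 dump quoted in this thread (only the fields used here).
SAMPLE_DUMP = """\
Feb 27 15:04:06 snort[23167]: Memory usage summary:
Feb 27 15:04:06 snort[23167]:   Total non-mmapped bytes (arena):       183816192
Feb 27 15:04:06 snort[23167]:   Bytes in mapped regions (hblkhd):      313253888
Feb 27 15:04:06 snort[23167]:   Total allocated space (uordblks):      76144432
Feb 27 15:04:06 snort[23167]:   Total free space (fordblks):           107671760
Feb 27 15:04:06 snort[23167]:   Topmost releasable block (keepcost):   102576
Feb 27 15:04:06 snort[23167]: Stream5 statistics:
Feb 27 15:04:06 snort[23167]: TCP StreamTrackers Created: 255897
Feb 27 15:04:06 snort[23167]: TCP StreamTrackers Deleted: 255349
Feb 27 15:04:06 snort[23167]:       UDP Sessions Created: 23942
Feb 27 15:04:06 snort[23167]:       UDP Sessions Deleted: 10211
"""

# Hourly `top` RES readings (MiB) from the first message in the thread.
SAMPLE_RES_MB = [240, 310, 386, 456]

# Limits from the stream5_global block of the quoted snort.conf.
MAX_TCP = 262144
MAX_UDP = 131072

SYSLOG_PREFIX = re.compile(r"^.*?snort\[\d+\]:\s*")
COUNTER = re.compile(r"^(.+?):\s+(\d+)$")


def parse_dump(text):
    """Map every 'label: integer' line of a USR1 dump to {label: int}.

    Lines carrying a percentage (Packet I/O, protocol breakdown) are skipped;
    the memory summary and Stream5 sections have none.
    """
    counters = {}
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw).strip()
        m = COUNTER.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def live_trackers(c):
    """Trackers still resident: created minus deleted, per protocol."""
    tcp = c["TCP StreamTrackers Created"] - c["TCP StreamTrackers Deleted"]
    udp = c["UDP Sessions Created"] - c["UDP Sessions Deleted"]
    return tcp, udp


def arena_in_use(c):
    """Share of the malloc arena holding live allocations. The remainder is
    memory Snort freed but glibc has not returned to the kernel; it still
    counts toward RES in `top` without being a leak."""
    return c["Total allocated space (uordblks)"] / c["Total non-mmapped bytes (arena)"]


def table_headroom(c, max_tcp=MAX_TCP, max_udp=MAX_UDP):
    """True while either session table can still grow, i.e. while RES growth
    is explainable by new trackers alone."""
    tcp, udp = live_trackers(c)
    return tcp < max_tcp or udp < max_udp


def compare_dumps(prev, cur):
    """Classify growth between two dumps taken some time apart.

    A leak shows up as uordblks rising while live trackers do not; RES rising
    with flat uordblks is allocator retention, not a leak.
    """
    d_alloc = cur["Total allocated space (uordblks)"] - prev["Total allocated space (uordblks)"]
    d_live = sum(live_trackers(cur)) - sum(live_trackers(prev))
    if d_alloc <= 0:
        return "retention"    # live allocations flat or shrinking
    if d_live > 0:
        return "filling"      # more trackers resident; expected until tables saturate
    return "suspect-leak"     # allocated bytes grew with no new trackers to account for them


def res_growth_per_hour(res_mb):
    """Hour-over-hour RES deltas; a leak keeps these positive indefinitely,
    a filling cache drives them toward zero."""
    return [b - a for a, b in zip(res_mb, res_mb[1:])]


def hours_until_exhausted(res_mb, total_mb):
    """Linear projection of hours until RES reaches total_mb at the mean
    observed rate, or None if RES is not growing. A worst-case bound only."""
    deltas = res_growth_per_hour(res_mb)
    rate = sum(deltas) / len(deltas)
    if rate <= 0:
        return None
    return (total_mb - res_mb[-1]) / rate


if __name__ == "__main__":
    c = parse_dump(SAMPLE_DUMP)
    tcp, udp = live_trackers(c)
    print(f"live trackers: tcp={tcp} udp={udp} (limits {MAX_TCP}/{MAX_UDP})")
    print(f"arena in use: {arena_in_use(c):.1%}; table headroom: {table_headroom(c)}")
    print(f"RES growth MiB/h: {res_growth_per_hour(SAMPLE_RES_MB)}")
    print(f"hours to 2048 MiB at current rate: {hours_until_exhausted(SAMPLE_RES_MB, 2048):.1f}")
```

Run it against successive dumps (`kill -USR1` once an hour, split the syslog output at each "Caught Dump Stats-Signal") and feed consecutive pairs to `compare_dumps`; the single-dump numbers only tell you whether the tables could still be filling, while the pairwise comparison is what separates a leak from glibc holding on to freed arena space.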



On Thu, Feb 27, 2014 at 3:25 PM, Hui Cao (huica) <huica at ...589...> wrote:

>  Snort does track many sessions and also lots of gaps in those sessions.
> You can let snort run and see whether it keeps increasing. So far, it
> appears to be working as expected.
>
>  Best,
> Hui.
>
>   From: Mirek Suliba <msuliba at ...11827...>
> Date: Thursday, February 27, 2014 at 4:15 PM
> To: Hui Cao <huica at ...589...>
> Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Fwd: Snort 2.9.6.0 memory leak?
>
>    Hi Hui,
>
>  I allowed traffic to go through this server only for three hours and I
> disabled it when I saw this constant memory usage growth. Below is output
> from kill -USR1 [Snort_PID] command:
>
> Feb 27 15:04:06 rsyslogd-2177: imuxsock lost 14 messages from pid 23167 due to rate-limiting
> Feb 27 15:04:06 snort[23167]: *** Caught Dump Stats-Signal
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: Memory usage summary:
> Feb 27 15:04:06 snort[23167]:   Total non-mmapped bytes (arena):       183816192
> Feb 27 15:04:06 snort[23167]:   Bytes in mapped regions (hblkhd):      313253888
> Feb 27 15:04:06 snort[23167]:   Total allocated space (uordblks):      76144432
> Feb 27 15:04:06 snort[23167]:   Total free space (fordblks):           107671760
> Feb 27 15:04:06 snort[23167]:   Topmost releasable block (keepcost):   102576
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: Packet I/O Totals:
> Feb 27 15:04:06 snort[23167]:    Received:      8498408
> Feb 27 15:04:06 snort[23167]:    Analyzed:      8498408 (100.000%)
> Feb 27 15:04:06 snort[23167]:     Dropped:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    Filtered:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]: Outstanding:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    Injected:            0
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: Breakdown by protocol (includes rebuilt packets):
> Feb 27 15:04:06 snort[23167]:         Eth:      8537764 (100.000%)
> Feb 27 15:04:06 snort[23167]:        VLAN:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:         IP4:      8510095 ( 99.676%)
> Feb 27 15:04:06 snort[23167]:        Frag:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:        ICMP:        27312 (  0.320%)
> Feb 27 15:04:06 snort[23167]:         UDP:       204961 (  2.401%)
> Feb 27 15:04:06 snort[23167]:         TCP:      6763077 ( 79.214%)
> Feb 27 15:04:06 snort[23167]:         IP6:          282 (  0.003%)
> Feb 27 15:04:06 snort[23167]:     IP6 Ext:          282 (  0.003%)
> Feb 27 15:04:06 snort[23167]:    IP6 Opts:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:       Frag6:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:       ICMP6:          282 (  0.003%)
> Feb 27 15:04:06 snort[23167]:        UDP6:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:        TCP6:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:      Teredo:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     ICMP-IP:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     IP4/IP4:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     IP4/IP6:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     IP6/IP4:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     IP6/IP6:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:         GRE:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     GRE Eth:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    GRE VLAN:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     GRE IP4:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     GRE IP6:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]: GRE IP6 Ext:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    GRE PPTP:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     GRE ARP:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     GRE IPX:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    GRE Loop:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:        MPLS:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:         ARP:        27387 (  0.321%)
> Feb 27 15:04:06 snort[23167]:         IPX:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    Eth Loop:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    Eth Disc:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    IP4 Disc:      1514740 ( 17.742%)
> Feb 27 15:04:06 snort[23167]:    IP6 Disc:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    TCP Disc:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:    UDP Disc:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:   ICMP Disc:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]: All Discard:      1514740 ( 17.742%)
> Feb 27 15:04:06 snort[23167]:       Other:            5 (  0.000%)
> Feb 27 15:04:06 snort[23167]: Bad Chk Sum:      1230372 ( 14.411%)
> Feb 27 15:04:06 snort[23167]:     Bad TTL:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:      S5 G 1:        10861 (  0.127%)
> Feb 27 15:04:06 snort[23167]:      S5 G 2:        28496 (  0.334%)
> Feb 27 15:04:06 snort[23167]:       Total:      8537764
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: Action Stats:
> Feb 27 15:04:06 snort[23167]:      Alerts:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:      Logged:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:      Passed:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]: Limits:
> Feb 27 15:04:06 snort[23167]:       Match:            0
> Feb 27 15:04:06 snort[23167]:       Queue:            0
> Feb 27 15:04:06 snort[23167]:         Log:            0
> Feb 27 15:04:06 snort[23167]:       Event:            0
> Feb 27 15:04:06 snort[23167]:       Alert:            0
> Feb 27 15:04:06 snort[23167]: Verdicts:
> Feb 27 15:04:06 snort[23167]:       Allow:      8496786 ( 99.981%)
> Feb 27 15:04:06 snort[23167]:       Block:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:     Replace:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:   Whitelist:         1621 (  0.019%)
> Feb 27 15:04:06 snort[23167]:   Blacklist:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]:      Ignore:            0 (  0.000%)
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: Frag3 statistics:
> Feb 27 15:04:06 snort[23167]:         Total Fragments: 0
> Feb 27 15:04:06 snort[23167]:       Frags Reassembled: 0
> Feb 27 15:04:06 snort[23167]:                Discards: 0
> Feb 27 15:04:06 snort[23167]:           Memory Faults: 0
> Feb 27 15:04:06 snort[23167]:                Timeouts: 0
> Feb 27 15:04:06 snort[23167]:                Overlaps: 0
> Feb 27 15:04:06 snort[23167]:               Anomalies: 0
> Feb 27 15:04:06 snort[23167]:                  Alerts: 0
> Feb 27 15:04:06 snort[23167]:                   Drops: 0
> Feb 27 15:04:06 snort[23167]:      FragTrackers Added: 0
> Feb 27 15:04:06 snort[23167]:     FragTrackers Dumped: 0
> Feb 27 15:04:06 snort[23167]: FragTrackers Auto Freed: 0
> Feb 27 15:04:06 snort[23167]:     Frag Nodes Inserted: 0
> Feb 27 15:04:06 snort[23167]:      Frag Nodes Deleted: 0
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: Stream5 statistics:
> Feb 27 15:04:06 snort[23167]:             Total sessions: 272938
> Feb 27 15:04:06 snort[23167]:               TCP sessions: 255727
> Feb 27 15:04:06 snort[23167]:               UDP sessions: 17211
> Feb 27 15:04:06 snort[23167]:              ICMP sessions: 0
> Feb 27 15:04:06 snort[23167]:                IP sessions: 0
> Feb 27 15:04:06 snort[23167]:                 TCP Prunes: 0
> Feb 27 15:04:06 snort[23167]:                 UDP Prunes: 0
> Feb 27 15:04:06 snort[23167]:                ICMP Prunes: 0
> Feb 27 15:04:06 snort[23167]:                  IP Prunes: 0
> Feb 27 15:04:06 snort[23167]: TCP StreamTrackers Created: 255897
> Feb 27 15:04:06 snort[23167]: TCP StreamTrackers Deleted: 255349
> Feb 27 15:04:06 snort[23167]:               TCP Timeouts: 266
> Feb 27 15:04:06 snort[23167]:               TCP Overlaps: 118
> Feb 27 15:04:06 snort[23167]:        TCP Segments Queued: 737031
> Feb 27 15:04:06 snort[23167]:      TCP Segments Released: 736763
> Feb 27 15:04:06 snort[23167]:        TCP Rebuilt Packets: 306435
> Feb 27 15:04:06 snort[23167]:          TCP Segments Used: 711696
> Feb 27 15:04:06 snort[23167]:               TCP Discards: 8308
> Feb 27 15:04:06 snort[23167]:                   TCP Gaps: 66562
> Feb 27 15:04:06 snort[23167]:       UDP Sessions Created: 23942
> Feb 27 15:04:06 snort[23167]:       UDP Sessions Deleted: 10211
> Feb 27 15:04:06 snort[23167]:               UDP Timeouts: 6731
> Feb 27 15:04:06 snort[23167]:               UDP Discards: 0
> Feb 27 15:04:06 snort[23167]:                     Events: 33307
> Feb 27 15:04:06 snort[23167]:            Internal Events: 0
> Feb 27 15:04:06 snort[23167]:            TCP Port Filter
> Feb 27 15:04:06 snort[23167]:                   Filtered: 0
> Feb 27 15:04:06 snort[23167]:                  Inspected: 0
> Feb 27 15:04:06 snort[23167]:                    Tracked: 5590053
> Feb 27 15:04:06 snort[23167]:            UDP Port Filter
> Feb 27 15:04:06 snort[23167]:                   Filtered: 0
> Feb 27 15:04:06 snort[23167]:                  Inspected: 5225
> Feb 27 15:04:06 snort[23167]:                    Tracked: 17211
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: HTTP Inspect - encodings (Note: stream-reassembled packets included):
> Feb 27 15:04:06 snort[23167]:     POST methods:                         657
> Feb 27 15:04:06 snort[23167]:     GET methods:                          33120
> Feb 27 15:04:06 snort[23167]:     HTTP Request Headers extracted:       34016
> Feb 27 15:04:06 snort[23167]:     HTTP Request Cookies extracted:       25326
> Feb 27 15:04:06 snort[23167]:     Post parameters extracted:            657
> Feb 27 15:04:06 snort[23167]:     HTTP response Headers extracted:      9083
> Feb 27 15:04:06 snort[23167]:     HTTP Response Cookies extracted:      98
> Feb 27 15:04:06 snort[23167]:     Unicode:                              0
> Feb 27 15:04:06 snort[23167]:     Double unicode:                       0
> Feb 27 15:04:06 snort[23167]:     Non-ASCII representable:              0
> Feb 27 15:04:06 snort[23167]:     Directory traversals:                 0
> Feb 27 15:04:06 snort[23167]:     Extra slashes ("//"):                 4045
> Feb 27 15:04:06 snort[23167]:     Self-referencing paths ("./"):        0
> Feb 27 15:04:06 snort[23167]:     HTTP Response Gzip packets extracted: 0
> Feb 27 15:04:06 snort[23167]:     Gzip Compressed Data Processed:       n/a
> Feb 27 15:04:06 snort[23167]:     Gzip Decompressed Data Processed:     n/a
> Feb 27 15:04:06 snort[23167]:     Total packets processed:              1851525
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: SMTP Preprocessor Statistics
> Feb 27 15:04:06 snort[23167]:   Total sessions                                    : 0
> Feb 27 15:04:06 snort[23167]:   Max concurrent sessions                           : 0
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: dcerpc2 Preprocessor Statistics
> Feb 27 15:04:06 snort[23167]:   Total sessions: 0
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: SSL Preprocessor:
> Feb 27 15:04:06 snort[23167]:    SSL packets decoded: 892031
> Feb 27 15:04:06 snort[23167]:           Client Hello: 389752
> Feb 27 15:04:06 snort[23167]:           Server Hello: 793
> Feb 27 15:04:06 snort[23167]:            Certificate: 908
> Feb 27 15:04:06 snort[23167]:            Server Done: 382480
> Feb 27 15:04:06 snort[23167]:    Client Key Exchange: 30685
> Feb 27 15:04:06 snort[23167]:    Server Key Exchange: 0
> Feb 27 15:04:06 snort[23167]:          Change Cipher: 384430
> Feb 27 15:04:06 snort[23167]:               Finished: 0
> Feb 27 15:04:06 snort[23167]:     Client Application: 440228
> Feb 27 15:04:06 snort[23167]:     Server Application: 427
> Feb 27 15:04:06 snort[23167]:                  Alert: 21387
> Feb 27 15:04:06 snort[23167]:   Unrecognized records: 191082
> Feb 27 15:04:06 snort[23167]:   Completed handshakes: 0
> Feb 27 15:04:06 snort[23167]:         Bad handshakes: 121
> Feb 27 15:04:06 snort[23167]:       Sessions ignored: 427
> Feb 27 15:04:06 snort[23167]:     Detection disabled: 19941
> Feb 27 15:04:06 snort[23167]: ===============================================================================
> Feb 27 15:04:06 snort[23167]: SIP Preprocessor Statistics
> Feb 27 15:04:06 snort[23167]:   Total sessions: 3
> Feb 27 15:04:06 snort[23167]:   SIP anomalies : 1
> Feb 27 15:04:06 snort[23167]:   Requests: 0
> Feb 27 15:04:06 snort[23167]:           invite:   0
> Feb 27 15:04:06 snort[23167]:           cancel:   0
> Feb 27 15:04:06 snort[23167]:              ack:   0
> Feb 27 15:04:06 snort[23167]:              bye:   0
> Feb 27 15:04:06 snort[23167]:         register:   0
> Feb 27 15:04:06 snort[23167]:          options:   0
> Feb 27 15:04:06 snort[23167]:            refer:   0
> Feb 27 15:04:06 snort[23167]:        subscribe:   0
> Feb 27 15:04:06 snort[23167]:           update:   0
> Feb 27 15:04:06 snort[23167]:             join:   0
> Feb 27 15:04:06 snort[23167]:             info:   0
> Feb 27 15:04:06 snort[23167]:          message:   0
> Feb 27 15:04:06 snort[23167]:           notify:   0
> Feb 27 15:04:06 snort[23167]:            prack:   0
> Feb 27 15:04:06 snort[23167]:   Responses: 0
> Feb 27 15:04:06 snort[23167]:              1xx:   0
> Feb 27 15:04:06 rsyslogd-2177: imuxsock begins to drop messages from pid 23167 due to rate-limiting
>
>  Thank you,
>
>    - Mirek
>
>
>
> On Thu, Feb 27, 2014 at 2:50 PM, Hui Cao (huica) <huica at ...589...> wrote:
>
>>  Hi Mirek,
>>
>>  Snort memory usage might increase constantly when more sessions are
>> tracked. After some point, it will stabilize. If you see that memory never
>> stops increasing even after all the sessions are used up, it might indicate
>> some memory issue. Based on your data, it looks ok at this level. What are
>> the snort stats and snort configuration? You can use kill -USR1 Snort_PID to
>> get snort stats if you don't want to stop snort.
>>
>>  Best,
>> Hui.
>>
>>   From: Mirek Suliba <msuliba at ...11827...>
>> Date: Thursday, February 27, 2014 at 3:37 PM
>> To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Fwd: Snort 2.9.6.0 memory leak?
>>
>>         Hello,
>>
>>  I have just installed my first instance of Snort and found that after
>> putting traffic through it Snort memory usage is constantly growing. Below
>> are checks done every hour using "top" command:
>>
>>  Time    VIRT   RES    %MEM
>>  9:00    596m   240m   12.9
>>  10:00   596m   310m   16.5
>>  11:00   596m   386m   20.6
>>  12:00   596m   456m   24.3
>>
>>  Is this normal behavior for Snort? If not what setting should I change
>> to fix it?
>>
>>  This installation of Snort is for monitoring traffic only on local
>> server (not promiscuous mode).
>>
>>  System is CentOS 6.4 with 2 GB of memory. Below is Snort information:
>>
>> # snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.6.0 GRE (Build 47)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.0.0
>>            Using PCRE version: 7.8 2008-09-05
>>            Using ZLIB version: 1.2.3
>>
>>  Snort command:
>>
>> /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>>
>>  Content of snort.conf file:
>>
>> #--------------------------------------------------
>> #   VRT Rule Packages Snort.conf
>> #
>> #   For more information visit us at:
>> #     http://www.snort.org                   Snort Website
>> #     http://vrt-blog.snort.org/    Sourcefire VRT Blog
>> #
>> #     Mailing list Contact:      snort-sigs at lists.sourceforge.net
>> #     False Positive reports:    fp at ...1935...
>> #     Snort bugs:                bugs at ...950...
>> #
>> #     Compatible with Snort Versions:
>> #     VERSIONS : 2.9.6.0
>> #
>> #     Snort build options:
>> #     OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>> #
>> #     Additional information:
>> #     This configuration file enables active response, to run snort in
>> #     test mode -T you are required to supply an interface -i <interface>
>> #     or test mode will fail to fully validate the configuration and
>> #     exit with a FATAL error
>> #--------------------------------------------------
>>
>> ###################################################
>> # This file contains a sample snort configuration.
>> # You should take the following steps to create your own custom configuration:
>> #
>> #  1) Set the network variables.
>> #  2) Configure the decoder
>> #  3) Configure the base detection engine
>> #  4) Configure dynamic loaded libraries
>> #  5) Configure preprocessors
>> #  6) Configure output plugins
>> #  7) Customize your rule set
>> #  8) Customize preprocessor and decoder rule set
>> #  9) Customize shared object rule set
>> ###################################################
>>
>> ###################################################
>> # Step #1: Set the network variables.  For more information, see README.variables
>> ###################################################
>>
>> # Setup the network addresses you are protecting
>> ipvar HOME_NET any
>>
>> # Set up the external network addresses. Leave as "any" in most situations
>> ipvar EXTERNAL_NET any
>>
>> # List of DNS servers on your network
>> ipvar DNS_SERVERS $HOME_NET
>>
>> # List of SMTP servers on your network
>> ipvar SMTP_SERVERS $HOME_NET
>>
>> # List of web servers on your network
>> ipvar HTTP_SERVERS $HOME_NET
>>
>> # List of sql servers on your network
>> ipvar SQL_SERVERS $HOME_NET
>>
>> # List of telnet servers on your network
>> ipvar TELNET_SERVERS $HOME_NET
>>
>> # List of ssh servers on your network
>> ipvar SSH_SERVERS $HOME_NET
>>
>> # List of ftp servers on your network
>> ipvar FTP_SERVERS $HOME_NET
>>
>> # List of sip servers on your network
>> ipvar SIP_SERVERS $HOME_NET
>>
>> # List of ports you run web servers on
>> portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
>>
>> # List of ports you want to look for SHELLCODE on.
>> portvar SHELLCODE_PORTS !80
>>
>> # List of ports you might see oracle attacks on
>> portvar ORACLE_PORTS 1024:
>>
>> # List of ports you want to look for SSH connections on:
>> portvar SSH_PORTS 22
>>
>> # List of ports you run ftp servers on
>> portvar FTP_PORTS [21,2100,3535]
>>
>> # List of ports you run SIP servers on
>> portvar SIP_PORTS [5060,5061,5600]
>>
>> # List of file data ports for file inspection
>> portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
>>
>> # List of GTP ports for GTP preprocessor
>> portvar GTP_PORTS [2123,2152,3386]
>>
>> # other variables, these should not be modified
>> ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>
>> # Path to your rules files (this can be a relative path)
>> # Note for Windows users:  You are advised to make this an absolute path,
>> # such as:  c:\snort\rules
>> var RULE_PATH /etc/snort/rules
>> var SO_RULE_PATH /etc/snort/so_rules
>> var PREPROC_RULE_PATH /etc/snort/preproc_rules
>>
>> # If you are using reputation preprocessor set these
>> var WHITE_LIST_PATH /etc/snort/rules
>> var BLACK_LIST_PATH /etc/snort/rules
>>
>> ###################################################
>> # Step #2: Configure the decoder.  For more information, see README.decode
>> ###################################################
>>
>> # Disable promiscuous mode
>> config no_promisc
>>
>> # Stop generic decode events:
>> config disable_decode_alerts
>>
>> # Stop Alerts on experimental TCP options
>> config disable_tcpopt_experimental_alerts
>>
>> # Stop Alerts on obsolete TCP options
>> config disable_tcpopt_obsolete_alerts
>>
>> # Stop Alerts on T/TCP alerts
>> config disable_tcpopt_ttcp_alerts
>>
>> # Stop Alerts on all other TCPOption type events:
>> config disable_tcpopt_alerts
>>
>> # Stop Alerts on invalid ip options
>> config disable_ipopt_alerts
>>
>> # Alert if value in length field (IP, TCP, UDP) is greater than the length of the packet
>> # config enable_decode_oversized_alerts
>>
>> # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
>> # config enable_decode_oversized_drops
>>
>> # Configure IP / TCP checksum mode
>> config checksum_mode: all
>>
>> # Configure maximum number of flowbit references.  For more information, see README.flowbits
>> # config flowbits_size: 64
>>
>> # Configure ports to ignore
>> # config ignore_ports: tcp 21 6667:6671 1356
>> # config ignore_ports: udp 1:17 53
>>
>> # Configure active response for non inline operation. For more information, see README.active
>> # config response: eth0 attempts 2
>>
>> # Configure DAQ related options for inline operation. For more information, see README.daq
>> #
>> # config daq: <type>
>> # config daq_dir: <dir>
>> # config daq_mode: <mode>
>> # config daq_var: <var>
>> #
>> # <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
>> # <mode> ::= read-file | passive | inline
>> # <var> ::= arbitrary <name>=<value passed to DAQ
>> # <dir> ::= path as to where to look for DAQ module so's
>>
>> # Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
>> #
>> # config set_gid:
>> # config set_uid:
>>
>> # Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
>> #
>> # config snaplen:
>> #
>>
>> # Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
>> #
>> # config bpf_file:
>> #
>>
>> # Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
>> #
>> # config logdir:
>>
>>
>> ###################################################
>> # Step #3: Configure the base detection engine.  For more information, see README.decode
>> ###################################################
>>
>> # Configure PCRE match limitations
>> config pcre_match_limit: 3500
>> config pcre_match_limit_recursion: 1500
>>
>> # Configure the detection engine.  See the Snort Manual, Configuring Snort - Includes - Config
>> config detection: search-method ac-split search-optimize max-pattern-len 20
>>
>> # Configure the event queue.  For more information, see README.event_queue
>> config event_queue: max_queue 8 log 5 order_events content_length
>>
>> ###################################################
>> ## Configure GTP if it is to be used.
>> ## For more information, see README.GTP
>> ####################################################
>>
>> # config enable_gtp
>>
>> ###################################################
>> # Per packet and rule latency enforcement
>> # For more information see README.ppm
>> ###################################################
>>
>> # Per Packet latency configuration
>> #config ppm: max-pkt-time 250, \
>> #   fastpath-expensive-packets, \
>> #   pkt-log
>>
>> # Per Rule latency configuration
>> #config ppm: max-rule-time 200, \
>> #   threshold 3, \
>> #   suspend-expensive-rules, \
>> #   suspend-timeout 20, \
>> #   rule-log alert
>>
>> ###################################################
>> # Configure Perf Profiling for debugging
>> # For more information see README.PerfProfiling
>> ###################################################
>>
>> #config profile_rules: print all, sort avg_ticks
>> #config profile_preprocs: print all, sort avg_ticks
>>
>> ###################################################
>> # Configure protocol aware flushing
>> # For more information see README.stream5
>> ###################################################
>> config paf_max: 16000
>>
>> ###################################################
>> # Step #4: Configure dynamic loaded libraries.
>> # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
>> ###################################################
>>
>> # path to dynamic preprocessor libraries
>> # dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>> dynamicpreprocessor directory /usr/lib64/snort-2.9.6.0_dynamicpreprocessor
>>
>> # path to base preprocessor engine
>> # dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>> dynamicengine /usr/lib64/snort-2.9.6.0_dynamicengine/libsf_engine.so
>>
>> # path to dynamic rules libraries
>> # dynamicdetection directory /usr/local/lib/snort_dynamicrules
>> dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.0
>>
>> ###################################################
>> # Step #5: Configure preprocessors
>> # For more information, see the Snort Manual, Configuring Snort - Preprocessors
>> ###################################################
>>
>> # GTP Control Channel Preprocessor. For more information, see README.GTP
>> # preprocessor gtp: ports { 2123 3386 2152 }
>>
>> # Inline packet normalization. For more information, see README.normalize
>> # Does nothing in IDS mode
>> preprocessor normalize_ip4
>> preprocessor normalize_tcp: ips ecn stream
>> preprocessor normalize_icmp4
>> preprocessor normalize_ip6
>> preprocessor normalize_icmp6
>>
>> # Target-based IP defragmentation.  For more information, see README.frag3
>> preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>>
>> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
>> preprocessor stream5_global: track_tcp yes, \
>>    track_udp yes, \
>>    track_icmp no, \
>>    max_tcp 262144, \
>>    max_udp 131072, \
>>    max_active_responses 2, \
>>    min_response_seconds 5
>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>>     ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
>>         161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
>>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>>     ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7907 7000 7001 7071 7144 7145 7510 7802 7770 7777 7779 \
>>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712
>> preprocessor stream5_udp: timeout 180
>>
>> # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>>
>> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
>> preprocessor http_inspect_server: server default \
>>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>>     chunk_length 500000 \
>>     server_flow_depth 0 \
>>     client_flow_depth 0 \
>>     post_depth 65495 \
>>     oversize_dir_length 500 \
>>     max_header_length 750 \
>>     max_headers 100 \
>>     max_spaces 200 \
>>     small_chunk_length { 10 5 } \
>>     ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>     enable_cookie \
>>     extended_response_inspection \
>>     inspect_gzip \
>>     normalize_utf \
>>     unlimited_decompress \
>>     normalize_javascript \
>>     apache_whitespace no \
>>     ascii no \
>>     bare_byte no \
>>     directory no \
>>     double_decode no \
>>     iis_backslash no \
>>     iis_delimiter no \
>>     iis_unicode no \
>>     multi_slash no \
>>     utf_8 no \
>>     u_encode yes \
>>     webroot no
>>
>> # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
>>
>> # Back Orifice detection.
>> preprocessor bo
>>
>> # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
>> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
>> preprocessor ftp_telnet_protocol: telnet \
>>     ayt_attack_thresh 20 \
>>     normalize ports { 23 } \
>>     detect_anomalies
>> preprocessor ftp_telnet_protocol: ftp server default \
>>     def_max_param_len 100 \
>>     ports { 21 2100 3535 } \
>>     telnet_cmds yes \
>>     ignore_telnet_erase_cmds yes \
>>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT
>> REIN STOU SYST XCUP XPWD } \
>>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU
>> XMKD } \
>>     alt_max_param_len 256 { CWD RNTO } \
>>     alt_max_param_len 400 { PORT } \
>>     alt_max_param_len 512 { SIZE } \
>>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>>     cmd_validity ALLO < int [ char R int ] > \
>>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>>     cmd_validity MACB < string > \
>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>     cmd_validity MODE < char ASBCZ > \
>>     cmd_validity PORT < host_port > \
>>     cmd_validity PROT < char CSEP > \
>>     cmd_validity STRU < char FRPO [ string ] > \
>>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number
>> ] } >
>> preprocessor ftp_telnet_protocol: ftp client default \
>>     max_resp_len 256 \
>>     bounce yes \
>>     ignore_telnet_erase_cmds yes \
>>     telnet_cmds yes
>>
>>
>> # SMTP normalization and anomaly detection.  For more information, see
>> README.SMTP
>> preprocessor smtp: ports { 25 465 587 691 } \
>>     inspection_type stateful \
>>     b64_decode_depth 0 \
>>     qp_decode_depth 0 \
>>     bitenc_decode_depth 0 \
>>     uu_decode_depth 0 \
>>     log_mailfrom \
>>     log_rcptto \
>>     log_filename \
>>     log_email_hdrs \
>>     normalize cmds \
>>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM
>> ESND ESOM ETRN EVFY } \
>>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT
>> RSET SAML SEND SOML } \
>>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT
>> X-DRCP X-ERCP X-EXCH50 } \
>>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN
>> XLICENSE XQUE XSTA XTRN XUSR } \
>>     max_command_line_len 512 \
>>     max_header_line_len 1000 \
>>     max_response_line_len 512 \
>>     alt_max_command_line_len 260 { MAIL } \
>>     alt_max_command_line_len 300 { RCPT } \
>>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL
>> ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA
>> RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS
>> X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND
>> ESOM ETRN EVFY } \
>>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET
>> SAML SEND SOML } \
>>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP
>> X-ERCP X-EXCH50 } \
>>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN
>> XLICENSE XQUE XSTA XTRN XUSR } \
>>     xlink2state { enabled }
>>
>> # Portscan detection.  For more information, see README.sfportscan
>> # preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level
>> { low }
>>
>> # ARP spoof detection.  For more information, see the Snort Manual -
>> Configuring Snort - Preprocessors - ARP Spoof Preprocessor
>> # preprocessor arpspoof
>> # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>>
>> # SSH anomaly detection.  For more information, see README.ssh
>> preprocessor ssh: server_ports { 22 } \
>>                   autodetect \
>>                   max_client_bytes 19600 \
>>                   max_encrypted_packets 20 \
>>                   max_server_version_len 100 \
>>                   enable_respoverflow enable_ssh1crc32 \
>>                   enable_srvoverflow enable_protomismatch
>>
>> # SMB / DCE-RPC normalization and anomaly detection.  For more
>> information, see README.dcerpc2
>> preprocessor dcerpc2: memcap 102400, events [co ]
>> preprocessor dcerpc2_server: default, policy WinXP, \
>>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>>     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
>>
>> # DNS anomaly detection.  For more information, see README.dns
>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>
>> # SSL anomaly detection and traffic bypass.  For more information, see
>> README.ssl
>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802
>> 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914
>> 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
>>
>> # SDF sensitive data preprocessor.  For more information see
>> README.sensitive_data
>> preprocessor sensitive_data: alert_threshold 25
>>
>> # SIP Session Initiation Protocol preprocessor.  For more information see
>> README.sip
>> preprocessor sip: max_sessions 40000, \
>>    ports { 5060 5061 5600 }, \
>>    methods { invite \
>>              cancel \
>>              ack \
>>              bye \
>>              register \
>>              options \
>>              refer \
>>              subscribe \
>>              update \
>>              join \
>>              info \
>>              message \
>>              notify \
>>              benotify \
>>              do \
>>              qauth \
>>              sprack \
>>              publish \
>>              service \
>>              unsubscribe \
>>              prack }, \
>>    max_uri_len 512, \
>>    max_call_id_len 80, \
>>    max_requestName_len 20, \
>>    max_from_len 256, \
>>    max_to_len 256, \
>>    max_via_len 1024, \
>>    max_contact_len 512, \
>>    max_content_len 2048
>>
>> # IMAP preprocessor.  For more information see README.imap
>> preprocessor imap: \
>>    ports { 143 } \
>>    b64_decode_depth 0 \
>>    qp_decode_depth 0 \
>>    bitenc_decode_depth 0 \
>>    uu_decode_depth 0
>>
>> # POP preprocessor. For more information see README.pop
>> preprocessor pop: \
>>    ports { 110 } \
>>    b64_decode_depth 0 \
>>    qp_decode_depth 0 \
>>    bitenc_decode_depth 0 \
>>    uu_decode_depth 0
>>
>> # Modbus preprocessor. For more information see README.modbus
>> preprocessor modbus: ports { 502 }
>>
>> # DNP3 preprocessor. For more information see README.dnp3
>> preprocessor dnp3: ports { 20000 } \
>>    memcap 262144 \
>>    check_crc
>>
>> # Reputation preprocessor. For more information see README.reputation
>> preprocessor reputation: \
>>    memcap 500, \
>>    priority whitelist, \
>>    nested_ip inner, \
>>    whitelist $WHITE_LIST_PATH/white_list.rules, \
>>    blacklist $BLACK_LIST_PATH/black_list.rules
>>
>> ###################################################
>> # Step #6: Configure output plugins
>> # For more information, see Snort Manual, Configuring Snort - Output
>> Modules
>> ###################################################
>>
>> # unified2
>> # Recommended for most installs
>> # output unified2: filename merged.log, limit 128, nostamp,
>> mpls_event_types, vlan_event_types
>>
>> # Additional configuration for specific types of installs
>> # output alert_unified2: filename snort.alert, limit 128, nostamp
>> # output log_unified2: filename snort.log, limit 128, nostamp
>>
>> # syslog
>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>
>> # pcap
>> # output log_tcpdump: tcpdump.log
>>
>> # metadata reference data.  do not modify these lines
>> include classification.config
>> include reference.config
>>
>>
>> ###################################################
>> # Step #7: Customize your rule set
>> # For more information, see Snort Manual, Writing Snort Rules
>> #
>> # NOTE: All categories are enabled in this conf file
>> ###################################################
>>
>> # site specific rules
>> include $RULE_PATH/local.rules
>>
>> include $RULE_PATH/app-detect.rules
>> include $RULE_PATH/attack-responses.rules
>> include $RULE_PATH/backdoor.rules
>> include $RULE_PATH/bad-traffic.rules
>> include $RULE_PATH/blacklist.rules
>> include $RULE_PATH/botnet-cnc.rules
>> include $RULE_PATH/browser-chrome.rules
>> include $RULE_PATH/browser-firefox.rules
>> include $RULE_PATH/browser-ie.rules
>> include $RULE_PATH/browser-other.rules
>> include $RULE_PATH/browser-plugins.rules
>> include $RULE_PATH/browser-webkit.rules
>> include $RULE_PATH/chat.rules
>> include $RULE_PATH/content-replace.rules
>> include $RULE_PATH/ddos.rules
>> include $RULE_PATH/dns.rules
>> include $RULE_PATH/dos.rules
>> include $RULE_PATH/experimental.rules
>> include $RULE_PATH/exploit-kit.rules
>> include $RULE_PATH/exploit.rules
>> include $RULE_PATH/file-executable.rules
>> include $RULE_PATH/file-flash.rules
>> include $RULE_PATH/file-identify.rules
>> include $RULE_PATH/file-image.rules
>> include $RULE_PATH/file-java.rules
>> include $RULE_PATH/file-multimedia.rules
>> include $RULE_PATH/file-office.rules
>> include $RULE_PATH/file-other.rules
>> include $RULE_PATH/file-pdf.rules
>> include $RULE_PATH/finger.rules
>> include $RULE_PATH/ftp.rules
>> include $RULE_PATH/icmp-info.rules
>> include $RULE_PATH/icmp.rules
>> include $RULE_PATH/imap.rules
>> include $RULE_PATH/indicator-compromise.rules
>> include $RULE_PATH/indicator-obfuscation.rules
>> include $RULE_PATH/indicator-scan.rules
>> include $RULE_PATH/indicator-shellcode.rules
>> include $RULE_PATH/info.rules
>> include $RULE_PATH/malware-backdoor.rules
>> include $RULE_PATH/malware-cnc.rules
>> include $RULE_PATH/malware-other.rules
>> include $RULE_PATH/malware-tools.rules
>> include $RULE_PATH/misc.rules
>> include $RULE_PATH/multimedia.rules
>> include $RULE_PATH/mysql.rules
>> include $RULE_PATH/netbios.rules
>> include $RULE_PATH/nntp.rules
>> include $RULE_PATH/oracle.rules
>> include $RULE_PATH/os-linux.rules
>> include $RULE_PATH/os-mobile.rules
>> include $RULE_PATH/os-other.rules
>> include $RULE_PATH/os-solaris.rules
>> include $RULE_PATH/os-windows.rules
>> include $RULE_PATH/other-ids.rules
>> include $RULE_PATH/p2p.rules
>> include $RULE_PATH/phishing-spam.rules
>> include $RULE_PATH/policy-multimedia.rules
>> include $RULE_PATH/policy-other.rules
>> include $RULE_PATH/policy.rules
>> include $RULE_PATH/policy-social.rules
>> include $RULE_PATH/policy-spam.rules
>> include $RULE_PATH/pop2.rules
>> include $RULE_PATH/pop3.rules
>> include $RULE_PATH/protocol-dns.rules
>> include $RULE_PATH/protocol-finger.rules
>> include $RULE_PATH/protocol-ftp.rules
>> include $RULE_PATH/protocol-icmp.rules
>> include $RULE_PATH/protocol-imap.rules
>> include $RULE_PATH/protocol-nntp.rules
>> include $RULE_PATH/protocol-pop.rules
>> include $RULE_PATH/protocol-rpc.rules
>> include $RULE_PATH/protocol-scada.rules
>> include $RULE_PATH/protocol-services.rules
>> include $RULE_PATH/protocol-snmp.rules
>> include $RULE_PATH/protocol-telnet.rules
>> include $RULE_PATH/protocol-tftp.rules
>> include $RULE_PATH/protocol-voip.rules
>> include $RULE_PATH/pua-adware.rules
>> include $RULE_PATH/pua-other.rules
>> include $RULE_PATH/pua-p2p.rules
>> include $RULE_PATH/pua-toolbars.rules
>> include $RULE_PATH/rpc.rules
>> include $RULE_PATH/rservices.rules
>> include $RULE_PATH/scada.rules
>> include $RULE_PATH/scan.rules
>> include $RULE_PATH/server-apache.rules
>> include $RULE_PATH/server-iis.rules
>> include $RULE_PATH/server-mail.rules
>> include $RULE_PATH/server-mssql.rules
>> include $RULE_PATH/server-mysql.rules
>> include $RULE_PATH/server-oracle.rules
>> include $RULE_PATH/server-other.rules
>> include $RULE_PATH/server-samba.rules
>> include $RULE_PATH/server-webapp.rules
>> include $RULE_PATH/shellcode.rules
>> include $RULE_PATH/smtp.rules
>> include $RULE_PATH/snmp.rules
>> include $RULE_PATH/specific-threats.rules
>> include $RULE_PATH/spyware-put.rules
>> include $RULE_PATH/sql.rules
>> include $RULE_PATH/telnet.rules
>> include $RULE_PATH/tftp.rules
>> include $RULE_PATH/virus.rules
>> include $RULE_PATH/voip.rules
>> include $RULE_PATH/web-activex.rules
>> include $RULE_PATH/web-attacks.rules
>> include $RULE_PATH/web-cgi.rules
>> include $RULE_PATH/web-client.rules
>> include $RULE_PATH/web-coldfusion.rules
>> include $RULE_PATH/web-frontpage.rules
>> include $RULE_PATH/web-iis.rules
>> include $RULE_PATH/web-misc.rules
>> include $RULE_PATH/web-php.rules
>> include $RULE_PATH/x11.rules
>>
>> ###################################################
>> # Step #8: Customize your preprocessor and decoder alerts
>> # For more information, see README.decoder_preproc_rules
>> ###################################################
>>
>> # decoder and preprocessor event rules
>> # include $PREPROC_RULE_PATH/preprocessor.rules
>> # include $PREPROC_RULE_PATH/decoder.rules
>> # include $PREPROC_RULE_PATH/sensitive-data.rules
>>
>> ###################################################
>> # Step #9: Customize your Shared Object Snort Rules
>> # For more information, see
>> http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html
>> ###################################################
>>
>> # dynamic library rules
>> # include $SO_RULE_PATH/bad-traffic.rules
>> # include $SO_RULE_PATH/chat.rules
>> # include $SO_RULE_PATH/dos.rules
>> # include $SO_RULE_PATH/exploit.rules
>> # include $SO_RULE_PATH/icmp.rules
>> # include $SO_RULE_PATH/imap.rules
>> # include $SO_RULE_PATH/misc.rules
>> # include $SO_RULE_PATH/multimedia.rules
>> # include $SO_RULE_PATH/netbios.rules
>> # include $SO_RULE_PATH/nntp.rules
>> # include $SO_RULE_PATH/p2p.rules
>> # include $SO_RULE_PATH/smtp.rules
>> # include $SO_RULE_PATH/snmp.rules
>> # include $SO_RULE_PATH/specific-threats.rules
>> # include $SO_RULE_PATH/web-activex.rules
>> # include $SO_RULE_PATH/web-client.rules
>> # include $SO_RULE_PATH/web-iis.rules
>> # include $SO_RULE_PATH/web-misc.rules
>>
>> # Event thresholding or suppression commands. See threshold.conf
>> include threshold.conf
>>
>>
>>  Thank you,
>>
>>    - Mirek
>>
>>
>>
>>
>
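The memory question that started this thread is easiest to approach by first listing which preprocessors in the quoted snort.conf carry an explicit cap (memcap or max_sessions) and which decode or flow depths are set to 0, since Snort 2.9 treats 0 as "no limit" for the SMTP/IMAP/POP *_decode_depth options and the http_inspect flow depths (-1 disables them). The script below is an added example, not code from this thread or from the Snort project: SAMPLE_CONF is a constructed fragment modelled on the directives quoted above, and the set of option names it looks for (BOUND_KEY, UNLIMITED_WHEN_ZERO) is my own choice, so extend it for the preprocessors you care about.

```python
"""Audit memory-related bounds in a Snort 2.9 configuration (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the directives quoted in the thread; it is
# not the poster's full snort.conf. Trailing backslashes are Snort's
# line-continuation syntax, so the parser has to join them first.
SAMPLE_CONF = """\
# SMB / DCE-RPC normalization and anomaly detection.
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor smtp: ports { 25 465 587 691 } \\
    inspection_type stateful \\
    b64_decode_depth 0 \\
    qp_decode_depth 0 \\
    max_command_line_len 512
preprocessor sip: max_sessions 40000, \\
   ports { 5060 5061 5600 }, \\
   max_uri_len 512
preprocessor dnp3: ports { 20000 } \\
   memcap 262144 \\
   check_crc
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist
preprocessor bo
# preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
"""

# Option names treated as memory/size bounds (assumption: a practical subset).
# Units differ per preprocessor (dcerpc2 memcap is in KB, reputation in MB,
# dnp3 in bytes); check the README for each before comparing numbers.
BOUND_KEY = re.compile(r"^(memcap|max_sessions|chunk_length|\w+_depth|max_\w+_len)$")
# Options where a value of 0 means "unlimited" rather than "off" in Snort 2.9.
UNLIMITED_WHEN_ZERO = re.compile(r"^(\w+_decode_depth|(server|client)_flow_depth|post_depth)$")
# A token is a brace list, a bracket list, or a bare word; commas are separators.
TOKEN = re.compile(r"\{[^}]*\}|\[[^\]]*\]|[^\s,]+")
DIRECTIVE = re.compile(r"^preprocessor\s+(\w+)\s*:?\s*(.*)$")


def join_continuations(conf: str) -> List[str]:
    """Merge lines ending in a backslash into one logical line."""
    lines, buf = [], ""
    for raw in conf.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_preprocessors(conf: str) -> List[Tuple[str, Dict[str, int]]]:
    """Return (preprocessor name, {bound option: integer value}) per directive.

    Commented-out directives are skipped, so a '# preprocessor sfportscan ...'
    line correctly does not count as a configured cap.
    """
    found: List[Tuple[str, Dict[str, int]]] = []
    for line in join_continuations(conf):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = DIRECTIVE.match(s)
        if not m:
            continue
        name, args = m.group(1), m.group(2)
        tokens = TOKEN.findall(args)
        bounds: Dict[str, int] = {}
        for i, tok in enumerate(tokens[:-1]):
            if BOUND_KEY.match(tok):
                val = tokens[i + 1].strip("{}[] ")  # memcap { 10000000 } form
                if re.fullmatch(r"-?\d+", val):
                    bounds[tok] = int(val)
        found.append((name, bounds))
    return found


def audit(conf: str) -> Dict[str, List[str]]:
    """Group preprocessors by whether they carry an explicit cap and flag
    depth options set to 0 (unlimited)."""
    report: Dict[str, List[str]] = {"memcap": [], "without_explicit_cap": [], "unlimited": []}
    for name, bounds in parse_preprocessors(conf):
        cap = next((k for k in ("memcap", "max_sessions") if k in bounds), None)
        if cap:
            report["memcap"].append(f"{name}: {cap}={bounds[cap]}")
        else:
            report["without_explicit_cap"].append(name)
        for key, val in bounds.items():
            if val == 0 and UNLIMITED_WHEN_ZERO.match(key):
                report["unlimited"].append(f"{name}: {key}=0")
    return report


if __name__ == "__main__":
    for section, items in audit(SAMPLE_CONF).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run it against a real snort.conf by replacing SAMPLE_CONF with the file contents; the "unlimited" section is the place to start when memory climbs under load, since those depths let a single session hold as much decoded data as the peer sends, and the "without_explicit_cap" section shows which preprocessors are running on their README defaults rather than a value you chose.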