[Snort-users] Super slow inline performance of snort 2.9.6.0

N0de n01doffvoid at ...11827...
Sun Apr 19 16:56:56 EDT 2015


Hi all,

I'm running the attached configuration file with an up-to-date connectivity
policy ruleset selected through pulledpork (around 840 rules total).

The result of this configuration when run inline was about 600 alerts
from the ppm preprocessor, configured to fastpath any packet taking too
long to process (1 second).

What I cannot make sense of is that the server was 96% idle on average
during that test run, no alert was raised other than gid 134, and ppm reported
that the average delay was 20usec at snort exit. Basically: Snort wasn't
able to analyse the packets in time while the server was completely idle. :|

Snort.stats is telling us that the maximum observed bandwidth was
14mbits/s.

Do you see anything weird in the following configuration file? Anything
conflicting? Thank you for any input that you may have.

Snort: 2.9.6.0

Snort was run this way:

/usr/bin/snort --dynamic-engine-lib /usr/lib/snort_dynamicengine/libsf_engine.so \
    --dynamic-preprocessor-lib-dir /usr/lib/snort_dynamicpreprocessor/ \
    --dynamic-detection-lib-dir /usr/lib/snort_dynamicrules/ \
    -i eth2:eth3 -c snort.conf -l /var/log \
    --perfmon-file snort.stats --enable-inline-test -M


Here are the timestamps of when PPM alerts were raised:

*1 x Sat Apr 11 09:12:50 EDT 2015*

*1 x Sat Apr 11 09:59:44 EDT 2015*

*2 x Sat Apr 11 10:00:10 EDT 2015*

*2 x Sat Apr 11 10:02:12 EDT 2015*

*2 x Sat Apr 11 10:04:51 EDT 2015*

*1 x Sat Apr 11 10:06:14 EDT 2015*

*13 x Sat Apr 11 10:06:22 EDT 2015*

*13 x Sat Apr 11 10:06:38 EDT 2015*

*13 x Sat Apr 11 10:07:01 EDT 2015*

*14 x Sat Apr 11 10:07:14 EDT 2015*

*13 x Sat Apr 11 10:08:13 EDT 2015*

*3 x Sat Apr 11 10:09:16 EDT 2015*

*1 x Sat Apr 11 10:12:19 EDT 2015*

*16 x Sat Apr 11 10:12:20 EDT 2015*

*1 x Sat Apr 11 10:12:21 EDT 2015*

*27 x Sat Apr 11 10:12:22 EDT 2015*

*1 x Sat Apr 11 10:12:23 EDT 2015*

*1 x Sat Apr 11 10:12:26 EDT 2015*

*1 x Sat Apr 11 10:12:27 EDT 2015*

*2 x Sat Apr 11 10:12:28 EDT 2015*

*1 x Sat Apr 11 10:12:29 EDT 2015*

*31 x Sat Apr 11 10:13:22 EDT 2015*

*11 x Sat Apr 11 10:13:23 EDT 2015*

*14 x Sat Apr 11 10:13:25 EDT 2015*

*3 x Sat Apr 11 10:14:22 EDT 2015*

*2 x Sat Apr 11 10:16:23 EDT 2015*

*1 x Sat Apr 11 10:19:25 EDT 2015*

*2 x Sat Apr 11 10:20:26 EDT 2015*

*3 x Sat Apr 11 10:22:28 EDT 2015*

*1 x Sat Apr 11 10:25:30 EDT 2015*

*1 x Sat Apr 11 10:28:32 EDT 2015*

*1 x Sat Apr 11 10:28:33 EDT 2015*

*39 x Sat Apr 11 10:28:35 EDT 2015*

*5 x Sat Apr 11 10:28:36 EDT 2015*

*1 x Sat Apr 11 10:28:42 EDT 2015*

*17 x Sat Apr 11 10:28:44 EDT 2015*

*1 x Sat Apr 11 10:28:52 EDT 2015*

*1 x Sat Apr 11 10:29:25 EDT 2015*

*1 x Sat Apr 11 10:30:34 EDT 2015*

*1 x Sat Apr 11 10:31:35 EDT 2015*

*2 x Sat Apr 11 10:32:37 EDT 2015*

*1 x Sat Apr 11 10:33:38 EDT 2015*

*2 x Sat Apr 11 10:34:39 EDT 2015*

*1 x Sat Apr 11 10:38:42 EDT 2015*

*1 x Sat Apr 11 10:41:45 EDT 2015*

*1 x Sat Apr 11 10:42:21 EDT 2015*

*2 x Sat Apr 11 10:42:22 EDT 2015*

*2 x Sat Apr 11 10:43:46 EDT 2015*

*1 x Sat Apr 11 10:45:47 EDT 2015*

*1 x Sat Apr 11 10:47:49 EDT 2015*

*1 x Sat Apr 11 10:49:50 EDT 2015*

*2 x Sat Apr 11 10:51:51 EDT 2015*

*1 x Sat Apr 11 10:52:52 EDT 2015*

*3 x Sat Apr 11 10:53:53 EDT 2015*

*1 x Sat Apr 11 10:54:54 EDT 2015*

*2 x Sat Apr 11 10:55:55 EDT 2015*

*1 x Sat Apr 11 10:58:31 EDT 2015*

*2 x Sat Apr 11 10:58:32 EDT 2015*

*2 x Sat Apr 11 10:59:58 EDT 2015*

*2 x Sat Apr 11 11:01:59 EDT 2015*

*1 x Sat Apr 11 11:02:00 EDT 2015*

*13 x Sat Apr 11 11:03:28 EDT 2015*

*1 x Sat Apr 11 11:04:00 EDT 2015*

*1 x Sat Apr 11 11:08:03 EDT 2015*

*2 x Sat Apr 11 11:09:04 EDT 2015*

*3 x Sat Apr 11 11:11:05 EDT 2015*

*1 x Sat Apr 11 11:13:57 EDT 2015*

*2 x Sat Apr 11 11:13:58 EDT 2015*

*10 x Sat Apr 11 11:16:01 EDT 2015*

*2 x Sat Apr 11 11:16:02 EDT 2015*

*1 x Sat Apr 11 12:53:05 EDT 2015*

*2 x Sat Apr 11 12:55:06 EDT 2015*

*2 x Sat Apr 11 12:58:07 EDT 2015*

*1 x Sat Apr 11 13:00:01 EDT 2015*

*2 x Sat Apr 11 13:02:10 EDT 2015*

*2 x Sat Apr 11 13:03:11 EDT 2015*

*8 x Sat Apr 11 13:04:44 EDT 2015*

*1 x Sat Apr 11 13:05:13 EDT 2015*

*2 x Sat Apr 11 13:07:14 EDT 2015*

*39 x Sat Apr 11 13:08:47 EDT 2015*

*23 x Sat Apr 11 13:08:48 EDT 2015*

*2 x Sat Apr 11 13:09:15 EDT 2015*

*2 x Sat Apr 11 13:11:16 EDT 2015*

*2 x Sat Apr 11 13:14:18 EDT 2015*

*1 x Sat Apr 11 13:16:19 EDT 2015*

*2 x Sat Apr 11 13:19:21 EDT 2015*

*2 x Sat Apr 11 13:20:22 EDT 2015*

*13 x Sat Apr 11 13:22:02 EDT 2015*

*23 x Sat Apr 11 13:22:03 EDT 2015*

*10 x Sat Apr 11 13:22:04 EDT 2015*

*12 x Sat Apr 11 13:22:05 EDT 2015*

*13 x Sat Apr 11 13:22:06 EDT 2015*

*13 x Sat Apr 11 13:22:52 EDT 2015*

*1 x Sat Apr 11 13:24:25 EDT 2015*

*13 x Sat Apr 11 13:24:58 EDT 2015*

*13 x Sat Apr 11 13:25:37 EDT 2015*

*13 x Sat Apr 11 13:26:09 EDT 2015*

*13 x Sat Apr 11 13:26:12 EDT 2015*

*26 x Sat Apr 11 13:26:34 EDT 2015*

*1 x Sat Apr 11 13:27:26 EDT 2015*

*1 x Sat Apr 11 13:28:27 EDT 2015*

*13 x Sat Apr 11 13:29:20 EDT 2015*

*13 x Sat Apr 11 13:29:21 EDT 2015*

*2 x Sat Apr 11 13:29:22 EDT 2015*

*13 x Sat Apr 11 13:29:24 EDT 2015*

*13 x Sat Apr 11 13:29:48 EDT 2015*

*41 x Sat Apr 11 13:29:49 EDT 2015*

*9 x Sat Apr 11 13:29:51 EDT 2015*

*2 x Sat Apr 11 13:30:28 EDT 2015*

*20 x Sat Apr 11 13:31:02 EDT 2015*

*13 x Sat Apr 11 13:31:03 EDT 2015*

*15 x Sat Apr 11 13:31:04 EDT 2015*

*2 x Sat Apr 11 13:31:05 EDT 2015*

*16 x Sat Apr 11 13:31:08 EDT 2015*

*13 x Sat Apr 11 13:31:20 EDT 2015*

*10 x Sat Apr 11 13:31:21 EDT 2015*

*1 x Sat Apr 11 13:32:30 EDT 2015*

*13 x Sat Apr 11 13:32:53 EDT 2015*

*2 x Sat Apr 11 13:34:31 EDT 2015*

*2 x Sat Apr 11 13:36:32 EDT 2015*

*1 x Sat Apr 11 13:37:33 EDT 2015*

*2 x Sat Apr 11 13:41:59 EDT 2015*

*2 x Sat Apr 11 13:44:00 EDT 2015*

*1 x Sat Apr 11 13:46:01 EDT 2015*

*1 x Sat Apr 11 13:47:02 EDT 2015*

*1 x Sat Apr 11 13:48:03 EDT 2015*

*2 x Sat Apr 11 13:50:05 EDT 2015*

*1 x Sat Apr 11 13:54:06 EDT 2015*

*13 x Sat Apr 11 13:54:14 EDT 2015*

*13 x Sat Apr 11 13:54:28 EDT 2015*

*9 x Sat Apr 11 13:55:52 EDT 2015*

*2 x Sat Apr 11 13:56:08 EDT 2015*

*1 x Sat Apr 11 13:58:09 EDT 2015*

*2 x Sat Apr 11 14:01:11 EDT 2015*

*1 x Sat Apr 11 14:03:12 EDT 2015*

*1 x Sat Apr 11 14:05:14 EDT 2015*

*2 x Sat Apr 11 14:06:18 EDT 2015*

*1 x Sat Apr 11 14:07:15 EDT 2015*

*1 x Sat Apr 11 16:03:05 EDT 2015*

*1 x Sat Apr 11 16:05:19 EDT 2015*

*26 x Sat Apr 11 16:10:06 EDT 2015*

*15 x Sat Apr 11 16:10:07 EDT 2015*

*2 x Sat Apr 11 16:10:08 EDT 2015*

*2 x Sat Apr 11 16:10:09 EDT 2015*

*3 x Sat Apr 11 16:10:17 EDT 2015*

*2 x Sat Apr 11 16:10:18 EDT 2015*

*13 x Sat Apr 11 16:10:20 EDT 2015*

*28 x Sat Apr 11 16:10:21 EDT 2015*

*3 x Sat Apr 11 16:10:22 EDT 2015*

*2 x Sat Apr 11 16:10:23 EDT 2015*

*3 x Sat Apr 11 16:10:46 EDT 2015*

*2 x Sat Apr 11 16:17:08 EDT 2015*

*1 x Sat Apr 11 16:17:09 EDT 2015*

*1 x Sat Apr 11 16:17:17 EDT 2015*

*92 x Sat Apr 11 16:36:36 EDT 2015*

*52 x Sat Apr 11 16:36:38 EDT 2015*

*74 x Sat Apr 11 16:36:40 EDT 2015*

*87 x Sat Apr 11 16:36:41 EDT 2015*

*8 x Sat Apr 11 16:36:42 EDT 2015*

*13 x Sat Apr 11 16:40:05 EDT 2015*

*13 x Sat Apr 11 16:40:06 EDT 2015*

*2 x Sat Apr 11 16:40:24 EDT 2015*

*1 x Sat Apr 11 16:40:25 EDT 2015*

*1 x Sat Apr 11 21:16:47 EDT 2015*

*5 x Sat Apr 11 21:37:34 EDT 2015*

*17 x Sat Apr 11 21:37:35 EDT 2015*

*2 x Sat Apr 11 22:08:31 EDT 2015*

*1 x Sat Apr 11 22:53:09 EDT 2015*

*11 x Sat Apr 11 22:53:10 EDT 2015*

*1 x Sun Apr 12 00:16:27 EDT 2015*

*1 x Sun Apr 12 00:56:20 EDT 2015*

*6 x Sun Apr 12 00:56:21 EDT 2015*

*5 x Sun Apr 12 00:56:22 EDT 2015*

*10 x Sun Apr 12 07:24:52 EDT 2015*

*14 x Sun Apr 12 07:25:21 EDT 2015*

*26 x Sun Apr 12 07:26:08 EDT 2015*

*1 x Sun Apr 12 07:27:34 EDT 2015*

*1 x Sun Apr 12 07:27:35 EDT 2015*

*14 x Sun Apr 12 07:27:58 EDT 2015*

*2 x Sun Apr 12 07:28:09 EDT 2015*

*3 x Sun Apr 12 14:56:02 EDT 2015*

*1 x Sun Apr 12 18:13:43 EDT 2015*

*15 x Sun Apr 12 18:14:05 EDT 2015*

*3 x Sun Apr 12 18:14:08 EDT 2015*

*12 x Sun Apr 12 18:14:09 EDT 2015*

*3 x Sun Apr 12 18:14:19 EDT 2015*

*12 x Sun Apr 12 18:14:20 EDT 2015*

*15 x Sun Apr 12 18:16:07 EDT 2015*

*15 x Sun Apr 12 18:16:09 EDT 2015*

*1 x Sun Apr 12 18:27:23 EDT 2015*

*2 x Sun Apr 12 18:44:25 EDT 2015*

*1 x Sun Apr 12 19:14:05 EDT 2015*

*15 x Sun Apr 12 19:36:52 EDT 2015*

*16 x Sun Apr 12 19:36:53 EDT 2015*

*15 x Sun Apr 12 19:37:39 EDT 2015*

*2 x Sun Apr 12 19:37:42 EDT 2015*

*42 x Sun Apr 12 19:37:44 EDT 2015*

*20 x Sun Apr 12 19:37:45 EDT 2015*

*15 x Sun Apr 12 19:37:49 EDT 2015*

*16 x Sun Apr 12 19:38:20 EDT 2015*

*1 x Sun Apr 12 20:02:34 EDT 2015*

*24 x Sun Apr 12 20:06:06 EDT 2015*

*107 x Sun Apr 12 20:06:07 EDT 2015*

*15 x Sun Apr 12 20:06:08 EDT 2015*

*31 x Sun Apr 12 20:06:09 EDT 2015*

*32 x Sun Apr 12 20:06:11 EDT 2015*

*1 x Sun Apr 12 20:06:13 EDT 2015*

*62 x Sun Apr 12 20:06:14 EDT 2015*

*15 x Sun Apr 12 20:06:16 EDT 2015*

*16 x Sun Apr 12 20:06:17 EDT 2015*

*1 x Sun Apr 12 20:06:18 EDT 2015*

*1 x Sun Apr 12 20:06:23 EDT 2015*

*1 x Sun Apr 12 20:07:40 EDT 2015*

*39 x Sun Apr 12 20:12:47 EDT 2015*

*100 x Sun Apr 12 20:12:49 EDT 2015*

*53 x Sun Apr 12 20:12:51 EDT 2015*

*84 x Sun Apr 12 20:12:53 EDT 2015*

*17 x Sun Apr 12 20:12:54 EDT 2015*

*1 x Sun Apr 12 20:15:04 EDT 2015*

*2 x Sun Apr 12 20:15:09 EDT 2015*

*3 x Sun Apr 12 20:15:11 EDT 2015*

*3 x Sun Apr 12 20:16:47 EDT 2015*

*1 x Sun Apr 12 20:17:39 EDT 2015*

*15 x Sun Apr 12 20:17:42 EDT 2015*

*1 x Sun Apr 12 20:18:16 EDT 2015*

*1 x Sun Apr 12 20:18:17 EDT 2015*

*1 x Sun Apr 12 20:20:14 EDT 2015*

*1 x Sun Apr 12 20:20:16 EDT 2015*

*2 x Sun Apr 12 20:21:44 EDT 2015*

*2 x Sun Apr 12 20:21:45 EDT 2015*

*1 x Sun Apr 12 20:24:29 EDT 2015*

*1 x Sun Apr 12 20:30:52 EDT 2015*

*1 x Sun Apr 12 20:33:05 EDT 2015*

*1 x Sun Apr 12 20:43:45 EDT 2015*

*1 x Sun Apr 12 20:43:46 EDT 2015*

*1 x Sun Apr 12 20:47:32 EDT 2015*

*1 x Sun Apr 12 20:47:33 EDT 2015*

*2 x Sun Apr 12 20:57:23 EDT 2015*

*4 x Sun Apr 12 20:58:31 EDT 2015*

*16 x Sun Apr 12 21:00:12 EDT 2015*

*3 x Sun Apr 12 21:04:46 EDT 2015*

*1 x Sun Apr 12 21:07:44 EDT 2015*

*10 x Mon Apr 13 06:53:30 EDT 2015*

*5 x Mon Apr 13 06:53:31 EDT 2015*

*16 x Mon Apr 13 06:53:32 EDT 2015*

*14 x Mon Apr 13 06:53:36 EDT 2015*

*11 x Mon Apr 13 06:54:43 EDT 2015*

*17 x Mon Apr 13 06:54:50 EDT 2015*

*1 x Mon Apr 13 06:55:13 EDT 2015*

*15 x Mon Apr 13 06:55:14 EDT 2015*

*1 x Mon Apr 13 06:55:15 EDT 2015*

*11 x Mon Apr 13 06:55:23 EDT 2015*

*1 x Mon Apr 13 06:55:26 EDT 2015*

*8 x Mon Apr 13 06:55:43 EDT 2015*

*3 x Mon Apr 13 06:55:44 EDT 2015*

*14 x Mon Apr 13 06:55:50 EDT 2015*

*26 x Mon Apr 13 06:55:59 EDT 2015*

*13 x Mon Apr 13 06:56:05 EDT 2015*

*1 x Mon Apr 13 06:56:35 EDT 2015*

*1 x Mon Apr 13 06:56:55 EDT 2015*

*1 x Mon Apr 13 06:57:00 EDT 2015*

*12 x Mon Apr 13 06:57:17 EDT 2015*

*2 x Mon Apr 13 06:57:18 EDT 2015*

*13 x Mon Apr 13 06:57:31 EDT 2015*

*13 x Mon Apr 13 06:59:29 EDT 2015*

*15 x Mon Apr 13 06:59:48 EDT 2015*

*1 x Mon Apr 13 06:59:49 EDT 2015*

*1 x Mon Apr 13 06:59:51 EDT 2015*
-------------- next part --------------

timestamp: 1428698209
Rule Profile Statistics (worst 20 rules)
==========================================================
No rules were profiled

timestamp: 1428698218
Rule Profile Statistics (worst 20 rules)
==========================================================
No rules were profiled

timestamp: 1428714039
Rule Profile Statistics (worst 20 rules)
==========================================================
No rules were profiled

timestamp: 1428800713
Rule Profile Statistics (worst 20 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1    20560   1   7          6         0         0                 251       41.9        0.0         41.9          0
     2    24037   1   5        299         0         0                8856       29.6        0.0         29.6          0
     3    32544   1   1         76         0         0                1969       25.9        0.0         25.9          0
     4    32460   1   1         10         0         0                 255       25.6        0.0         25.6          0
     5    25515   1   2         31         2         0                 722       23.3        1.2         24.8          0
     6    23134   1   3         53         0         0                1132       21.4        0.0         21.4          0
     7    31749   1   1        242         0         0                3691       15.3        0.0          9.5          0
     8    23870   1   6         27         0         0                 362       13.4        0.0         13.4          0
     9    15013   1  12          4         4         0                  39       10.0       10.0          0.0          0
    10    19211   1  12        264       264         0                2508        9.5        9.5          0.0          0
    11    31276   1   1       1390         0         0               12077        8.7        0.0          8.7          0
    12    31279   1   1       1390         0         0               11965        8.6        0.0          8.6          0
    13    28895   1   2         76         0         0                 618        8.1        0.0          8.1          0
    14    21625   1   6         76         0         0                 618        8.1        0.0          8.1          0
    15    32720   1   1          9         0         0                  70        7.8        0.0          7.8          0
    16    16425   1  15          1         0         0                   7        7.5        0.0          7.5          0
    17    24808   1   3       1325         0         0                8006        6.0        0.0          6.0          0
    18    15483   1  13         14        14         0                  81        5.8        5.8          0.0          0
    19    25513   1   3       1026         2         0                5762        5.6        5.2          5.6          0
    20    21623   1   6          8         0         0                  40        5.1        0.0          5.1          0

timestamp: 1428940048
Rule Profile Statistics (worst 20 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1    32460   1   1         12         0         0                 401       33.5        0.0         33.5          0
     2    20560   1   7          9         0         0                 283       31.5        0.0         31.5          0
     3    24037   1   5        694         0         0               17456       25.2        0.0         25.2          0
     4    25515   1   2        181         1         0                3807       21.0        1.9         21.1          0
     5    23134   1   3         69         0         0                1360       19.7        0.0         19.7          0
     6    31749   1   1        354         0         0                5690       16.1        0.0          8.9          0
     7    23870   1   6         12         0         0                 176       14.7        0.0         14.7          0
     8    15237   1  10          1         0         0                  13       14.0        0.0         14.0          0
     9    15865   1  13          2         2         0                  23       11.8       11.8          0.0          0
    10    32544   1   1        268         0         0                2854       10.7        0.0         10.7          0
    11    19211   1  12        724       723         0                6931        9.6        9.6          5.3          0
    12    21623   1   6         20         0         0                 175        8.8        0.0          8.8          0
    13    28896   1   2         20         0         0                 175        8.8        0.0          8.8          0
    14    27598   1   1          3         0         0                  21        7.0        0.0          7.0          0
    15    25513   1   3       2691         0         0               17642        6.6        0.0          6.6          0
    16    15483   1  13         49        49         0                 302        6.2        6.2          0.0          0
    17    24808   1   3       1466         0         0                8932        6.1        0.0          6.1          0
    18    32720   1   1         10         0         0                  57        5.7        0.0          5.7          0
    19    31276   1   1        322         0         0                1839        5.7        0.0          5.7          0
    20    31279   1   1        322         0         0                1710        5.3        0.0          5.3          0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.stats
Type: application/octet-stream
Size: 226569 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150419/dbef3d48/attachment.obj>
-------------- next part --------------

timestamp: 1428698209
Preprocessor Profile Statistics (worst 20)
==========================================================
No Preprocessors were profiled

timestamp: 1428698218
Preprocessor Profile Statistics (worst 20)
==========================================================
No Preprocessors were profiled

timestamp: 1428714039
Preprocessor Profile Statistics (worst 20)
==========================================================
No Preprocessors were profiled

timestamp: 1428800713
Preprocessor Profile Statistics (worst 20)
==========================================================
 Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====           =========  ========= ============= ============
  1                    frag3     0         40         40                 385       9.63          0.00         0.00
   1             frag3insert     1         23         23                  35       1.56          9.31         0.00
   2            frag3rebuild     1         17         17                  16       0.96          4.24         0.00
  2                   detect     0    7684924    7684924            68923119       8.97         47.14        47.14
   1                    mpse     1    5545628    5545628            68037431      12.27         98.71        46.53
   2               rule eval     1    5164918    5164918             1260865       0.24          1.83         0.86
    1               rtn eval     2        459        459                 371       0.81          0.03         0.00
    2         rule tree eval     2    5164918    5164918             1085754       0.21         86.11         0.74
     1                  pcre     3       1598       1598               14856       9.30          1.37         0.01
     2               content     3      48618      48618               65541       1.35          6.04         0.04
     3             byte_test     3        599        599                 479       0.80          0.04         0.00
     4            uricontent     3          1          1                   0       0.56          0.00         0.00
     5             byte_jump     3          4          4                   1       0.44          0.00         0.00
     6  preproc_rule_options     3      98632      98632               23560       0.24          2.17         0.02
     7          urilen_check     3         13         13                   1       0.15          0.00         0.00
     8             file_data     3      54787      54787                1240       0.02          0.11         0.00
     9                  flow     3    4315769    4315769               84262       0.02          7.76         0.06
    10              flowbits     3    2849766    2849766               53382       0.02          4.92         0.04
  3                       s5     0    7446525    7446525            61955727       8.32         42.37        42.37
   1                   s5tcp     1    6953068    6953068            56430269       8.12         91.08        38.59
    1             s5TcpState     2    6940090    6940090            52366743       7.55         92.80        35.81
     1            s5TcpFlush     3     581802     581802             1357666       2.33          2.59         0.93
      1  s5TcpProcessRebuilt     4     581816     581816            40863060      70.23       3009.80        27.95
      2     s5TcpBuildPacket     4     581816     581816              674924       1.16         49.71         0.46
     2             s5TcpData     3    4035914    4035914             3944591       0.98          7.53         2.70
      1       s5TcpPktInsert     4    3034872    3034872             3026144       1.00         76.72         2.07
     3              s5TcpPAF     3    4261148    4261148              699773       0.16          1.34         0.48
    2           s5TcpNewSess     2      51598      51598              104922       2.03          0.19         0.07
   2                   s5udp     1     493457     493457              598120       1.21          0.97         0.41
  4               DceRpcMain     0    3951134    3951134            22102796       5.59         15.12        15.12
   1            DceRpcDetect     1     406316     406316            19242291      47.36         87.06        13.16
   2           DceRpcCoReass     1      34454      34454              252394       7.33          1.14         0.17
   3             DceRpcCoSeg     1          1          1                   1       1.43          0.00         0.00
   4            DceRpcCoFrag     1     352010     352010              241325       0.69          1.09         0.17
   5      DceRpcSmbNegotiate     1        539        539                 347       0.65          0.00         0.00
   6           DceRpcSession     1    3951134    3951682             1290833       0.33          5.84         0.88
    1       DceRpcNewSession     2    1814321    1814321              524483       0.29         40.63         0.36
    2     DceRpcSessionState     2     406865     406865               30920       0.08          2.40         0.02
   7            DceRpcSmbReq     1       1626       1626                 386       0.24          0.00         0.00
   8            DceRpcSmbFid     1        548        548                  78       0.14          0.00         0.00
   9             DceRpcCoCtx     1     433848     433848               60375       0.14          0.27         0.04
  10               DceRpcLog     1     475772     475772               57855       0.12          0.26         0.04
  5                      ssl     0     135023     135023              746230       5.53          0.51         0.51
  6              httpinspect     0    3656470    3656470             8389253       2.29          5.74         5.74
  7            ftptelnet_ftp     0        334        334                 632       1.89          0.00         0.00
  8                   decode     0    7697914    7697914             9822374       1.28          6.72         6.72
  9               sfportscan     0    7439929    7439929             3294390       0.44          2.25         2.25
 10                  perfmon     0    8270269    8270269             2564024       0.31          1.75         1.75
 11                     dnp3     0     494535     494535              134210       0.27          0.09         0.09
 12                      sip     0     675089     675089              153716       0.23          0.11         0.11
 13                     smtp     0    3133640    3133640              663215       0.21          0.45         0.45
 14               reputation     0    7527572    7527572             1152611       0.15          0.79         0.79
 15                      dns     0      59163      59163                8890       0.15          0.01         0.01
 16                   eventq     0   15960639   15960639             1683147       0.11          1.15         1.15
 17                   modbus     0    3131051    3131051              319937       0.10          0.22         0.22
 18                      ssh     0    3131051    3131051              301924       0.10          0.21         0.21
 total                 total     0    7689403    7689403           146222707      19.02          0.00         0.00

timestamp: 1428940048
Preprocessor Profile Statistics (worst 20)
==========================================================
 Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====           =========  ========= ============= ============
  1                    frag3     0        599        599                5665       9.46          0.00         0.00
   1             frag3insert     1        302        302                 339       1.12          6.00         0.00
   2            frag3rebuild     1        297        297                 255       0.86          4.50         0.00
  2                   detect     0   18882958   18882958           154157544       8.16         43.96        43.96
   1                    mpse     1   13579495   13579495           142394746      10.49         92.37        40.61
   2               rule eval     1    7621378    7621378             2380766       0.31          1.54         0.68
    1               rtn eval     2       1137       1137                 915       0.81          0.04         0.00
    2         rule tree eval     2    7621378    7621378             2022970       0.27         84.97         0.58
     1                  pcre     3       3835       3835               33434       8.72          1.65         0.01
     2            uricontent     3          5          5                   9       1.93          0.00         0.00
     3               content     3      92741      92741              101562       1.10          5.02         0.03
     4             byte_test     3       1427       1427                1226       0.86          0.06         0.00
     5             byte_jump     3          4          4                   1       0.48          0.00         0.00
     6  preproc_rule_options     3     258235     258235               58111       0.23          2.87         0.02
     7              isdataat     3          2          2                   0       0.18          0.00         0.00
     8          urilen_check     3         51         51                   6       0.14          0.00         0.00
     9             file_data     3      17056      17056                 679       0.04          0.03         0.00
    10                  flow     3    6787978    6787978              175649       0.03          8.68         0.05
    11              flowbits     3    2517563    2517563               57140       0.02          2.82         0.02
  3                       s5     0   18674874   18674874           130341125       6.98         37.17        37.17
   1                   s5tcp     1   16439136   16439136           113705106       6.92         87.24        32.42
    1             s5TcpState     2   16434191   16434191           104067409       6.33         91.52        29.68
     1            s5TcpFlush     3    1359152    1359152             2790831       2.05          2.68         0.80
      1  s5TcpProcessRebuilt     4    1359171    1359171            79166251      58.25       2836.65        22.58
      2     s5TcpBuildPacket     4    1359171    1359171             1308550       0.96         46.89         0.37
     2             s5TcpData     3    9953165    9953165             7644370       0.77          7.35         2.18
      1       s5TcpPktInsert     4    6146388    6146388             5476132       0.89         71.64         1.56
     3              s5TcpPAF     3   10451411   10451411             1575618       0.15          1.51         0.45
    2           s5TcpNewSess     2      92917      92917              182355       1.96          0.16         0.05
   2                   s5udp     1    2235738    2235738             2878024       1.29          2.21         0.82
  4                      ssl     0     207944     207944             1244064       5.98          0.35         0.35
  5               DceRpcMain     0   11789317   11789317            62760638       5.32         17.90        17.90
   1            DceRpcDetect     1    1108158    1108158            53855013      48.60         85.81        15.36
   2           DceRpcCoReass     1      96319      96319              714368       7.42          1.14         0.20
   3            DceRpcCoFrag     1     988079     988079              652801       0.66          1.04         0.19
   4      DceRpcSmbNegotiate     1       1697       1697                1085       0.64          0.00         0.00
   5           DceRpcSession     1   11789317   11791039             4492159       0.38          7.16         1.28
    1       DceRpcNewSession     2    5794629    5794629             2023486       0.35         45.04         0.58
    2     DceRpcSessionState     2    1109880    1109880               82462       0.07          1.84         0.02
   6            DceRpcSmbReq     1       5116       5116                1272       0.25          0.00         0.00
   7            DceRpcSmbFid     1       1722       1722                 262       0.15          0.00         0.00
   8             DceRpcCoCtx     1    1200643    1200643              152222       0.13          0.24         0.04
   9               DceRpcLog     1    1302518    1302518              147165       0.11          0.23         0.04
  6            ftptelnet_ftp     0       1103       1103                2110       1.91          0.00         0.00
  7                   decode     0   19024618   19024618            25240228       1.33          7.20         7.20
  8              httpinspect     0    9917192    9917192            11205946       1.13          3.20         3.20
  9               sfportscan     0   18628919   18628919            11173468       0.60          3.19         3.19
 10                  perfmon     0   20365934   20365934             6409812       0.31          1.83         1.83
 11                     dnp3     0    2238800    2238800              573925       0.26          0.16         0.16
 12                      sip     0    4832721    4832721             1131755       0.23          0.32         0.32
 13                     smtp     0    8639541    8639541             2004228       0.23          0.57         0.57
 14                      ssh     0    8638697    8638697             1782666       0.21          0.51         0.51
 15               reputation     0   18742989   18742989             3070248       0.16          0.88         0.88
 16                      dns     0     119856     119856               16207       0.14          0.00         0.00
 17                   eventq     0   39376316   39376316             4465001       0.11          1.27         1.27
 18                   modbus     0    8638697    8638697              903829       0.10          0.26         0.26
 total                 total     0   19008424   19008424           350673636      18.45          0.00         0.00
-------------- next part --------------
config ppm:max-pkt-time 1000, fastpath-expensive-packets, pkt-log alert
config detection:search-method ac-nq search-optimize max-pattern-len 20
config flowbits_size:576
config event_queue:max_queue 8 log 3 order_events content_length
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config checksum_mode:all
config pcre_match_limit:3500
config pcre_match_limit_recursion:1500
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
config profile_preprocs:print 20, sort avg_ticks, filename preproc.stats.log append
config profile_rules:print 20, sort avg_ticks, filename rules.stats.log append
config daq_mode:inline
config daq_dir:/usr/lib64/daq
config daq:afpacket
config daq_var:buffer_size_mb=1024
config enable_decode_drops
var HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var FTP_SERVERS $HOME_NET
var SSH_SERVERS $HOME_NET
var POP_SERVERS $HOME_NET
var IMAP_SERVERS $HOME_NET
var RPC_SERVERS $HOME_NET
var WWW_SERVERS $HOME_NET
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1024:
var AUTH_PORTS 113
var DNS_PORTS 53
var FINGER_PORTS 79
var FTP_PORTS [21,2100,3535]
var IMAP_PORTS 143
var IRC_PORTS [6665,6666,6667,6668,6669,7000]
var MSSQL_PORTS 1433
var NNTP_PORTS 119
var POP2_PORTS 109
var POP3_PORTS 110
var SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
var RLOGIN_PORTS 513
var RSH_PORTS 514
var SMB_PORTS [139,445]
var SMTP_PORTS 25
var SNMP_PORTS 161
var SSH_PORTS 22
var TELNET_PORTS 23
var MAIL_PORTS [25,143,465,691]
var SSL_PORTS [25,443,465,636,993,995]
var DCERPC_NCACN_IP_TCP [139,445]
var DCERPC_NCADG_IP_UDP [138,1024:]
var DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
var DCERPC_NCACN_UDP_LONG [135,1024:]
var DCERPC_NCACN_UDP_SHORT [135,593,1024:]
var DCERPC_NCACN_TCP [2103,2105,2107]
var DCERPC_BRIGHTSTORE [6503,6504]
var RULE_PATH ../rules
var SIP_SERVERS $HOME_NET 
var SIP_PORTS [5060,5061,5600]
var FILE_DATA_PORTS [$HTTP_PORTS,110,143]
var GTP_PORTS [2123,2152,3386] 
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor frag3_global:max_frags 65536
preprocessor frag3_engine:policy Windows detect_anomalies min_ttl 1 timeout 180
preprocessor http_inspect:global decompress_depth 65535 compress_depth 65535 iis_unicode_map unicode.map 1252
preprocessor http_inspect_server:server default max_spaces 200 extended_response_inspection inspect_gzip unlimited_decompress enable_cookie normalize_javascript http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } normalize_utf webroot no iis_delimiter no apache_whitespace no directory no iis_backslash no multi_slash no non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } bare_byte no u_encode yes double_decode no iis_unicode no utf_8 no ascii no oversize_dir_length 500 no_alerts chunk_length 500000 post_depth 65495 client_flow_depth 0 server_flow_depth 0 ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 }
preprocessor perfmonitor:pktcnt 5000 snortfile snort.stats time 300
preprocessor rpc_decode:111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779  no_alert_large_fragments no_alert_incomplete no_alert_multiple_requests
preprocessor sfportscan:sense_level { low } scan_type { all } proto { tcp udp }
preprocessor stream5_global:max_udp 131072,track_icmp no,track_udp yes,max_udp 131072,track_tcp yes,max_tcp 262144,memcap 134217728
preprocessor stream5_tcp:max_queued_segs 2621,ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7907 7000 7001 7071 7144 7145 7510 7802 7770 7777 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712,policy windows,timeout 180
preprocessor stream5_udp:ignore_any_rules,timeout 180
preprocessor dcerpc2:events [co ],memcap 102400
preprocessor dcerpc2_server:default,smb_invalid_shares ["C$", "D$", "ADMIN$"],smb_max_chain 3,autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:],detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593],policy WinXP
preprocessor dns:enable_rdata_overflow ports { 53 }
preprocessor ftp_telnet:global inspection_type stateful encrypted_traffic no
preprocessor ftp_telnet_protocol:telnet normalize ayt_attack_thresh 60
preprocessor ftp_telnet_protocol:ftp server default data_chan chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } cmd_validity ALLO < int [ char R int ] > cmd_validity EPSV < [ { char 12 | char A char L char L } ] > cmd_validity MACB < string > cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > cmd_validity MODE < char ASBCZ > cmd_validity PORT < host_port > cmd_validity PROT < char CSEP > cmd_validity STRU < char FRPO [ string ] > cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } alt_max_param_len 256 { CWD RNTO } alt_max_param_len 400 { PORT } alt_max_param_len 512 { SIZE } def_max_param_len 100 ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } ports { 21 2100 3535 }
preprocessor ftp_telnet_protocol:ftp client default bounce yes max_resp_len 256 telnet_cmds no
preprocessor smtp:log_email_hdrs log_filename log_rcptto log_mailfrom uu_decode_depth 0 bitenc_decode_depth 0 qp_decode_depth 0 b64_decode_depth 0 valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } xlink2state { enable } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN EHLO } alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } no_alerts max_response_line_len 512 max_header_line_len 1000 max_command_line_len 512 normalize cmds inspection_type stateful ports { 25 465 587 691 }
preprocessor ssh:enable_srvoverflow enable_ssh1crc32 enable_respoverflow max_server_version_len 100 max_client_bytes 19600 max_encrypted_packets 20 autodetect server_ports { 22 }
preprocessor ssl:trustservers,noinspect_encrypted,ports { 443 465 563 636 989 992 993 994 995 7801 7702 7802 7900 7901 7902 7903 7904 7905 7906 6907 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }
preprocessor sip:max_content_len 1024,max_contact_len 512,max_via_len 1024,max_to_len 256,max_from_len 256,max_requestName_len 20,max_call_id_len 80,max_uri_len 512,methods { invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack },ports { 5060 5061 5600 },max_sessions 10000
preprocessor modbus:ports { 502 }
preprocessor dnp3:check_crc memcap 262144 ports { 20000 }
preprocessor normalize_ip4
preprocessor normalize_tcp:ecn stream ips
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor reputation:white trust,scan_local,blacklist $BLACK_LIST_PATH/blacklist.list,whitelist $WHITE_LIST_PATH/whitelist.list,nested_ip inner,priority whitelist,memcap 500
suppress gen_id 123, sig_id 8 
suppress gen_id 122, sig_id 27 
suppress gen_id 126, sig_id 2 
suppress gen_id 140, sig_id 2 
suppress gen_id 140, sig_id 10 
suppress gen_id 145, sig_id 2 
suppress gen_id 120, sig_id 8 
suppress gen_id 140, sig_id 12 
suppress gen_id 137, sig_id 1 
suppress gen_id 133, sig_id 27 
suppress gen_id 133, sig_id 28 
suppress gen_id 120, sig_id 8 
suppress gen_id 136, sig_id 2
output unified2:filename snort.log,limit 256
include include_rule_files.config
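
Added example, not part of the original post or of Snort: a small Python check run over lines taken from the configuration above. It assumes, per the Snort 2.9 manual, that ppm `max-pkt-time` is expressed in microseconds, and it reports options and suppress entries that appear more than once; `audit` and `split_top_level` are names chosen for this example.

```python
import re
from collections import Counter

# Lines taken from the configuration posted above (stream5_tcp port lists shortened).
SAMPLE_CONF = """\
config ppm:max-pkt-time 1000, fastpath-expensive-packets, pkt-log alert
preprocessor stream5_global:max_udp 131072,track_icmp no,track_udp yes,max_udp 131072,track_tcp yes,max_tcp 262144,memcap 134217728
preprocessor stream5_tcp:max_queued_segs 2621,ports client 21 22 23, ports both 80 443,policy windows,timeout 180
suppress gen_id 120, sig_id 8
suppress gen_id 140, sig_id 12
suppress gen_id 120, sig_id 8
"""

def split_top_level(options):
    """Split on commas that are not inside [...] or {...}."""
    parts, depth, cur = [], 0, ""
    for ch in options:
        depth += ch in "[{"
        depth -= ch in "]}"
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def audit(conf_text):
    """Return findings for a Snort 2.9 style snort.conf."""
    findings, suppress = [], Counter()
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+ppm\s*:.*?max-pkt-time\s+(\d+)", line)
        if m:
            # Assumption: max-pkt-time is in microseconds (Snort 2.9 manual).
            usec = int(m.group(1))
            findings.append(f"ppm max-pkt-time {usec} usec = {usec / 1000:g} ms")
        m = re.match(r"preprocessor\s+(\w+)\s*:\s*(.*)", line)
        if m:
            words = [o.split() for o in split_top_level(m.group(2)) if o.strip()]
            # "ports client ..." and "ports both ..." are distinct stream5_tcp options.
            keys = Counter(" ".join(w[:2]) if w[0] == "ports" else w[0] for w in words)
            findings += [f"{m.group(1)}: option '{k}' given {n} times"
                         for k, n in keys.items() if n > 1]
        m = re.match(r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", line)
        if m:
            suppress[f"{m.group(1)}:{m.group(2)}"] += 1
    findings += [f"suppress {k} listed {n} times" for k, n in suppress.items() if n > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```
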

