[Snort-users] Snort-users Digest, Vol 128, Issue 46

Anna Kowalska annak.koval at ...11827...
Thu Jan 19 16:37:08 EST 2017


Russ, it was:

alert tcp any any -> $HOME_NET 80 (msg:"possible syn flood"; flags:S;
classtype:attempted-dos; threshold: type both, count 20, seconds 1;
sid:1000024;)

2017-01-19 22:02 GMT+01:00 <snort-users-request at lists.sourceforge.net>:

> Today's Topics:
>
>    1. Re: detection_filter not working (Russ)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 19 Jan 2017 16:01:54 -0500
> From: Russ <rucombs at ...589...>
> Subject: Re: [Snort-users] detection_filter not working
> To: snort-users at lists.sourceforge.net
> Message-ID: <c2951e91-e6ee-d51f-1a93-b5e4e1f13713 at ...589...>
> Content-Type: text/plain; charset="windows-1252"
>
> What is the original rule you had with threshold?
>
> On 1/19/17 3:40 PM, Anna Kowalska wrote:
> > Hi,
> >
> > Fatema, I tried it, but it didn't work. Joel gave me a suggestion that
> > maybe my version of Snort (2.9.8.3) has a bug with detection_filter.
> > After I finish working with my current project I will upgrade to 2.9.9
> > version and check if the problem will be gone.
> >
> > 2017-01-19 12:05 GMT+01:00 Al Lewis (allewi) <allewi at ...589...>:
> >
> >     Hello,
> >
> >     Did you get this working?
> >
> >
> >     *Albert Lewis*
> >
> >     ENGINEER.SOFTWARE ENGINEERING
> >
> >     SOURCE*fire*, Inc. now part of *Cisco*
> >
> >     Email: allewi at ...589...
> >
> >
> >     From: Anna Kowalska <annak.koval at ...11827...>
> >     Date: Saturday, January 14, 2017 at 8:20 AM
> >     To: 'snort-users' <snort-users at lists.sourceforge.net>
> >     Subject: [Snort-users] detection_filter not working
> >
> >     Hi all,
> >
> >     I am struggling with making one rule work. I want to set an alarm
> >     when Snort detects too many SYN packets (a possible TCP SYN
> >     flood), and it works when I use the threshold option in the rule. Then I
> >     tried it with detection_filter and it doesn't give any alarm.
> >     Here is the rule I wrote in my local.rules file:
> >
> >     alert tcp any any -> $HOME_NET 80 (msg:"syn flood attempt";
> >     flags:S; classtype:attempted-dos; detection_filter: track by_src,
> >     count 20, seconds 1; sid: 1000024;)
> >
> >     I proceeded with hping3, but Snort generated no output. Please tell
> >     me what I am doing wrong; maybe I forgot to attach something to the
> >     configuration, but I really have no idea what it could be.
> >
> >     commandline: snort -i eth0 -c /etc/snort/snort.conf -A console
> >
> >     configuration file:
> >     ###################################################
> >     # Step #3: Configure the base detection engine.  For more
> >     information, see  README.decode
> >     ###################################################
> >
> >     # Configure PCRE match limitations
> >     config pcre_match_limit: 3500
> >     config pcre_match_limit_recursion: 1500
> >
> >     # Configure the detection engine  See the Snort Manual,
> >     Configuring Snort - Includes - Config
> >     config detection: search-method ac-split search-optimize
> >     max-pattern-len 20
> >
> >     # Configure the event queue.  For more information, see
> >     README.event_queue
> >     config event_queue: max_queue 8 log 5 order_events content_length
> >
> >     ###################################################
> >     ## Configure GTP if it is to be used.
> >     ## For more information, see README.GTP
> >     ####################################################
> >
> >     # config enable_gtp
> >
> >     ###################################################
> >     # Per packet and rule latency enforcement
> >     # For more information see README.ppm
> >     ###################################################
> >
> >     # Per Packet latency configuration
> >     #config ppm: max-pkt-time 250, \
> >     #   fastpath-expensive-packets, \
> >     #   pkt-log
> >
> >     # Per Rule latency configuration
> >     #config ppm: max-rule-time 200, \
> >     #   threshold 3, \
> >     #   suspend-expensive-rules, \
> >     #   suspend-timeout 20, \
> >     #   rule-log alert
> >
> >     ###################################################
> >     # Configure Perf Profiling for debugging
> >     # For more information see README.PerfProfiling
> >     ###################################################
> >
> >     #config profile_rules: print all, sort avg_ticks
> >     #config profile_preprocs: print all, sort avg_ticks
> >
> >     ###################################################
> >     # Configure protocol aware flushing
> >     # For more information see README.stream5
> >     ###################################################
> >     config paf_max: 16000
> >
> >     ###################################################
> >     # Step #4: Configure dynamic loaded libraries.
> >     # For more information, see Snort Manual, Configuring Snort -
> >     Dynamic Modules
> >     ###################################################
> >
> >     # path to dynamic preprocessor libraries
> >     dynamicpreprocessor directory
> >     /usr/local/lib/snort_dynamicpreprocessor/
> >
> >     # path to base preprocessor engine
> >     dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> >
> >     # path to dynamic rules libraries
> >     dynamicdetection directory /usr/local/lib/snort_dynamicrules
> >
> >     ###################################################
> >     # Step #5: Configure preprocessors
> >     # For more information, see the Snort Manual, Configuring Snort -
> >     Preprocessors
> >     ###################################################
> >
> >     # GTP Control Channel Preprocessor. For more information, see
> >     README.GTP
> >     # preprocessor gtp: ports { 2123 3386 2152 }
> >
> >     # Inline packet normalization. For more information, see
> >     README.normalize
> >     # Does nothing in IDS mode
> >     preprocessor normalize_ip4
> >     preprocessor normalize_tcp: block, rsv, pad, urp, req_urg,
> >     req_pay, req_urp, ips, ecn stream
> >     preprocessor normalize_icmp4
> >     preprocessor normalize_ip6
> >     preprocessor normalize_icmp6
> >
> >     # Target-based IP defragmentation. For more information, see
> >     README.frag3
> >     preprocessor frag3_global: max_frags 65536
> >     preprocessor frag3_engine: policy windows detect_anomalies
> >     overlap_limit 10 min_fragment_length 100 timeout 180
> >
> >     # Target-Based stateful inspection/stream reassembly.  For more
> >     information, see README.stream5
> >     preprocessor stream5_global: track_tcp yes, \
> >        track_udp yes, \
> >        track_icmp no, \
> >        max_tcp 262144, \
> >        max_udp 131072, \
> >        max_active_responses 2, \
> >        min_response_seconds 5
> >
> >     preprocessor stream5_tcp: policy windows, detect_anomalies,
> >     require_3whs 180, \
> >        overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
> >         ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135
> >     136 137 139 143 \
> >             161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070
> >     6665 6666 6667 6668 6669 \
> >             7000 8181 32770 32771 32772 32773 32774 32775 32776 32777
> >     32778 32779, \
> >         ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443
> >     465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994
> >     995 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809
> >     2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250
> >     5450 5600 5814 6080 6173 6988 7907 7000 7001 7005 7071 7144 7145
> >     7510 7802 7770 7777 7778 7779 \
> >             7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910
> >     7911 7912 7913 7914 7915 7916 \
> >             7917 7918 7919 7920 8000 8001 8008 8014 8015 8020 8028
> >     8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222
> >     8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899
> >     8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788
> >     9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443
> >     34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712
> >     preprocessor stream5_icmp: timeout 30
> >     preprocessor stream5_udp: timeout 180
> >
> >     # performance statistics.  For more information, see the Snort
> >     Manual, Configuring Snort - Preprocessors - Performance Monitor
> >     # preprocessor perfmonitor: time 300 file /var/snort/snort.stats
> >     pktcnt 10000
> >
> >     # HTTP normalization and anomaly detection.  For more information,
> >     see README.http_inspect
> >     preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> >     compress_depth 65535 decompress_depth 65535
> >     preprocessor http_inspect_server: server default \
> >         http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK
> >     NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE
> >     TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND
> >     PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST
> >     CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
> >         chunk_length 500000 \
> >         server_flow_depth 0 \
> >         client_flow_depth 0 \
> >         post_depth 65495 \
> >         oversize_dir_length 500 \
> >         max_header_length 750 \
> >         max_headers 100 \
> >         max_spaces 200 \
> >         small_chunk_length { 10 5 } \
> >         ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591
> >     593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942
> >     2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000
> >     4343 4848 5000 5117 5250 5450 5600 5814 6080 6173 6988 7000 7001
> >     7005 7071 7144 7145 7510 7770 7777 7778 7779 8000 8001 8008 8014
> >     8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180
> >     8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787
> >     8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443
> >     9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991
> >     33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331
> >     55252 55555 56712 } \
> >         non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
> >         enable_cookie \
> >         extended_response_inspection \
> >         inspect_gzip \
> >         normalize_utf \
> >         unlimited_decompress \
> >         normalize_javascript \
> >         apache_whitespace no \
> >         ascii no \
> >         bare_byte no \
> >         directory no \
> >         double_decode no \
> >         iis_backslash no \
> >         iis_delimiter no \
> >         iis_unicode no \
> >         multi_slash no \
> >         utf_8 no \
> >         u_encode yes \
> >         webroot no
> >
> >     # ONC-RPC normalization and anomaly detection.  For more
> >     information, see the Snort Manual, Configuring Snort -
> >     Preprocessors - RPC Decode
> >     preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775
> >     32776 32777 32778 32779 no_alert_multiple_requests
> >     no_alert_large_fragments no_alert_incomplete
> >
> >     # Back Orifice detection.
> >     preprocessor bo
> >
> >     # FTP / Telnet normalization and anomaly detection.  For more
> >     information, see README.ftptelnet
> >     preprocessor ftp_telnet: global inspection_type stateful
> >     encrypted_traffic no check_encrypted
> >     preprocessor ftp_telnet_protocol: telnet \
> >         ayt_attack_thresh 20 \
> >         normalize ports { 23 } \
> >         detect_anomalies
> >     preprocessor ftp_telnet_protocol: ftp server default \
> >         def_max_param_len 100 \
> >         ports { 21 2100 3535 } \
> >         telnet_cmds yes \
> >         ignore_telnet_erase_cmds yes \
> >         ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
> >         ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
> >         ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
> >         ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
> >         ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
> >         ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
> >         ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
> >         ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
> >         ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
> >         ftp_cmds { XSEN XSHA1 XSHA256 } \
> >         alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV
> >     PWD QUIT REIN STOU SYST XCUP XPWD } \
> >         alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR
> >     STOU XMKD } \
> >         alt_max_param_len 256 { CWD RNTO } \
> >         alt_max_param_len 400 { PORT } \
> >         alt_max_param_len 512 { SIZE } \
> >         chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
> >         chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
> >         chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
> >         chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
> >         chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
> >         chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
> >         chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
> >         chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
> >         cmd_validity ALLO < int [ char R int ] > \
> >         cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
> >         cmd_validity MACB < string > \
> >         cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> >         cmd_validity MODE < char ASBCZ > \
> >         cmd_validity PORT < host_port > \
> >         cmd_validity PROT < char CSEP > \
> >         cmd_validity STRU < char FRPO [ string ] > \
> >         cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [
> >     number ] } >
> >     preprocessor ftp_telnet_protocol: ftp client default \
> >         max_resp_len 256 \
> >         bounce yes \
> >         ignore_telnet_erase_cmds yes \
> >         telnet_cmds yes
> >
> >
> >     # SMTP normalization and anomaly detection.  For more information,
> >     see README.SMTP
> >     preprocessor smtp: ports { 25 465 587 691 } \
> >         inspection_type stateful \
> >         b64_decode_depth 0 \
> >         qp_decode_depth 0 \
> >         bitenc_decode_depth 0 \
> >         uu_decode_depth 0 \
> >         log_mailfrom \
> >         log_rcptto \
> >         log_filename \
> >         log_email_hdrs \
> >         normalize cmds \
> >         normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL
> >     ESAM ESND ESOM ETRN EVFY } \
> >         normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT
> >     RCPT RSET SAML SEND SOML } \
> >         normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY
> >     X-ADAT X-DRCP X-ERCP X-EXCH50 } \
> >         normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50
> >     XGEN XLICENSE XQUE XSTA XTRN XUSR } \
> >         max_command_line_len 512 \
> >         max_header_line_len 1000 \
> >         max_response_line_len 512 \
> >         alt_max_command_line_len 260 { MAIL } \
> >         alt_max_command_line_len 300 { RCPT } \
> >         alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
> >         alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG
> >     EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
> >         alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN
> >     DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS
> >     X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN
> >     XUSR } \
> >         valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM
> >     ESND ESOM ETRN EVFY } \
> >         valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT
> >     RCPT RSET SAML SEND SOML } \
> >         valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT
> >     X-DRCP X-ERCP X-EXCH50 } \
> >         valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN
> >     XLICENSE XQUE XSTA XTRN XUSR } \
> >         xlink2state { enabled }
> >
> >     # Portscan detection.  For more information, see README.sfportscan
> >      preprocessor sfportscan: proto  { all } scan_type { all }  memcap
> >     { 10000000 } sense_level { high } logfile {
> >     /var/log/snort/PORTSCAN.log } detect_ack_scans
> >
> >     # ARP spoof detection.  For more information, see the Snort Manual
> >     - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
> >     # preprocessor arpspoof
> >     # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> >
> >     # SSH anomaly detection.  For more information, see README.ssh
> >     preprocessor ssh: server_ports { 22 } \
> >                       autodetect \
> >                       max_client_bytes 19600 \
> >     max_encrypted_packets 20 \
> >     max_server_version_len 100 \
> >                       enable_respoverflow enable_ssh1crc32 \
> >                       enable_srvoverflow enable_protomismatch
> >
> >     # SMB / DCE-RPC normalization and anomaly detection.  For more
> >     information, see README.dcerpc2
> >     preprocessor dcerpc2: memcap 102400, events [co ]
> >     preprocessor dcerpc2_server: default, policy WinXP, \
> >         detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server
> >     593], \
> >         autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
> >         smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
> >
> >     # DNS anomaly detection.  For more information, see README.dns
> >     preprocessor dns: ports { 53 } enable_rdata_overflow
> >
> >     # SSL anomaly detection and traffic bypass.  For more information,
> >     see README.ssl
> >     preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 5061
> >     7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910
> >     7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers,
> >     noinspect_encrypted
> >
> >     # SDF sensitive data preprocessor. For more information see
> >     README.sensitive_data
> >     preprocessor sensitive_data: alert_threshold 25
> >
> >     # SIP Session Initiation Protocol preprocessor.  For more
> >     information see README.sip
> >     preprocessor sip: max_sessions 40000, \
> >        ports { 5060 5061 5600 }, \
> >        methods { invite \
> >                  cancel \
> >                  ack \
> >                  bye \
> >                  register \
> >                  options \
> >                  refer \
> >                  subscribe \
> >                  update \
> >                  join \
> >                  info \
> >                  message \
> >                  notify \
> >                  benotify \
> >                  do \
> >                  qauth \
> >                  sprack \
> >                  publish \
> >                  service \
> >                  unsubscribe \
> >                  prack }, \
> >        max_uri_len 512, \
> >        max_call_id_len 80, \
> >        max_requestName_len 20, \
> >        max_from_len 256, \
> >        max_to_len 256, \
> >        max_via_len 1024, \
> >        max_contact_len 512, \
> >        max_content_len 2048
> >
> >     # IMAP preprocessor.  For more information see README.imap
> >     preprocessor imap: \
> >        ports { 143 } \
> >        b64_decode_depth 0 \
> >        qp_decode_depth 0 \
> >        bitenc_decode_depth 0 \
> >        uu_decode_depth 0
> >
> >     # POP preprocessor. For more information see README.pop
> >     preprocessor pop: \
> >        ports { 110 } \
> >        b64_decode_depth 0 \
> >        qp_decode_depth 0 \
> >        bitenc_decode_depth 0 \
> >        uu_decode_depth 0
> >
> >     # Modbus preprocessor. For more information see README.modbus
> >     preprocessor modbus: ports { 502 }
> >
> >     # DNP3 preprocessor. For more information see README.dnp3
> >     preprocessor dnp3: ports { 20000 } \
> >        memcap 262144 \
> >        check_crc
> >
> >     # Reputation preprocessor. For more information see README.reputation
> >     preprocessor reputation: \
> >        memcap 500, \
> >        priority whitelist, \
> >        nested_ip inner, \
> >        whitelist $WHITE_LIST_PATH/white_list.rules, \
> >        blacklist $BLACK_LIST_PATH/black_list.rules
> >
> >     ###################################################
> >     # Step #6: Configure output plugins
> >     # For more information, see Snort Manual, Configuring Snort -
> >     Output Modules
> >     ###################################################
> >
> >     # unified2
> >     # Recommended for most installs
> >     # output unified2: filename merged.log, limit 128, nostamp,
> >     mpls_event_types, vlan_event_types
> >
> >     # Additional configuration for specific types of installs
> >     # output alert_unified2: filename snort.alert, limit 128, nostamp
> >     # output log_unified2: filename snort.log, limit 128, nostamp
> >
> >     # syslog
> >     # output alert_syslog: LOG_AUTH LOG_ALERT
> >
> >     # pcap
> >     # output log_tcpdump: tcpdump.log
> >
> >     # metadata reference data.  do not modify these lines
> >     include classification.config
> >     include reference.config
> >
> >
> >     ###################################################
> >     # Step #7: Customize your rule set
> >     # For more information, see Snort Manual, Writing Snort Rules
> >     #
> >     # NOTE: All categories are enabled in this conf file
> >     ###################################################
> >
> >     # site specific rules
> >     include $RULE_PATH/local.rules
> >
> >     include $RULE_PATH/app-detect.rules
> >     include $RULE_PATH/attack-responses.rules
> >     include $RULE_PATH/backdoor.rules
> >     include $RULE_PATH/bad-traffic.rules
> >     include $RULE_PATH/blacklist.rules
> >     include $RULE_PATH/botnet-cnc.rules
> >     include $RULE_PATH/browser-chrome.rules
> >     include $RULE_PATH/browser-firefox.rules
> >     include $RULE_PATH/browser-ie.rules
> >     include $RULE_PATH/browser-other.rules
> >     include $RULE_PATH/browser-plugins.rules
> >     include $RULE_PATH/browser-webkit.rules
> >     include $RULE_PATH/chat.rules
> >     include $RULE_PATH/content-replace.rules
> >     include $RULE_PATH/ddos.rules
> >     include $RULE_PATH/dns.rules
> >     include $RULE_PATH/dos.rules
> >     include $RULE_PATH/experimental.rules
> >     include $RULE_PATH/exploit-kit.rules
> >     include $RULE_PATH/exploit.rules
> >     include $RULE_PATH/file-executable.rules
> >     include $RULE_PATH/file-flash.rules
> >     include $RULE_PATH/file-identify.rules
> >     include $RULE_PATH/file-image.rules
> >     include $RULE_PATH/file-java.rules
> >     include $RULE_PATH/file-multimedia.rules
> >     include $RULE_PATH/file-office.rules
> >     include $RULE_PATH/file-other.rules
> >     include $RULE_PATH/file-pdf.rules
> >     include $RULE_PATH/finger.rules
> >     include $RULE_PATH/ftp.rules
> >     include $RULE_PATH/icmp-info.rules
> >     include $RULE_PATH/icmp.rules
> >     include $RULE_PATH/imap.rules
> >     include $RULE_PATH/indicator-compromise.rules
> >     include $RULE_PATH/indicator-obfuscation.rules
> >     include $RULE_PATH/indicator-scan.rules
> >     include $RULE_PATH/indicator-shellcode.rules
> >     include $RULE_PATH/info.rules
> >     include $RULE_PATH/malware-backdoor.rules
> >     include $RULE_PATH/malware-cnc.rules
> >     include $RULE_PATH/malware-other.rules
> >     include $RULE_PATH/malware-tools.rules
> >     include $RULE_PATH/misc.rules
> >     include $RULE_PATH/multimedia.rules
> >     include $RULE_PATH/mysql.rules
> >     include $RULE_PATH/netbios.rules
> >     include $RULE_PATH/nntp.rules
> >     include $RULE_PATH/oracle.rules
> >     include $RULE_PATH/os-linux.rules
> >     include $RULE_PATH/os-mobile.rules
> >     include $RULE_PATH/os-other.rules
> >     include $RULE_PATH/os-solaris.rules
> >     include $RULE_PATH/os-windows.rules
> >     include $RULE_PATH/other-ids.rules
> >     include $RULE_PATH/p2p.rules
> >     include $RULE_PATH/phishing-spam.rules
> >     include $RULE_PATH/policy-multimedia.rules
> >     include $RULE_PATH/policy-other.rules
> >     include $RULE_PATH/policy.rules
> >     include $RULE_PATH/policy-social.rules
> >     include $RULE_PATH/policy-spam.rules
> >     include $RULE_PATH/pop2.rules
> >     include $RULE_PATH/pop3.rules
> >     include $RULE_PATH/protocol-dns.rules
> >     include $RULE_PATH/protocol-finger.rules
> >     include $RULE_PATH/protocol-ftp.rules
> >     include $RULE_PATH/protocol-icmp.rules
> >     include $RULE_PATH/protocol-imap.rules
> >     include $RULE_PATH/protocol-nntp.rules
> >     include $RULE_PATH/protocol-other.rules
> >     include $RULE_PATH/protocol-pop.rules
> >     include $RULE_PATH/protocol-rpc.rules
> >     include $RULE_PATH/protocol-scada.rules
> >     include $RULE_PATH/protocol-services.rules
> >     include $RULE_PATH/protocol-snmp.rules
> >     include $RULE_PATH/protocol-telnet.rules
> >     include $RULE_PATH/protocol-tftp.rules
> >     include $RULE_PATH/protocol-voip.rules
> >     include $RULE_PATH/pua-adware.rules
> >     include $RULE_PATH/pua-other.rules
> >     include $RULE_PATH/pua-p2p.rules
> >     include $RULE_PATH/pua-toolbars.rules
> >     include $RULE_PATH/rpc.rules
> >     include $RULE_PATH/rservices.rules
> >     include $RULE_PATH/scada.rules
> >     include $RULE_PATH/scan.rules
> >     include $RULE_PATH/server-apache.rules
> >     include $RULE_PATH/server-iis.rules
> >     include $RULE_PATH/server-mail.rules
> >     include $RULE_PATH/server-mssql.rules
> >     include $RULE_PATH/server-mysql.rules
> >     include $RULE_PATH/server-oracle.rules
> >     include $RULE_PATH/server-other.rules
> >     include $RULE_PATH/server-samba.rules
> >     include $RULE_PATH/server-webapp.rules
> >     include $RULE_PATH/shellcode.rules
> >     include $RULE_PATH/smtp.rules
> >     include $RULE_PATH/snmp.rules
> >     include $RULE_PATH/specific-threats.rules
> >     include $RULE_PATH/spyware-put.rules
> >     include $RULE_PATH/sql.rules
> >     include $RULE_PATH/telnet.rules
> >     include $RULE_PATH/tftp.rules
> >     include $RULE_PATH/virus.rules
> >     include $RULE_PATH/voip.rules
> >     include $RULE_PATH/web-activex.rules
> >     include $RULE_PATH/web-attacks.rules
> >     include $RULE_PATH/web-cgi.rules
> >     include $RULE_PATH/web-client.rules
> >     include $RULE_PATH/web-coldfusion.rules
> >     include $RULE_PATH/web-frontpage.rules
> >     include $RULE_PATH/web-iis.rules
> >     include $RULE_PATH/web-misc.rules
> >     include $RULE_PATH/web-php.rules
> >     include $RULE_PATH/x11.rules
> >
> >     #Include MyRULES
> >
> >     include $RULE_PATH/mytest.rules
> >     include $RULE_PATH/mylog.rules
> >
> >     ###################################################
> >     # Step #8: Customize your preprocessor and decoder alerts
> >     # For more information, see README.decoder_preproc_rules
> >     ###################################################
> >
> >     # decoder and preprocessor event rules
> >      include $PREPROC_RULE_PATH/preprocessor.rules
> >      include $PREPROC_RULE_PATH/decoder.rules
> >      include $PREPROC_RULE_PATH/sensitive-data.rules
> >
> >     ###################################################
> >     # Step #9: Customize your Shared Object Snort Rules
> >     # For more information, see
> >     http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html
> >     ###################################################
> >
> >     # dynamic library rules
> >     # include $SO_RULE_PATH/browser-ie.rules
> >     # include $SO_RULE_PATH/browser-other.rules
> >     # include $SO_RULE_PATH/exploit-kit.rules
> >     # include $SO_RULE_PATH/file-flash.rules
> >     # include $SO_RULE_PATH/file-image.rules
> >     # include $SO_RULE_PATH/file-java.rules
> >     # include $SO_RULE_PATH/file-multimedia.rules
> >     # include $SO_RULE_PATH/file-office.rules
> >     # include $SO_RULE_PATH/file-other.rules
> >     # include $SO_RULE_PATH/file-pdf.rules
> >     # include $SO_RULE_PATH/indicator-shellcode.rules
> >     # include $SO_RULE_PATH/malware-cnc.rules
> >     # include $SO_RULE_PATH/malware-other.rules
> >     # include $SO_RULE_PATH/netbios.rules
> >     # include $SO_RULE_PATH/os-linux.rules
> >     # include $SO_RULE_PATH/os-other.rules
> >     # include $SO_RULE_PATH/os-windows.rules
> >     # include $SO_RULE_PATH/policy-social.rules
> >     # include $SO_RULE_PATH/protocol-dns.rules
> >     # include $SO_RULE_PATH/protocol-nntp.rules
> >     # include $SO_RULE_PATH/protocol-other.rules
> >     # include $SO_RULE_PATH/protocol-snmp.rules
> >     # include $SO_RULE_PATH/protocol-voip.rules
> >     # include $SO_RULE_PATH/pua-p2p.rules
> >     # include $SO_RULE_PATH/server-apache.rules
> >     # include $SO_RULE_PATH/server-iis.rules
> >     # include $SO_RULE_PATH/server-mail.rules
> >     # include $SO_RULE_PATH/server-mysql.rules
> >     # include $SO_RULE_PATH/server-oracle.rules
> >     # include $SO_RULE_PATH/server-other.rules
> >     # include $SO_RULE_PATH/server-webapp.rules
> >
> >     # legacy dynamic library rule files
> >     # include $SO_RULE_PATH/bad-traffic.rules
> >     # include $SO_RULE_PATH/browser-ie.rules
> >     # include $SO_RULE_PATH/chat.rules
> >     # include $SO_RULE_PATH/dos.rules
> >     # include $SO_RULE_PATH/exploit.rules
> >     # include $SO_RULE_PATH/file-flash.rules
> >     # include $SO_RULE_PATH/icmp.rules
> >     # include $SO_RULE_PATH/imap.rules
> >     # include $SO_RULE_PATH/misc.rules
> >     # include $SO_RULE_PATH/multimedia.rules
> >     # include $SO_RULE_PATH/netbios.rules
> >     # include $SO_RULE_PATH/nntp.rules
> >     # include $SO_RULE_PATH/p2p.rules
> >     # include $SO_RULE_PATH/smtp.rules
> >     # include $SO_RULE_PATH/snmp.rules
> >     # include $SO_RULE_PATH/specific-threats.rules
> >     # include $SO_RULE_PATH/web-activex.rules
> >     # include $SO_RULE_PATH/web-client.rules
> >     # include $SO_RULE_PATH/web-iis.rules
> >     # include $SO_RULE_PATH/web-misc.rules
> >
> >     # Event thresholding or suppression commands. See threshold.conf
> >     include threshold.conf
> >
> >     rate_filter \
> >             gen_id 135, sig_id 1, \
> >             track by_src, \
> >             count 100, seconds 5, \
> >            new_action alert, timeout 10
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> End of Snort-users Digest, Vol 128, Issue 46
> ********************************************
>
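As an added illustration that is not part of the thread and not Snort's own code, the following Python model replays constructed SYN events through the two rule options discussed above: `detection_filter: track by_src, count 20, seconds 1` and `threshold: type both, count 20, seconds 1`. The window handling follows the Snort 2.9 manual's description (a window opens at the first match for a tracked host and is reset once `seconds` have elapsed); the event tuples, addresses and helper names are assumptions made for the example.

```python
"""Model of Snort 2.9 rule-level rate gating on constructed SYN events.

Two mechanisms from the thread are modelled (assumed semantics taken from
the Snort manual, not from Snort's source):
  * detection_filter: track by_src, count 20, seconds 1
  * threshold: type both, count 20, seconds 1   (deprecated in 2.9 in favour
    of detection_filter plus an event_filter in threshold.conf)
A per-host window starts at the first match and is reset once `seconds`
have elapsed since that start.
"""
from collections import namedtuple

# Constructed event shape: timestamp in seconds, source and destination IP.
Event = namedtuple("Event", "ts src dst")


class _Window:
    __slots__ = ("start", "count")

    def __init__(self, ts):
        self.start = ts
        self.count = 0


def _bump(windows, key, ts, seconds):
    """Advance the per-key window and return this event's ordinal in it."""
    w = windows.get(key)
    if w is None or ts - w.start >= seconds:
        w = windows[key] = _Window(ts)   # window expired: start a fresh one
    w.count += 1
    return w.count


def detection_filter(events, count, seconds, track="by_src"):
    """Events that pass a detection_filter.

    The rule may only fire once MORE than `count` matches from the tracked
    host fall inside one `seconds` window; every further match in that
    window fires too, which is why the manual pairs it with an event_filter.
    """
    windows, fired = {}, []
    for ev in events:
        key = ev.src if track == "by_src" else ev.dst
        if _bump(windows, key, ev.ts, seconds) > count:
            fired.append(ev)
    return fired


def threshold_both(events, count, seconds, track="by_src"):
    """Events that pass `threshold: type both`.

    Fires once per window, on the count-th match, then suppresses the rest
    of that window.
    """
    windows, fired = {}, []
    for ev in events:
        key = ev.src if track == "by_src" else ev.dst
        if _bump(windows, key, ev.ts, seconds) == count:
            fired.append(ev)
    return fired


def syn_burst(src, n, start, spread):
    """Constructed sample: n SYNs from src spread evenly over `spread` s."""
    return [Event(start + i * spread / n, src, "10.0.0.80") for i in range(n)]


def demo():
    # Constructed traffic: host A sends 25 SYNs in 0.5 s (exceeds count 20),
    # host B sends 5 SYNs in the same second (benign), then host A sends 10
    # more SYNs two seconds later, which land in a fresh window.
    events = sorted(
        syn_burst("192.0.2.10", 25, 0.0, 0.5)
        + syn_burst("192.0.2.20", 5, 0.1, 0.5)
        + syn_burst("192.0.2.10", 10, 2.0, 0.5),
        key=lambda e: e.ts,
    )
    df = detection_filter(events, count=20, seconds=1)
    th = threshold_both(events, count=20, seconds=1)
    return {
        "total": len(events),
        "detection_filter_alerts": len(df),            # 21st..25th SYN -> 5
        "detection_filter_sources": sorted({e.src for e in df}),
        "threshold_both_alerts": len(th),              # 20th SYN only -> 1
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point worth checking when comparing the two rules is the off-by-one in the gate: `threshold: type both` fires on the 20th SYN of a window, whereas `detection_filter` needs the count to be exceeded, so exactly 20 SYNs in one second produce an alert under the first rule and none under the second. A test that sends only `count` packets per second will therefore look like "detection_filter not working" even when the option is behaving as documented.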

