[Snort-users] SNORT newbie looking for some help with Snort on Win2k


Thu Nov 23 16:36:19 EST 2017


I've had mixed success with IDSCenter as well. I have, however, had no trouble at all with Snort.Panel by Xato. Works like a charm.

<lame_os_plug>
Incidentally, I've had the best success of all by moving Snort to a different platform!
</lame_os_plug>

Sorry about that...

Cheers

Keith

-----Original Message-----
From: Slighter, Tim [mailto:tslighter at ...5174...]
Sent: Wednesday, May 15, 2002 11:20 AM
To: 'Richard Roy'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

Lots of weird issues with that IDS center. Not 100% certain, but seems that most individuals resort to command line in order to get snort to work on win2k...at least that is how I managed to get it to function correctly

-----Original Message-----
From: Richard Roy [mailto:royr at ...5882...]
Sent: Wednesday, May 15, 2002 8:50 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I set up SNORT using IDSCentre and tested the config using the applet. I received no error messages, the SNORT window is minimized and things appear to work, yet there are no alerts, no log entries, nothing. I know we are under hits all the time, my firewall reports blocking them.

Setup:
W2K Pro p3 733. On a hub with router and firewall external interface. I have 64 public IP's and I'd like to scan the range if possible. I am including the following.

From IDSCentre the command line it fires, the snort.conf file and the screen output from the minimized snort window. I can't quite figure out what is wrong. Another set of eyes looking at this is what I am hoping someone will do and see a problem.

TIA for your help

Rich
PS Sorry it is a long post, but I did not want to do an attachment.

[Begin config]
[************cmd line*********]
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y

[*NOTE, yes I blanked out my IP above. It is a public IP*]


[***********snort.conf**************]
#--------------------------------------------------
#   http://www.activeworx.com Snort 1.8.6 Ruleset
#     IDS Policy Manager Version: 1.3 Build(31)
# Current Database Updated -- May 10, 2002 10:55 AM
#--------------------------------------------------
#
## Variables
## ---------
#var HOME_NET 10.1.1.0/24
#var HOME_NET $eth0_ADDRESS
#var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
#var RULE_PATH ./
var RULE_PATH c:\snort\rules
var SHELLCODE_PORTS !80
#var SPADEDIR .
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 -cginull -unicode
preprocessor rpc_decode: 111 32771
preprocessor bo:
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
preprocessor frag2
preprocessor telnet_decode
#
#
## Output Modules
## --------------
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test
output CSV: log default
output log_tcpdump: snorttcp.log
#output xml: Log, file=/var/log/snortxml
output log_unified: filename snort.log, limit 128
#
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
#
## Custom Rules
## ------------
ruletype suspicious
{
 type log
 output log_tcpdump: suspicious.log
}
ruletype redalert
{
 type alert
 output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
}
#ruletype <New_Custom_Rules>
#{
#}
#
## Include Files
## -------------
include classification.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
#include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules


{*********Snort Screen*************}

Log directory = c:\snort\log

Initializing Network Interface \

        --== Initializing Snort ==--
Decoding Ethernet on interface \Device\Packet_NdisWanIp
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file c:\snort\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Using GMT time
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
ProcessFileOption: c:\snort\log/log
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
980 Option Chains linked into 100 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-WIN32 (Build 103)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid at ...3029...)
          (based on code from 1.7 port)

[End config]
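An added example, not code from the thread and not Snort's own parser: a small reader for the Snort 1.x snort.conf dialect Rich posted, written to pull out the pieces that decide what such a sensor would write and where. It reads var lines and expands $NAME, collects preprocessor, output and include directives, and reads ruletype blocks; the rule application order it derives (the five built-in stages, then the custom ruletypes in declaration order) reproduces the line in the posted banner. The config embedded below is a constructed excerpt of the posted file, not the whole thing. Two readings of mine are built in and should be treated as assumptions rather than as anything the thread states: CSV is classed as an alert-style output whose first argument, "log", is a file name under the -l directory (which is what the banner's "ProcessFileOption: c:\snort\log/log" line looks like), and the three "command line overrides rules file logging plugin" warnings are matched to the three log-type outputs, two at top level and one inside ruletype suspicious.

```python
"""Added example (not from the thread or from Snort): parse the Snort 1.x
snort.conf dialect into variables, preprocessors, outputs, ruletypes and
includes, and derive the rule application order from it."""
import re

# Constructed excerpt of the snort.conf from the post (not the full file).
SAMPLE_CONF = r"""
#var HOME_NET 10.1.1.0/24
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var RULE_PATH c:\snort\rules
preprocessor stream4: detect_scans
preprocessor portscan: $HOME_NET 4 3 portscan.log
output CSV: log default
output log_tcpdump: snorttcp.log
#output xml: Log, file=/var/log/snortxml
output log_unified: filename snort.log, limit 128
ruletype suspicious
{
 type log
 output log_tcpdump: suspicious.log
}
ruletype redalert
{
 type alert
 output alert_syslog: LOG_AUTH LOG_ALERT
}
include classification.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/local.rules
"""

# Snort 1.x applies the built-in rule types in this order; custom ruletypes
# are appended in declaration order, which is exactly what the posted banner
# prints: ->activation->dynamic->alert->pass->log->suspicious->redalert
BUILTIN_ORDER = ["activation", "dynamic", "alert", "pass", "log"]


def expand(text, variables):
    """Replace $NAME with the value of an earlier 'var NAME value' line."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), text)


def parse_output(line, variables):
    """'output log_tcpdump: snorttcp.log' -> plugin name, argument string, kind."""
    plugin, _, args = line[len("output"):].strip().partition(":")
    plugin = plugin.strip()
    # Assumption: alert_* and CSV write alert records, log_* write packets.
    kind = "alert" if plugin.startswith("alert") or plugin == "CSV" else "log"
    return {"plugin": plugin, "args": expand(args.strip(), variables), "kind": kind}


def parse_conf(text):
    conf = {"vars": {}, "preprocessors": [], "outputs": [], "ruletypes": [], "includes": []}
    block = None  # the 'ruletype name { ... }' block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        if block is not None:                 # inside a ruletype block
            if line == "}":
                conf["ruletypes"].append(block)
                block = None
            elif line.startswith("type "):
                block["type"] = line.split(None, 1)[1]
            elif line.startswith("output "):
                block["outputs"].append(parse_output(line, conf["vars"]))
            continue                          # the opening '{' is skipped here
        keyword, _, rest = line.partition(" ")
        if keyword == "var":
            name, _, value = rest.strip().partition(" ")
            conf["vars"][name] = expand(value.strip(), conf["vars"])
        elif keyword == "preprocessor":
            conf["preprocessors"].append(expand(rest.strip(), conf["vars"]))
        elif keyword == "output":
            conf["outputs"].append(parse_output(line, conf["vars"]))
        elif keyword == "ruletype":
            block = {"name": rest.strip(), "type": None, "outputs": []}
        elif keyword == "include":
            conf["includes"].append(expand(rest.strip(), conf["vars"]))
    return conf


def rule_application_order(conf):
    return BUILTIN_ORDER + [r["name"] for r in conf["ruletypes"]]


def log_outputs(conf):
    """Every log-type output, top level and inside ruletype blocks: the
    plugins a command-line logging switch displaces, one override warning
    each (my reading of the three warnings in the posted banner)."""
    found = [(None, o) for o in conf["outputs"] if o["kind"] == "log"]
    for r in conf["ruletypes"]:
        found += [(r["name"], o) for o in r["outputs"] if o["kind"] == "log"]
    return found


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("HOME_NET =", conf["vars"]["HOME_NET"])  # 'any': every address is home
    print("rule order: ->" + "->".join(rule_application_order(conf)))
    for scope, out in log_outputs(conf):
        print("log output", out["plugin"], out["args"], "in", scope or "top level")
    print("includes:", conf["includes"])
```

With HOME_NET and EXTERNAL_NET both "any", every derived variable (SMTP, HTTP_SERVERS, SQL_SERVERS, DNS_SERVERS) expands to "any" as well, so no rule on the box is constrained by direction; the -h network on the command line is a separate setting and does not feed $HOME_NET in the rules.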




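A second added example, again not from the thread or from Snort: the checks a reviewer would run over a Snort 1.x start-up banner like the one pasted under "Snort Screen", with the banner embedded as a constructed copy trimmed to the lines the checks use. It extracts the bound interface, the rule and chain counts, the WARNING lines, the stream4 reassembly settings and the rule application order, then turns them into findings. The interface finding is a heuristic of mine: on Windows 2000, \Device\Packet_NdisWanIp is the packet-driver binding of the NdisWan (dial-up/RAS) adapter, so a sensor meant to watch a hub-attached NIC that reports it has almost certainly been started with the wrong -i index. Confirm the index against the interface list the Win32 port can print (its -W switch, if the build has it) before reading anything else into "no alerts".

```python
"""Added example (not from the thread or from Snort): sanity checks over a
Snort 1.x start-up banner. SAMPLE_BANNER is a constructed copy of the banner
posted in the thread, trimmed to the lines the checks below use."""
import re

SAMPLE_BANNER = r"""
Log directory = c:\snort\log
        --== Initializing Snort ==--
Decoding Ethernet on interface \Device\Packet_NdisWanIp
Initializing Preprocessors!
Parsing Rules file c:\snort\snort.conf
Stream4 config:
    Stateful inspection: ACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
Using GMT time
ProcessFileOption: c:\snort\log/log
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
980 Option Chains linked into 100 Chain Headers
0 Dynamic rules
Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert
        --== Initialization Complete ==--
Version 1.8-WIN32 (Build 103)
"""

# (regex, key, converter) for the single-valued banner lines we care about
FIELDS = [
    (r"Decoding Ethernet on interface (\S+)", "interface", str),
    (r"(\d+) Snort rules read", "rules", int),
    (r"\d+ Option Chains linked into (\d+) Chain Headers", "chain_headers", int),
    (r"Reassemble server: (\w+)", "reassemble_server", str),
    (r"Reassemble ports: (.*)", "reassemble_ports", lambda s: [int(p) for p in s.split()]),
    (r"Rule application order: (.*)", "rule_order", lambda s: [p for p in s.split("->") if p]),
    (r"Version (.*)", "version", str),
]


def parse_banner(text):
    """Pull the fields a bring-up review needs out of the banner text."""
    info = {key: None for _, key, _ in FIELDS}
    info.update(warnings=[], output_files=[], gmt=False)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING: "):
            info["warnings"].append(line[len("WARNING: "):])
        elif line.startswith("ProcessFileOption: "):   # an output file Snort opened
            info["output_files"].append(line[len("ProcessFileOption: "):])
        elif line == "Using GMT time":
            info["gmt"] = True
        else:
            for pattern, key, convert in FIELDS:
                m = re.match(pattern, line)
                if m:
                    info[key] = convert(m.group(1))
                    break
    return info


def findings(info):
    """The things to check first when a sensor 'runs fine' but never alerts."""
    out = []
    # Heuristic (my assumption, not something the thread states): on Windows
    # 2000 the NdisWan* bindings are the dial-up/RAS (WAN miniport) adapters,
    # so a sensor that should watch a LAN NIC has the wrong -i index.
    if info["interface"] and "ndiswan" in info["interface"].lower():
        out.append("bound to %s, a dial-up/RAS adapter binding rather than a LAN "
                   "NIC; re-check the -i index" % info["interface"])
    if info["warnings"]:
        out.append("%d output plugin(s) from snort.conf not loaded: the command "
                   "line took precedence, so look where its switches write, not "
                   "where the conf says" % len(info["warnings"]))
    if not info["rules"]:
        out.append("no rules were loaded")
    if info["reassemble_server"] == "INACTIVE":
        out.append("stream4 reassembles client-to-server data only")
    if info["gmt"]:
        out.append("timestamps are GMT; allow for the offset when matching the "
                   "firewall log")
    return out


if __name__ == "__main__":
    info = parse_banner(SAMPLE_BANNER)
    print("interface:", info["interface"], "| rules:", info["rules"],
          "| version:", info["version"])
    for f in findings(info):
        print("-", f)
```

Run against the posted banner, the first finding is the interface line; the warning count is the second. Neither needs the rules or the conf to be read, which is the point of checking the banner before anything else.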