Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

Thu Nov 23 16:36:19 EST 2017

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net On Behalf Of Richard Roy
Sent: Wednesday, May 15, 2002 7:50 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I set up SNORT using IDSCentre and tested the config using the applet.  I
received no error messages, the SNORT window is minimized and things appear
to work, yet there are no alerts, no log entries, nothing.  I know we are
under hits all the time, my firewall reports blocking them.

Setup:
W2K Pro p3 733.  On a hub with router and firewall external interface.  I
have 64 public IP's and I'd like to scan the range if possible.  I am
including the following.

From IDSCentre the command line it fires, the snort.conf file and the
screen output from the minimized snort window.  I can't quite figure out
what is wrong.  Another set of eyes looking at this is what I am hoping
someone will do and see a problem.

TIA for your help 

Rich 
PS Sorry it is a long post, but I did not want to do an attachment. 

[Begin config] 
[************cmd line*********] 
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y

[*NOTE, yes I blanked out my IP above.  It is a public IP*] 

 

[***********snort.conf**************] 
#-------------------------------------------------- 
#   http://www.activeworx.com Snort 1.8.6 Ruleset 
#     IDS Policy Manager Version: 1.3 Build(31) 
# Current Database Updated -- May 10, 2002 10:55 AM 
#-------------------------------------------------- 
# 
## Variables 
## --------- 
#var HOME_NET 10.1.1.0/24 
#var HOME_NET $eth0_ADDRESS 
#var HOME_NET [10.1.1.0/24,192.168.1.0/24] 
var HOME_NET any 
var EXTERNAL_NET any 
var SMTP $HOME_NET 
var HTTP_SERVERS $HOME_NET 
var SQL_SERVERS $HOME_NET 
var DNS_SERVERS $HOME_NET 
#var RULE_PATH ./ 
var RULE_PATH c:\snort\rules 
var SHELLCODE_PORTS !80 
#var SPADEDIR . 
# 
## Preprocessor Support 
## -------------------- 
preprocessor http_decode: 80 -cginull -unicode 
preprocessor rpc_decode: 111 32771 
preprocessor bo: 
preprocessor stream4: detect_scans 
preprocessor stream4_reassemble 
preprocessor portscan: $HOME_NET 4 3 portscan.log 
#preprocessor portscan-ignorehosts: 0.0.0.0 
preprocessor frag2 
preprocessor telnet_decode 
# 
# 
## Output Modules 
## -------------- 
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test
output CSV: log default 
output log_tcpdump: snorttcp.log 
#output xml: Log, file=/var/log/snortxml 
output log_unified: filename snort.log, limit 128 
# 
#output alert_syslog: LOG_AUTH LOG_ALERT 
#output alert_unified: filename snort.alert, limit 128 
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
# 
## Custom Rules 
## ------------ 
ruletype suspicious 
{ 
 type log 
 output log_tcpdump: suspicious.log 
} 
ruletype redalert 
{ 
 type alert 
 output alert_syslog: LOG_AUTH LOG_ALERT 
# output database: log, mysql, user=snort dbname=snort host=localhost 
} 
#ruletype <New_Custom_Rules> 
#{ 
#} 
# 
## Include Files 
## ------------- 
include classification.config 
# 
include $RULE_PATH/bad-traffic.rules 
include $RULE_PATH/exploit.rules 
include $RULE_PATH/scan.rules 
include $RULE_PATH/finger.rules 
include $RULE_PATH/ftp.rules 
include $RULE_PATH/telnet.rules 
include $RULE_PATH/smtp.rules 
include $RULE_PATH/rpc.rules 
include $RULE_PATH/rservices.rules 
include $RULE_PATH/dos.rules 
include $RULE_PATH/ddos.rules 
include $RULE_PATH/dns.rules 
include $RULE_PATH/tftp.rules 
include $RULE_PATH/web-cgi.rules 
include $RULE_PATH/web-coldfusion.rules 
include $RULE_PATH/web-iis.rules 
include $RULE_PATH/web-frontpage.rules 
include $RULE_PATH/web-misc.rules 
include $RULE_PATH/web-attacks.rules 
include $RULE_PATH/sql.rules 
include $RULE_PATH/x11.rules 
include $RULE_PATH/icmp.rules 
include $RULE_PATH/netbios.rules 
include $RULE_PATH/misc.rules 
include $RULE_PATH/attack-responses.rules 
include $RULE_PATH/backdoor.rules 
include $RULE_PATH/shellcode.rules 
include $RULE_PATH/policy.rules 
include $RULE_PATH/porn.rules 
include $RULE_PATH/info.rules 
include $RULE_PATH/icmp-info.rules 
include $RULE_PATH/virus.rules 
#include $RULE_PATH/experimental.rules 
include $RULE_PATH/local.rules 

 

{*********Snort Screen*************} 

Log directory = c:\snort\log 

Initializing Network Interface \ 

        --== Initializing Snort ==-- 
Decoding Ethernet on interface \Device\Packet_NdisWanIp 
Initializing Preprocessors! 
Initializing Plug-ins! 
Initializating Output Plugins! 
Parsing Rules file c:\snort\snort.conf 

+++++++++++++++++++++++++++++++++++++++++++++++++++ 
Initializing rule chains... 
Stream4 config: 
    Stateful inspection: ACTIVE 
    Session statistics: INACTIVE 
    Session timeout: 30 seconds 
    Session memory cap: 8388608 bytes 
    State alerts: INACTIVE 
    Scan alerts: ACTIVE 
    Log Flushed Streams: INACTIVE 
No arguments to stream4_reassemble, setting defaults: 
     Reassemble client: ACTIVE 
     Reassemble server: INACTIVE 
     Reassemble ports: 21 23 25 53 80 143 110 111 513 
     Reassembly alerts: ACTIVE 
     Reassembly method: FAVOR_OLD 
Using GMT time 
No arguments to frag2 directive, setting defaults to: 
    Fragment timeout: 60 seconds 
    Fragment memory cap: 4194304 bytes 
ProcessFileOption: c:\snort\log/log 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
980 Snort rules read... 
980 Option Chains linked into 100 Chain Headers 
0 Dynamic rules 
+++++++++++++++++++++++++++++++++++++++++++++++++++ 

Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert

        --== Initialization Complete ==-- 

-*> Snort! <*- 
Version 1.8-WIN32 (Build 103) 
By Martin Roesch (roesch at ...1935..., www.snort.org) 
1.7-WIN32 Port By Michael Davis (mike at ...92...,
www.datanerds.net/~mike) 
1.8-WIN32 Port By Chris Reid (chris.reid at ...3029...) 
          (based on code from 1.7 port) 

[End config] 
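The start-up banner above carries most of the clues a reviewer would look for: the device Snort actually opened, the three "command line overrides rules file logging plugin!" warnings, and the HOME_NET settings. The following Python script is an added example for this thread, not code from the post, from IDSCenter or from Snort: it parses a Snort 1.x command line, a snort.conf and the banner, and reports the usual reasons the alert and log files stay empty. The three inputs are constructed from the command line, snort.conf and banner quoted above; function names such as check_startup() are this example's own, and it generalises beyond the post to any Snort 1.x command line and conf (the table of argument-taking switches is an assumption drawn from the 1.x usage text, with -G included because the post shows "-G basic").

```python
"""Sanity-check a Snort 1.x (Win32) start-up for the misconfigurations that
leave the alert and log files empty.

Added example for this thread; it is not code from the list post, from
IDSCenter or from Snort.  The three inputs below are constructed from the
command line, snort.conf and start-up banner quoted in the post; function
names such as check_startup() are this example's own.
"""
import re

# Constructed from the post: the command line IDSCenter fires.
CMDLINE = (r'c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" '
           r'-h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y')

# Constructed from the post: the lines of snort.conf that matter here.
SNORT_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
output CSV: log default
output log_tcpdump: snorttcp.log
output log_unified: filename snort.log, limit 128
#output alert_syslog: LOG_AUTH LOG_ALERT
"""

# Constructed from the post: the start-up banner (backslashes doubled for Python).
STARTUP = """\
Decoding Ethernet on interface \\Device\\Packet_NdisWanIp
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
"""

# Assumed from the Snort 1.x usage text: switches that take an argument
# (-G is included because the post shows "-G basic"); all others are flags.
SWITCHES_WITH_ARG = {"-c", "-l", "-h", "-i", "-A", "-r", "-F", "-G", "-P", "-m", "-u", "-g"}


def parse_cmdline(cmdline):
    """Split a Snort command line into (flags, options) without shell escaping,
    so Windows paths with backslashes survive intact."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    flags, options = set(), {}
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        if tokens[i] in SWITCHES_WITH_ARG and i + 1 < len(tokens):
            options[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            flags.add(tokens[i])
            i += 1
    return flags, options


def log_output_modules(conf_text):
    """Names of the active log-type output modules in a snort.conf."""
    mods = []
    for line in conf_text.splitlines():
        m = re.match(r"output\s+(\w+):\s*(.*)", line.strip())
        if not m or m.group(1).startswith("alert_"):
            continue
        name, args = m.groups()
        # log_tcpdump/log_unified are log-type by name; CSV/xml/database say
        # "log" or "alert" in their first argument.
        if name.startswith("log_") or re.match(r"log\b", args, re.I):
            mods.append(name)
    return mods


def check_startup(cmdline, conf_text, startup_text):
    """Return (severity, finding) pairs, most serious first."""
    flags, opts = parse_cmdline(cmdline)
    findings = []

    # On Windows -i takes an index and the banner names the device actually
    # opened; NdisWan* devices are the dial-up/WAN miniport pseudo-adapters,
    # so nothing passing the hub-attached NIC is ever captured.
    m = re.search(r"Decoding Ethernet on interface (\S+)", startup_text)
    if m and "NdisWan" in m.group(1):
        findings.append(("high", f"-i {opts.get('-i')} opened {m.group(1)}, a WAN miniport "
                                 "pseudo-interface; pick the LAN adapter index (snort -W lists them)"))

    # -b (binary tcpdump logging) on the command line supersedes the log-type
    # output modules in the rules file; Snort prints one warning per module
    # it skips, so the files those modules would write stay empty.
    warnings = startup_text.count("command line overrides rules file logging plugin")
    mods = log_output_modules(conf_text)
    if warnings:
        cause = "-b" if "-b" in flags else "a command-line logging switch"
        findings.append(("medium", f"{warnings} override warning(s): {cause} supersedes "
                                   f"output modules {mods}; expect their files to stay empty"))

    # With HOME_NET and EXTERNAL_NET both 'any', $HOME_NET/$EXTERNAL_NET rules
    # match in both directions, and a /32 on -h watches one host although the
    # poster wants a range of 64 addresses.
    var = dict(re.findall(r"^var\s+(\w+)\s+(\S+)", conf_text, re.M))
    if var.get("HOME_NET") == "any" and var.get("EXTERNAL_NET") == "any":
        findings.append(("low", "HOME_NET and EXTERNAL_NET are both 'any': rules cannot "
                                "tell inbound from outbound traffic"))
    home = opts.get("-h", "")
    if home.endswith("/32"):
        findings.append(("low", f"-h {home} covers a single host; use the prefix of the "
                                "monitored range instead (a /26 covers 64 addresses)"))
    return findings


if __name__ == "__main__":
    for severity, text in check_startup(CMDLINE, SNORT_CONF, STARTUP):
        print(f"[{severity:6}] {text}")
```

Run it as-is to see the four findings for the configuration in the post; to check another sensor, paste its command line, conf and banner into the three constants. The interface finding ranks highest because it explains the symptom on its own: a sensor bound to the WAN miniport sees none of the hub traffic, so no rule can fire regardless of how logging is set up.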


------=_NextPart_000_0031_01C1FCAF.747EADE0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">


<meta name=3DGenerator content=3D"Microsoft Word 10 (filtered)">
<title>SNORT newbie looking for some help with Snort on Win2k</title>

<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:blue;
	text-decoration:underline;}
p
	{margin-right:0in;
	margin-left:0in;
	font-size:12.0pt;
	font-family:"Times New Roman";}
span.EmailStyle18
	{font-family:Arial;
	color:navy;}
span.EmailStyle19
	{font-family:Arial;
	color:navy;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dblue>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Richard,</span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Sounds like you have the permissions s=
et
incorrectly for the CGI folder. Make sure that the IUSER has full access to=
 the
folder. If you need some guidance then you can go to our site, there you wi=
ll
find a complete walk through for Windows and either Snortsnarf or for Acid =
as
your viewer. Let me know how thing go.</span></font></p>

<div>

<p><font size=3D2 color=3Dnavy face=3D"Times New Roman"><span style=3D'font=
-size:10.0pt;
color:navy'>Michael Steele | Support Technician    <br>
<a href=3D"mailto:michaels at ...155...">mailto:michaels at ...155...</a><br>
Silicon Defense: IDS solutions - <a href=3D"http://www.silicondefense.com">=
http://www.silicondefense.com</a><br>
Snort: Open Source Network IDS - <a href=3D"http://www.snort.org">http://ww=
w.snort.org</a></span></font></p>

</div>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 face=3DTahom=
a><span
style=3D'font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style=3D'font-weight:bold'>From:</span></b> Richard Roy
[mailto:royr at ...5882...] <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> </span></font><font si=
ze=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>Ma=
y 16, 2002</span></font><font
size=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>=
 </span></font><font size=3D2 face=3DTahoma><span style=3D'font-size:10.0pt=
;font-family:Tahoma'>7:16 AM</span></font><font
size=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>=
<br>
<b><span style=3D'font-weight:bold'>To:</span></b> 'Michael Steele'<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> RE: [Snort-users] S=
NORT
newbie looking for some help with Snort on Win2k</span></font></p>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 face=3D"Time=
s New Roman"><span
style=3D'font-size:12.0pt'> </span></font></p>

<div>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 color=3Dblue=
 face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:blue'>I've definately got=
 it
logging now, without IDS center.  I have it logging to MySQL (there we=
re
15 events at last check) but now I can not get ACID to work at all.  I=
 get
a CGI error that "</span></font><font color=3Dblack><span style=3D'col=
or:black'>The
specified CGI application misbehaved by not returning a complete set of HTTP
headers. The headers it did return are"   But that is it, no
headers are there.  It is supposed to be using PHP and the .cgi is map=
ped
the same as .php which didn't help.  Any thoughts?  </span></font=
></p>

</div>

<div>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 face=3DTahom=
a><span
style=3D'font-size:12.0pt;font-family:Tahoma'><br>
</span></font><font size=3D2 color=3Dblue face=3DArial><span style=3D'font-=
size:10.0pt;
font-family:Arial;color:blue'>[Rich Roy] </span></font></p>

</div>

<div>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 face=3DTahom=
a><span
style=3D'font-size:12.0pt;font-family:Tahoma'> </span></font></p>

</div>

<div>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 face=3DTahom=
a><span
style=3D'font-size:12.0pt;font-family:Tahoma'> </span></font></p>

</div>

<div>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 face=3DTahom=
a><span
style=3D'font-size:12.0pt;font-family:Tahoma'> </span></font></p>

</div>

<div>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 face=3DTahom=
a><span
style=3D'font-size:12.0pt;font-family:Tahoma'> </span></font></p>

</div>

<div>

<p class=3DMsoNormal style=3D'margin-right:0in;margin-bottom:12.0pt;margin-=
left:
.5in'><font size=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-fam=
ily:Tahoma'> -----Original
Message-----<br>
<b><span style=3D'font-weight:bold'>From:</span></b> Michael Steele
[mailto:michaels at ...155...]<br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> </span></font><font si=
ze=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>We=
dnesday, May
 15, 2002</span></font><font size=3D2 face=3DTahoma><span style=3D'font-siz=
e:10.0pt;
font-family:Tahoma'> </span></font><font size=3D2 face=3DTahoma><span
 style=3D'font-size:10.0pt;font-family:Tahoma'>5:29 PM</span></font><font s=
ize=3D2
face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'><br>
<b><span style=3D'font-weight:bold'>To:</span></b> 'Richard Roy'<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> RE: [Snort-users] S=
NORT
newbie looking for some help with Snort on Win2k</span></font></p>

</div>

<blockquote style=3D'margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 color=3Dnavy=
 face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:navy'>Richard,</span></fo=
nt></p>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 color=3Dnavy=
 face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:navy'> </span></font=
></p>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 color=3Dnavy=
 face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:navy'>If you are not sure=
 your
logging, you can place this rule in your local.rules file and activate the
local.rules file in the snort.conf file. Now generate some traffic with your
browser and you should see your log file grow.</span></font></p>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 color=3Dnavy=
 face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:navy'> </span></font=
></p>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 color=3Dnavy=
 face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:navy'> </span></font=
></p>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 color=3Dnavy=
 face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:navy'>alert tcp any any
<> any any (msg:"alert-local test";)</span></font></p>

<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 color=3Dnavy=
 face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:navy'> </span></font=
></p>

<div>

<p style=3D'margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'><font s=
ize=3D2
color=3Dnavy face=3D"Times New Roman"><span style=3D'font-size:10.0pt;color=
:navy'>Michael
Steele | Support Technician<br>
<a href=3D"mailto:michaels at ...155...">mailto:michaels at ...155...</a><br>
Silicon Defense: IDS solutions - <a href=3D"http://www.silicondefense.com">=
http://www.silicondefense.com</a><br>
Snort: Open Source Network IDS - <a href=3D"http://www.snort.org">http://ww=
w.snort.org</a></span></font></p>

</div>

<p class=3DMsoNormal style=3D'margin-left:1.0in'><font size=3D2 face=3DTaho=
ma><span
style=3D'font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style=3D'font-weight:bold'>From:</span></b>
snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] <b><span style=3D'font-wei=
ght:
bold'>On Behalf Of </span></b>Richard Roy<br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> </span></font><font si=
ze=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>We=
dnesday, May
 15, 2002</span></font><font size=3D2 face=3DTahoma><span style=3D'font-siz=
e:10.0pt;
font-family:Tahoma'> </span></font><font size=3D2 face=3DTahoma><span
 style=3D'font-size:10.0pt;font-family:Tahoma'>7:50 AM</span></font><font s=
ize=3D2
face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'><br>
<b><span style=3D'font-weight:bold'>To:</span></b> </span></font><font size=
=3D2
 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>snort-us=
ers at lists.sourceforge.net</span></font><font
size=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>=
<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> [Snort-users] SNORT
newbie looking for some help with Snort on Win2k</span></font></p>

<p class=3DMsoNormal style=3D'margin-left:1.0in'><font size=3D3 face=3D"Tim=
es New Roman"><span
style=3D'font-size:12.0pt'> </span></font></p>

<p style=3D'margin-left:1.0in'><font size=3D2 face=3DArial><span style=3D'f=
ont-size:
10.0pt;font-family:Arial'>I set up SNORT using IDSCentre and tested the con=
fig
using the applet.  I received no error messages, the SNORT window is m=
inimized
and things appear to work, yet there are no alerts, no log entries,
nothing.  I know we are under hits all the time, my firewall reports
blocking them.  </span></font></p>

<p style=3D'margin-left:1.0in'><font size=3D2 face=3DArial><span style=3D'f=
ont-size:
10.0pt;font-family:Arial'>Setup:</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>W2K
Pro p3 733.  On a hub with router and firewall external interface.&nbs=
p; I
have 64 public IP's and I'd like to scan the range if possible.  I am
including the following.   </span></font></p>

<p style=3D'margin-left:1.0in'><font size=3D2 face=3DArial><span style=3D'f=
ont-size:
10.0pt;font-family:Arial'>From IDSCentre the command line it fires, the
snort.conf file and the screen output from the minimized snort window.&nbsp=
; I
can't quite figure out what is wrong.  Another set of eyes looking at =
this
is what I am hoping someone will do and see a problem.</span></font></p>

<p style=3D'margin-left:1.0in'><font size=3D2 face=3DArial><span style=3D'f=
ont-size:
10.0pt;font-family:Arial'>TIA for your help</span></font> </p>

<p style=3D'margin-left:1.0in'><font size=3D2 face=3DArial><span style=3D'f=
ont-size:
10.0pt;font-family:Arial'>Rich</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>PS
Sorry it is a long post, but I did not want to do an attachment.</span></fo=
nt> </p>

<p style=3D'margin-left:1.0in'><font size=3D2 face=3DArial><span style=3D'f=
ont-size:
10.0pt;font-family:Arial'>[Begin config]</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>[************cmd
line*********]</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>c:\snort\Snort.exe
-c "c:\snort\snort.conf" -l "c:\snort\log" -h
aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y</span></font=
></p>

<p style=3D'margin-left:1.0in'><font size=3D2 face=3DArial><span style=3D'f=
ont-size:
10.0pt;font-family:Arial'>[*NOTE, yes I blanked out my IP above.  It i=
s a
public IP*]</span></font> </p>

<p class=3DMsoNormal style=3D'margin-left:1.0in'><font size=3D3 face=3D"Tim=
es New Roman"><span
style=3D'font-size:12.0pt'> </span></font></p>

<p style=3D'margin-left:1.0in'><font size=3D2 face=3DArial><span style=3D'f=
ont-size:
10.0pt;font-family:Arial'>[***********snort.conf**************]</span></fon=
t> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#--------------------------------------------------</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#  
<a href=3D"http://www.activeworx.com" target=3D"_blank">http://www.activewo=
rx.com</a>
Snort 1.8.6 Ruleset</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#    
IDS Policy Manager Version: 1.3 Build(31)</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#
Current Database Updated -- May 10, 2002 10:55 AM</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#--------------------------------------------------</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>##
Variables</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>##
---------</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#var
HOME_NET 10.1.1.0/24</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#var
HOME_NET $eth0_ADDRESS</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#var
HOME_NET [10.1.1.0/24,192.168.1.0/24]</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>var
HOME_NET any</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>var
EXTERNAL_NET any</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>var
SMTP $HOME_NET</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>var
HTTP_SERVERS $HOME_NET</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>var
SQL_SERVERS $HOME_NET</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>var
DNS_SERVERS $HOME_NET</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#var
RULE_PATH ./</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>var
RULE_PATH c:\snort\rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>var
SHELLCODE_PORTS !80</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#var
SPADEDIR .</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>##
Preprocessor Support</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>##
--------------------</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>preprocessor
http_decode: 80 -cginull -unicode</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>preprocessor
rpc_decode: 111 32771</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>preprocessor
bo:</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>preprocessor
stream4: detect_scans</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>preprocessor
stream4_reassemble</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>preprocessor
portscan: $HOME_NET 4 3 portscan.log</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#preprocessor
portscan-ignorehosts: 0.0.0.0</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>preprocessor
frag2</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>preprocessor
telnet_decode</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>##
Output Modules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>##
--------------</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#output
database: log, unixodbc, dbname=3Dsnort user=3Dsnort host=3Dlocalhost passw=
ord=3Dtest</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>output
CSV: log default</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>output
log_tcpdump: snorttcp.log</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#output
xml: Log, file=3D/var/log/snortxml</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>output
log_unified: filename snort.log, limit 128</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#output
alert_syslog: LOG_AUTH LOG_ALERT</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#output
alert_unified: filename snort.alert, limit 128</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#output
trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x DES -X
"" -a SHA -A "" myTrapListener</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>##
Custom Rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>##
------------</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>ruletype
suspicious</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>{</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'> type
log</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'> output
log_tcpdump: suspicious.log</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>}</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>ruletype
redalert</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>{</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'> type
alert</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'> output
alert_syslog: LOG_AUTH LOG_ALERT</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#
output database: log, mysql, user=3Dsnort dbname=3Dsnort host=3Dlocalhost</=
span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>}</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#ruletype
<New_Custom_Rules></span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#{</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#}</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>## Include
Files</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>##
-------------</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
classification.config</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#</span></font>
<br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/bad-traffic.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/exploit.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/scan.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/finger.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/ftp.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/telnet.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/smtp.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/rpc.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/rservices.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/dos.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/ddos.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/dns.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/tftp.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/web-cgi.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/web-coldfusion.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/web-iis.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/web-frontpage.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/web-misc.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/web-attacks.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/sql.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/x11.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/icmp.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/netbios.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/misc.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/attack-responses.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/backdoor.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/shellcode.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/policy.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/porn.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/info.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/icmp-info.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/virus.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>#include
$RULE_PATH/experimental.rules</span></font> <br>
<font size=3D2 face=3DArial><span style=3D'font-size:10.0pt;font-family:Ari=
al'>include
$RULE_PATH/local.rules</span></font> </p>

<p class=3DMsoNormal style=3D'margin-left:1.0in'><font size=3D3 face=3D"Tim=
es New Roman"><span
style=3D'font-size:12.0pt'> </span></font></p>

{*********Snort Screen*************}

Log directory = c:\snort\log

Initializing Network Interface \

        --== Initializing Snort ==--
Decoding Ethernet on interface \Device\Packet_NdisWanIp
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file c:\snort\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
    Reassembly method: FAVOR_OLD
Using GMT time
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
ProcessFileOption: c:\snort\log/log
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
980 Option Chains linked into 100 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-WIN32 (Build 103)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid at ...3029...)
         (based on code from 1.7 port)

[End config]

</blockquote>

</div>

</body>

</html>

More information about the Snort-users mailing list