No subject


Thu Nov 23 16:36:19 EST 2017


...the screen output from the minimized snort window.  I can't quite figure out what is wrong.  Another set of eyes looking at this is what I am hoping someone will do and see a problem.

TIA for your help

Rich
PS Sorry it is a long post, but I did not want to do an attachment.

[Begin config]
[************cmd line*********]
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y

[*NOTE, yes I blanked out my IP above.  It is a public IP*]


[***********snort.conf**************]
#--------------------------------------------------
#   http://www.activeworx.com Snort 1.8.6 Ruleset
#     IDS Policy Manager Version: 1.3 Build(31)
# Current Database Updated -- May 10, 2002 10:55 AM
#--------------------------------------------------
#
## Variables
## ---------
#var HOME_NET 10.1.1.0/24
#var HOME_NET $eth0_ADDRESS
#var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
#var RULE_PATH ./
var RULE_PATH c:\snort\rules
var SHELLCODE_PORTS !80
#var SPADEDIR .
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 -cginull -unicode
preprocessor rpc_decode: 111 32771
preprocessor bo:
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
preprocessor frag2
preprocessor telnet_decode
#
#
## Output Modules
## --------------
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test
output CSV: log default
output log_tcpdump: snorttcp.log
#output xml: Log, file=/var/log/snortxml
output log_unified: filename snort.log, limit 128
#
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
#
## Custom Rules
## ------------
ruletype suspicious
{
 type log
 output log_tcpdump: suspicious.log
}
ruletype redalert
{
 type alert
 output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
}
#ruletype <New_Custom_Rules>
#{
#}
#
## Include Files
## -------------
include classification.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
#include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules


{*********Snort Screen*************}

Log directory = c:\snort\log

Initializing Network Interface \

        --== Initializing Snort ==--
Decoding Ethernet on interface \Device\Packet_NdisWanIp
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file c:\snort\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Using GMT time
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
ProcessFileOption: c:\snort\log/log
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
980 Option Chains linked into 100 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-WIN32 (Build 103)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid at ...3029...)
          (based on code from 1.7 port)

[End config]

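An added example, not code from the thread or from the Snort project: a small Python checker that reads the snort.conf lines and the command line Rich posted above (copied inline as a constructed sample) together with the local.rules test rule Michael Steele suggests later in the thread. It lists the facts a second pair of eyes would check first: whether var HOME_NET and the command-line -h agree, how many log-type output plugins the -b switch supersedes (Snort prints one "command line overrides rules file logging plugin!" warning per plugin, which matches the three warnings in the screen output above), whether any alert output plugin is active, and whether local.rules is included at all. The helper names, the wording of the findings and the rule-parsing regex are this example's own.

```python
import re

# Constructed sample: the snort.conf lines from the thread that the checks below use.
SNORT_CONF = r"""
var HOME_NET any
var RULE_PATH c:\snort\rules
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test
output CSV: log default
output log_tcpdump: snorttcp.log
output log_unified: filename snort.log, limit 128
#output alert_syslog: LOG_AUTH LOG_ALERT
ruletype redalert
{
 type alert
 output alert_syslog: LOG_AUTH LOG_ALERT
}
include classification.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/local.rules
"""
# The command line IDScenter fired, as posted (the poster blanked the IP).
CMDLINE = (r'c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" '
           r'-h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y')
# The local.rules test rule suggested in the thread.
TEST_RULE = 'alert tcp any any <> any any (msg:"alert-local test";)'

def parse_conf(text):
    """Collect vars, active and commented-out outputs, includes and ruletype blocks."""
    cfg = {"vars": {}, "outputs": [], "disabled_outputs": [], "includes": [], "ruletypes": {}}
    block = None  # name of the ruletype block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # a commented-out output line still tells a reviewer something
            body = line.lstrip("#").strip()
            if body.startswith("output "):
                cfg["disabled_outputs"].append(body[len("output "):])
            continue
        if block is not None:  # inside "ruletype NAME { ... }"
            if line == "}":
                block = None
            elif line != "{":
                key, _, val = line.partition(" ")
                cfg["ruletypes"][block].setdefault(key, []).append(val)
            continue
        key, _, rest = line.partition(" ")
        if key == "var":
            name, _, val = rest.partition(" ")
            cfg["vars"][name] = val
        elif key == "ruletype":
            block, cfg["ruletypes"][rest] = rest, {}
        elif key == "output":
            cfg["outputs"].append(rest)
        elif key == "include":  # expand $NAME from vars seen earlier in the file
            cfg["includes"].append(re.sub(r"\$(\w+)", lambda m: cfg["vars"].get(m.group(1), m.group(0)), rest))
    return cfg

def parse_cmdline(cmd):
    """Tokenise the command line: a token after a flag that does not start with '-'
    is that flag's value; any other flag is a bare switch (True)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    opts, i = {"exe": tokens[0]}, 1
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def parse_rule(line):
    """Split a Snort 1.x rule into its header fields plus an option dictionary."""
    m = re.match(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                 r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$", line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    rule = m.groupdict()
    rule["options"] = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        rule["options"][key.strip()] = val.strip().strip('"')
    return rule

def findings(cfg, opts):
    """Facts a reviewer checks before asking why nothing is logged."""
    notes = []
    home = cfg["vars"].get("HOME_NET")
    if "-h" in opts and opts["-h"] != home:
        notes.append(f"HOME_NET is {home} in snort.conf but -h {opts['-h']} on the command line")
    log_outputs = [o for o in cfg["outputs"] if o.startswith("log_") or ": log" in o]
    if opts.get("-b") and log_outputs:
        notes.append(f"-b on the command line overrides {len(log_outputs)} log-type output plugin(s)")
    if not any(o.startswith("alert") for o in cfg["outputs"]):
        notes.append(f"no active alert output plugin; {len(cfg['disabled_outputs'])} output line(s) are commented out")
    if not any(p.endswith("local.rules") for p in cfg["includes"]):
        notes.append("local.rules is not included, so a test rule placed there never loads")
    return notes

if __name__ == "__main__":
    print(*findings(parse_conf(SNORT_CONF), parse_cmdline(CMDLINE)), sep="\n")
```

Run it as a script to print the findings for the posted configuration; the ruletype block is tracked so that the alert_syslog line inside redalert is not mistaken for a global alert plugin, and parse_rule confirms the test rule has a bidirectional header and a single msg option before it goes into local.rules.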

There is no time out period, as far as I am aware.  This is a very common problem when running on Windows 2000.  As I mentioned in a previous post, Snort.Panel fixed this for me, as it will restart snort immediately if the process dies.

-----Original Message-----
From: Steven Garrett [mailto:StevenG at ...5837...]
Sent: Thursday, May 16, 2002 12:04 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort exit

Hi all.  Is there a defined time-out period for snort?  I leave it running when I leave for the evening and by the time I come back in the morning it has exited.  All I can see in the logs is that the interface has left promiscuous mode.

Any ideas?  All suggestions and helpful comments are greatly appreciated.

Steve

-----Original Message-----
From: Michael Steele [mailto:michaels at ...155...]
Sent: Thursday, May 16, 2002 10:58 AM
To: 'Richard Roy'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

Richard,

Sounds like you have the permissions set incorrectly for the CGI folder. Make sure that the IUSER has full access to the folder. If you need some guidance then you can go to our site, there you will find a complete walk through for Windows and either Snortsnarf or for Acid as your viewer. Let me know how things go.

Michael Steele | Support Technician
mailto:michaels at ...155...
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: Richard Roy [mailto:royr at ...5882...]
Sent: May 16, 2002 7:16 AM
To: 'Michael Steele'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I've definitely got it logging now, without IDS center.  I have it logging to MySQL (there were 15 events at last check) but now I can not get ACID to work at all.  I get a CGI error that "The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are"   But that is it, no headers are there.  It is supposed to be using PHP and the .cgi is mapped the same as .php which didn't help.  Any thoughts?

[Rich Roy]

-----Original Message-----
From: Michael Steele [mailto:michaels at ...155...]
Sent: Wednesday, May 15, 2002 5:29 PM
To: 'Richard Roy'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

Richard,

If you are not sure you're logging, you can place this rule in your local.rules file and activate the local.rules file in the snort.conf file. Now generate some traffic with your browser and you should see your log file grow.

alert tcp any any <> any any (msg:"alert-local test";)

Michael Steele | Support Technician
mailto:michaels at ...155...
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Richard Roy
Sent: Wednesday, May 15, 2002 7:50 AM
To: snort-users at ...4626...ceforge.net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I set up SNORT using IDSCentre and tested the config using the applet.  I received no error messages, the SNORT window is minimized and things appear to work, yet there are no alerts, no log entries, nothing.  I know we are under hits all the time, my firewall reports blocking them.

Setup:
W2K Pro p3 733.  On a hub with router and firewall external interface.  I have 64 public IP's and I'd like to scan the range if possible.  I am including the following.

From IDSCentre the command line it fires, the snort.conf file and the screen output from the minimized snort window.  I can't quite figure out what is wrong.  Another set of eyes looking at this is what I am hoping someone will do and see a problem.

TIA for your help

Rich
PS Sorry it is a long post, but I did not want to do an attachment.
      $RULE_PATH/web-coldfusion.rules</SPAN></FONT> <BR><FONT face=3DArial=
=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=
=20
      $RULE_PATH/web-iis.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D=
2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/web-frontpage.rules</SPAN></FONT> <BR><FONT face=3DArial=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=
=20
      $RULE_PATH/web-misc.rules</SPAN></FONT> <BR><FONT face=3DArial size=
=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/web-attacks.rules</SPAN></FONT> <BR><FONT face=3DArial=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=
=20
      $RULE_PATH/sql.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D2><S=
PAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/x11.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D2><S=
PAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/icmp.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D2><=
SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/netbios.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D=
2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/misc.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D2><=
SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/attack-responses.rules</SPAN></FONT> <BR><FONT face=3DAria=
l=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=
=20
      $RULE_PATH/backdoor.rules</SPAN></FONT> <BR><FONT face=3DArial size=
=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/shellcode.rules</SPAN></FONT> <BR><FONT face=3DArial size=
=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/policy.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D2=
><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/porn.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D2><=
SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/info.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D2><=
SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/icmp-info.rules</SPAN></FONT> <BR><FONT face=3DArial size=
=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=20
      $RULE_PATH/virus.rules</SPAN></FONT> <BR><FONT face=3DArial size=3D2>=
<SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">#include=20
      $RULE_PATH/experimental.rules</SPAN></FONT> <BR><FONT face=3DArial=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">include=
=20
      $RULE_PATH/local.rules</SPAN></FONT> </P>
      <P class=3DMsoNormal style=3D"MARGIN-LEFT: 1in"><FONT face=3D"Times N=
ew Roman"=20
      size=3D3><SPAN style=3D"FONT-SIZE: 12pt"></SPAN></FONT> </P>
      <P style=3D"MARGIN-LEFT: 1in"><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">{*********Snort=20
      Screen*************}</SPAN></FONT> </P>
      <P style=3D"MARGIN-LEFT: 1in"><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Log directory =3D=20
      c:\snort\log</SPAN></FONT> </P>
      <P style=3D"MARGIN-LEFT: 1in"><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Initializing Network In=
terface=20
      \</SPAN></FONT> </P>
      <P style=3D"MARGIN-LEFT: 1in"><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">   &nbsp=
;   =20
      --=3D=3D Initializing Snort =3D=3D--</SPAN></FONT> <BR><FONT face=3DA=
rial=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Decoding=
 Ethernet=20
      on interface \Device\Packet_NdisWanIp</SPAN></FONT> <BR><FONT face=3D=
Arial=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Initiali=
zing=20
      Preprocessors!</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Initializing=20
      Plug-ins!</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Initializating Output=20
      Plugins!</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Parsing Rules file=20
      c:\snort\snort.conf</SPAN></FONT> </P>
      <P style=3D"MARGIN-LEFT: 1in"><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">+++++++++++++++++++++++=
++++++++++++++++++++++++++++</SPAN></FONT>=20
      <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Initializing rule=20
      chains...</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Stream4 config:</SPAN><=
/FONT>=20
      <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">    Stat=
eful=20
      inspection: ACTIVE</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPA=
N=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">    Sess=
ion=20
      statistics: INACTIVE</SPAN></FONT> <BR><FONT face=3DArial size=3D2><S=
PAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">    Sess=
ion=20
      timeout: 30 seconds</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SP=
AN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">    Sess=
ion=20
      memory cap: 8388608 bytes</SPAN></FONT> <BR><FONT face=3DArial size=
=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">    Stat=
e=20
      alerts: INACTIVE</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=
=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">    Scan=
=20
      alerts: ACTIVE</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">    Log =
Flushed=20
      Streams: INACTIVE</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=
=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">No arguments to=20
      stream4_reassemble, setting defaults:</SPAN></FONT> <BR><FONT face=3D=
Arial=20
      size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">   &nbsp=
;=20
      Reassemble client: ACTIVE</SPAN></FONT> <BR><FONT face=3DArial size=
=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">   &nbsp=
;=20
      Reassemble server: INACTIVE</SPAN></FONT> <BR><FONT face=3DArial=20
      size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">   &nbsp=
;=20
      Reassemble ports: 21 23 25 53 80 143 110 111 513</SPAN></FONT> <BR><F=
ONT=20
      face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">   &nbsp=
;=20
      Reassembly alerts: ACTIVE</SPAN></FONT> <BR><FONT face=3DArial size=
=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">   &nbsp=
;=20
      Reassembly method: FAVOR_OLD</SPAN></FONT> <BR><FONT face=3DArial=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Using GM=
T=20
      time</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">No arguments to frag2=20
      directive, setting defaults to:</SPAN></FONT> <BR><FONT face=3DArial=
=20
      size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">    Frag=
ment=20
      timeout: 60 seconds</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SP=
AN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">    Frag=
ment=20
      memory cap: 4194304 bytes</SPAN></FONT> <BR><FONT face=3DArial size=
=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">ProcessFileOption:=20
      c:\snort\log/log</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=
=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">WARNING: command line=20
      overrides rules file logging plugin!</SPAN></FONT> <BR><FONT face=3DA=
rial=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">WARNING:=
 command=20
      line overrides rules file logging plugin!</SPAN></FONT> <BR><FONT=20
      face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">WARNING: command line=20
      overrides rules file logging plugin!</SPAN></FONT> <BR><FONT face=3DA=
rial=20
      size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">980 Snor=
t rules=20
      read...</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">980 Option Chains linke=
d into=20
      100 Chain Headers</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=
=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">0 Dynamic rules</SPAN><=
/FONT>=20
      <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">+++++++++++++++++++++++=
++++++++++++++++++++++++++++</SPAN></FONT>=20
      </P>
      <P style=3D"MARGIN-LEFT: 1in"><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Rule application order:=
=20
      ->activation->dynamic->alert->pass->log->suspicious=
->red</SPAN></FONT>=20
      <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">alert</SPAN></FONT> </P>
      <P style=3D"MARGIN-LEFT: 1in"><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">   &nbsp=
;   =20
      --=3D=3D Initialization Complete =3D=3D--</SPAN></FONT> </P>
      <P style=3D"MARGIN-LEFT: 1in"><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">-*> Snort!=20
      <*-</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Version 1.8-WIN32 (Buil=
d=20
      103)</SPAN></FONT> <BR><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">By Martin Roesch=20
      (roesch at ...1935..., www.snort.org)</SPAN></FONT> <BR><FONT face=3DAri=
al=20
      size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">1.7-WIN32</SPAN></FONT>=
<FONT=20
      face=3DArial size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 1=
0pt">=20
      </SPAN></FONT><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Port</SPAN></FONT><FONT=
=20
      face=3DArial size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 1=
0pt"> By=20
      Michael </SPAN></FONT><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Davis</SPAN></FONT><FON=
T=20
      face=3DArial size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 1=
0pt">=20
      (mike at ...92..., www.datanerds.net/~mike)</SPAN></FONT> <BR><FONT=20
      face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">1.8-WIN32</SPAN></FONT>=
<FONT=20
      face=3DArial size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 1=
0pt">=20
      </SPAN></FONT><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">Port</SPAN></FONT><FONT=
=20
      face=3DArial size=3D2><SPAN style=3D"FONT-FAMILY: Arial; FONT-SIZE: 1=
0pt"> By=20
      Chris Reid (chris.reid at ...3029...)</SPAN></FONT> <BR><FONT=20
      face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">   &nbsp=
;     =20
      (based on code from 1.7 port)</SPAN></FONT> </P>
      <P style=3D"MARGIN-LEFT: 1in"><FONT face=3DArial size=3D2><SPAN=20
      style=3D"FONT-FAMILY: Arial; FONT-SIZE: 10pt">[End config]</SPAN></FO=
NT>=20
    </P></BLOCKQUOTE></DIV></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>
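The three "command line overrides rules file logging plugin!" warnings in the startup screen above are the detail worth checking: each one is a log-type output module from the conf that Snort skipped because a command-line logging option took precedence, so those outputs are silently inactive. As an added example that is not part of the original post, the Python below pairs such warnings with a conf's uncommented log-type output lines, using a constructed conf excerpt and startup snippet; the log/alert classification rule (alert_*/log_* by module name, otherwise by the first argument as for CSV, database and xml) is an assumption drawn from Snort's output-module naming.

```python
import re

# Constructed sample conf excerpt (not the poster's file): three log-type
# outputs, one alert-type output, and a commented-out line that must be ignored.
SAMPLE_CONF = """\
output CSV: log default
output log_tcpdump: tcpdump.log
#output xml: log, file=/var/log/snortxml
output log_unified: filename snort.log, limit 128
output alert_syslog: LOG_AUTH LOG_ALERT
"""

# Constructed startup snippet mirroring the warnings seen in the post.
SAMPLE_STARTUP = """\
ProcessFileOption: c:\\snort\\log/log
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
"""

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")
OVERRIDE_MSG = "command line overrides rules file logging plugin"

def output_modules(conf_text):
    """Return [(module, kind, args)] for uncommented 'output' lines.
    kind is 'log' or 'alert' (assumption: alert_*/log_* modules carry it in
    the name; CSV, database and xml take it as their first argument)."""
    modules = []
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)          # '#output ...' never matches
        if not m:
            continue
        name, args = m.group(1), m.group(2).strip()
        if name.startswith("alert_"):
            kind = "alert"
        elif name.startswith("log_"):
            kind = "log"
        else:
            first = re.split(r"[,\s]+", args, maxsplit=1)[0].lower()
            kind = "log" if first == "log" else "alert"
        modules.append((name, kind, args))
    return modules

def overridden_log_outputs(conf_text, startup_text):
    """Pair override warnings with the conf's log-type outputs, in conf order.
    Returns (names of outputs that are silently inactive, unmatched warnings)."""
    warnings = sum(OVERRIDE_MSG in l for l in startup_text.splitlines())
    log_mods = [n for n, kind, _ in output_modules(conf_text) if kind == "log"]
    return log_mods[:warnings], max(0, warnings - len(log_mods))
```

Run against the sample, it reports CSV, log_tcpdump and log_unified as overridden and alert_syslog as untouched, which is the state the poster's screen output implies for a conf with three log-type outputs.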
