No subject


Thu Nov 23 16:36:19 EST 2017


output from the minimized snort window.  I can't quite figure out what is
wrong.  Another set of eyes looking at this is what I am hoping someone will
do and see a problem.

TIA for your help 

Rich 
PS Sorry it is a long post, but I did not want to do an attachment. 

[Begin config] 
[************cmd line*********] 
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y

[*NOTE, yes I blanked out my IP above.  It is a public IP*] 

 

[***********snort.conf**************] 
#-------------------------------------------------- 
#   http://www.activeworx.com  Snort 1.8.6 Ruleset 
#     IDS Policy Manager Version: 1.3 Build(31) 
# Current Database Updated -- May 10, 2002 10:55 AM 
#-------------------------------------------------- 
# 
## Variables 
## --------- 
#var HOME_NET 10.1.1.0/24 
#var HOME_NET $eth0_ADDRESS 
#var HOME_NET [10.1.1.0/24,192.168.1.0/24] 
var HOME_NET any 
var EXTERNAL_NET any 
var SMTP $HOME_NET 
var HTTP_SERVERS $HOME_NET 
var SQL_SERVERS $HOME_NET 
var DNS_SERVERS $HOME_NET 
#var RULE_PATH ./ 
var RULE_PATH c:\snort\rules 
var SHELLCODE_PORTS !80 
#var SPADEDIR . 
# 
## Preprocessor Support 
## -------------------- 
preprocessor http_decode: 80 -cginull -unicode 
preprocessor rpc_decode: 111 32771 
preprocessor bo: 
preprocessor stream4: detect_scans 
preprocessor stream4_reassemble 
preprocessor portscan: $HOME_NET 4 3 portscan.log 
#preprocessor portscan-ignorehosts: 0.0.0.0 
preprocessor frag2 
preprocessor telnet_decode 
# 
# 
## Output Modules 
## -------------- 
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test 
output CSV: log default 
output log_tcpdump: snorttcp.log 
#output xml: Log, file=/var/log/snortxml 
output log_unified: filename snort.log, limit 128 
# 
#output alert_syslog: LOG_AUTH LOG_ALERT 
#output alert_unified: filename snort.alert, limit 128 
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener 
# 
## Custom Rules 
## ------------ 
ruletype suspicious 
{ 
 type log 
 output log_tcpdump: suspicious.log 
} 
ruletype redalert 
{ 
 type alert 
 output alert_syslog: LOG_AUTH LOG_ALERT 
# output database: log, mysql, user=snort dbname=snort host=localhost 
} 
#ruletype <New_Custom_Rules> 
#{ 
#} 
# 
## Include Files 
## ------------- 
include classification.config 
# 
include $RULE_PATH/bad-traffic.rules 
include $RULE_PATH/exploit.rules 
include $RULE_PATH/scan.rules 
include $RULE_PATH/finger.rules 
include $RULE_PATH/ftp.rules 
include $RULE_PATH/telnet.rules 
include $RULE_PATH/smtp.rules 
include $RULE_PATH/rpc.rules 
include $RULE_PATH/rservices.rules 
include $RULE_PATH/dos.rules 
include $RULE_PATH/ddos.rules 
include $RULE_PATH/dns.rules 
include $RULE_PATH/tftp.rules 
include $RULE_PATH/web-cgi.rules 
include $RULE_PATH/web-coldfusion.rules 
include $RULE_PATH/web-iis.rules 
include $RULE_PATH/web-frontpage.rules 
include $RULE_PATH/web-misc.rules 
include $RULE_PATH/web-attacks.rules 
include $RULE_PATH/sql.rules 
include $RULE_PATH/x11.rules 
include $RULE_PATH/icmp.rules 
include $RULE_PATH/netbios.rules 
include $RULE_PATH/misc.rules 
include $RULE_PATH/attack-responses.rules 
include $RULE_PATH/backdoor.rules 
include $RULE_PATH/shellcode.rules 
include $RULE_PATH/policy.rules 
include $RULE_PATH/porn.rules 
include $RULE_PATH/info.rules 
include $RULE_PATH/icmp-info.rules 
include $RULE_PATH/virus.rules 
#include $RULE_PATH/experimental.rules 
include $RULE_PATH/local.rules 

 

{*********Snort Screen*************} 

Log directory = c:\snort\log 

Initializing Network Interface \ 

        --== Initializing Snort ==-- 
Decoding Ethernet on interface \Device\Packet_NdisWanIp 
Initializing Preprocessors! 
Initializing Plug-ins! 
Initializating Output Plugins! 
Parsing Rules file c:\snort\snort.conf 

+++++++++++++++++++++++++++++++++++++++++++++++++++ 
Initializing rule chains... 
Stream4 config: 
    Stateful inspection: ACTIVE 
    Session statistics: INACTIVE 
    Session timeout: 30 seconds 
    Session memory cap: 8388608 bytes 
    State alerts: INACTIVE 
    Scan alerts: ACTIVE 
    Log Flushed Streams: INACTIVE 
No arguments to stream4_reassemble, setting defaults: 
     Reassemble client: ACTIVE 
     Reassemble server: INACTIVE 
     Reassemble ports: 21 23 25 53 80 143 110 111 513 
     Reassembly alerts: ACTIVE 
     Reassembly method: FAVOR_OLD 
Using GMT time 
No arguments to frag2 directive, setting defaults to: 
    Fragment timeout: 60 seconds 
    Fragment memory cap: 4194304 bytes 
ProcessFileOption: c:\snort\log/log 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
980 Snort rules read... 
980 Option Chains linked into 100 Chain Headers 
0 Dynamic rules 
+++++++++++++++++++++++++++++++++++++++++++++++++++ 

Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert 

        --== Initialization Complete ==-- 

-*> Snort! <*- 
Version 1.8-WIN32 (Build 103) 
By Martin Roesch (roesch at ...1935..., www.snort.org) 
1.7-WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike) 
1.8-WIN32 Port By Chris Reid (chris.reid at ...3029...) 
          (based on code from 1.7 port) 

[End config] 
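A small checker over the command line and start-up banner quoted above, added here as an example and not part of the original post or of Snort itself. It flags the things in that output that most often explain "runs fine, logs nothing": the capture interface came up as \Device\Packet_NdisWanIp (the NDIS WAN dial-up pseudo-adapter, which sees no LAN traffic; "snort -W" lists the real adapters), the three "command line overrides" warnings that -b produces for the log output plugins in snort.conf, and the /32 home-network mask. The sample banner and command line are constructed from the lines in the post; the finding codes and the FLAGS_WITH_ARG set are this example's own.

```python
import re

# Constructed sample: the start-up banner lines quoted in the post above.
SAMPLE_BANNER = """\
Log directory = c:\\snort\\log
Decoding Ethernet on interface \\Device\\Packet_NdisWanIp
Parsing Rules file c:\\snort\\snort.conf
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
980 Option Chains linked into 100 Chain Headers
0 Dynamic rules
"""

# Constructed sample: the command line quoted in the post (IP blanked by its author).
SAMPLE_CMDLINE = (
    'c:\\snort\\Snort.exe -c "c:\\snort\\snort.conf" -l "c:\\snort\\log" '
    '-h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y'
)

# Switches that consume the following token. "-G" is taken from the posted
# command line ("-G basic"); the others are standard Snort 1.x switches.
# Any switch not listed here is treated as a bare boolean flag (assumption).
FLAGS_WITH_ARG = {"-c", "-l", "-h", "-i", "-G", "-A", "-F", "-r"}

OVERRIDE_WARNING = "WARNING: command line overrides rules file logging plugin!"


def parse_cmdline(cmdline):
    """Split a Windows-style Snort command line into {switch: value-or-None}.

    Double-quoted paths (which may contain spaces) are kept as one token and
    the quotes are stripped; backslashes are left untouched.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)[1:]  # drop the executable
    flags = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS_WITH_ARG and i + 1 < len(tokens):
            flags[tok] = tokens[i + 1].strip('"')
            i += 2
        else:
            flags[tok] = None
            i += 1
    return flags


def check_snort_startup(banner, cmdline):
    """Return [(code, message), ...] for a Snort 1.8 Win32 banner + command line."""
    findings = []
    flags = parse_cmdline(cmdline)

    # 1. Which adapter did "-i <n>" actually bind? \Device\Packet_NdisWanIp is
    #    the NDIS WAN (dial-up/VPN) pseudo-adapter and never sees LAN traffic.
    m = re.search(r"^Decoding Ethernet on interface (\S+)", banner, re.M)
    iface = m.group(1) if m else ""
    if "NdisWan" in iface:
        findings.append((
            "WAN_PSEUDO_INTERFACE",
            f"capture bound to {iface}, the NDIS WAN pseudo-adapter; run "
            f"'snort -W' and pass the physical NIC's index to -i (currently -i {flags.get('-i')})",
        ))

    # 2. "-b" (binary logging) on the command line makes Snort skip every
    #    "output ...: log" plugin in snort.conf; it warns once per plugin skipped.
    overrides = banner.count(OVERRIDE_WARNING)
    if overrides and "-b" in flags:
        findings.append((
            "LOG_PLUGINS_OVERRIDDEN",
            f"-b overrides {overrides} log output plugin(s) from snort.conf; "
            "packet logs go to the binary tcpdump file under the -l directory instead",
        ))

    # 3. Zero rules loaded means nothing can ever alert.
    m = re.search(r"^(\d+) Snort rules read", banner, re.M)
    if m is None or int(m.group(1)) == 0:
        findings.append(("NO_RULES", "no rules were loaded; check RULE_PATH and the include lines"))

    # 4. A /32 home network is a single address; the post describes 64 public IPs.
    hn = flags.get("-h")
    if hn and hn.endswith("/32"):
        findings.append((
            "HOME_NET_SINGLE_HOST",
            f"-h {hn} covers one address; confirm that is intended for the monitored range",
        ))
    return findings


if __name__ == "__main__":
    for code, msg in check_snort_startup(SAMPLE_BANNER, SAMPLE_CMDLINE):
        print(f"[{code}] {msg}")
```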


Thanks Keith,

Although I should have mentioned that I'm running snort on a freebsd box, not an NT box.  Any ideas on what would cause it to stop running on a freebsd box?  The logs are silent as mentioned earlier in the thread.

Thanks all

Steve

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon at ...3497...]
Sent: Thursday, May 16, 2002 12:19 PM
To: Steven Garrett; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] snort exit

There is no time out period, as far as I am aware.  This is a very common problem when running on Windows 2000.  As I mentioned in a previous post, Snort.Panel fixed this for me, as it will restart snort immediately if the process dies.

-----Original Message-----
From: Steven Garrett [mailto:StevenG at ...5837...]
Sent: Thursday, May 16, 2002 12:04 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort exit

Hi all.  Is there a defined time-out period for snort?  I leave it running when I leave for the evening and by the time I come back in the morning it has exited.  All I can see in the logs is that the interface has left promiscuous mode.

Any ideas?  All suggestions and helpful comments are greatly appreciated.

Steve

-----Original Message-----
From: Michael Steele [mailto:michaels at ...155...]
Sent: Thursday, May 16, 2002 10:58 AM
To: 'Richard Roy'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

Richard,

Sounds like you have the permissions set incorrectly for the CGI folder. Make sure that the IUSER has full access to the folder. If you need some guidance then you can go to our site, there you will find a complete walk through for Windows and either Snortsnarf or for Acid as your viewer. Let me know how things go.

Michael Steele | Support Technician
mailto:michaels at ...155...
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: Richard Roy [mailto:royr at ...5882...]
Sent: May 16, 2002 7:16 AM
To: 'Michael Steele'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I've definitely got it logging now, without IDS center.  I have it logging to MySQL (there were 15 events at last check) but now I can not get ACID to work at all.  I get a CGI error that "The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are"   But that is it, no headers are there.  It is supposed to be using PHP and the .cgi is mapped the same as .php which didn't help.  Any thoughts?

[Rich Roy]

-----Original Message-----
From: Michael Steele [mailto:michaels at ...155...]
Sent: Wednesday, May 15, 2002 5:29 PM
To: 'Richard Roy'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

Richard,

If you are not sure you're logging, you can place this rule in your local.rules file and activate the local.rules file in the snort.conf file. Now generate some traffic with your browser and you should see your log file grow.

alert tcp any any <> any any (msg:"alert-local test";)

Michael Steele | Support Technician
mailto:michaels at ...155...
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Richard Roy
Sent: Wednesday, May 15, 2002 7:50 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I set up SNORT using IDSCentre and tested the config using the applet.  I received no error messages, the SNORT window is minimized and things appear to work, yet there are no alerts, no log entries, nothing.  I know we are under hits all the time, my firewall reports blocking them.

Setup:
W2K Pro p3 733.  On a hub with router and firewall external interface.  I have 64 public IP's and I'd like to scan the range if possible.  I am including the following.

From IDSCentre the command line it fires, the snort.conf file and the screen output from the minimized snort window.  I can't quite figure out what is wrong.  Another set of eyes looking at this is what I am hoping someone will do and see a problem.

TIA for your help

Rich
PS Sorry it is a long post, but I did not want to do an attachment.
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/web-misc.rules</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/web-attacks.rules</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/sql.rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/x11.rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/icmp.rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/netbios.rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/misc.rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/attack-responses.rules</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/backdoor.rules</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/shellcode.rules</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/policy.rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/porn.rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/info.rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/icmp-info.rules</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/virus.rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">#include 
        $RULE_PATH/experimental.rules</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">include 
        $RULE_PATH/local.rules</SPAN></FONT> </P>
        <P class=MsoNormal style="MARGIN-LEFT: 1in"><FONT face="Times New Roman" 
        size=3><SPAN style="FONT-SIZE: 12pt"></SPAN></FONT> </P>
        <P style="MARGIN-LEFT: 1in"><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">{*********Snort 
        Screen*************}</SPAN></FONT> </P>
        <P style="MARGIN-LEFT: 1in"><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Log directory = 
        c:\snort\log</SPAN></FONT> </P>
        <P style="MARGIN-LEFT: 1in"><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Initializing Network 
        Interface \</SPAN></FONT> </P>
        <P style="MARGIN-LEFT: 1in"><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">        
        --== Initializing Snort ==--</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Decoding 
        Ethernet on interface \Device\Packet_NdisWanIp</SPAN></FONT> <BR><FONT 
        face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Initializing 
        Preprocessors!</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Initializing 
        Plug-ins!</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Initializating Output 
        Plugins!</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Parsing Rules file 
        c:\snort\snort.conf</SPAN></FONT> </P>
        <P style="MARGIN-LEFT: 1in"><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">+++++++++++++++++++++++++++++++++++++++++++++++++++</SPAN></FONT> 
        <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Initializing rule 
        chains...</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Stream4 
        config:</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">    Stateful 
        inspection: ACTIVE</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">    Session 
        statistics: INACTIVE</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">    Session 
        timeout: 30 seconds</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">    Session 
        memory cap: 8388608 bytes</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">    State 
        alerts: INACTIVE</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">    Scan 
        alerts: ACTIVE</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">    Log 
        Flushed Streams: INACTIVE</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">No arguments to 
        stream4_reassemble, setting defaults:</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">     
        Reassemble client: ACTIVE</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">     
        Reassemble server: INACTIVE</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">     
        Reassemble ports: 21 23 25 53 80 143 110 111 513</SPAN></FONT> <BR><FONT 
        face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">     
        Reassembly alerts: ACTIVE</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">     
        Reassembly method: FAVOR_OLD</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Using GMT 
        time</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">No arguments to frag2 
        directive, setting defaults to:</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">    Fragment 
        timeout: 60 seconds</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">    Fragment 
        memory cap: 4194304 bytes</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">ProcessFileOption: 
        c:\snort\log/log</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">WARNING: command line 
        overrides rules file logging plugin!</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">WARNING: 
        command line overrides rules file logging plugin!</SPAN></FONT> 
        <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">WARNING: command line 
        overrides rules file logging plugin!</SPAN></FONT> <BR><FONT face=Arial 
        size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">980 Snort rules 
        read...</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">980 Option Chains linked 
        into 100 Chain Headers</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">0 Dynamic 
        rules</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">+++++++++++++++++++++++++++++++++++++++++++++++++++</SPAN></FONT> 
        </P>
        <P style="MARGIN-LEFT: 1in"><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Rule application order: 
        ->activation->dynamic->alert->pass->log->suspicious->red</SPAN></FONT> 
        <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">alert</SPAN></FONT> </P>
        <P style="MARGIN-LEFT: 1in"><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">        
        --== Initialization Complete ==--</SPAN></FONT> </P>
        <P style="MARGIN-LEFT: 1in"><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">-*> Snort! 
        <*-</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Version 1.8-WIN32 (Build 
        103)</SPAN></FONT> <BR><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">By Martin Roesch 
        (roesch at ...1935..., www.snort.org)</SPAN></FONT> <BR><FONT 
        face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">1.7-WIN32</SPAN></FONT><FONT 
        face=Arial size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> 
        </SPAN></FONT><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Port</SPAN></FONT><FONT 
        face=Arial size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> By 
        Michael </SPAN></FONT><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Davis</SPAN></FONT><FONT 
        face=Arial size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> 
        (mike at ...92..., www.datanerds.net/~mike)</SPAN></FONT> <BR><FONT 
        face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">1.8-WIN32</SPAN></FONT><FONT 
        face=Arial size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> 
        </SPAN></FONT><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Port</SPAN></FONT><FONT 
        face=Arial size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> By 
        Chris Reid (chris.reid at ...3029...)</SPAN></FONT> <BR><FONT 
        face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">          
        (based on code from 1.7 port)</SPAN></FONT> </P>
        <P style="MARGIN-LEFT: 1in"><FONT face=Arial size=2><SPAN 
        style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">[End config]</SPAN></FONT> 
        </P></BLOCKQUOTE></DIV></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>

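An added check for this thread (example code, not from Rich's post and not part of Snort): a small offline linter that reads a snort.conf together with the command line Snort is started with and reports which `output` directives the command line will override, which is the condition behind the three "WARNING: command line overrides rules file logging plugin!" lines in the startup screen above, plus any `$VARIABLE` that is used but never defined. Assumptions, not taken from the post: per the Snort 1.8 source, `-b`, `-N` and `-L` set the logging override and `-A`, `-s` and `-M` the alert override; output modules are classified by their `log_`/`alert_` name prefix, with anything else (CSV, database) reported for manual review; the sample conf is constructed from the directives visible in the post, and the body of the `suspicious` ruletype is the stock Snort 1.8 one, since only its name appears in the rule application order.

```python
"""Offline lint for a Snort 1.x snort.conf and the command line it runs with.
Added example for this thread, not Snort's own code.  It reproduces the logic
behind "WARNING: command line overrides rules file logging plugin!" so the
conflict is found before the sensor is started."""
import re

# Assumption (Snort 1.8 source): these switches set the command-line override
# flags, after which `output` directives of that type in the conf are ignored.
LOG_OVERRIDE_FLAGS = {"-b", "-N", "-L"}     # binary log / no log / binary log file
ALERT_OVERRIDE_FLAGS = {"-A", "-s", "-M"}   # alert mode / syslog / WinPopup

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def plugin_type(module):
    """Classify an output module by name prefix (assumption: log_* are logging
    plugins, alert_* alert plugins; CSV, database etc. depend on their args)."""
    if module.startswith("log_"):
        return "log"
    if module.startswith("alert_"):
        return "alert"
    return "unknown"


def parse_conf(text):
    """Parse the snort.conf subset used in the post: var, output, include,
    preprocessor and ruletype { ... } blocks.  # comments are stripped.
    Outputs are recorded as (module, args, enclosing ruletype or None)."""
    conf = {"vars": {}, "outputs": [], "includes": [], "preprocessors": []}
    ruletype = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":
            continue
        if line == "}":
            ruletype = None
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "ruletype":
            ruletype = rest.rstrip("{").strip()
        elif keyword == "var":
            name, _, value = rest.partition(" ")
            conf["vars"][name] = value.strip()
        elif keyword == "output":
            module, _, args = rest.partition(":")
            conf["outputs"].append((module.strip(), args.strip(), ruletype))
        elif keyword == "include":
            conf["includes"].append(rest)
        elif keyword == "preprocessor":
            module, _, args = rest.partition(":")
            conf["preprocessors"].append((module.strip(), args.strip()))
    return conf


def expand(value, variables, _depth=0):
    """Expand $NAME references recursively; KeyError carries an undefined name."""
    if _depth > 16:
        raise ValueError("variable reference loop in %r" % value)

    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(name)
        return variables[name]

    expanded = VAR_RE.sub(sub, value)
    return expanded if expanded == value else expand(expanded, variables, _depth + 1)


def _check_refs(findings, label, value, variables):
    try:
        expand(value, variables)
    except KeyError as err:
        findings.append(("error", "%s references undefined $%s" % (label, err.args[0])))


def lint(conf_text, cmdline):
    """Return (level, message) findings: 'warn' for output directives the command
    line overrides, 'info' for modules of unknown type, 'error' for undefined vars."""
    conf = parse_conf(conf_text)
    flags = {tok for tok in cmdline.split() if tok.startswith("-")}
    overrides = {"log": flags & LOG_OVERRIDE_FLAGS, "alert": flags & ALERT_OVERRIDE_FLAGS}
    findings = []
    for module, args, ruletype in conf["outputs"]:
        where = "in ruletype %s" % ruletype if ruletype else "at top level"
        kind = plugin_type(module)
        if kind == "unknown":
            findings.append(("info", "output %s %s: type not inferred from its name, "
                             "check by hand" % (module, where)))
        elif overrides[kind]:
            findings.append(("warn", "output %s %s is ignored: %s on the command line "
                             "overrides rules-file %s plugins"
                             % (module, where, " ".join(sorted(overrides[kind])), kind)))
    for name, value in conf["vars"].items():
        _check_refs(findings, "var %s" % name, value, conf["vars"])
    for path in conf["includes"]:
        _check_refs(findings, "include %s" % path, path, conf["vars"])
    for module, args in conf["preprocessors"]:
        _check_refs(findings, "preprocessor %s" % module, args, conf["vars"])
    return findings


# Constructed sample: the directives visible in the post, plus the stock Snort
# 1.8 "suspicious" ruletype body (assumption; only its name is visible).
SAMPLE_CONF = """
var HOME_NET any
var RULE_PATH c:\\snort\\rules
var SHELLCODE_PORTS !80
preprocessor portscan: $HOME_NET 4 3 portscan.log
output CSV: log default
output log_tcpdump: snorttcp.log
output log_unified: filename snort.log, limit 128
ruletype suspicious
{
  type log
  output log_tcpdump: suspicious.log
}
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  # output database: log, mysql, user=snort dbname=snort host=localhost
}
include classification.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/local.rules
"""
SAMPLE_CMDLINE = ('-c "c:\\snort\\snort.conf" -l "c:\\snort\\log" '
                  '-h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y')

if __name__ == "__main__":
    for level, message in lint(SAMPLE_CONF, SAMPLE_CMDLINE):
        print("%-5s %s" % (level, message))
```

Against the sample it reports three `warn` findings, one for each `log_*` directive (two at top level, one inside the `suspicious` ruletype), all caused by `-b`, and one `info` line for `CSV`. The warning text itself says which side wins: whichever of the two logging paths is wanted, keep only that one, either by dropping `-b` from the command line or by removing the `log_*` output directives from snort.conf.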




More information about the Snort-users mailing list