<html>

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">


<meta name=Generator content="Microsoft Word 10 (filtered)">

<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
p.MsoAutoSig, li.MsoAutoSig, div.MsoAutoSig
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
p
        {margin-right:0in;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.emailstyle17
        {font-family:Arial;
        color:windowtext;}
span.emailstyle20
        {font-family:Arial;
        color:navy;}
span.EmailStyle22
        {font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>

</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hi Michael,</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Love the site and forum, keep up the good work.
</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Here is my config:</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor frag2</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor stream4: detect_scans,
disable_evasion_alerts</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor
stream4_reassemble</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor http_decode: 80
unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor rpc_decode: 111
32771</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor bo: -nobrute</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor telnet_decode</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor asn1_decode</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor conversation: allowed_ip_protocols
all, timeout 60, max_conversations 32000</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor portscan2: scanners_max
3200, targets_max 5000, target_limit 3, port_limit 5, timeout 120</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>output database: log, mysql,
user=XXXX dbname=XXXX host=XXXXX sensor_name=XXXXXX</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>output alert_syslog:
LOG_AUTH LOG_ALERT </span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'> </span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>I am running this as a
service using Firedaemon, the command line executed is d:\snort\snort.exe -c
d:\snort\snort.conf -l d:\snort\logs -i1</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'> </span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>Should I add the comments to
the preprocessor portscan line, and will this then log portscans into the MySQL
database?</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'> </span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>I know the portscans are
being detected because it fills my W2K Event Logs full of notifications.</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'> </span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>Thanks in advance</span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'> </span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>Steve</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<div>

<p class=MsoPlainText><font size=1 color=navy face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:navy'>Steve Williams</span></font></p>

<p class=MsoPlainText><font size=1 color=navy face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:navy'>Communications
Support Engineer</span></font></p>

<p class=MsoPlainText><font size=1 color=navy face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:navy'>Computershare Technology
Services</span></font></p>

<p class=MsoPlainText><font size=1 color=navy face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:navy'>Melbourne Australia</span></font></p>

<p class=MsoPlainText><font size=1 color=navy face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:navy'><a
href="mailto:steven.williams@...4864...">steven.williams@...4864...</a></span></font></p>

<p class=MsoPlainText><font size=1 color=navy face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:navy'>+61 3 9235 5651</span></font></p>

<p class=MsoPlainText><font size=2 color=navy face="Courier New"><span
style='font-size:10.0pt;color:navy'> </span></font></p>

<p class=MsoPlainText><font size=1 color=navy face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:navy'><a
href="http://www.computershare.com">www.computershare.com</a></span></font></p>

<p class=MsoPlainText><font size=2 color=navy face="Courier New"><span
style='font-size:10.0pt;color:navy'> </span></font></p>

<p class=MsoPlainText><font size=3 color=navy face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman";color:navy'> </span></font></p>

<p class=MsoAutoSig><font size=3 color=navy face="Times New Roman"><span
style='font-size:12.0pt;color:navy'> </span></font></p>

</div>

<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> Michael Steele
[mailto:michaels@...9077...] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Monday, June 02, 2003 2:15
PM<br>
<b><span style='font-weight:bold'>To:</span></b> '</span></font><font size=2
 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>Steven Williams</span></font><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>';
snort-users@lists.sourceforge.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [Snort-users] Snort
Config W2K</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Steven,</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Have you got this line in
your snort.conf?</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>preprocessor portscan:
$HOME_NET 4 3 d:/IDS/Snort/log/portscan.log</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'> </span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'>Make sure the path exists</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>What is your run line?</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Are you running it with
the '-A fast'?</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Have you tried running a
vulnerability scanner on your network?</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Have you got any data in
the portscan.log file?</span></font></p>

<div>

<p style='margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'><font size=2
color=navy face="Times New Roman"><span style='font-size:10.0pt;color:navy'>Cheers...<br>
<br>
-Michael Steele<br>
--<br>
 System Engineer / Security Support Technician    <br>
 <a href="mailto:michaels@...9077...">mailto:michaels@...9077...</a>   <br>
 Website: <a href="http://www.winsnort.com">http://www.winsnort.com</a><br>
 Snort: Open Source Network IDS - <a href="http://www.snort.org">http://www.snort.org</a></span></font></p>

</div>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b>
snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net]
<b><span style='font-weight:bold'>On Behalf Of </span></b>Steven Williams<br>
<b><span style='font-weight:bold'>Sent:</span></b> Sunday, June 01, 2003 8:04
PM<br>
<b><span style='font-weight:bold'>To:</span></b>
snort-users@lists.sourceforge.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> [Snort-users] Snort
Config W2K</span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Hi,</span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> </span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>I have Snort 2.0 running on W2K and
it works great.</span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> </span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>However, any portscans detected are
logged into the event log and not the MySQL database. All the other alerts log
into MySQL fine.</span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> </span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>What am I doing wrong?</span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> </span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Thanks</span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> </span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Steve</span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> </span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=1 face=Arial><span
style='font-size:7.5pt;font-family:Arial'>Steve Williams</span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=1 face=Arial><span
style='font-size:7.5pt;font-family:Arial'>Communications Support Engineer</span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=1 face=Arial><span
style='font-size:7.5pt;font-family:Arial'>Computershare Technology Services</span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=1 face=Arial><span
style='font-size:7.5pt;font-family:Arial'>Melbourne Australia</span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=1 face=Arial><span
style='font-size:7.5pt;font-family:Arial'><a
href="mailto:steven.williams@...4864..."><font face="Courier New"><span
style='font-family:"Courier New"'>steven.williams@...4864...</span></font></a></span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=1 face=Arial><span
style='font-size:7.5pt;font-family:Arial'>+61 3 9235 5651</span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=2 face="Courier New"><span
style='font-size:10.0pt'> </span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=1 face=Arial><span
style='font-size:7.5pt;font-family:Arial'><a href="http://www.computershare.com"><font
face="Courier New"><span style='font-family:"Courier New"'>www.computershare.com</span></font></a></span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=2 face="Courier New"><span
style='font-size:10.0pt'> </span></font></p>

<p class=MsoPlainText style='margin-left:1.0in'><font size=3
face="Times New Roman"><span style='font-size:12.0pt;font-family:"Times New Roman"'> </span></font></p>

<p class=MsoAutoSig style='margin-left:1.0in'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'> </span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'><br>
<br>
---<br>
This email and any files transmitted with it are solely intended for the use of
the addressee(s) and may contain information that is confidential and
privileged. If you receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the email, delete it
and destroy any copies immediately.<br>
Computershare Limited and its subsidiaries do not accept liability for the
views expressed in the email or for the consequences of any computer viruses
that may be transmitted with this email.<br>
This email is also subject to copyright. No part of it should be reproduced,
adapted or transmitted without the written consent of the copyright owner.</span></font></p>

</div>
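
<p class=MsoNormal>Added example, not part of the original thread or of Snort itself: a Python sketch of the checks Michael's reply asks for, run over the directives Steve posted. It reports the configured preprocessors and output plugins, whether a "preprocessor portscan:" line is present, and whether the directory for its log file exists. The function names, the report layout and the field order assumed for the portscan arguments (network, port count, seconds, log file) are assumptions of this example.</p>

```python
import ntpath
import os

# Constructed sample: a subset of the directives Steve posted (XXXX as on the page).
STEVE_CONF = """\
preprocessor frag2
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3, port_limit 5, timeout 120
output database: log, mysql, user=XXXX dbname=XXXX host=XXXXX sensor_name=XXXXXX
output alert_syslog: LOG_AUTH LOG_ALERT
"""
# The line Michael asks about, copied from his reply.
MICHAEL_LINE = "preprocessor portscan: $HOME_NET 4 3 d:/IDS/Snort/log/portscan.log\n"


def parse_directives(conf_text):
    """Return (kind, name, args) for every preprocessor/output directive."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("preprocessor", "output"):
            continue
        # Split on the first colon only: Windows paths in args contain colons too.
        name, _, args = parts[1].partition(":")
        directives.append((parts[0], name.strip(), args.strip()))
    return directives


def check_portscan_logging(conf_text, dir_exists=os.path.isdir):
    """Summarise what the config says about portscan detection and outputs."""
    directives = parse_directives(conf_text)
    report = {
        "preprocessors": [n for k, n, _ in directives if k == "preprocessor"],
        "outputs": [n for k, n, _ in directives if k == "output"],
        "portscan_lines": [],
    }
    for kind, name, args in directives:
        if kind != "preprocessor" or name != "portscan":
            continue
        fields = args.split()
        entry = {"args": args, "well_formed": len(fields) == 4}
        if entry["well_formed"]:
            # Assumed field order: network, port count, seconds, log file.
            logfile = fields[3]
            log_dir = ntpath.dirname(logfile)    # parses d:/... on any OS
            entry.update(logfile=logfile, log_dir=log_dir,
                         log_dir_exists=dir_exists(log_dir))
        report["portscan_lines"].append(entry)
    return report


if __name__ == "__main__":
    for label, conf in (("as posted", STEVE_CONF),
                        ("with portscan line", STEVE_CONF + MICHAEL_LINE)):
        print(label, check_portscan_logging(conf))
```

<p class=MsoNormal>On the sensor itself, leave dir_exists at its default so the real filesystem is checked; the parameter exists so the logic can be exercised without the d: drive.</p>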

</body>

</html>