<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
  <meta name="Generator" content="Zarafa WebApp v7.1.11-46050">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>AW: [Snort-users] snort black list issue</title>
</head>
<body>
<!-- begin sanitized html -->

  
  
  

<div class="bodyclass">
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma,arial,helvetica,sans-serif;"><br></span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">Hi Hui,</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;"><br></span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">Many thanks for your interest in this issue!</span><br></p><p style="padding: 0; margin: 0;"><br></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">Apologies for duplicating my last email; the reason was some misbehaviour of my Outlook client.</span></p><p style="padding: 0; margin: 0;"><br></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">Anyway, here are the results of the test and the info you asked for.</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;"><br></span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">I did the following:</span><br><span style="font-size: 10pt; font-family: courier new,courier;">1. start snort in foreground mode</span><br><span style="font-size: 10pt; font-family: courier new,courier;">2. ping an IP address that was not on the blacklist</span><br><span style="font-size: 10pt; font-family: courier new,courier;">3. ping an IP address that was on the blacklist</span><br><span style="font-size: 10pt; font-family: courier new,courier;">4. telnet to port 80 of an IP address on the blacklist (successful)</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">5. 
stop snort with control-C<br></span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;"><br></span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">= = = = = = = = = = = = = screen of test client =================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">root@...17622...:/usr/share/z-push# ping ping.xs4all.nl</span><br><span style="font-size: 10pt; font-family: courier new,courier;">PING ping.xs4all.nl (194.109.6.8) 56(84) bytes of data.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">64 bytes from ping.xs4all.nl (194.109.6.8): icmp_req=1 ttl=56 time=22.2 ms</span><br><span style="font-size: 10pt; font-family: courier new,courier;">64 bytes from ping.xs4all.nl (194.109.6.8): icmp_req=2 ttl=56 time=31.8 ms</span><br><span style="font-size: 10pt; font-family: courier new,courier;">64 bytes from ping.xs4all.nl (194.109.6.8): icmp_req=3 ttl=56 time=27.4 ms</span><br><span style="font-size: 10pt; font-family: courier new,courier;">64 bytes from ping.xs4all.nl (194.109.6.8): icmp_req=4 ttl=56 time=24.8 ms</span><br><span style="font-size: 10pt; font-family: courier new,courier;">64 bytes from ping.xs4all.nl (194.109.6.8): icmp_req=5 ttl=56 time=31.0 ms</span><br><span style="font-size: 10pt; font-family: courier new,courier;">^C</span><br><span style="font-size: 10pt; font-family: courier new,courier;">--- ping.xs4all.nl ping statistics ---</span><br><span style="font-size: 10pt; font-family: courier new,courier;">5 packets transmitted, 5 received, 0% packet loss, time 4005ms</span><br><span style="font-size: 10pt; font-family: courier new,courier;">rtt min/avg/max/mdev = 22.269/27.506/31.875/3.637 ms</span><br><span style="font-size: 10pt; font-family: courier new,courier;">root@...17622...:/usr/share/z-push# ping 5.157.87.137 </span><br></p><p style="padding: 0; margin: 0;"><br></p><p style="padding: 0; 
margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">PING 5.157.87.137 (5.157.87.137) 56(84) bytes of data.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">^C</span><br><span style="font-size: 10pt; font-family: courier new,courier;">--- 5.157.87.137 ping statistics ---</span><br><span style="font-size: 10pt; font-family: courier new,courier;">11 packets transmitted, 0 received, 100% packet loss, time 10080ms</span></p><p style="padding: 0; margin: 0;"><br></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">root@...17622...:/usr/share/z-push# telnet 5.157.87.137 80</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Trying 5.157.87.137...</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Connected to 5.157.87.137.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Escape character is '^]'.</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">^]</span><br><span style="font-size: 10pt; font-family: courier new,courier;">telnet> quit</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Connection closed.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">root@...17622...:/usr/share/z-push#</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;"><br></span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">Below is the log of starting snort and stopping it after the client test.</span></p><p style="padding: 0; margin: 0;"><br><span style="font-size: 10pt; font-family: courier new,courier;">[root@...17623... 
scripts]# /usr/local/bin/snort -c /etc/snort/snort.conf -i enp0s16f0u1:enp4s0u3 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10,11 -Q --daq-var timeout=10 --daq-var watermark=2 </span><br><span style="font-size: 10pt; font-family: courier new,courier;">Enabling inline operation</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Running in IDS mode</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">--== Initializing Snort ==--</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Initializing Output Plugins!</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Initializing Preprocessors!</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Initializing Plug-ins!</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Parsing Rules file "/etc/snort/snort.conf"</span><br><span style="font-size: 10pt; font-family: courier new,courier;">PortVar 'HTTP_PORTS' defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]</span><br><span style="font-size: 10pt; font-family: courier new,courier;">PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]</span><br><span style="font-size: 10pt; font-family: courier new,courier;">PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]</span><br><span style="font-size: 10pt; font-family: courier new,courier;">PortVar 'SSH_PORTS' defined : [ 22 ]</span><br><span style="font-size: 10pt; font-family: courier new,courier;">PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]</span><br><span style="font-size: 10pt; font-family: courier new,courier;">PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]</span><br><span style="font-size: 
10pt; font-family: courier new,courier;">PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]</span><br><span style="font-size: 10pt; font-family: courier new,courier;">PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Detection:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Search-Method = AC-Full-Q</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Split Any/Any group = enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Search-Method-Optimizations = enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Maximum pattern length = 20</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Tagged Packet Limit: 256</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... 
done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... 
done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Log directory = /var/log/snort</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Normalizer config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::df: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::rf: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::tos: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::trim: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::ttl: on (min=1, new=5)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Normalizer config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::ecn: stream</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::block: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::rsv: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::pad: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;">tcp::req_urg: on</span><br><span style="font-size: 10pt; font-family: courier 
new,courier;">tcp::req_pay: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;">tcp::req_urp: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::urp: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::opt: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::ips: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;">tcp::trim_syn: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;">tcp::trim_rst: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;">tcp::trim_win: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;">tcp::trim_mss: off</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Normalizer config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> icmp4: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Normalizer config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip6: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip6::hops: on (min=1, new=5)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Normalizer config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> icmp6: on</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Frag3 global config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max frags: 65536</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Fragment memory cap: 4194304 bytes</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Frag3 engine config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Bound Address: default</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Target-based 
policy: WINDOWS</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Fragment timeout: 180 seconds</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Fragment min_ttl: 1</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Fragment Anomalies: Alert</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Overlap Limit: 10</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Min fragment Length: 100</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Expected Streams: 768</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Stream global config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Track TCP sessions: ACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max TCP sessions: 262144</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP cache pruning timeout: 30 seconds</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP cache nominal timeout: 3600 seconds</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Memcap (for reassembly packet storage): 8388608</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Track UDP sessions: ACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max UDP sessions: 131072</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP cache pruning timeout: 30 seconds</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP cache nominal timeout: 180 seconds</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Track ICMP sessions: INACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Track IP sessions: INACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Log info 
if session memory consumption exceeds 1048576</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Send up to 2 active responses</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Wait at least 5 seconds between responses</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Protocol Aware Flushing: ACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Maximum Flush Point: 16000</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Stream TCP Policy config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Bound Address: default</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Reassembly Policy: WINDOWS</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Timeout: 180 seconds</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Limit on TCP Overlaps: 10</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Maximum number of bytes to queue per session: 1048576</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Maximum number of segs to queue per session: 2621</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Options:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Require 3-Way Handshake: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 3-Way Handshake Timeout: 180</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Detect Anomalies: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Reassembly Ports:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 21 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 22 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier 
new,courier;"> 23 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 25 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 42 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 53 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 79 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 80 client (Footprint-IPS) server (Footprint-IPS)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 81 client (Footprint-IPS) server (Footprint-IPS)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 109 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 110 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 111 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 113 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 119 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 135 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 136 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 137 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 139 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 143 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 161 client (Footprint-IPS) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> additional ports configured but not printed.</span><br><span 
style="font-size: 10pt; font-family: courier new,courier;">Stream UDP Policy config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Timeout: 180 seconds</span><br><span style="font-size: 10pt; font-family: courier new,courier;">HttpInspect Config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GLOBAL CONFIG</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Detect Proxy Usage: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IIS Unicode Map Filename: /etc/snort/unicode.map</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IIS Unicode Map Codepage: 1252</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Memcap used for logging URI and Hostname: 150994944</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Gzip Memory: 838860</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Gzip Sessions: 1807</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Gzip Compress Depth: 65535</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Gzip Decompress Depth: 65535</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> DEFAULT SERVER CONFIG:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Server profile: All</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Server Flow Depth: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Client Flow 
Depth: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Chunk Length: 500000</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Header Field Length: 750</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Number Header Fields: 100</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Number of WhiteSpaces allowed with header folding: 200</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Inspect Pipeline Requests: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> URI Discovery Strict Mode: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Allow Proxy Usage: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Disable Alerting: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Oversize Dir Length: 500</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Only inspect URI: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Normalize HTTP Headers: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Inspect HTTP Cookies: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Inspect HTTP Responses: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Extract Gzip from responses: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Decompress response files: </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unlimited decompression of gzip data from responses: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Normalize Javascripts in HTTP Responses: YES</span><br><span 
style="font-size: 10pt; font-family: courier new,courier;"> Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Normalize HTTP Cookies: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Enable XFF and True Client IP: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Log HTTP URI data: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Log HTTP Hostname data: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Extended ASCII code support in URI: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ascii: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Double Decoding: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> %U Encoding: YES alert: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Bare Byte: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UTF 8: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IIS Unicode: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Multiple Slash: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IIS Backslash: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Directory Traversal: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Web Root Traversal: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Apache WhiteSpace: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IIS Delimiter: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier 
new,courier;"> IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Whitespace Characters: 0x09 0x0b 0x0c 0x0d </span><br><span style="font-size: 10pt; font-family: courier new,courier;">rpc_decode arguments:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> alert_fragments: INACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> alert_large_fragments: INACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> alert_incomplete: INACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> alert_multiple_requests: INACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;">FTPTelnet Config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GLOBAL CONFIG</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Inspection Type: stateful</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Check for Encrypted Traffic: YES alert: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Continue to check encrypted data: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TELNET CONFIG:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports: 23 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Are You There Threshold: 20</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Normalize: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Detect Anomalies: 
YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> FTP CONFIG:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> FTP Server: default</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports (PAF): 21 2100 3535 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Check for Telnet Cmds: YES alert: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ignore Telnet Cmd Operations: YES alert: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ignore open data channels: NO</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> FTP Client: default</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Check for Bounce Attacks: YES alert: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Check for Telnet Cmds: YES alert: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ignore Telnet Cmd Operations: YES alert: YES</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Response Length: 256</span><br><span style="font-size: 10pt; font-family: courier new,courier;">SMTP Config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports: 25 465 587 691 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Inspection Type: Stateful</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ignore Data: No</span><br><span style="font-size: 10pt; font-family: 
courier new,courier;"> Ignore TLS Data: No</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ignore SMTP Alerts: No</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Command Line Length: 512</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max auth Command Line Length: 1000</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Specific Command Line Length: </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> XUSR:246 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Header Line Length: 1000</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Response Line Length: 512</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> X-Link2State Alert: 
Yes</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Drop on X-Link2State Alert: No</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Alert on commands: None</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Alert on unknown commands: No</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> SMTP Memcap: 838860</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> MIME Max Mem: 838860</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Base64 Decoding: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Base64 Decoding Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Quoted-Printable Decoding: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Quoted-Printable Decoding Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unix-to-Unix Decoding: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unix-to-Unix Decoding Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Non-Encoded MIME attachment Extraction: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Non-Encoded MIME attachment Extraction Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Log Attachment filename: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Log MAIL FROM Address: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Log RCPT TO Addresses: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Log Email Headers: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Email Hdrs Log Depth: 1464</span><br><span style="font-size: 10pt; 
font-family: courier new,courier;">SSH config: </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Autodetection: ENABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Challenge-Response Overflow Alert: ENABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> SSH1 CRC32 Alert: ENABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Server Version String Overflow Alert: ENABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Protocol Mismatch Alert: ENABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Bad Message Direction Alert: DISABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Bad Payload Size Alert: DISABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unrecognized Version Alert: DISABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Encrypted Packets: 20 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Server Version String Length: 100 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> MaxClientBytes: 19600 (Default) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 22</span><br><span style="font-size: 10pt; font-family: courier new,courier;">DCE/RPC 2 Preprocessor Configuration</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Global Configuration</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> DCE/RPC Defragmentation: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Memcap: 102400 KB</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Events: co </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 
SMB Fingerprint policy: Disabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Server Default Configuration</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Policy: WinXP</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Detect ports (PAF)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> SMB: 139 445 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP: 135 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP: 135 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> RPC over HTTP server: 593 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> RPC over HTTP proxy: None</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Autodetect ports (PAF)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> SMB: None</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP: 1025-65535 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP: 1025-65535 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> RPC over HTTP server: 1025-65535 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> RPC over HTTP proxy: None</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Invalid SMB shares: C$ D$ ADMIN$ </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Maximum SMB command chaining: 3 commands</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> SMB file inspection: Disabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;">DNS config: </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> DNS Client rdata txt Overflow Alert: ACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Obsolete 
DNS RR Types Alert: INACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Experimental DNS RR Types Alert: INACTIVE</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports: 53</span><br><span style="font-size: 10pt; font-family: courier new,courier;">SSLPP config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Encrypted packets: not inspected</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 443 465 563 636 989</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 992 993 994 995 7801</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 7802 7900 7901 7902 7903</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 7904 7905 7906 7907 7908</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 7909 7910 7911 7912 7913</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 7914 7915 7916 7917 7918</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 7919 7920</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Server side data is trusted</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Maximum SSL Heartbeat length: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Sensitive Data preprocessor config: </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Global Alert Threshold: 25</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Masked Output: DISABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;">SIP config: </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max number of sessions: 40000 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max 
number of dialogs in a session: 4 (Default) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Status: ENABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ignore media channel: DISABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max URI length: 512 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Call ID length: 80 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Request name length: 20 (Default) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max From length: 256 (Default) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max To length: 256 (Default) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Via length: 1024 (Default) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Contact length: 512 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max Content length: 2048 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 5060 5061 5600</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Methods:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack</span><br><span style="font-size: 10pt; font-family: courier new,courier;">IMAP Config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports: 143 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IMAP Memcap: 838860</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> MIME Max Mem: 838860</span><br><span style="font-size: 10pt; font-family: courier 
new,courier;"> Base64 Decoding: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Base64 Decoding Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Quoted-Printable Decoding: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Quoted-Printable Decoding Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unix-to-Unix Decoding: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unix-to-Unix Decoding Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Non-Encoded MIME attachment Extraction: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Non-Encoded MIME attachment Extraction Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;">POP Config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports: 110 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> POP Memcap: 838860</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> MIME Max Mem: 838860</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Base64 Decoding: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Base64 Decoding Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Quoted-Printable Decoding: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Quoted-Printable Decoding Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unix-to-Unix Decoding: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unix-to-Unix Decoding Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Non-Encoded MIME attachment 
Extraction: Enabled</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Non-Encoded MIME attachment Extraction Depth: Unlimited</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Modbus config: </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 502</span><br><span style="font-size: 10pt; font-family: courier new,courier;">DNP3 config: </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Memcap: 262144</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Check Link-Layer CRCs: ENABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ports:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 20000</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Reputation config: </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Processing whitelist file /etc/snort/rules/white_list.rules</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> (15) => Re-defined address: '95.100.97.40'</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Reputation entries loaded: 14, invalid: 0, re-defined: 1 (from file /etc/snort/rules/white_list.rules)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Processing blacklist file /etc/snort/rules/black_list.rules</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Reputation entries loaded: 10867, invalid: 0, re-defined: 0 (from file /etc/snort/rules/black_list.rules)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Processing blacklist file /etc/snort/rules/black_list_local.rules</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Reputation entries loaded: 9, invalid: 0, re-defined: 0 (from file 
/etc/snort/rules/black_list_local.rules)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Reputation total memory usage: 2257540 bytes</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Reputation total entries loaded: 10890, invalid: 0, re-defined: 1</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Memcap: 500 (Default) M bytes </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Scan local network: ENABLED</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Reputation priority: whitelist(Default) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Nested IP: inner (Default) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> White action: trust </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Shared memory is Not supported.</span></p><p style="padding: 0; margin: 0;"><br><span style="font-size: 10pt; font-family: courier new,courier;">+++++++++++++++++++++++++++++++++++++++++++++++++++</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Initializing rule chains...</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: /etc/snort/rules/snort.rules(590) threshold (in rule) is deprecated; use detection_filter instead.</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: /etc/snort/rules/local.rules(14) GID 1 SID 1009992 in rule duplicates previous rule. 
Ignoring old rule.</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">31509 Snort rules read</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 31127 detection rules</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 150 decoder rules</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 231 preprocessor rules</span><br><span style="font-size: 10pt; font-family: courier new,courier;">31508 Option Chains linked into 3577 Chain Headers</span><br><span style="font-size: 10pt; font-family: courier new,courier;">0 Dynamic rules</span><br><span style="font-size: 10pt; font-family: courier new,courier;">+++++++++++++++++++++++++++++++++++++++++++++++++++</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">+-------------------[Rule Port Counts]---------------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| tcp udp icmp ip</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| src 5565 115 0 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| dst 17103 3872 0 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| any 3520 1353 41 15</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| nc 1728 1220 1 11</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| s+d 89 72 0 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">+----------------------------------------------------------------------------</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">+-----------------------[detection-filter-config]------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| memory-cap : 1048576 
bytes</span><br><span style="font-size: 10pt; font-family: courier new,courier;">+-----------------------[detection-filter-rules]-------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">-------------------------------------------------------------------------------</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">+-----------------------[rate-filter-config]-----------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| memory-cap : 1048576 bytes</span><br><span style="font-size: 10pt; font-family: courier new,courier;">+-----------------------[rate-filter-rules]------------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| none</span><br><span style="font-size: 10pt; font-family: courier new,courier;">-------------------------------------------------------------------------------</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">+-----------------------[event-filter-config]----------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| memory-cap : 1048576 bytes</span><br><span style="font-size: 10pt; font-family: courier new,courier;">+-----------------------[event-filter-global]----------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| none</span><br><span style="font-size: 10pt; font-family: courier new,courier;">+-----------------------[event-filter-local]-----------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2522117 type=Limit tracking=src count=1 seconds=60 </span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2522094 type=Limit tracking=src count=1 seconds=60 </span><br><span 
style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2403318 type=Limit tracking=src count=1 seconds=3600</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2520142 type=Limit tracking=src count=1 seconds=60 </span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2001858 type=Limit tracking=src count=1 seconds=360</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2404070 type=Limit tracking=src count=1 seconds=3600</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2522294 type=Limit tracking=src count=1 seconds=60 </span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2400025 type=Limit tracking=src count=1 seconds=3600</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2523174 type=Limit tracking=src count=1 seconds=60</span></p><p style="padding: 0; margin: 0;"><br><span style="font-size: 10pt; font-family: courier new,courier;"> <DELETED FOR CLARITY></span></p><p style="padding: 0; margin: 0;"><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2403358 type=Limit tracking=src count=1 seconds=3600</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2523037 type=Limit tracking=src count=1 seconds=60 </span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2404088 type=Limit tracking=src count=1 seconds=3600</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2523309 type=Limit tracking=src count=1 seconds=60 </span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2404591 type=Limit tracking=src count=1 seconds=3600</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 
sig-id=2020513 type=Both tracking=src count=1 seconds=60 </span><br><span style="font-size: 10pt; font-family: courier new,courier;">+-----------------------[suppression]------------------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| none</span><br><span style="font-size: 10pt; font-family: courier new,courier;">-------------------------------------------------------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Verifying Preprocessor Configurations!</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'smb.req.ascii' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.drm.f4v' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'zenworks_opcode' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'groupwise.request' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.mppl' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.dws' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.cue' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.junction' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.asx' is set but not ever 
checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.kvl' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.ram' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.file.jpeg' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.jar.agent_helper' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'ms.packager' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.fpx' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.aiff' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.xfdl' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'NuclearEK' is set but not ever checked.</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;"><DELETED FOR CLARITY></span></p><p style="padding: 0; margin: 0;"><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.wpd' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.crx' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.dxf' is set but not ever checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">WARNING: flowbits key 'file.gzip' is set but not ever 
checked.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">726 out of 1024 flowbits in use.</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">[ Port Based Pattern Matching Memory ]</span><br><span style="font-size: 10pt; font-family: courier new,courier;">+- [ Aho-Corasick Summary ] -------------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Storage Format : Full-Q </span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Finite Automaton : DFA</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Alphabet Size : 256 Chars</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Sizeof State : Variable (1,2,4 bytes)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Instances : 579</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| 1 byte states : 554</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| 2 byte states : 25</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| 4 byte states : 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Characters : 602729</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| States : 393771</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Transitions : 55409040</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| State Density : 55.0%</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Patterns : 35428</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Match States : 35520</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Memory (MB) : 210.41</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| Patterns : 3.85</span><br><span 
style="font-size: 10pt; font-family: courier new,courier;">| Match Lists : 11.90</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| DFA</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| 1 byte states : 3.29</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| 2 byte states : 190.30</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| 4 byte states : 0.00</span><br><span style="font-size: 10pt; font-family: courier new,courier;">+----------------------------------------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">[ Number of patterns truncated to 20 bytes: 5718 ]</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">Packet Performance Monitor Config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ticks per usec : 1497 ticks</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> max packet time : 550 usecs</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> packet action : fastpath-expensive-packets</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> packet logging : none</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">Rule Performance Monitor Config:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ticks per usec : 1497 ticks</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> max rule time : 230 usecs</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> rule action : suspend-expensive-rules</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> rule threshold : 3 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> suspend timeout : 20 secs</span><br><span style="font-size: 10pt; 
font-family: courier new,courier;"> rule logging : none </span><br><span style="font-size: 10pt; font-family: courier new,courier;">pfring DAQ configured to inline.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">enp0s16f0u1 <-> enp4s0u3</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Acquiring network traffic from "enp0s16f0u1:enp4s0u3".</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Reload thread starting...</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Reload thread started, thread 0x7f170f121700 (3072)</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">--== Initialization Complete ==--</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">,,_ -*> Snort! <*-</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> o" )~ Version 2.9.8.3 GRE (Build 383) </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Copyright (C) 2014-2015 Cisco and/or its affiliates. 
All rights reserved.</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Copyright (C) 1998-2013 Sourcefire, Inc., et al.</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Using libpcap version 1.6.2</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Using PCRE version: 8.32 2012-11-30</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Using ZLIB version: 1.2.7</span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;">Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.6 <Build 1></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_MODBUS Version 1.1 <Build 1></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_GTP Version 1.1 <Build 1></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_SIP Version 1.1 <Build 1></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: appid Version 1.1 <Build 5></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_SDF Version 1.1 <Build 1></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 
Preprocessor Object: SF_DNS Version 1.1 <Build 4></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_SSH Version 1.1 <Build 3></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_SMTP Version 1.1 <Build 9></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_IMAP Version 1.0 <Build 1></span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Preprocessor Object: SF_POP Version 1.0 <Build 1></span><br><span style="font-size: 10pt; font-family: courier new,courier;">Commencing packet processing (pid=3046)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Decoding Ethernet</span></p><p style="padding: 0; margin: 0;"><br><span style="font-size: 10pt; font-family: courier new,courier;">###TESTING WAS DONE HERE</span></p><p style="padding: 0; margin: 0;"><br><span style="font-size: 10pt; font-family: courier new,courier;">^C*** Caught Int-Signal</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Run time for packet processing was 90.348326 seconds</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Snort processed 6787 packets.</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Snort ran for 0 days 0 hours 1 minutes 30 seconds</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Pkts/min: 6787</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Pkts/sec: 75</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Memory usage summary:</span><br><span 
style="font-size: 10pt; font-family: courier new,courier;"> Total non-mmapped bytes (arena): 673333248</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Bytes in mapped regions (hblkhd): 23707648</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total allocated space (uordblks): 414819840</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total free space (fordblks): 258513408</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Topmost releasable block (keepcost): 107488</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Packet Performance Summary:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> max packet time : 550 usecs</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> packet events : 1947</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> avg pkt time : 338.118 usecs</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Rule Performance Summary:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> max rule time : 230 usecs</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> rule events : 14</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> avg rule time : 3.87642 usecs</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Packet I/O Totals:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Received: 6787</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Analyzed: 6787 
(100.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Dropped: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Filtered: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Outstanding: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Injected: 6732</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Breakdown by protocol (includes rebuilt packets):</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Eth: 6811 (100.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> VLAN: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP4: 6706 ( 98.458%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Frag: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ICMP: 519 ( 7.620%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP: 759 ( 11.144%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP: 5396 ( 79.225%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP6: 8 ( 0.117%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP6 Ext: 8 ( 0.117%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP6 Opts: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Frag6: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ICMP6: 8 ( 0.117%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP6: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 
TCP6: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Teredo: 8 ( 0.117%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ICMP-IP: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP4/IP4: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP4/IP6: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP6/IP4: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP6/IP6: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GRE: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GRE Eth: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GRE VLAN: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GRE IP4: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GRE IP6: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">GRE IP6 Ext: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GRE PPTP: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GRE ARP: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GRE IPX: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GRE Loop: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> MPLS: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ARP: 105 ( 1.542%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IPX: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Eth Loop: 0 ( 0.000%)</span><br><span style="font-size: 10pt; 
font-family: courier new,courier;"> Eth Disc: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP4 Disc: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP6 Disc: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Disc: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP Disc: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ICMP Disc: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">All Discard: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Other: 32 ( 0.470%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Bad Chk Sum: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Bad TTL: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> S5 G 1: 13 ( 0.191%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> S5 G 2: 11 ( 0.162%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total: 6811</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Action Stats:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Alerts: 13 ( 0.191%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Logged: 13 ( 0.191%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Passed: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Limits:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Match: 0</span><br><span style="font-size: 10pt; font-family: courier 
new,courier;"> Queue: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Log: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Event: 3</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Alert: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Verdicts:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Allow: 6241 ( 91.955%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Block: 1 ( 0.015%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Replace: 28 ( 0.413%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Whitelist: 486 ( 7.161%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Blacklist: 31 ( 0.457%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ignore: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Retry: 0 ( 0.000%)</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Normalizer statistics:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::trim: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would ip4::trim: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::tos: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would ip4::tos: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::df: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would ip4::df: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::rf: 0</span><br><span style="font-size: 10pt; font-family: courier 
new,courier;">Would ip4::rf: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::ttl: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would ip4::ttl: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip4::opts: 27</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would ip4::opts: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> icmp4::echo: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would icmp4::echo: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip6::ttl: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would ip6::ttl: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ip6::opts: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would ip6::opts: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> icmp6::echo: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would icmp6::echo: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::syn_opt: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::syn_opt: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::opt: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::opt: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::pad: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::pad: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::rsv: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::rsv: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::ns: 0</span><br><span style="font-size: 10pt; 
font-family: courier new,courier;">Would tcp::ns: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::urp: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::urp: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::ecn_pkt: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::ecn_pkt: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::ts_ecr: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::ts_ecr: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::req_urg: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::req_urg: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::req_pay: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::req_pay: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::req_urp: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::req_urp: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::ecn_ssn: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::ecn_ssn: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::ts_nop: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::ts_nop: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::ips_data: 1</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::ips_data: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::block: 1</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::block: 0</span><br><span style="font-size: 10pt; font-family: courier 
new,courier;"> tcp::trim_syn: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::trim_syn: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::trim_rst: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::trim_rst: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::trim_win: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::trim_win: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> tcp::trim_mss: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Would tcp::trim_mss: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Frag3 statistics:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total Fragments: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Frags Reassembled: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Discards: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Memory Faults: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Timeouts: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Overlaps: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Anomalies: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Alerts: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Drops: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> FragTrackers Added: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> FragTrackers Dumped: 0</span><br><span style="font-size: 10pt; 
font-family: courier new,courier;">FragTrackers Auto Freed: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Frag Nodes Inserted: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Frag Nodes Deleted: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Stream statistics:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total sessions: 190</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP sessions: 54</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP sessions: 136</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ICMP sessions: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP sessions: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Prunes: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP Prunes: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ICMP Prunes: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> IP Prunes: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">TCP StreamTrackers Created: 54</span><br><span style="font-size: 10pt; font-family: courier new,courier;">TCP StreamTrackers Deleted: 54</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Timeouts: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Overlaps: 1</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Segments Queued: 
2706</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Segments Released: 2706</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Rebuilt Packets: 536</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Segments Used: 2671</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Discards: 3</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Gaps: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP Sessions Created: 136</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP Sessions Deleted: 136</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP Timeouts: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP Discards: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Events: 8</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Internal Events: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> TCP Port Filter</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Filtered: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Inspected: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Tracked: 4852</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UDP Port Filter</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Filtered: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Inspected: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Tracked: 136</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier 
new,courier;">HTTP Inspect - encodings (Note: stream-reassembled packets included):</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> POST methods: 122 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> GET methods: 4 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> HTTP Request Headers extracted: 126 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> HTTP Request Cookies extracted: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Post parameters extracted: 122 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> HTTP response Headers extracted: 124 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> HTTP Response Cookies extracted: 1 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unicode: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Double unicode: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Non-ASCII representable: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Directory traversals: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Extra slashes ("//"): 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Self-referencing paths ("./"): 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> HTTP Response Gzip packets extracted: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Gzip Compressed Data Processed: n/a </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Gzip Decompressed Data Processed: n/a </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total packets processed: 2776 </span><br><span style="font-size: 10pt; font-family: courier 
new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">SMTP Preprocessor Statistics</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total sessions : 3</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Max concurrent sessions : 2</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Base64 attachments decoded : 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total Base64 decoded bytes : 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Quoted-Printable attachments decoded : 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total Quoted decoded bytes : 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> UU attachments decoded : 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total UU decoded bytes : 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Non-Encoded MIME attachments extracted : 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total Non-Encoded MIME bytes extracted : 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">dcerpc2 Preprocessor Statistics</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total sessions: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">SSL Preprocessor:</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> SSL packets decoded: 105 
</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Client Hello: 10 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Server Hello: 10 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Certificate: 6 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Server Done: 24 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Client Key Exchange: 7 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Server Key Exchange: 4 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Change Cipher: 20 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Finished: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Client Application: 25 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Server Application: 13 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Alert: 2 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Unrecognized records: 35 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Completed handshakes: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Bad handshakes: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Sessions ignored: 13 </span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Detection disabled: 0 </span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">SIP Preprocessor Statistics</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total sessions: 11</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total dialogs: 
15</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Requests: 33</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> invite: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> cancel: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> ack: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> bye: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> register: 20</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> options: 13</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> refer: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> subscribe: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> update: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> join: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> info: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> message: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> notify: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> prack: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Responses: 13</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 1xx: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 2xx: 13</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 3xx: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 4xx: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 5xx: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 6xx: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 7xx: 0</span><br><span style="font-size: 
10pt; font-family: courier new,courier;"> 8xx: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> 9xx: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ignore sessions: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Ignore channels: 0</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Reputation Preprocessor Statistics</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Total Memory Allocated: 2257540</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Number of packets blacklisted: 12</span><br><span style="font-size: 10pt; font-family: courier new,courier;"> Number of packets whitelisted: 333</span><br><span style="font-size: 10pt; font-family: courier new,courier;">===============================================================================</span><br><span style="font-size: 10pt; font-family: courier new,courier;">+-----------------------[filtered events]--------------------------------------</span><br><span style="font-size: 10pt; font-family: courier new,courier;">| gen-id=1 sig-id=2002087 type=Threshold tracking=src count=10 seconds=60 filtered=3</span><br><span style="font-size: 10pt; font-family: courier new,courier;">Snort exiting</span><br><span style="font-size: 10pt; font-family: courier new,courier;">[root@...17623... scripts]# ^C</span><br><span style="font-size: 10pt; font-family: courier new,courier;">[root@...17623... scripts]# </span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;"><br></span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: courier new,courier;"><br></span></p><p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma,arial,helvetica,sans-serif;"><br></span></p><blockquote style="border-left: 2px solid #325FBA; padding-left: 5px; margin: 0px 5px;"><span style="font-family:tahoma,arial,helvetica,sans-serif; font-size: 10pt;">-----Original message-----<br><span><strong>From:</strong> Hui cao <huica@...589...></span><br><span><strong>Sent:</strong> Tuesday 2 August 2016 15:08</span><br><span><strong>To:</strong> Anton van der Leun <anton@...17625...>; anton van der leun <anton@...17621...>; snort-users@lists.sourceforge.net</span><br><span><strong>Cc:</strong> Alexander van der Leun <alex@...17625...></span><br><span><strong>Subject:</strong> Re: [Snort-users] snort black list issue</span><br><br></span>
  
    
  
  <div class="bodyclass" style="background-color: #FFFFFF; color: #000000; ">
    <p>Hi Anton, <br>
    </p>
    <p>Thanks a lot for the conf file.<br>
    </p>
    <p>Can you show me the snort exit statistics for tcp traffic?</p>
    <p>ICMP is not tracked by session, so they will be called for each
      packet. However, tcp and udp will be tracked and called only for
      the first packet in the session.</p>
    <p>Best,</p>
    <p>Hui.<br>
    </p>
    <div class="moz-cite-prefix">On 08/01/2016 03:46 PM, Anton van der
      Leun wrote:<br>
    </div>
    <blockquote cite="mid:zarafa.579fa72e.3b71.63bbb5765a0e79f5@...17628..." type="cite">
      
      
      <div class="WordSection1">
        <p class="MsoNormal"><span lang="EN-US">Hi Hui,</span></p>
        <p class="MsoNormal"><span lang="EN-US">Thanks for response,</span></p>
        <p class="MsoNormal"><span lang="EN-US">I am using stream5
            preprocessor, see my preprocessor config below</span></p>
        <p class="MsoNormal"><span lang="EN-US"> </span></p>
        <p class="MsoNormal"><span lang="EN-US">Thanks again,</span></p>
        <p class="MsoNormal"><span lang="EN-US">Anton</span></p>
        <p class="MsoNormal"><span lang="EN-US"> </span></p>
        <p class="MsoNormal"><span lang="EN-US"> </span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">###################################################</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># Step #5: Configure
                preprocessors</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># For more information, see the
                Snort Manual, Configuring Snort - Preprocessors</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">###################################################</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># GTP Control Channle
                Preprocessor. For more information, see README.GTP</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># preprocessor gtp: ports { 2123
                3386 2152 }</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># Inline packet normalization.
                For more information, see README.normalize</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># Does nothing in IDS mode</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor normalize_ip4</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor normalize_tcp: ips
                ecn stream</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor normalize_icmp4</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor normalize_ip6</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor normalize_icmp6</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># Target-based IP
                defragmentation.  For more inforation, see README.frag3</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor frag3_global:
                max_frags 65536</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor frag3_engine:
                policy windows detect_anomalies overlap_limit 10
                min_fragment_length 100 timeout 180</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># Target-Based stateful
                inspection/stream reassembly.  For more inforation, see
                README.stream5</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor stream5_global:
                track_tcp yes, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   track_udp yes, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   track_icmp no, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   max_tcp 262144, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   max_udp 131072, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   max_active_responses 2, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   min_response_seconds 5</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor stream5_tcp: policy
                windows, detect_anomalies, require_3whs 180, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   overlap_limit 10,
                small_segments 3 bytes 150, timeout 180, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ports client 21 22 23 25 42
                53 79 109 110 111 113 119 135 136 137 139 143 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">        161 445 513 514 587 593
                691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668
                6669 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">        7000 8181 32770 32771
                32772 32773 32774 32775 32776 32777 32778 32779, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ports both 80 81 311 383 443
                465 563 591 593 636 901 989 992 993 994 995 1220 1414
                1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988
                7907 7000 7001 7144 7145 7510 7802 7777 7779 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">        7801 7900 7901 7902 7903
                7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915
                7916 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">        7917 7918 7919 7920 8000
                8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8243
                8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443
                9999 11371 34443 34444 41080 50002 55555</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor stream5_udp:
                timeout 180</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># performance statistics.  For
                more information, see the Snort Manual, Configuring
                Snort - Preprocessors - Performance Monitor</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># preprocessor perfmonitor: time
                300 file /var/snort/snort.stats pktcnt 10000</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># HTTP normalization and anomaly
                detection.  For more information, see
                README.http_inspect</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor http_inspect:
                global iis_unicode_map unicode.map 1252 compress_depth
                65535 decompress_depth 65535</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor
                http_inspect_server: server default \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    http_methods { GET POST PUT
                SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY
                BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE
                TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND
                PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS
                BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA
                RPC_ECHO_DATA } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    chunk_length 500000 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    server_flow_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    client_flow_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    post_depth 65495 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    oversize_dir_length 500 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    max_header_length 750 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    max_headers 100 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    max_spaces 200 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    small_chunk_length { 10 5 }
                \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ports { 80 81 311 383 591
                593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128
                3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777
                7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123
                8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080
                9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
                } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    non_rfc_char { 0x00 0x01
                0x02 0x03 0x04 0x05 0x06 0x07 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    enable_cookie \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    extended_response_inspection
                \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    inspect_gzip \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    normalize_utf \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    unlimited_decompress \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    normalize_javascript \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    apache_whitespace no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ascii no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    bare_byte no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    directory no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    double_decode no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    iis_backslash no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    iis_delimiter no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    iis_unicode no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    multi_slash no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    utf_8 no \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    u_encode yes \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    webroot no</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># ONC-RPC normalization and
                anomaly detection.  For more information, see the Snort
                Manual, Configuring Snort - Preprocessors - RPC Decode</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor rpc_decode: 111
                32770 32771 32772 32773 32774 32775 32776 32777 32778
                32779 no_alert_multiple_requests
                no_alert_large_fragments no_alert_incomplete</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># Back Orifice detection.</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor bo</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># FTP / Telnet normalization and
                anomaly detection.  For more information, see
                README.ftptelnet</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor ftp_telnet: global
                inspection_type stateful encrypted_traffic no
                check_encrypted</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor
                ftp_telnet_protocol: telnet \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ayt_attack_thresh 20 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    normalize ports { 23 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    detect_anomalies</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor
                ftp_telnet_protocol: ftp server default \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    def_max_param_len 100 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ports { 21 2100 3535 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    telnet_cmds yes \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ignore_telnet_erase_cmds yes
                \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { ABOR ACCT ADAT
                ALLO APPE AUTH CCC CDUP } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { CEL CLNT CMD CONF
                CWD DELE ENC EPRT } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { EPSV ESTA ESTP
                FEAT HELP LANG LIST LPRT } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { LPSV MACB MAIL
                MDTM MIC MKD MLSD MLST } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { MODE NLST NOOP
                OPTS PASS PASV PBSZ PORT } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { PROT PWD QUIT
                REIN REST RETR RMD RNFR } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { RNTO SDUP SITE
                SIZE SMNT STAT STOR STOU } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { STRU SYST TEST
                TYPE USER XCUP XCRC XCWD } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { XMAS XMD5 XMKD
                XPWD XRCP XRMD XRSQ XSEM } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ftp_cmds { XSEN XSHA1
                XSHA256 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_param_len 0 { ABOR
                CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU
                SYST XCUP XPWD } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_param_len 200 { ALLO
                APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_param_len 256 { CWD
                RNTO } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_param_len 400 { PORT
                } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_param_len 512 { SIZE
                } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    chk_str_fmt { ACCT ADAT ALLO
                APPE AUTH CEL CLNT CMD } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    chk_str_fmt { CONF CWD DELE
                ENC EPRT EPSV ESTP HELP } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    chk_str_fmt { LANG LIST LPRT
                MACB MAIL MDTM MIC MKD } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    chk_str_fmt { MLSD MLST MODE
                NLST OPTS PASS PBSZ PORT } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    chk_str_fmt { PROT REST RETR
                RMD RNFR RNTO SDUP SITE } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    chk_str_fmt { SIZE SMNT STAT
                STOR STRU TEST TYPE USER } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    chk_str_fmt { XCRC XCWD XMAS
                XMD5 XMKD XRCP XRMD XRSQ } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    chk_str_fmt { XSEM XSEN
                XSHA1 XSHA256 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    cmd_validity ALLO < int [
                char R int ] > \   </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    cmd_validity EPSV < [ {
                char 12 | char A char L char L } ] > \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    cmd_validity MACB <
                string > \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    cmd_validity MDTM < [
                date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    cmd_validity MODE < char
                ASBCZ > \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    cmd_validity PORT <
                host_port > \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    cmd_validity PROT < char
                CSEP > \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    cmd_validity STRU < char
                FRPO [ string ] > \   </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    cmd_validity TYPE < {
                char AE [ char NTC ] | char I | char L [ number ] } ></span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor
                ftp_telnet_protocol: ftp client default \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    max_resp_len 256 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    bounce yes \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    ignore_telnet_erase_cmds yes
                \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    telnet_cmds yes</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># SMTP normalization and anomaly
                detection.  For more information, see README.SMTP</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor smtp: ports { 25
                465 587 691 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    inspection_type stateful \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    b64_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    qp_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    bitenc_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    uu_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    log_mailfrom \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    log_rcptto \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    log_filename \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    log_email_hdrs \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    normalize cmds \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    normalize_cmds { ATRN AUTH
                BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN
                EVFY } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    normalize_cmds { EXPN HELO
                HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND
                SOML } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    normalize_cmds { STARTTLS
                TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP
                X-EXCH50 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    normalize_cmds { X-EXPS
                X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE
                XSTA XTRN XUSR } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    max_command_line_len 512 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    max_header_line_len 1000 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    max_response_line_len 512 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_command_line_len 260
                { MAIL } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_command_line_len 300
                { RCPT } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_command_line_len 500
                { HELP HELO ETRN EHLO } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_command_line_len 255
                { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM
                EVFY IDENT NOOP RSET } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    alt_max_command_line_len 246
                { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU
                STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR
                XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    valid_cmds { ATRN AUTH BDAT
                CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY }
                \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    valid_cmds { EXPN HELO HELP
                IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML
                } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    valid_cmds { STARTTLS TICK
                TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50
                } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    valid_cmds { X-EXPS
                X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE
                XSTA XTRN XUSR } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    xlink2state { enabled }</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># Portscan detection.  For more
                information, see README.sfportscan</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># preprocessor sfportscan:
                proto  { all } memcap { 10000000 } sense_level { low }</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># ARP spoof detection.  For more
                information, see the Snort Manual - Configuring Snort -
                Preprocessors - ARP Spoof Preprocessor</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># preprocessor arpspoof</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># preprocessor
                arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># SSH anomaly detection.  For
                more information, see README.ssh</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor ssh: server_ports {
                22 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">                  autodetect \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">                 
                max_client_bytes 19600 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">                 
                max_encrypted_packets 20 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">                 
                max_server_version_len 100 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">                 
                enable_respoverflow enable_ssh1crc32 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">                 
                enable_srvoverflow enable_protomismatch</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># SMB / DCE-RPC normalization
                and anomaly detection.  For more information, see
                README.dcerpc2</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor dcerpc2: memcap
                102400, events [co ]</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor dcerpc2_server:
                default, policy WinXP, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    detect [smb [139,445], tcp
                135, udp 135, rpc-over-http-server 593], \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    autodetect [tcp 1025:, udp
                1025:, rpc-over-http-server 1025:], \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">    smb_max_chain 3,
                smb_invalid_shares ["C$", "D$", "ADMIN$"]</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># DNS anomaly detection.  For
                more information, see README.dns</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor dns: ports { 53 }
                enable_rdata_overflow</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># SSL anomaly detection and
                traffic bypass.  For more information, see README.ssl</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor ssl: ports { 443
                465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902
                7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913
                7914 7915 7916 7917 7918 7919 7920 }, trustservers,
                noinspect_encrypted</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># SDF sensitive data
                preprocessor.  For more information see
                README.sensitive_data</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor sensitive_data:
                alert_threshold 25</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># SIP Session Initiation
                Protocol preprocessor.  For more information see
                README.sip</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor sip: max_sessions
                40000, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   ports { 5060 5061 5600 }, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   methods { invite \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             cancel \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             ack \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             bye \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             register \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             options \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             refer \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             subscribe \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             update \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             join \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             info \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             message \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             notify \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             benotify \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             do \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             qauth \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             sprack \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             publish \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             service \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             unsubscribe \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">             prack }, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   max_uri_len 512, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   max_call_id_len 80, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   max_requestName_len 20, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   max_from_len 256, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   max_to_len 256, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   </span><span style="font-family:"Courier New"">max_via_len
                1024, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"">   max_contact_len 512, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"">   </span><span style="font-family:"Courier New"" lang="EN-US">max_content_len
                2048</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># IMAP preprocessor.  For more
                information see README.imap</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor imap: \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   ports { 143 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   b64_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   qp_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   bitenc_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   uu_decode_depth 0</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># POP preprocessor. For more
                information see README.pop</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor pop: \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   ports { 110 } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   b64_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   qp_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   bitenc_decode_depth 0 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   uu_decode_depth 0</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># Modbus preprocessor. For more
                information see README.modbus</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor modbus: ports { 502
                }</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># DNP3 preprocessor. For more
                information see README.dnp3</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor dnp3: ports { 20000
                } \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   memcap 262144 \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   check_crc</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"># Reputation preprocessor. For
                more information see README.reputation</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">preprocessor reputation: \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   memcap 500, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   scan_local, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   priority whitelist, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   nested_ip inner, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   whitelist
                /etc/snort/rules/white_list.rules, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   blacklist
                /etc/snort/rules/black_list.rules, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   blacklist
                /etc/snort/rules/black_list_local.rules, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">   white trust</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US"> </span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">##preprocessor appid :
                app_stats_filename appstats-unified.log,
                app_stats_period 60, app_detector_dir
                /usr/local/lib/openappid</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">##preprocessor appid:
                app_stats_filename appstats-u2.log, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">##   app_stats_period 60, \</span></p>
            <p class="MsoNormal"><span style="font-family:"Courier
                New"" lang="EN-US">##   app_detector_dir
                /usr/local/lib/openappid</span></p>
            <p class="MsoNormal"><b><span style="font-family:"Courier
                  New";mso-fareast-language:NL" lang="EN-US"> </span></b></p>
            <p class="MsoNormal"><b><span style="mso-fareast-language:NL" lang="EN-US"> </span></b></p>
            <p class="MsoNormal"><b><span style="mso-fareast-language:NL">From:</span></b><span style="mso-fareast-language:NL"> Hui Cao (huica)
                [<a class="moz-txt-link-freetext" href="mailto:huica@...589..." title="This external link will open in a new window" target="_blank">mailto:huica@...589...</a>] <br>
                <b>Sent:</b> Monday 1 August 2016 21:16<br>
                <b>To:</b> anton van der leun
                <a class="moz-txt-link-rfc2396E" href="mailto:anton@...17621..." title="This external link will open in a new window" target="_blank"><anton@...17621...></a>;
                <a class="moz-txt-link-abbreviated" href="mailto:snort-users@lists.sourceforge.net" title="This external link will open in a new window" target="_blank">snort-users@lists.sourceforge.net</a><br>
                <b>CC:</b> Anton van der Leun
                <a class="moz-txt-link-rfc2396E" href="mailto:anton@...17625..." title="This external link will open in a new window" target="_blank"><anton@...17625...></a>; Alexander van der
                Leun <a class="moz-txt-link-rfc2396E" href="mailto:alex@...17625..." title="This external link will open in a new window" target="_blank"><alex@...17625...></a><br>
                <b>Subject:</b> Re: [Snort-users] snort black list
                issue</span></p>
          </div>
        </div>
        <p class="MsoNormal"> </p>
        <div>
          <p class="MsoNormal"><span style="font-size:10.5pt;color:black">Have you enabled
              the session preprocessor?</span><span style="font-size:10.5pt;color:black;mso-fareast-language:NL"></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size:10.5pt;color:black"> </span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size:10.5pt;color:black">Reputation
              preprocessor has been moved after session preprocessor. It
              is called once per session.</span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size:10.5pt;color:black"> </span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size:10.5pt;color:black">Best,</span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size:10.5pt;color:black">Hui.</span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size:10.5pt;color:black"> </span></p>
        </div>
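        <div>
          <p class="MsoNormal">Added example (not code from this thread or from the Snort project): a small Python checker that applies the reputation preprocessor's list semantics, as described in README.reputation, to a source/destination pair, so a defender can confirm what verdict the configured lists should produce for an address before looking elsewhere for a "not blocked" symptom. The list contents and addresses are constructed documentation ranges; the option defaults (blacklist priority, white unblack, RFC 1918 addresses skipped unless scan_local) and the handling of a packet with one blacklisted and one whitelisted endpoint are this checker's own summary of the README and should be read as assumptions.</p>
        </div>

```python
# Added example, not Snort's own code: an offline checker that applies the
# reputation preprocessor's list semantics (README.reputation, summarised here
# as an assumption) to a src/dst pair and reports block / trust / inspect.
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample lists using documentation ranges; not real infrastructure.
WHITE_LIST = """
# trusted hosts
198.51.100.0/24
"""

BLACK_LIST = """
# known-bad addresses and ranges
203.0.113.0/24
192.0.2.10
192.168.1.50     # RFC 1918 address: only checked when scan_local is set
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_list(text: str) -> List[Network]:
    """Parse a reputation list: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def listed(ip: str, nets: List[Network], scan_local: bool) -> bool:
    """True if ip falls inside any listed network.

    RFC 1918 addresses are skipped unless scan_local is set (assumed README
    behaviour), which is why a private test target may never match a list.
    """
    addr = ipaddress.ip_address(ip)
    if not scan_local and any(addr in n for n in RFC1918):
        return False
    return any(addr in n for n in nets)


def verdict(src: str, dst: str, white: List[Network], black: List[Network],
            priority: str = "blacklist", white_action: str = "unblack",
            scan_local: bool = False) -> str:
    """Decide 'block', 'trust' or 'inspect' for one packet.

    priority settles the case where one endpoint is blacklisted and the other
    whitelisted; white_action 'trust' bypasses further inspection, 'unblack'
    only prevents blocking. Defaults follow README.reputation (assumption).
    """
    hit_black = listed(src, black, scan_local) or listed(dst, black, scan_local)
    hit_white = listed(src, white, scan_local) or listed(dst, white, scan_local)
    white_result = "trust" if white_action == "trust" else "inspect"
    if hit_black and hit_white:
        return "block" if priority == "blacklist" else white_result
    if hit_black:
        return "block"
    if hit_white:
        return white_result
    return "inspect"


def check(src: str, dst: str, **opts) -> str:
    """Convenience wrapper that evaluates a pair against the sample lists."""
    return verdict(src, dst, load_list(WHITE_LIST), load_list(BLACK_LIST), **opts)


# Options mirroring the snort.conf quoted in this thread:
# scan_local, priority whitelist, white trust.
THREAD_OPTS = dict(priority="whitelist", white_action="trust", scan_local=True)

if __name__ == "__main__":
    for src, dst in [("10.0.0.5", "203.0.113.9"), ("10.0.0.5", "192.168.1.50"),
                     ("203.0.113.9", "198.51.100.2"), ("10.0.0.5", "192.0.2.200")]:
        print(f"{src:>15} -> {dst:<15} : {check(src, dst, **THREAD_OPTS)}")
```

        <div>
          <p class="MsoNormal">Run as a script it prints the verdict for four constructed pairs under the thread's options (THREAD_OPTS); call check() with the defaults instead to see how the same pairs fare without scan_local and with blacklist priority. The checker models list matching only: whether Snort evaluates the lists at all on a given TCP session depends on the preprocessor ordering Hui describes above.</p>
        </div>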
        <div style="border:none;border-top:solid #B5C4DF
          1.0pt;padding:3.0pt 0cm 0cm 0cm">
          <p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">anton van der leun <<a moz-do-not-send="true" href="mailto:anton@...17621..." title="This external link will open in a new window" target="_blank">anton@...17621...</a>><br>
              <b>Date: </b>Monday, August 1, 2016 at 6:08 AM<br>
              <b>To: </b>"<a moz-do-not-send="true" href="mailto:snort-users@lists.sourceforge.net" title="This external link will open in a new window" target="_blank">snort-users@lists.sourceforge.net</a>"
              <<a moz-do-not-send="true" href="mailto:snort-users@lists.sourceforge.net" title="This external link will open in a new window" target="_blank">snort-users@lists.sourceforge.net</a>><br>
              <b>Cc: </b>"<a moz-do-not-send="true" href="mailto:anton@...17625..." title="This external link will open in a new window" target="_blank">anton@...17625...</a>"
              <<a moz-do-not-send="true" href="mailto:anton@...17625..." title="This external link will open in a new window" target="_blank">anton@...17625...</a>>,
              "<a moz-do-not-send="true" href="mailto:alex@...17625..." title="This external link will open in a new window" target="_blank">alex@...17625...</a>"
              <<a moz-do-not-send="true" href="mailto:alex@...17625..." title="This external link will open in a new window" target="_blank">alex@...17625...</a>><br>
              <b>Subject: </b>[Snort-users] snort black list issue</span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size:10.5pt;color:black"> </span></p>
        </div>
        <div>
          <div>
            <p class="MsoNormal"><span style="color:black">Hello snort
                community</span></p>
            <p class="MsoNormal"><span style="color:black"> </span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">I
                ran into this issue while debugging a certain attack
                this weekend and noticed the following I don’t
                understand:</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Conditions
                : snort blacklist has certain ip address</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Results: 
                after adding this address and a warm reload of snort :
                ICMP messages are blocked, however tcp sessions are NOT.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Example
                (ip address is not yet added to black list)</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">root@...17622...:~#
                ping 5.157.87.137</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">PING
                5.157.87.137 (5.157.87.137) 56(84) bytes of data.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">64
                bytes from 5.157.87.137: icmp_req=1 ttl=54 time=21.7 ms</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">64
                bytes from 5.157.87.137: icmp_req=2 ttl=54 time=11.1 ms</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black">^C</span></p>
            <p class="MsoNormal"><span style="color:black"> </span></p>
            <p class="MsoNormal"><span style="color:black">root@...17622...:~#
                telnet 5.157.87.137 80</span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Trying
                5.157.87.137...</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Connected
                to 5.157.87.137.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Escape
                character is '^]'.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">^]</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">telnet>
                quit</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Connection
                closed.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">root@...17622...:~#
                ##snort blacklist added 5.157.87.137   and snort is
                reloaded</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">root@...17622...:~#
                ping 5.157.87.137      </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">PING
                5.157.87.137 (5.157.87.137) 56(84) bytes of data.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">^C</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">---
                5.157.87.137 ping statistics ---</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">5
                packets transmitted, 0 received, 100% packet loss, time
                4030ms</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">root@...17622...:~#
                telnet 5.157.87.137 80 </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Trying
                5.157.87.137...</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Connected
                to 5.157.87.137.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Escape
                character is '^]'.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">^]</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">telnet>
                quit</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Connection
                closed.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">root@...17622...:~#
              </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">The
                screenshot of my monitoring tool is included to show
                that the icmp message was indeed blocked</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">However
                a tcp session to port 80 is still not blocked!</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Here
                some config and version info:</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">[root@...17623...
                scripts]# /usr/local/bin/snort -V</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                ,,_     -*> Snort! <*-</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> 
                o"  )~   Version 2.9.8.3 GRE (Build 383) </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">   ''''   
                By Martin Roesch & The Snort Team: <a moz-do-not-send="true" href="http://www.snort.org/contact#team" title="This external link will open in a new window" target="_blank">http://www.snort.org/contact#team</a></span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                        Copyright (C) 2014-2015 Cisco and/or its
                affiliates. All rights reserved.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">          
                Copyright (C) 1998-2013 Sourcefire, Inc., et al.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">          
                Using libpcap version 1.6.2</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">          
                Using PCRE version: 8.32 2012-11-30</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">          
                Using ZLIB version: 1.2.7</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">#
                Reputation preprocessor. For more information see
                README.reputation</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">preprocessor
                reputation: \</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                memcap 500, \</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                scan_local, \</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                priority whitelist, \</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                nested_ip inner, \</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                whitelist /etc/snort/rules/white_list.rules, \</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                blacklist /etc/snort/rules/black_list.rules, \</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                blacklist /etc/snort/rules/black_list_local.rules, \</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">  
                white trust</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">In
                my opinion the reputation processor has absolute
                priority and all messages should be blocked.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">I
                hope somebody can direct me in the right direction.</span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> </span><span style="color:black"></span></p>
            <p class="MsoNormal"><span style="color:black">Thanks in
                advance,</span></p>
            <p class="MsoNormal"><span style="color:black">Anton van der
                Leun</span></p>
            <p class="MsoNormal"><span style="color:black"> </span></p>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </div>


</blockquote>
</div>
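<p>The reputation preprocessor settings quoted above (priority whitelist, white trust, scan_local, one whitelist and two blacklist files) can be walked through with the following Python model of the documented verdict logic. It is an added example, not Snort's own code: the list file contents and addresses are constructed, nested_ip handling is not modelled, and it assumes the documented behaviour that a blacklist hit raises event 136:1 and drops the packet only when Snort runs inline.</p>

```python
import ipaddress

# Constructed sample list contents, standing in for the three files named in the config.
WHITE_LIST_RULES = "# trusted hosts\n192.0.2.0/24\n"
BLACK_LIST_RULES = "# vendor feed\n198.51.100.0/24\n203.0.113.7\n"
BLACK_LOCAL_RULES = "# local additions\n192.0.2.10\n10.0.0.0/8\n"

# scan_local controls whether RFC 1918 addresses are checked against the lists at all.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_list(*texts):
    """Parse list files (one IP or CIDR per line, '#' comments) into IPv4 networks."""
    nets = []
    for text in texts:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if line:
                nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def on_list(addr, nets):
    return any(addr in n for n in nets)


def verdict(src, dst, white, black, priority="whitelist", white_mode="trust",
            scan_local=True, inline=False):
    """Return (event, action) for a packet between src and dst.

    event : 'whitelist' (136:2), 'blacklist' (136:1) or None
    action: 'trust' (bypass further inspection), 'drop', 'alert' or 'pass'
    Assumption (simplified): src/dst are the addresses already chosen by nested_ip.
    """
    addrs = [ipaddress.ip_address(src), ipaddress.ip_address(dst)]
    if not scan_local:
        addrs = [a for a in addrs if not on_list(a, RFC1918)]
    hit_white = any(on_list(a, white) for a in addrs)
    hit_black = any(on_list(a, black) for a in addrs)
    if hit_white and hit_black:
        # priority decides which list wins when the packet matches both
        hit_white, hit_black = (priority == "whitelist"), (priority != "whitelist")
    if hit_black:
        # a blacklist hit always raises 136:1; only an inline Snort actually drops the packet
        return "blacklist", ("drop" if inline else "alert")
    if hit_white:
        # white trust skips all further inspection; white unblack only cancels blacklisting
        return "whitelist", ("trust" if white_mode == "trust" else "pass")
    return None, "pass"
```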

<!-- end sanitized html -->
</body>
</html>