RE: [Snort-users] Snort not capturing data

This is a multi-part message in MIME format.

------=_NextPart_000_00F0_01C4AD3A.C5F2D230
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

What's your output line look like in your snort.conf file?

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Ravi Verma
Sent: Friday, October 08, 2004 10:43 AM
To: Shawn Kottke
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Snort not capturing data

Dear Shawn:

I checked the value for EXTERNAL_NET and it is set to ANY. Snort would

not start if EXTERNAL_NET is not defined. Now the entries in snort.conf
look as follows.

var HOME_NET [10.1.0.0/16,10.2.0.0/16,10.4.0.0]

var EXTERNAL_NET !$HOME_NET

Still Snort is not writing any data into mysql.

Regards.

Shawn Kottke wrote:

>Just looking at your snort.conf file it looks like you do not have an
>EXTERNAL_NET variable defined.
>
>Look for this line right below your "var HOME_NET any" line:
># Set up the external network addresses as well. A good start may be
>"any" var EXTERNAL_NET any
>
>Check to make sure that "var EXTERNAL_NET any" is on a line by itself.
>Looking at what you sent it is on the same line as the remarks line.
>
>Once you better define the HOME_NET variable you will most likely want
>to set the EXTERNAL_NET variable to "!$HOME_NET" (not HOME_NET).
>
>This is a place to start.
>
>
>-----Original Message-----
>From: snort-users-admin@lists.sourceforge.net
>[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Ravi
Verma
>Sent: Thursday, October 07, 2004 9:07 PM
>To: snort-users@lists.sourceforge.net
>Subject: [Snort-users] Snort not capturing data
>
>Dear Friends:
>
>I am new to Snort. I have installed Snort on a Linux machine. I
followed
>the Snort Install Manual by (Saint) Patrick Harper and it was fairly
>smooth.
>
>Unfortunately Snort is not capturing any data. When I login into mysql
>as the snort user, there is 0 records in the events table. I have ACID
>running and that shows 0 sensor. Though the output from the sensor
table
>in the snort database has the following output.
>+-----+-------------+-----------+--------+--------+----------+---------
-
>+
>| sid | hostname | interface | filter | detail | encoding | last_cid
>|
>+-----+-------------+-----------+--------+--------+----------+---------
-
>+|
>| 3 | copper:eth0 | eth0 | NULL | 1 | 0 | 0
>|
>+-----+-------------+-----------+--------+--------+----------+---------
-
>+
>
>I have put the output of the command "snort -T -c
/etc/snort/snort.conf
>-i eth0 -g snort" and snort.conf file below.
>
>
>I appreciate your help.
>
>Running in IDS mode
>Log directory = /var/log/snort
>
>Initializing Network Interface eth0
>OpenPcap() device eth0 network lookup:
> eth0: no IPv4 address assigned
>
> --== Initializing Snort ==--
>Initializing Output Plugins!
>Decoding Ethernet on interface eth0
>Initializing Preprocessors!
>Initializing Plug-ins!
>Parsing Rules file /etc/snort/snort.conf
>
>+++++++++++++++++++++++++++++++++++++++++++++++++ ++
>Initializing rule chains...
>,-----------[Flow Config]----------------------
>| Stats Interval: 0
>| Hash Method: 2
>| Memcap: 10485760
>| Rows : 4099
>| Overhead Bytes: 16400(%0.16)
>`----------------------------------------------
>No arguments to frag2 directive, setting defaults to:
> Fragment timeout: 60 seconds
> Fragment memory cap: 4194304 bytes
> Fragment min_ttl: 0
> Fragment ttl_limit: 5
> Fragment Problems: 0
> Self preservation threshold: 500
> Self preservation period: 90
> Suspend threshold: 1000
> Suspend period: 30
>Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 30 seconds
> Session memory cap: 8388608 bytes
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
>Stream4_reassemble config:
> Server reassembly: INACTIVE
> Client reassembly: ACTIVE
> Reassembler alerts: ACTIVE
> Zero out flushed packets: INACTIVE
> flush_data_diff_size: 500
> Ports: 21 23 25 53 80 110 111 143 513 1433
> Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
>rpc_decode arguments:
> Ports to decode RPC on: 111 32771
> alert_fragments: INACTIVE
> alert_large_fragments: ACTIVE
> alert_incomplete: ACTIVE
> alert_multiple_requests: ACTIVE
>telnet_decode arguments:
> Ports to decode telnet on: 21 23 25 119
>database: compiled support for ( mysql )
>database: configured to use mysql
>database: user = snort
>database: password is set
>database: database name = snort
>database: host = localhost
>database: sensor name = copper:eth0
>database: sensor id = 3
>database: schema version = 106
>database: using the "log" facility
>1864 Snort rules read...
>1864 Option Chains linked into 173 Chain Headers
>0 Dynamic rules
>+++++++++++++++++++++++++++++++++++++++++++++++++ ++
>
>Warning: flowbits key 'realplayer.playlist' is checked but not ever
set.
>
>+-----------------------[thresholding-config]--------------------------
-
>-------
>| memory-cap : 1048576 bytes
>+-----------------------[thresholding-global]--------------------------
-
>-------
>| none
>+-----------------------[thresholding-local]---------------------------
-
>-------
>| gen-id=1 sig-id=2523 type=Both tracking=dst count=10
>seconds=10
>| gen-id=1 sig-id=2496 type=Both tracking=dst count=20
>seconds=60
>| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5
>seconds=60
>| gen-id=1 sig-id=2495 type=Both tracking=dst count=20
>seconds=60
>| gen-id=1 sig-id=2494 type=Both tracking=dst count=20
>seconds=60
>+-----------------------[suppression]----------------------------------
-
>-------
>-----------------------------------------------------------------------
-
>-------
>Rule application order: ->activation->dynamic->alert->pass->log
>
> --== Initialization Complete ==--
>
>-*> Snort! <*-
>Version 2.2.0 (Build 30)
>By Martin Roesch (roesch@sourcefire.com, www.snort.org)
>
>Snort sucessfully loaded all rules and checked all rule chains!
>Final Flow Statistics
>,----[ FLOWCACHE STATS ]----------
>Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
>Overhead blocks: 1 Could Hold: (0)
>IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
> finds: 0 reversed: 0(%0.000000)
> find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows:
>0
>Snort exiting
>database: Closing connection to database ""
>
>### snort.conf file ####
>#--------------------------------------------------
>#
># http://www.snort.org Snort 2.1.0 Ruleset
># Contact: snort-sigs@lists.sourceforge.net
>#--------------------------------------------------
># $Id: snort.conf,v 1.142.2.2 2004/08/05 18:55:37 jhewlett Exp $ #
>################################################# ##
># This file contains a sample snort configuration.
># You can take the following steps to create your own custom
>configuration: # # 1) Set the network variables for your network # 2)
>Configure preprocessors # 3) Configure output plugins # 4) Customize
>your rule set # ################################################## #
># Step #1: Set the network variables:
>#
># You must change the following variables to reflect your local
network.
>The # variable is currently setup for an RFC 1918 address space. # #
You
>can specify it explicitly as:
>#
># var HOME_NET 10.1.1.0/24
>#
># or use global variable $<interfacename>_ADDRESS which will be always
#
>initialized to IP address and netmask of the network interface which
you
>run # snort at. Under Windows, this must be specified as #
>$(<interfacename>_ADDRESS), such as: #
>$(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
>#
># var HOME_NET $eth0_ADDRESS
>#
># You can specify lists of IP addresses for HOME_NET
># by separating the IPs with commas like this:
>#
># var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>#
># MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>#
># or you can specify the variable to be any IP address
># like this:
>
>var HOME_NET any
>
># Set up the external network addresses as well. A good start may be
>"any" var EXTERNAL_NET any
>
># Configure your server lists. This allows snort to only look for
>attacks to # systems that have a service up. Why look for HTTP attacks
>if you are not # running a web server? This allows quick filtering
>based on IP addresses # These configurations MUST follow the same
>configuration scheme as defined # above for $HOME_NET.
>
># List of DNS servers on your network
>var DNS_SERVERS $HOME_NET
>
># List of SMTP servers on your network
>var SMTP_SERVERS $HOME_NET
>
># List of web servers on your network
>var HTTP_SERVERS $HOME_NET
>
># List of sql servers on your network
>var SQL_SERVERS $HOME_NET
>
># List of telnet servers on your network
>var TELNET_SERVERS $HOME_NET
>
># List of snmp servers on your network
>var SNMP_SERVERS $HOME_NET
>
># Configure your service ports. This allows snort to look for attacks
>destined # to a specific application only on the ports that application
>runs on. For # example, if you run a web server on port 8081, set your
>HTTP_PORTS variable # like this: # # var HTTP_PORTS 8081 # # Port lists
>must either be continuous [eg 80:8080], or a single port [eg 80]. # We
>will adding support for a real list of ports in the future.
>
># Ports you run web servers on
>#
># Please note: [80,8080] does not work.
># If you wish to define multiple HTTP ports,
>#
>## var HTTP_PORTS 80
>## include somefile.rules
>## var HTTP_PORTS 8080
>## include somefile.rules
>var HTTP_PORTS 80
>
># Ports you want to look for SHELLCODE on.
>var SHELLCODE_PORTS !80
>
># Ports you do oracle attacks on
>var ORACLE_PORTS 1521
>
># other variables
>#
># AIM servers. AOL has a habit of adding new AIM servers, so instead
of
># modifying the signatures when they do, we add them to this list of
>servers. var AIM_SERVERS
>[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24
,
>64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>
># Path to your rules files (this can be a relative path)
># Note for Windows users: You are advised to make this an absolute
>path, # such as: c:\snort\rules var RULE_PATH /etc/snort
>
># Configure the snort decoder
># ============================
>#
># Snort's decoder will alert on lots of things such as header
># truncation or options of unusual length or infrequently used tcp
>options # # # Stop generic decode events: # # config
>disable_decode_alerts # # Stop Alerts on experimental TCP options # #
>config disable_tcpopt_experimental_alerts
>#
># Stop Alerts on obsolete TCP options
>#
># config disable_tcpopt_obsolete_alerts
>#
># Stop Alerts on T/TCP alerts
>#
># In snort 2.0.1 and above, this only alerts when a TCP option is
>detected # that shows T/TCP being actively used on the network. If
this
>is normal # behavior for your network, disable the next option. # #
>config disable_tcpopt_ttcp_alerts # # Stop Alerts on all other
TCPOption
>type events: # # config disable_tcpopt_alerts # # Stop Alerts on
invalid
>ip options # # config disable_ipopt_alerts
>
># Configure the detection engine
># ===============================
>#
># Use a different pattern matcher in case you have a machine with very
>limited # resources: # # config detection: search-method lowmem
>
>################################################# ##
># Step #2: Configure preprocessors
>#
># General configuration for preprocessors is of
># the form
># preprocessor <name_of_processor>: <configuration_options>
>
># Configure Flow tracking module
># -------------------------------
>#
># The Flow tracking module is meant to start unifying the state keeping
># mechanisms of snort into a single place. Right now, only a portscan
>detector # is implemented but in the long term, many of the stateful
>subsystems of # snort will be migrated over to becoming flow plugins.
>This must be enabled # for flow-portscan to work correctly. # # See
>README.flow for additional information # preprocessor flow:
>stats_interval 0 hash 2
>
># frag2: IP defragmentation support
># -------------------------------
># This preprocessor performs IP defragmentation. This plugin will also
>detect # people launching fragmentation attacks (usually DoS) against
>hosts. No # arguments loads the default configuration of the
>preprocessor, which is a 60 # second timeout and a 4MB fragment buffer.

>
># The following (comma delimited) options are available for frag2
># timeout [seconds] - sets the number of [seconds] that an
unfinished
>
># fragment will be kept around waiting for
>completion,
># if this time expires the fragment will be
>flushed
># memcap [bytes] - limit frag2 memory usage to [number] bytes
># (default: 4194304)
>#
># min_ttl [number] - minimum ttl to accept
>#
># ttl_limit [number] - difference of ttl to accept without alerting
># will cause false positves with router flap
>#
># Frag2 uses Generator ID 113 and uses the following SIDS
># for that GID:
># SID Event description
># ----- -------------------
># 1 Oversized fragment (reassembled frag > 64k bytes)
># 2 Teardrop-type attack
>
>preprocessor frag2
>
># stream4: stateful inspection/stream reassembly for Snort
>#----------------------------------------------------------------------
># Use in concert with the -z [all|est] command line switch to defeat
>stick/snot # against TCP rules. Also performs full TCP stream
>reassembly, stateful # inspection of TCP streams, etc. Can statefully
>detect various portscan # types, fingerprinting, ECN, etc.
>
># stateful inspection directive
># no arguments loads the defaults (timeout 30, memcap 8388608) #
options
>(options are comma delimited):
># detect_scans - stream4 will detect stealth portscans and generate
>alerts
># when it sees them when this option is set
># detect_state_problems - detect TCP state problems, this tends to be
>very
># noisy because there are a lot of crappy ip
>stack
># implementations out there
>#
># disable_evasion_alerts - turn off the possibly noisy mitigation of
># overlapping sequences.
>#
>#
># min_ttl [number] - set a minium ttl that snort will accept to
># stream reassembly
>#
># ttl_limit [number] - differential of the initial ttl on a
>session versus
># the normal that someone may be playing
>games.
># Routing flap may cause lots of false
>positives.
>#
># keepstats [machine|binary] - keep session statistics, add "machine"
>to
># get them in a flat format for machine
reading,
>add
># "binary" to get them in a unified binary
>output
># format
># noinspect - turn off stateful inspection only
># timeout [number] - set the session timeout counter to [number]
>seconds,
># default is 30 seconds
># memcap [number] - limit stream4 memory usage to [number] bytes
># log_flushed_streams - if an event is detected on a stream this
>option will
># cause all packets that are stored in the
>stream4
># packet buffers to be flushed to disk. This
>only
># works when logging in pcap mode!
>#
># Stream4 uses Generator ID 111 and uses the following SIDS
># for that GID:
># SID Event description
># ----- -------------------
># 1 Stealth activity
># 2 Evasive RST packet
># 3 Evasive TCP packet retransmission
># 4 TCP Window violation
># 5 Data on SYN packet
># 6 Stealth scan: full XMAS
># 7 Stealth scan: SYN-ACK-PSH-URG
># 8 Stealth scan: FIN scan
># 9 Stealth scan: NULL scan
># 10 Stealth scan: NMAP XMAS scan
># 11 Stealth scan: Vecna scan
># 12 Stealth scan: NMAP fingerprint scan stateful detect
># 13 Stealth scan: SYN-FIN scan
># 14 TCP forward overlap
>
>preprocessor stream4: disable_evasion_alerts
>
># tcp stream reassembly directive
># no arguments loads the default configuration
># Only reassemble the client,
># Only reassemble the default list of ports (See below),
># Give alerts for "bad" streams
>#
># Available options (comma delimited):
># clientonly - reassemble traffic for the client side of a connection
>only
># serveronly - reassemble traffic for the server side of a connection
>only
># both - reassemble both sides of a session
># noalerts - turn off alerts from the stream reassembly stage of
>stream4
># ports[list] - use the space separated list of ports in[list],
>"all"
># will turn on reassembly for all ports, "default"
will
>turn
># on reassembly for ports 21, 23, 25, 53, 80, 143,
110,
>111
># and 513
>
>preprocessor stream4_reassemble
>
># http_inspect: normalize and detect HTTP traffic and protocol
anomalies
># # lots of options available here. See doc/README.http_inspect. #
>unicode.map should be wherever your snort.conf lives, or given # a full
>path to where snort can find it. # preprocessor http_inspect: global \
># iis_unicode_map unicode.map 1252
>
># preprocessor http_inspect_server: server default \
># profile all ports { 80 8080 8180 } oversize_dir_length 500
>
>#
># Example unqiue server configuration
>#
>#preprocessor http_inspect_server: server 1.1.1.1 \
># ports { 80 3128 8080 } \
># flow_depth 0 \
># ascii no \
># double_decode yes \
># non_rfc_char { 0x00 } \
># chunk_length 500000 \
># non_strict \
># oversize_dir_length 300 \
># no_alerts
>
>
># rpc_decode: normalize RPC traffic
># ---------------------------------
># RPC may be sent in alternate encodings besides the usual 4-byte
>encoding # that is used by default. This plugin takes the port numbers
>that RPC # services are running on as arguments - it is assumed that
the
>given ports # are actually running this type of service. If not, change
>the ports or turn # it off. # The RPC decode preprocessor uses
generator
>ID 106 # # arguments: space separated list # alert_fragments - alert on
>any rpc fragmented TCP data # no_alert_multiple_requests - don't alert
>when >1 rpc query is in a packet # no_alert_large_fragments - don't
>alert when the fragmented
># sizes exceed the current packet size
># no_alert_incomplete - don't alert when a single segment
># exceeds the current packet size
>
>preprocessor rpc_decode: 111 32771
>
># bo: Back Orifice detector
># -------------------------
># Detects Back Orifice traffic on the network. Takes no arguments in
>2.0. #
># The Back Orifice detector uses Generator ID 105 and uses the
># following SIDS for that GID:
># SID Event description
># ----- -------------------
># 1 Back Orifice traffic detected
>
>preprocessor bo
>
># telnet_decode: Telnet negotiation string normalizer
># ---------------------------------------------------
># This preprocessor "normalizes" telnet negotiation strings from telnet
>and ftp # traffic. It works in much the same way as the http_decode
>preprocessor, # searching for traffic that breaks up the normal data
>stream of a protocol and # replacing it with a normalized
representation
>of that traffic so that the # "content" pattern matching keyword can
>work without requiring modifications. # This preprocessor requires no
>arguments. # Portscan uses Generator ID 109 and does not generate any
>SID currently.
>
>preprocessor telnet_decode
>
># Flow-Portscan: detect a variety of portscans
># ---------------------------------------
># Note: The Flow preprocessor (above) must first be enabled for
>Flow-Portscan to # work. # # This module detects portscans based off of
>flow creation in the flow # preprocessors. The goal is to catch
>one->many hosts and one->many # ports scans. # # Flow-Portscan has
>numerous options available, please read # README.flow-portscan for help
>configuring this option.
>
># Flow-Portscan uses Generator ID 121 and uses the following SIDS for
>that GID:
># SID Event description
># ----- -------------------
># 1 flow-portscan: Fixed Scale Scanner Limit Exceeded
># 2 flow-portscan: Sliding Scale Scanner Limit Exceeded
># 3 flow-portscan: Fixed Scale Talker Limit Exceeded
># 4 flow-portscan: Sliding Scale Talker Limit Exceeded
>
># preprocessor flow-portscan: \
># talker-sliding-scale-factor 0.50 \
># talker-fixed-threshold 30 \
># talker-sliding-threshold 30 \
># talker-sliding-window 20 \
># talker-fixed-window 30 \
># scoreboard-rows-talker 30000 \
># server-watchnet [10.2.0.0/30] \
># server-ignore-limit 200 \
># server-rows 65535 \
># server-learning-time 14400 \
># server-scanner-limit 4 \
># scanner-sliding-window 20 \
># scanner-sliding-scale-factor 0.50 \
># scanner-fixed-threshold 15 \
># scanner-sliding-threshold 40 \
># scanner-fixed-window 15 \
># scoreboard-rows-scanner 30000 \
># src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
># dst-ignore-net [10.0.0.0/30] \
># alert-mode once \
># output-mode msg \
># tcp-penalties on
>
># arpspoof
>#----------------------------------------
># Experimental ARP detection code from Jeff Nathan, detects ARP
attacks,
># unicast ARP requests, and specific ARP mapping monitoring. To make
>use of # this preprocessor you must specify the IP and hardware address
>of hosts on # the same layer 2 segment as you. Specify one host IP MAC
>combo per line. # Also takes a "-unicast" option to turn on unicast ARP
>request detection.
># Arpspoof uses Generator ID 112 and uses the following SIDS for that
>GID:
>
># SID Event description
># ----- -------------------
># 1 Unicast ARP request
># 2 Etherframe ARP mismatch (src)
># 3 Etherframe ARP mismatch (dst)
># 4 ARP cache overwrite attack
>
>#preprocessor arpspoof
>#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
>
># Performance Statistics
># ----------------------
># Documentation for this is provided in the Snort Manual. You should
>read it. # It is included in the release distribution as
>doc/snort_manual.pdf #
># preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt
>10000
>
>################################################# ###################
># Step #3: Configure output plugins
>#
># Uncomment and configure the output plugins you decide to use.
General
># configuration for output plugins is of the form: # # output
><name_of_plugin>: <configuration_options> # # alert_syslog: log alerts
>to syslog # ----------------------------------
># Use one or more syslog facilities as arguments. Win32 can also
>optionally # specify a particular hostname/port. Under Win32, the
>default hostname is # '127.0.0.1', and the default port is 514. # #
>[Unix flavours should use this format...] # output alert_syslog:
>LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output
>alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname,
>LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname:port, LOG_AUTH
>LOG_ALERT
>
># log_tcpdump: log packets in binary tcpdump format
># -------------------------------------------------
># The only argument is the output file name.
>#
>output log_tcpdump: tcpdump.log
>
># database: log to a variety of databases
># ---------------------------------------
># See the README.database file for more information about configuring #
>and using this plugin. # output database: log, mysql, user=snort
>password=google dbname=snort host=localhost # output database: alert,
>postgresql, user=snort dbname=snort # output database: log, odbc,
>user=snort dbname=snort # output database: log, mssql, dbname=snort
>user=snort password=test # output database: log, oracle, dbname=snort
>user=snort password=test
>
># unified: Snort unified binary format alerting and logging
># -------------------------------------------------------------
># The unified output plugin provides two new formats for logging and
>generating # alerts from Snort, the "unified" format. The unified
>format is a straight # binary format for logging data out of Snort that
>is designed to be fast and # efficient. Used with barnyard (the new
>alert/log processor), most of the # overhead for logging and alerting
to
>various slow storage mechanisms such as # databases or the network can
>now be avoided.
>#
># Check out the spo_unified.h file for the data formats.
>#
># Two arguments are supported.
># filename - base filename to write to (current time_t is appended)
># limit - maximum size of spool file in MB (default: 128)
>#
># output alert_unified: filename snort.alert, limit 128
># output log_unified: filename snort.log, limit 128
>
># You can optionally define new rule types and associate one or more
>output # plugins specifically to that type. # # This example will
create
>a type that will log to just tcpdump. # ruletype suspicious # {
># type log
># output log_tcpdump: suspicious.log
># }
>#
># EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
># suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
>Server";) # # This example will create a rule type that will log to
>syslog and a mysql # database: # ruletype redalert # {
># type alert
># output alert_syslog: LOG_AUTH LOG_ALERT
># output database: log, mysql, user=snort dbname=snort host=localhost
># }
>#
># EXAMPLE RULE FOR REDALERT RULETYPE:
># redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
># (msg:"Someone is being LEET"; flags:A+;)
>
>#
># Include classification & priority settings
># Note for Windows users: You are advised to make this an absolute
>path, # such as: c:\snort\etc\classification.config
>#
>
>include classification.config
>
>#
># Include reference systems
># Note for Windows users: You are advised to make this an absolute
>path, # such as: c:\snort\etc\reference.config #
>
>include reference.config
>
>################################################# ###################
># Step #4: Customize your rule set
>#
># Up to date snort rules are available at http://www.snort.org # # The
>snort web site has documentation about how to write your own custom
>snort # rules. # # The rules included with this distribution generate
>alerts based on on # suspicious activity. Depending on your network
>environment, your security # policies, and what you consider to be
>suspicious, some of these rules may # either generate false positives
>ore may be detecting activity you consider to # be acceptable;
>therefore, you are encouraged to comment out rules that are # not
>applicable in your environment. # # The following individuals
>contributed many of rules in this distribution. # # Credits:
># Ron Gula <rgula@securitywizards.com> of Network Security Wizards
># Max Vision <vision@whitehats.com>
># Martin Markgraf <martin@mail.du.gtn.com>
># Fyodor Yarochkin <fygrave@tigerteam.net>
># Nick Rogness <nick@rapidnet.com>
># Jim Forster <jforster@rapidnet.com>
># Scott McIntyre <scott@whoi.edu>
># Tom Vandepoel <Tom.Vandepoel@ubizen.com>
># Brian Caswell <bmc@snort.org>
># Zeno <admin@cgisecurity.com>
># Ryan Russell <ryan@securityfocus.com>
>
>
>
>#=========================================
># Include all relevant rulesets here
>#
># The following rulesets are disabled by default:
>#
># web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,
>virus,
># chat, multimedia, and p2p
>#
># These rules are either site policy specific or require tuning in
order
>to not # generate false positive alerts in most enviornments. #
># Please read the specific include file for more information and #
>README.alert_order for how rule ordering affects how alerts are
>triggered. #=========================================
>
>include $RULE_PATH/local.rules
>include $RULE_PATH/bad-traffic.rules
>include $RULE_PATH/exploit.rules
>include $RULE_PATH/scan.rules
>include $RULE_PATH/finger.rules
>include $RULE_PATH/ftp.rules
>include $RULE_PATH/telnet.rules
>include $RULE_PATH/rpc.rules
>include $RULE_PATH/rservices.rules
>include $RULE_PATH/dos.rules
>include $RULE_PATH/ddos.rules
>include $RULE_PATH/dns.rules
>include $RULE_PATH/tftp.rules
>
>include $RULE_PATH/web-cgi.rules
>include $RULE_PATH/web-coldfusion.rules
>include $RULE_PATH/web-iis.rules
>include $RULE_PATH/web-frontpage.rules
>include $RULE_PATH/web-misc.rules
>include $RULE_PATH/web-client.rules
>include $RULE_PATH/web-php.rules
>
>include $RULE_PATH/sql.rules
>include $RULE_PATH/x11.rules
>include $RULE_PATH/icmp.rules
>include $RULE_PATH/netbios.rules
>include $RULE_PATH/misc.rules
>include $RULE_PATH/attack-responses.rules
>include $RULE_PATH/oracle.rules
>include $RULE_PATH/mysql.rules
>include $RULE_PATH/snmp.rules
>
>include $RULE_PATH/smtp.rules
>include $RULE_PATH/imap.rules
>include $RULE_PATH/pop2.rules
>include $RULE_PATH/pop3.rules
>
>include $RULE_PATH/nntp.rules
>include $RULE_PATH/other-ids.rules
># include $RULE_PATH/web-attacks.rules
># include $RULE_PATH/backdoor.rules
># include $RULE_PATH/shellcode.rules
># include $RULE_PATH/policy.rules
># include $RULE_PATH/porn.rules
># include $RULE_PATH/info.rules
># include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/virus.rules
># include $RULE_PATH/chat.rules
># include $RULE_PATH/multimedia.rules
># include $RULE_PATH/p2p.rules
>include $RULE_PATH/experimental.rules
>
># Include any thresholding or suppression commands. See threshold.conf
>in the # <snort src>/etc directory for details. Commands don't
>necessarily need to be # contained in this conf, but a separate conf
>makes it easier to maintain them.
># Note for Windows users: You are advised to make this an absolute
>path, # such as: c:\snort\etc\threshold.conf # Uncomment if needed. #
>include threshold.conf
>
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: IT Product Guide on
ITManagersJournal
>Use IT products in your business? Tell us what you think of them. Give
>us
>Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
>more
>http://productguide.itmanagersjourna...uidepromo.tmpl
>_______________________________________________
>Snort-users mailing list
>Snort-users@lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/...fo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.p...st=snort-users
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: IT Product Guide on
ITManagersJournal
>Use IT products in your business? Tell us what you think of them. Give
us
>Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
more
>http://productguide.itmanagersjourna...uidepromo.tmpl
>_______________________________________________
>Snort-users mailing list
>Snort-users@lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/...fo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list
>
>
>


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give
us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
more
http://productguide.itmanagersjourna...uidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

------=_NextPart_000_00F0_01C4AD3A.C5F2D230
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCS qGSIb3DQEHAQAAoIIKHzCCAj0w
ggGmAhEAzbp/VvDf5LxU/iKss3KqVTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzE XMBUG
A1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzID EgUHVibGljIFByaW1hcnkgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWh cNMjgwODAxMjM1OTU5WjBfMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNz A1BgNVBAsTLkNsYXNzIDEgUHVi
bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ 8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiI Llc6igmyRdDR/MZW4MsNBWhBiH
mgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEe JORVZpH3gCgNrcR5EpuzbJY1zF
4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQ ECBQADgYEATD+4i8Zo3+5DMw5d
6abLB4RNejP/khv0Nq3YlSI2aBFsfELM85wuxAc/FLAPT/+Qknb54rxK6Y/NoIAK98Up8YIiXbix
3YEjo3slFUYweRb46gVLlH8dwhzI47f0EEA8E8NfH1PoSOSGtH uhNbB7Jbq4046rPzidADQAmPPR
cZQwggNiMIICy6ADAgECAhAL2gsXwT+JjqsJdHq0zi4zMA0GCS qGSIb3DQEBAgUAMF8xCzAJBgNV
BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1 UECxMuQ2xhc3MgMSBQdWJsaWMg
UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OD A1MTIwMDAwMDBaFw0wODA1MTIy
MzU5NTlaMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB 0GA1UECxMWVmVyaVNpZ24gVHJ1
c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS 9yZXBvc2l0b3J5L1JQQSBJbmNv
cnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJ
bmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaW RhdGVkMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC7WkSKBBa7Vf0DeootlE8VeDa4DUqyb5 xUv7zodyqdufBou5XZMUFweoFL
uUgTVi3HCOGEQqvAopKrRFyqQvCCDgLpL/vCO7u+yScKXbawNkIztW5UiE+HSr8Z2vkV6A+Hthzj
zMaajn9qJJLj/OBluqexfu/J2zdqyErICQbkmQIDAQABo4GwMIGtMA8GA1UdEwQIMAYBAf8CA QAw
RwYDVR0gBEAwPjA8BgtghkgBhvhFAQcBATAtMCsGCCsGAQUFBw IBFh93d3cudmVyaXNpZ24uY29t
L3JlcG9zaXRvcnkvUlBBMDEGA1UdHwQqMCgwJqAkoCKGIGh0dH A6Ly9jcmwudmVyaXNpZ24uY29t
L3BjYTEuY3JsMAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBA MCAQYwDQYJKoZIhvcNAQECBQAD
gYEAAn2eb0VLOKC43ulTZCG85Ewrjx7+kkCs2Ao5aqEyISwHm6 tZ/tJiGn1VOLA3c9z0B2ZjYr3h
U3BSh+eo2FLpWy2q4d7PrDFU1IsZyNgjqO8EKzJ9LBgcyHyJqC 538kTRZQpNdLXu0xuSc3QuiTs1
E3LnQDGa07LEq+dWvovj+xUwggR0MIID3aADAgECAhBljIdb8o DhKyqqOaJMV2VUMA0GCSqGSIb3
DQEBBAUAMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB 0GA1UECxMWVmVyaVNpZ24gVHJ1
c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS 9yZXBvc2l0b3J5L1JQQSBJbmNv
cnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJ
bmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaW RhdGVkMB4XDTA0MDgxMTAwMDAw
MFoXDTA1MDgxMTIzNTk1OVowggEYMRcwFQYDVQQKEw5WZXJpU2 lnbiwgSW5jLjEfMB0GA1UECxMW
VmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3Ln ZlcmlzaWduLmNvbS9yZXBvc2l0
b3J5L1JQQSBJbmNvcnAuIGJ5IFJlZi4sTElBQi5MVEQoYyk5OD EeMBwGA1UECxMVUGVyc29uYSBO
b3QgVmFsaWRhdGVkMTQwMgYDVQQLEytEaWdpdGFsIElEIENsYX NzIDEgLSBNaWNyb3NvZnQgRnVs
bCBTZXJ2aWNlMRMwEQYDVQQDFApMYW5jZSBCb29uMSkwJwYJKo ZIhvcNAQkBFhpsYm9vbkBmaXJz
dHN0YXRlYmFua3N3LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQ AwgYkCgYEAzL0ZrtPgx8D4nHq3
wxyEGnqVEVc3XJDuRoohNnOFS+lGW3srTDjlT85BB9GiFE3F3D jdCmYNx72TQjVWx7B0ACGftJJN
F7qsvYSVV18fjoVDxpbAhwSr1AVfOwDeStKVvRYZmC0jGO0Kye oRuao3ZqolRUd/h5wVmyxh/y+H
ppMCAwEAAaOCAQYwggECMAkGA1UdEwQCMAAwgawGA1UdIASBpD CBoTCBngYLYIZIAYb4RQEHAQEw
gY4wKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLm NvbS9DUFMwYgYIKwYBBQUHAgIw
VjAVFg5WZXJpU2lnbiwgSW5jLjADAgEBGj1WZXJpU2lnbidzIE NQUyBpbmNvcnAuIGJ5IHJlZmVy
ZW5jZSBsaWFiLiBsdGQuIChjKTk3IFZlcmlTaWduMBEGCWCGSA GG+EIBAQQEAwIHgDAzBgNVHR8E
LDAqMCigJqAkhiJodHRwOi8vY3JsLnZlcmlzaWduLmNvbS9jbG FzczEuY3JsMA0GCSqGSIb3DQEB
BAUAA4GBAGteJGBNoAcAjbYZFYlbUczcj0ZGOc+Pgn6h//3CV6vvwqyXjk6VXOrlGi5QvRp6tase
s5813O06xPUmHb1Sp4W1+1LUsJ7XKVFS1ud6hgcBC0QKw0x0Bb bwbBa74Hna+sEqwxU7qew4Geaz
HtZZwDjTfFMaIQwdz5cBlE6gbSRoMYIEPjCCBDoCAQEwgeEwgc wxFzAVBgNVBAoTDlZlcmlTaWdu
LCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3 JrMUYwRAYDVQQLEz13d3cudmVy
aXNpZ24uY29tL3JlcG9zaXRvcnkvUlBBIEluY29ycC4gQnkgUm VmLixMSUFCLkxURChjKTk4MUgw
RgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAxIENBIEluZGl2aWR1YW wgU3Vic2NyaWJlci1QZXJzb25h
IE5vdCBWYWxpZGF0ZWQCEGWMh1vygOErKqo5okxXZVQwCQYFKw 4DAhoFAKCCArIwGAYJKoZIhvcN
AQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDQxMD A4MTgyOTAxWjAjBgkqhkiG9w0B
CQQxFgQUNdpRTrdRjoJwQ2/Z3U/z2oauKJkwZwYJKoZIhvcNAQkPMVowWDAKBggqhkiG9w0DBzAO
BggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAg cwDQYIKoZIhvcNAwICASgwBwYF
Kw4DAhowCgYIKoZIhvcNAgUwgfIGCSsGAQQBgjcQBDGB5DCB4T CBzDEXMBUGA1UEChMOVmVyaVNp
Z24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldH dvcmsxRjBEBgNVBAsTPXd3dy52
ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBCeS BSZWYuLExJQUIuTFREKGMpOTgx
SDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZH VhbCBTdWJzY3JpYmVyLVBlcnNv
bmEgTm90IFZhbGlkYXRlZAIQZYyHW/KA4SsqqjmiTFdlVDCB9AYLKoZIhvcNAQkQAgsxgeSggeEw
gcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLEx ZWZXJpU2lnbiBUcnVzdCBOZXR3
b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaX RvcnkvUlBBIEluY29ycC4gQnkg
UmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbi BDbGFzcyAxIENBIEluZGl2aWR1
YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQCEG WMh1vygOErKqo5okxXZVQwDQYJ
KoZIhvcNAQEBBQAEgYAB2v9rVRqt3SI1kGxgQMIL37j7XRsV+k URzbUHnKEJMu4OK14XZAyiQhUO
0c1s0Gcx1WhrymW+G9lCbJxDMOkSx3m3d8jJ8vMMHJP1i3uj0O Vk5Ww9R6r2ezo9h8ygTbeXjZGG
tMRsdrfEpDdwXBkbrfW2Ec/xSeWIoAeyrw5T3QAAAAAAAA==

------=_NextPart_000_00F0_01C4AD3A.C5F2D230--


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjourna...uidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users