Question

Trouble logging with snort

Asked by: dissolved

Doing a :
 ./snort -d -l /var/log/snort  -h 172.16.1.0/24 -c /root/snort-2.8.4.1/etc


then I open up a separate terminal window and do a tail -f /var/log/snort/alert and nothing shows up. I've portscanned the snort machine and still nothing.  Any ideas?

[root@cpk snort]# ls -al
total 24
drwx------  2 root root 4096 Apr 30 09:14 .
drwxr-xr-x 17 root root 4096 Apr 30 06:37 ..
-rwx------  1 root root    0 Apr 30 09:04 alert
-rwx------  1 root root    0 Apr 30 09:04 alerts
[root@cpk snort]#

                                  
1:
2:
3:
4:
5:
6:
7:

Select allOpen in new window

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-05-01 at 06:48:42ID24372378
Topics

Linux Network Security

,

Linux

,

Miscellaneous Networking

,

Linux Networking

Participating Experts
2
Points
500
Comments
26

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. snort
    can anyone teach me how to use snort pls
  2. Block KaZaA using Snort
    I need a rule to block KaZaA using Snort.
  3. snort
    i have setup snort on linux with mysql and acid everything seems to work great except when i log into acid i dont see any alerts even when i run a port scan i still dont see any alerts im new to snort and linux any ideas where to start troubleshooting?
  4. Snort on Ubuntu Linux with webmin
    I want to install Snort on my ubuntu linux systems Ubuntu 6.06 LTS. I usualy do a lot of the system administration with Webmin. I will like to keep it that way. The main thing is to install snort and I am having a dificult time following the instructions that are in the manua...
  5. Snort Installation
    Please let us know the installation of snort recent version. And I am installing in Redhat Linux. And also i need Snort tuning. I need to reinstall Snort.
  6. snort on ubuntu 8.04
    I am following this guide on how to install snort on ubuntu and i am on the mysql part, it tells me to issue this command: mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password'; everytime i do i get this error: ERROR 1290 (HY000): The...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: KeremEPosted on 2009-05-04 at 16:14:06ID: 24300245

Hi,

It seems that your file permissions and ownership is wrong. The alert file should look like this:
-rw-r--r--  1 snort snort    23959 2009-05-05 00:52 alert

so what you can do is changing the ownership of the file first with a command similar to this:

# chown snort.snort alert
# chmod 644 alert

In any case no log file should ever have executable attribute set.

A command like that generally shows you user and group setting of your snort:
# ps -aef | grep snort

such as:
snort      381     1  0 Mar31 ?        00:13:57 /usr/sbin/snort -c /etc/snort/snort.conf -D -u snort -g snort -d -e -o -p -b -A fast -m 022 -i eth2

at least you can try to locate your snort.conf and verify user and group info there (in my example it is located in /etc/snort

I hope this helps.

Cheers,
K.

 

by: KeremEPosted on 2009-05-04 at 16:17:28ID: 24300270

it also seems that your /var/log/snort directory is owned by root too. Please go to the upper directory and issue this  command:

cd ..  (assuming that your current directory thet you show in your initial posting is /something like
          /var/log/snort and you are currently changing to this directory)
chown -R snort.snort snort

So instead of my previous chmod command use this one with -R in the uppr directory whre it holds snort logs directory.

 

by: harbor235Posted on 2009-05-05 at 05:28:53ID: 24303890



I assume traffic is being forwarded to the the system running snort and on the proper interface?

Try this:
snort -dvl /var/log/snort  -h 172.16.1.0/24 -c /root/snort-2.8.4.1/etc

harbor235 ;}

 

by: dissolvedPosted on 2009-05-05 at 18:38:03ID: 24310710

thanks guys. I tried all that and port scanned the box again and still no logs. I don't get it?

 

by: KeremEPosted on 2009-05-05 at 18:41:01ID: 24310727

Will you post your snort.conf ?

also the output for:

ps -aef | grep snort

 

by: KeremEPosted on 2009-05-05 at 18:42:14ID: 24310734

Also the output for

ls -al /var/log/snort

 

by: harbor235Posted on 2009-05-05 at 18:49:01ID: 24310767



Hopefully you have the traffic that you want to inspect directed to the interface;

i assume you are spanning a network port or something similar, can you confirm?

harbor235 ;}

 

by: dissolvedPosted on 2009-05-05 at 18:50:56ID: 24310775


[root@cpk ~]# ls -al /var/log/snort
total 250904
drwx------  2 root root      4096 May  5 17:18 .
drwxr-xr-x 17 root root      4096 May  3 04:02 ..
-rw-r--r--  1 root root         0 Apr 30 09:04 alert
-rw-r--r--  1 root root         0 Apr 30 09:04 alerts
-rw-------  1 root root         0 May  1 14:01 snort.log.1241200899
-rw-------  1 root root  15278562 May  4 21:44 snort.log.1241480636
-rw-------  1 root root 134216215 May  5 12:11 snort.log.1241487867
-rw-------  1 root root 107115962 May  5 21:47 snort.log.1241539890
[root@cpk ~]#



var/log/snort -c /root/snort-2.8.4.1
root      9753     1  0 May04 ?        00:01:53 ./snort -de -l /var/log/snort
root     12526 12491  0 17:07 pts/4    00:00:00 tail -f /var/log/snort/alerts
root     13039 13007  0 21:47 pts/5    00:00:00 grep snort
[root@cpk ~]#


####################################################################
# Step #4: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.  General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also optionally
# specify a particular hostname/port.  Under Win32, the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
 
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log
 
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
 
# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and generating
# alerts from Snort, the "unified" format.  The unified format is a straight
# binary format for logging data out of Snort that is designed to be fast and
# efficient.  Used with barnyard (the new alert/log processor), most of the
# overhead for logging and alerting to various slow storage mechanisms such as
# databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
 
 
# prelude: log to the Prelude Hybrid IDS system
# ---------------------------------------------
#
# profile = Name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# output alert_prelude
# output alert_prelude: profile=snort-profile-name
 
 
# You can optionally define new rule types and associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog and a mysql
# database:
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)
 
#
# Include classification & priority settings
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\classification.config
#
 
include classification.config
 
#
# Include reference systems
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\reference.config
#
 
include reference.config
 
####################################################################
# Step #5: Configure snort with config statements
#
# See the snort manual for a full set of configuration references
#
# config flowbits_size: 64
#
# New global ignore_ports config option from Andy Mullican
#
# config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53
 
 
####################################################################
# Step #6: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own custom snort
# rules.
 
#=========================================
# Include all relevant rulesets here
#
# The following rulesets are disabled by default:
#
#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
#   chat, multimedia, and p2p
#
# These rules are either site policy specific or require tuning in order to not
# generate false positive alerts in most enviornments.
#
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================
 
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
 
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
 
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
 
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
 
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
include $RULE_PATH/experimental.rules
 
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
 
# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them.
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf
[root@cpk ~]#
                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:

Select allOpen in new window

 

by: KeremEPosted on 2009-05-05 at 19:03:52ID: 24310824

What do you have in your snort.log files? it seems that there are lots of data in the logged files if not the alert file.

 

by: dissolvedPosted on 2009-05-05 at 19:06:07ID: 24310831

I tried reading of of the files and it just spat out a bunch of garbage. I just did a cat <filename>. Is there another way to read them? Maybe feed them into snort?
Why is it logging to log files and not the alert file?

 

by: KeremEPosted on 2009-05-05 at 19:10:27ID: 24310846

Please run snort such as this:

./snort -c /etc/snort/snort.conf -de -l /var/log/snort

This will make sure you're using the config file. Make sure the path /etc/snort/snort.conf points to your config file. Make modification if your config file is located elsewhere.

 

by: KeremEPosted on 2009-05-05 at 19:13:39ID: 24310853

LOG is not alert! Log files contain the session traffic and alert file contains alerts generated according to the rules indicated in the config file.

I am not sure you are parsing the appropirate .conf file.

BTW log should not have all binary logs in it it should have entries more less like this:
-----------------------------7d9ab670180
Content-Disposition: form-data; name="session"

2
-----------------------------7d9ab670180
Content-Disposition: form-data; name="passed_id"


-----------------------------7d9ab670180
Content-Disposition: form-data; name="send_to"

goksenin@tumer.com
-----------------------------7d9ab670180
Content-Disposition: form-data; name="send_to_cc"


-----------------------------7d9ab670180
Content-Disposition: form-data; name="send_to_bcc"

...

 

by: KeremEPosted on 2009-05-05 at 19:15:53ID: 24310866

BTW the config you've post here is missing Network and port , decoder definitions. Are you sure this is the only contents of your snort.conf file ??

 

by: dissolvedPosted on 2009-05-05 at 19:22:11ID: 24310893

Yes looks like my copy and paste got cut off. I'll try and copy again.
I ran this:

./snort -c /root/snort-2.8.4.1/etc/snort.conf -de -l /var/log/snort


and got this message:

[root@cpk src]# ./snort -c /root/snort-2.8.4.1/etc/snort.conf -de -l /var/log/snort
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /root/snort-2.8.4.1/etc/snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit (not used): 5
    Fragment Problems: 1
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      514 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2401 client (Footprint)
      3306 client (Footprint)
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /root/snort-2.8.4.1/etc/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Server Flow Depth: 300
      Client Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Normalize HTTP Cookies: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

ERROR: Unable to open rules file: ../rules/local.rules or /root/snort-2.8.4.1/etc/../rules/local.rules
Fatal Error, Quitting..
[root@cpk src]#

 

by: dissolvedPosted on 2009-05-05 at 19:24:07ID: 24310901

I wonder if my installation is corrupt. The rules files are missing/


[root@cpk src]# find / -name local.rules
[root@cpk src]# find / -name *.rules
/root/snort-2.8.4.1/preproc_rules/preprocessor.rules
/root/snort-2.8.4.1/preproc_rules/decoder.rules
/usr/share/X11/config/scoLib.rules
/usr/share/X11/config/OpenBSDLib.rules
/usr/share/X11/config/mingw.rules
/usr/share/X11/config/darwinLib.rules
/usr/share/X11/config/cygwin.rules
/usr/share/X11/config/os2Lib.rules
/usr/share/X11/config/bsdiLib.rules
/usr/share/X11/config/gnuLib.rules
/usr/share/X11/config/oldlib.rules
/usr/share/X11/config/sgiLib.rules
/usr/share/X11/config/sv3Lib.rules
/usr/share/X11/config/xf86.rules
/usr/share/X11/config/bsdLib.rules
/usr/share/X11/config/Win32.rules
/usr/share/X11/config/sunLib.rules
/usr/share/X11/config/nto.rules
/usr/share/X11/config/noop.rules
/usr/share/X11/config/osfLib.rules
/usr/share/X11/config/QNX4.rules
/usr/share/X11/config/X11.rules
/usr/share/X11/config/ibmLib.rules
/usr/share/X11/config/Motif.rules
/usr/share/X11/config/lnxdoc.rules
/usr/share/X11/config/sequentLib.rules
/usr/share/X11/config/hpLib.rules
/usr/share/X11/config/os2.rules
/usr/share/X11/config/sv4Lib.rules
/usr/share/X11/config/cross.rules
/usr/share/X11/config/cde.rules
/usr/share/X11/config/necLib.rules
/usr/share/X11/config/Imake.rules
/usr/share/X11/config/lnxLib.rules
/usr/share/doc/audit-1.6.5/lspp.rules
/usr/share/doc/audit-1.6.5/capp.rules
/usr/share/doc/audit-1.6.5/nispom.rules
/usr/src/kernels/2.6.18-92.el5-i686/arch/um/scripts/Makefile.rules
/etc/udev/rules.d/60-libsane.rules
/etc/udev/rules.d/90-hal.rules
/etc/udev/rules.d/50-udev.rules
/etc/udev/rules.d/60-net.rules
/etc/udev/rules.d/51-hotplug.rules
/etc/udev/rules.d/60-pcmcia.rules
/etc/udev/rules.d/90-dm.rules
/etc/udev/rules.d/60-wacom.rules
/etc/udev/rules.d/61-uinput-stddev.rules
/etc/udev/rules.d/60-raw.rules
/etc/udev/rules.d/95-pam-console.rules
/etc/udev/rules.d/40-multipath.rules
/etc/udev/rules.d/05-udev-early.rules
/etc/udev/rules.d/bluetooth.rules
/etc/udev/rules.d/90-alsa.rules
/etc/udev/rules.d/61-uinput-wacom.rules
/etc/audit/audit.rules
[root@cpk src]#
                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:

Select allOpen in new window

 

by: KeremEPosted on 2009-05-05 at 19:30:12ID: 24310924

Yeah it seems that you were finally able to read your config files. As you would notice it tries to find the *.rules files. You see the names of files at the cut-off logfile you've sent me and it seems that the system is trying to locate the files under:
./rules/local.rules
/root/snort-2.8.4.1/etc/../rules/local.rules

(here../ refers to the paret firectory. If you put the files there or you modify your confing file to modify theis value in the very beginning:

var RULE_PATH /etc/snort/rules

and point it to where the rule files reside you'll be able to get your alert file populated.

But it seems that during the initial configuration of snort you did not add  install path and configuration directory such as:

./configure --prefix=/usr/local --sysconfgdir=/etc/snort
make
make install

Once you get your alert file populated try to make clean and rebuilt you source from the scratch.

 

by: KeremEPosted on 2009-05-05 at 19:36:41ID: 24310944

Your installation file is not corrupt. Rules are downloaded separately here:

http://www.snort.org/pub-bin/downloads.cgi

Rules files are not static files. The contents are systematically updated as new vulnerabilities  are discovered. But these files are releases once they are a month old. Also there's a premium fee based service which contains 0-day vulnerabilities covered. This is why the distro does not contain rules.

 

by: KeremEPosted on 2009-05-05 at 19:38:31ID: 24310949

If you still get ereos after you download rules try to locate non existent files and add a Leading # before them and retry.

 

by: KeremEPosted on 2009-05-05 at 19:43:42ID: 24310970

Current Rules for unregistered users coud be downloaded here:

http://www.snort.org/pub-bin/downloads.cgi#PR

 

by: dissolvedPosted on 2009-05-06 at 07:47:17ID: 24315414

Ok i got the rules installed. Please see the code

[root@cpk src]# ./snort -c /root/snort-2.8.4.1/etc/snort.conf -de -l /var/log/snort
Running in IDS mode
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /root/snort-2.8.4.1/etc/snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 8000 8080 8180 8888 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
PortVar 'AUTH_PORTS' defined :  [ 113 ]
PortVar 'DNS_PORTS' defined :  [ 53 ]
PortVar 'FINGER_PORTS' defined :  [ 79 ]
PortVar 'FTP_PORTS' defined :  [ 21 ]
PortVar 'IMAP_PORTS' defined :  [ 143 ]
PortVar 'IRC_PORTS' defined :  [ 6665:6669 7000 ]
PortVar 'MSSQL_PORTS' defined :  [ 1433 ]
PortVar 'NNTP_PORTS' defined :  [ 119 ]
PortVar 'POP2_PORTS' defined :  [ 109 ]
PortVar 'POP3_PORTS' defined :  [ 110 ]
PortVar 'SUNRPC_PORTS' defined :  [ 111 32770:32779 ]
PortVar 'RLOGIN_PORTS' defined :  [ 513 ]
PortVar 'RSH_PORTS' defined :  [ 514 ]
PortVar 'SMB_PORTS' defined :  [ 139 445 ]
PortVar 'SMTP_PORTS' defined :  [ 25 ]
PortVar 'SNMP_PORTS' defined :  [ 161 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'TELNET_PORTS' defined :  [ 23 ]
PortVar 'MAIL_PORTS' defined :  [ 25 143 465 691 ]
PortVar 'SSL_PORTS' defined :  [ 25 443 465 636 993 995 ]
Detection:
   Search-Method = AC-BNFA-Q
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit (not used): 5
    Fragment Problems: 0
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
    Reassembly Policy: WINDOWS
    Timeout: 30 seconds
    Min ttl:  1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      465 client (Footprint)
      513 client (Footprint)
      691 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2100 client (Footprint)
Stream5 UDP Policy config:
    Timeout: 30 seconds
    Options:
        Ignore Any -> Any Rules: YES
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /root/snort-2.8.4.1/etc/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 2301 3128 8000 8080 8180 8888
      Server Flow Depth: 1460
      Client Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Normalize HTTP Cookies: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      Base36: OFF
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... ERROR: Failed to load /usr/local/lib/snort_dynamicengine/libsf_engine.so: /usr/local/lib/snort_dynamicengine/libsf_engine.so: cannot open shared object file: No such file or directory
Fatal Error, Quitting..
[root@cpk src]#
                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:

Select allOpen in new window

 

by: KeremEPosted on 2009-05-06 at 08:30:55ID: 24316005

It seems that your dynamic lib is not included  in your library list. To correct this:
- make sure you have a /usr/local/lib/snort_dynamicengine folder and it is populated with some .so files (especially the file in question here called: libsf_engine.so)
- go to /etc/ld.so.conf.d
- add a file named snortdynlib.conf
- add this into the file and save:
/usr/local/lib/snort_dynamicengine
- at the system prompt type:
ldconfig
after it comples restart snort.

 

by: dissolvedPosted on 2009-05-06 at 08:44:17ID: 24316179

Thanks, I do not even have that file on my system. I downloaded snort again and could not find it in there either

 

by: KeremEPosted on 2009-05-06 at 09:06:57ID: 24316485

Ok then edit your snort.conf and locate this:

dynamicengine /usr/lib/snort/dynamicengine/libsf_engine.so

Then Change it to:

dynamicengine /usr/lib/snort/dynamicengine

Restart!

 

by: dissolvedPosted on 2009-05-06 at 11:36:31ID: 24318108

did that and still getting errors. Here is my entire snort.conf

[root@cpk src]# ./snort -c /root/snort-2.8.4.1/etc/snort.conf -de -l /var/log/snort
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /root/snort-2.8.4.1/etc/snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 8000 8080 8180 8888 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
PortVar 'AUTH_PORTS' defined :  [ 113 ]
PortVar 'DNS_PORTS' defined :  [ 53 ]
PortVar 'FINGER_PORTS' defined :  [ 79 ]
PortVar 'FTP_PORTS' defined :  [ 21 ]
PortVar 'IMAP_PORTS' defined :  [ 143 ]
PortVar 'IRC_PORTS' defined :  [ 6665:6669 7000 ]
PortVar 'MSSQL_PORTS' defined :  [ 1433 ]
PortVar 'NNTP_PORTS' defined :  [ 119 ]
PortVar 'POP2_PORTS' defined :  [ 109 ]
PortVar 'POP3_PORTS' defined :  [ 110 ]
PortVar 'SUNRPC_PORTS' defined :  [ 111 32770:32779 ]
PortVar 'RLOGIN_PORTS' defined :  [ 513 ]
PortVar 'RSH_PORTS' defined :  [ 514 ]
PortVar 'SMB_PORTS' defined :  [ 139 445 ]
PortVar 'SMTP_PORTS' defined :  [ 25 ]
PortVar 'SNMP_PORTS' defined :  [ 161 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'TELNET_PORTS' defined :  [ 23 ]
PortVar 'MAIL_PORTS' defined :  [ 25 143 465 691 ]
PortVar 'SSL_PORTS' defined :  [ 25 443 465 636 993 995 ]
Detection:
   Search-Method = AC-BNFA-Q
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit (not used): 5
    Fragment Problems: 0
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
    Reassembly Policy: WINDOWS
    Timeout: 30 seconds
    Min ttl:  1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      465 client (Footprint)
      513 client (Footprint)
      691 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2100 client (Footprint)
Stream5 UDP Policy config:
    Timeout: 30 seconds
    Options:
        Ignore Any -> Any Rules: YES
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /root/snort-2.8.4.1/etc/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 2301 3128 8000 8080 8180 8888
      Server Flow Depth: 1460
      Client Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Normalize HTTP Cookies: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      Base36: OFF
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Tagged Packet Limit: 256
/root/snort-2.8.4.1/etc/snort.conf(545) unknown dynamic preprocessor "ftp_telnet"
/root/snort-2.8.4.1/etc/snort.conf(551) unknown dynamic preprocessor "ftp_telnet_protocol"
/root/snort-2.8.4.1/etc/snort.conf(582) unknown dynamic preprocessor "ftp_telnet_protocol"
/root/snort-2.8.4.1/etc/snort.conf(588) unknown dynamic preprocessor "ftp_telnet_protocol"
/root/snort-2.8.4.1/etc/snort.conf(621) unknown dynamic preprocessor "SMTP"
/root/snort-2.8.4.1/etc/snort.conf(778) unknown dynamic preprocessor "dcerpc"
/root/snort-2.8.4.1/etc/snort.conf(794) unknown dynamic preprocessor "dns"
ERROR: Misconfigured dynamic preprocessor(s)
Fatal Error, Quitting..
[root@cpk src]#

#--------------------------------------------------
#   http://www.snort.org     Snort current Ruleset
#     Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id: snort.conf,v 1.183.4.4 2007/10/22 21:33:23 mwatchinski Exp $
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your own custom configuration:
#
#  1) Set the variables for your network
#  2) Configure dynamic loaded libraries
#  3) Configure preprocessors
#  4) Configure output plugins
#  5) Add any runtime config directives
#  6) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
 
# Set up network addresses you are protecting.  A simple start might be RFC1918
var HOME_NET any
 
# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any
 
# Configure your server lists.  This allows snort to only look for attacks to
# systems that have a service up.  Why look for HTTP attacks if you are not
# running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.  
 
# List of DNS servers on your network 
var DNS_SERVERS $HOME_NET
 
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
 
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
 
# List of sql servers on your network 
var SQL_SERVERS $HOME_NET
 
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
 
# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET
 
# List of ftp servers on your network
var FTP_SERVERS $HOME_NET
 
# List of ssh servers on your network
var SSH_SERVERS $HOME_NET
 
# List of pop2/3 servers on your network
var POP_SERVERS $HOME_NET
 
# List of imap servers on your network
var IMAP_SERVERS $HOME_NET
 
# List of SunRPC servers on your network
var RPC_SERVERS $HOME_NET
 
# List of web servers on your network
var WWW_SERVERS $HOME_NET
 
# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
 
 
# Configure your service ports.  This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on.  For
# example, if you run a web server on port 8081, set your HTTP_PORTS variable
# like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
# We will adding support for a real list of ports in the future.
 
# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports, use the following convention
# when customizing your rule set (as part of Step #6 below).  This should
# not be done here, as the rules files may depend on the classifications
# and/or references, which are included below.
# 
## var HTTP_PORTS 80 
## include somefile.rules 
## var HTTP_PORTS 8080
## include somefile.rules 
 
# HTTP Ports on your network
portvar HTTP_PORTS [80,2301,3128,8000,8080,8180,8888]
 
# Ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80
 
# Ports you do oracle attacks on
portvar ORACLE_PORTS 1521
 
# Auth / ident 
portvar AUTH_PORTS 113
 
# DNS
portvar DNS_PORTS 53
 
# Finger
portvar FINGER_PORTS 79
 
# Ftp
portvar FTP_PORTS 21
 
# Imap
portvar IMAP_PORTS 143
 
# IRC
portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
 
# MS-SQL
portvar MSSQL_PORTS 1433
 
# NNTP
portvar NNTP_PORTS 119
 
# POP2
portvar POP2_PORTS 109
 
# POP3 
portvar POP3_PORTS 110
 
# PortMapper
portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
 
# rlogin
portvar RLOGIN_PORTS 513
 
# rsh
portvar RSH_PORTS 514
 
# smb
portvar SMB_PORTS [139,445]
 
# smtp
portvar SMTP_PORTS 25
 
# snmp
portvar SNMP_PORTS 161
 
# ssh
portvar SSH_PORTS 22
 
# telnet
portvar TELNET_PORTS 23
 
# mail this for compatability with versions of snort that support port lists
portvar MAIL_PORTS [25,143,465,691]
 
# SSL Ports
portvar SSL_PORTS [25,443,465,636,993,995]
 
# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH ../rules
 
# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network.  If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Alert if value in length field (IP, TCP, UDP) is greater than the
# actual length of the captured portion of the packet that the length
# is supposed to represent:
#
# config enable_decode_oversized_alerts
#
# Same as above, but drop packet if in Inline mode -
# enable_decode_oversized_alerts must be enabled for this to work:
#
# config enable_decode_oversized_drops
#
config checksum_mode: all
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops
 
# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem
 
config detection: search-method ac-bnfa
config detection: max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length
 
# Configure Inline Resets
# ========================
# 
# If running an iptables firewall with snort in InlineMode() we can now
# perform resets via a physical device. We grab the indev from iptables
# and use this for the interface on which to send resets. This config
# option takes an argument for the src mac address you want to use in the
# reset packet.  This way the bridge can remain stealthy. If the src mac
# option is not set we use the mac address of the indev device. If we
# don't set this option we will default to sending resets via raw socket,
# which needs an ipaddress to be assigned to the int.
#
# config layer2resets: 00:06:76:DD:5F:E3
 
###################################################
# Step #2: Configure dynamic loaded libraries
#
# If snort was configured to use dynamically loaded libraries,
# those libraries can be loaded here.
#
# Each of the following configuration options can be done via
# the command line as well.
#
# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
#
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
 
# Comment out above and uncomment this if running OSX
#
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.dylib
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.dylib
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.dylib
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.dylib
#dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.dylib
 
#
# Load a specific dynamic preprocessor library from the install path
# (same as command line option --dynamic-preprocessor-lib)
#
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
#dynamicengine /usr/lib/snort/dynamicengine
#
# Load all dynamic rules libraries from the install path
# (same as command line option --dynamic-detection-lib-dir)
#
# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
#
# Load a specific dynamic rule library from the install path
# (same as command line option --dynamic-detection-lib)
#
# Rule packages from the VRT contain a so_rules directory that contains these rules
# you need to compile them using the makefile in the rules package and place
# them here and add them.
#
 
# Uncomment if you are using the default VRT SO rules and have them in this directory.
# dynamicdetection file /usr/local/lib/snort_dynamicrule/bad-traffic.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/dos.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/exploit.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/misc.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/netbios.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/p2p.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/web-client.so
#
 
###################################################
# Step #3: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>
 
# frag3: Target-based IP defragmentation 
# --------------------------------------
#
# Frag3 is a brand new IP defragmentation preprocessor that is capable of
# performing "target-based" processing of IP fragments.  Check out the
# README.frag3 file in the doc directory for more background and configuration
# information.
# 
# Frag3 configuration is a two step process, a global initialization phase 
# followed by the definition of a set of defragmentation engines.  
# 
# Global configuration defines the number of fragmented packets that Snort can
# track at the same time and gives you options regarding the memory cap for the
# subsystem or, optionally, allows you to preallocate all the memory for the 
# entire frag3 system.
#
# frag3_global options:
#   max_frags: Maximum number of frag trackers that may be active at once.  
#              Default value is 8192.
#   memcap: Maximum amount of memory that frag3 may access at any given time.
#           Default value is 4MB.
#   prealloc_frags: Maximum number of individual fragments that may be processed
#                   at once.  This is instead of the memcap system, uses static 
#                   allocation to increase performance.  No default value.  Each
#                   preallocated fragment eats ~1550 bytes.
#
# Target-based behavior is attached to an engine as a "policy" for handling 
# overlaps and retransmissions as enumerated in the Paxson paper.  There are
# currently five policy types available: "BSD", "BSD-right", "First", "Linux" 
# and "Last".  Engines can be bound to standard Snort CIDR blocks or
# IP lists.
#
# frag3_engine options:
#   timeout: Amount of time a fragmented packet may be active before expiring.
#            Default value is 60 seconds.
#   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. 
#              Based on the initial received fragment TTL.
#   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
#            value will be discarded.  Default value is 0.
#   detect_anomalies: Activates frag3's anomaly detection mechanisms.
#   policy: Target-based policy to assign to this engine.  Default is Windows.
#   bind_to: IP address set to bind this engine to.  Default is all hosts.
#
# Frag3 configuration example:
#preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
#preprocessor frag3_engine: policy linux \
#                           bind_to [10.1.1.12/32,10.1.1.13/32] \
#                           detect_anomalies
#preprocessor frag3_engine: policy first \
#                           bind_to 10.2.1.0/24 \
#                           detect_anomalies
#preprocessor frag3_engine: policy last \
#                           bind_to 10.3.1.0/24
#preprocessor frag3_engine: policy bsd
 
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180
 
# stream5: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
# Stream5 is a target-based stream engine for Snort.  Its functionality
# replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
# cannot be used simultaneously.  Comment out the stream4 configurations
# above to use Stream5.
# 
# See README.stream5 for details on the configuration options.
#
# Example config (that emulates Stream4 with UDP support compiled in)
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                             track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
						  ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 8000 8080 8180 8888
preprocessor stream5_udp: ignore_any_rules
 
 
# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual.  You should read it.
# It is included in the release distribution as doc/snort_manual.pdf
# 
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
 
# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 
preprocessor http_inspect_server: \
    server default \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    chunk_length 500000 \
    flow_depth 1460 \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    oversize_dir_length 500 \
    ports { 80 2301 3128 8000 8080 8180 8888 } \
    u_encode yes \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    webroot no
 
#
#  Example unique server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
#    ports { 80 3128 8080 } \
#    flow_depth 0 \
#    ascii no \
#    double_decode yes \
#    non_rfc_char { 0x00 } \
#    chunk_length 500000 \
#    non_strict \
#    oversize_dir_length 300 \
#    no_alerts
 
 
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size
 
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
 
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.
#
# arguments:  
#   syntax:
#     preprocessor bo: noalert { client | server | general | snort_attack } \
#                      drop    { client | server | general | snort_attack }
#   example:
#     preprocessor bo: noalert { general server } drop { snort_attack }
 
# 
# The Back Orifice detector uses Generator ID 105 and uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected
#   2       Back Orifice Client Traffic Detected
#   3       Back Orifice Server Traffic Detected
#   4       Back Orifice Snort Buffer Attack
 
preprocessor bo
 
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic.  It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
#
# DEPRECATED in favor of ftp_telnet dynamic preprocessor
#preprocessor telnet_decode
#
# ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes telnet negotiation strings from telnet and
# ftp traffic.  It looks for traffic that breaks the normal data stream
# of the protocol, replacing it with a normalized representation of that
# traffic so that the "content" pattern matching keyword can work without
# requiring modifications.
#
# It also performs protocol correctness checks for the FTP command channel,
# and identifies open FTP data transfers.
#
# FTPTelnet has numerous options available, please read
# README.ftptelnet for help configuring the options for the global
# telnet, ftp server, and ftp client sections for the protocol.
 
#####
# Per Step #2, set the following to load the ftptelnet preprocessor
# dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
preprocessor ftp_telnet: \
    global \
    encrypted_traffic yes \
    check_encrypted \
    inspection_type stateful
 
preprocessor ftp_telnet_protocol: \
    telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
 
preprocessor ftp_telnet_protocol: \
    ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT OPTS CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
	alt_max_param_len 256 { RNTO CWD } \ 
    alt_max_param_len 400 { PORT } \
	alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT OPTS CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >
 
preprocessor ftp_telnet_protocol: \
    ftp client default \
    max_resp_len 200 \
    bounce yes \
    telnet_cmds no
 
# smtp: SMTP normalizer, protocol enforcement and buffer overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes SMTP commands by removing extraneous spaces.
# It looks for overly long command lines, response lines, and data header lines.
# It can alert on invalid commands, or specific valid commands.  It can optionally
# ignore mail data, and can ignore TLS encrypted data.
#
# SMTP has numerous options available, please read README.SMTP for help
# configuring options.
 
#####
# Per Step #2, set the following to load the smtp preprocessor
# dynamicpreprocessor <full path to libsf_smtp_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
 
preprocessor SMTP: \
    ports { 25 465 691 } \
    inspection_type stateful \
    normalize cmds \
    valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
	normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
	max_header_line_len 1000 \ 
    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
    alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
    alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    xlink2state { enable }
 
# sfPortscan
# ----------
# Portscan detection module.  Detects various types of portscans and
# portsweeps.  For more information on detection philosophy, alert types,
# and detailed portscan information, please refer to the README.sfportscan.
#
# -configuration options-
#     proto { tcp udp icmp ip all }
#       The arguments to the proto option are the types of protocol scans that
#       the user wants to detect.  Arguments should be separated by spaces and
#       not commas.
#     scan_type { portscan portsweep decoy_portscan distributed_portscan all }
#       The arguments to the scan_type option are the scan types that the
#       user wants to detect.  Arguments should be separated by spaces and not
#       commas.
#     sense_level { low|medium|high }
#       There is only one argument to this option and it is the level of
#       sensitivity in which to detect portscans.  The 'low' sensitivity
#       detects scans by the common method of looking for response errors, such
#       as TCP RSTs or ICMP unreachables.  This level requires the least
#       tuning.  The 'medium' sensitivity level detects portscans and 
#       filtered portscans (portscans that receive no response).  This
#       sensitivity level usually requires tuning out scan events from NATed
#       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
#       lower thresholds for portscan detection and a longer time window than
#       the 'medium' sensitivity level.  Requires more tuning and may be noisy
#       on very active networks.  However, this sensitivity levels catches the
#       most scans.
#     memcap { positive integer }
#       The maximum number of bytes to allocate for portscan detection.  The
#       higher this number the more nodes that can be tracked.
#     logfile { filename }
#       This option specifies the file to log portscan and detailed portscan
#       values to.  If there is not a leading /, then snort logs to the
#       configured log directory.  Refer to README.sfportscan for details on
#       the logged values in the logfile.
#     watch_ip { Snort IP List }
#     ignore_scanners { Snort IP List }
#     ignore_scanned { Snort IP List }
#       These options take a snort IP list as the argument.  The 'watch_ip'
#       option specifies the IP(s) to watch for portscan.  The 
#       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
#       Note that these hosts are still watched as scanned hosts.  The
#       'ignore_scanners' option is used to tune alerts from very active
#       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option 
#       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
#       are still watched as scanner hosts.  The 'ignore_scanned' option is
#       used to tune alerts from very active hosts such as syslog servers, etc.
#     detect_ack_scans
#       This option will include sessions picked up in midstream by the stream
#       module, which is necessary to detect ACK scans.  However, this can lead to
#       false alerts, especially under heavy load with dropped packets; which is why
#       the option is off by default.
#
# Disabled by default
#
# preprocessor sfportscan: proto  { all } \
#                         memcap { 10000000 } \
#                         sense_level { low }
 
# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring.  To make use of
# this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection. 
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
 
#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack
 
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
 
# ssh
#----------------------------------------
# EXPERIMENTAL CODE!!!
#
# THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
# USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
# YOU HAVE BEEN WARNED.
#
# The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
# Secure CRT, and the Protocol Mismatch exploit.
#
# Both Gobbles and CRC 32 attacks occur after the key exchange, and are
# therefore encrypted.  Both attacks involve sending a large payload
# (20kb+) to the server immediately after the authentication challenge.
# To detect the attacks, the SSH preprocessor counts the number of bytes
# transmitted to the server.  If those bytes exceed a pre-defined limit
# within a pre-define number of packets, an alert is generated.  Since
# Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH
# version string exchange is used to distinguish the attacks.
#
# The Secure CRT and protocol mismatch exploits are observable before
# the key exchange.
#
# SSH has numerous options available, please read README.ssh for help
# configuring options.
 
#####
# Per Step #2, set the following to load the ssh preprocessor
# dynamicpreprocessor <full path to libsf_ssh_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
#
#preprocessor ssh: server_ports { 22 } \
#                  max_client_bytes 19600 \
#                  max_encrypted_packets 20
 
# DCE/RPC
#----------------------------------------
#
# The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
# It is primarily interested in DCE/RPC data, and only decodes SMB
# to get at the DCE/RPC data carried by the SMB layer.
# 
# Currently, the preprocessor only handles reassembly of fragmentation
# at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
# using both types of fragmentation; with the preprocessor enabled
# the rules are given a buffer with a reassembled SMB or DCE/RPC
# packet to examine.
# 
# At the SMB layer, only fragmentation using WriteAndX is currently
# reassembled.  Other methods will be handled in future versions of
# the preprocessor.
# 
# Autodetection of SMB is done by looking for "\xFFSMB" at the start of
# the SMB data, as well as checking the NetBIOS header (which is always
# present for SMB) for the type "SMB Session".
# 
# Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are
# checked in the packet.  Assuming that the data is a DCE/RPC header,
# one byte is checked for DCE/RPC version (5) and another for the type
# "DCE/RPC Request".  If both match, the preprocessor proceeds with that
# assumption that it is looking at DCE/RPC data.  If subsequent checks
# are nonsensical, it ends processing.
#
# DCERPC has numerous options available, please read README.dcerpc for help
# configuring options.
 
#####
# Per Step #2, set the following to load the dcerpc preprocessor
# dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
 
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
 
# DNS
#----------------------------------------
# The dns preprocessor (currently) decodes DNS Response traffic
# and detects a few vulnerabilities.
#
# DNS has a few options available, please read README.dns for
# help configuring options.
 
#####
# Per Step #2, set the following to load the dns preprocessor
# dynamicpreprocessor <full path to libsf_dns_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
 
preprocessor dns: ports { 53 } enable_rdata_overflow
 
####################################################################
# Step #4: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.  General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also optionally
# specify a particular hostname/port.  Under Win32, the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
 
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log
 
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
 
# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and generating
# alerts from Snort, the "unified" format.  The unified format is a straight
# binary format for logging data out of Snort that is designed to be fast and
# efficient.  Used with barnyard (the new alert/log processor), most of the
# overhead for logging and alerting to various slow storage mechanisms such as
# databases or the network can now be avoided.  
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
 
 
# prelude: log to the Prelude Hybrid IDS system
# ---------------------------------------------
#
# profile = Name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# output alert_prelude
# output alert_prelude: profile=snort-profile-name
 
 
#
# Include classification & priority settings
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\classification.config
#
 
include classification.config
 
#
# Include reference systems
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\reference.config
#
 
include reference.config
 
####################################################################
# Step #5: Configure snort with config statements
#
# See the snort manual for a full set of configuration references
#
# config flowbits_size: 64
#
# New global ignore_ports config option from Andy Mullican
#
# config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53
 
 
####################################################################
# Step #6: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own custom snort
# rules.
 
#=========================================
# Include all relevant rulesets here 
# 
# The following rulesets are disabled by default:
#
#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
#   chat, multimedia, and p2p
#            
# These rules are either site policy specific or require tuning in order to not
# generate false positive alerts in most enviornments.
# 
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================
 
include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
# include $RULE_PATH/scan.rules
# include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
# include $RULE_PATH/tftp.rules
 
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
 
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
# include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
# include $RULE_PATH/snmp.rules
 
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
 
include $RULE_PATH/nntp.rules
# include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
# include $RULE_PATH/experimental.rules
# include $RULE_PATH/content-replace.rules
include $RULE_PATH/voip.rules
 
# If your using the so rules you need to do something like the following
# cd into the so_rules directory where you built the so rules
# cat *.rules >> so-rules.rules
# cp to $RULE_PATH/so-rules.rules
# uncomment this line
# include $RULE_PATH/so-rules.rules
 
# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them. 
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf
                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:
385:
386:
387:
388:
389:
390:
391:
392:
393:
394:
395:
396:
397:
398:
399:
400:
401:
402:
403:
404:
405:
406:
407:
408:
409:
410:
411:
412:
413:
414:
415:
416:
417:
418:
419:
420:
421:
422:
423:
424:
425:
426:
427:
428:
429:
430:
431:
432:
433:
434:
435:
436:
437:
438:
439:
440:
441:
442:
443:
444:
445:
446:
447:
448:
449:
450:
451:
452:
453:
454:
455:
456:
457:
458:
459:
460:
461:
462:
463:
464:
465:
466:
467:
468:
469:
470:
471:
472:
473:
474:
475:
476:
477:
478:
479:
480:
481:
482:
483:
484:
485:
486:
487:
488:
489:
490:
491:
492:
493:
494:
495:
496:
497:
498:
499:
500:
501:
502:
503:
504:
505:
506:
507:
508:
509:
510:
511:
512:
513:
514:
515:
516:
517:
518:
519:
520:
521:
522:
523:
524:
525:
526:
527:
528:
529:
530:
531:
532:
533:
534:
535:
536:
537:
538:
539:
540:
541:
542:
543:
544:
545:
546:
547:
548:
549:
550:
551:
552:
553:
554:
555:
556:
557:
558:
559:
560:
561:
562:
563:
564:
565:
566:
567:
568:
569:
570:
571:
572:
573:
574:
575:
576:
577:
578:
579:
580:
581:
582:
583:
584:
585:
586:
587:
588:
589:
590:
591:
592:
593:
594:
595:
596:
597:
598:
599:
600:
601:
602:
603:
604:
605:
606:
607:
608:
609:
610:
611:
612:
613:
614:
615:
616:
617:
618:
619:
620:
621:
622:
623:
624:
625:
626:
627:
628:
629:
630:
631:
632:
633:
634:
635:
636:
637:
638:
639:
640:
641:
642:
643:
644:
645:
646:
647:
648:
649:
650:
651:
652:
653:
654:
655:
656:
657:
658:
659:
660:
661:
662:
663:
664:
665:
666:
667:
668:
669:
670:
671:
672:
673:
674:
675:
676:
677:
678:
679:
680:
681:
682:
683:
684:
685:
686:
687:
688:
689:
690:
691:
692:
693:
694:
695:
696:
697:
698:
699:
700:
701:
702:
703:
704:
705:
706:
707:
708:
709:
710:
711:
712:
713:
714:
715:
716:
717:
718:
719:
720:
721:
722:
723:
724:
725:
726:
727:
728:
729:
730:
731:
732:
733:
734:
735:
736:
737:
738:
739:
740:
741:
742:
743:
744:
745:
746:
747:
748:
749:
750:
751:
752:
753:
754:
755:
756:
757:
758:
759:
760:
761:
762:
763:
764:
765:
766:
767:
768:
769:
770:
771:
772:
773:
774:
775:
776:
777:
778:
779:
780:
781:
782:
783:
784:
785:
786:
787:
788:
789:
790:
791:
792:
793:
794:
795:
796:
797:
798:
799:
800:
801:
802:
803:
804:
805:
806:
807:
808:
809:
810:
811:
812:
813:
814:
815:
816:
817:
818:
819:
820:
821:
822:
823:
824:
825:
826:
827:
828:
829:
830:
831:
832:
833:
834:
835:
836:
837:
838:
839:
840:
841:
842:
843:
844:
845:
846:
847:
848:
849:
850:
851:
852:
853:
854:
855:
856:
857:
858:
859:
860:
861:
862:
863:
864:
865:
866:
867:
868:
869:
870:
871:
872:
873:
874:
875:
876:
877:
878:
879:
880:
881:
882:
883:
884:
885:
886:
887:
888:
889:
890:
891:
892:
893:
894:
895:
896:
897:
898:
899:
900:
901:
902:
903:
904:
905:
906:
907:
908:
909:
910:
911:
912:
913:
914:
915:
916:
917:
918:
919:
920:
921:
922:
923:
924:
925:
926:
927:
928:
929:
930:
931:
932:
933:
934:
935:
936:
937:
938:
939:
940:
941:
942:
943:
944:
945:
946:
947:
948:
949:
950:
951:
952:
953:
954:
955:
956:
957:
958:
959:
960:
961:
962:
963:
964:
965:
966:
967:
968:
969:
970:
971:
972:
973:
974:
975:
976:
977:
978:
979:
980:
981:
982:
983:
984:
985:
986:
987:
988:
989:
990:
991:
992:
993:
994:

Select allOpen in new window

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...