Snort mailing list archives

Re: snort rules not being read--NOW READ :)


From: "Donnie Green" <d_greenjr () hotmail com>
Date: Thu, 05 Sep 2002 22:01:00 -0400

Thanks, everyone, for your help... I replaced my rules with the stable ones and everything works like a charm! Thanks!


From: "Tim" <twr () bellsouth net>
To: "Donnie Green" <d_greenjr () hotmail com>
Subject: Re: [Snort-users] snort rules not being read
Date: Thu, 5 Sep 2002 09:44:34 -0700

Donnie,

I had this same problem earlier when I too was pulling my hair out attempting to
configure snort. One of the guys on the list mentioned that I had the
experimental rule set. Verify this: if you loaded a rule set that said
"current", then you have the experimental rule set. As soon as I changed the
rule set I had for the stable rule set, everything worked just fine. The snort
site has the correct rules posted; as long as the rule set does not contain
the word "current" in the filename, you are good to go.

Tim--Mia/Fla


----- Original Message -----
From: "Donnie Green" <d_greenjr () hotmail com>
To: <snort-users () lists sourceforge net>
Sent: Thursday, September 05, 2002 4:26 AM
Subject: RE: [Snort-users] snort rules not being read


> I made the recommended changes and it looks like the rules are being
> read--although I had to make a link "ln -s /etc/conf/snort.conf
> /etc/snort.conf".  Now it seems as though I have a faulty
> rule (bad-traffic.rules).  Just to see, I commented out the rule in
> /etc/conf/snort.conf and I received an error in the next rule. It appears
> as if the rules aren't using the correct syntax?? Following is the output
> of the command "snort".
>
> [root@/etc]=> snort
> Log directory = /var/log/snort
>
> Initializing Network Interface eth0
> using config file /etc/snort.conf
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /etc/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
> No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
>      Reassembly method: FAVOR_OLD
> ERROR /etc/snort/bad-traffic.rules(20) => Bad protocol name ">134"
> Fatal Error, Quitting..
>
>
> >From: Bill Gercken <bgercken () providentanalysis com>
> >Reply-To: bgercken () providentanalysis com
> >To: Donnie Green <d_greenjr () hotmail com>, snort-users () lists sourceforge net
> >Subject: RE: [Snort-users] snort rules not being read
> >Date: Wed, 04 Sep 2002 23:47:19 -0400
> >
> >Donnie,
> >
> >Unless your rules happen to be in the current directory that you are
> >attempting to run snort from, you will need to modify the RULE_PATH in
> >your snort.conf
> >
> >Change:
> >
> >var RULE_PATH ./
> >
> >To:
> >
> >var RULE_PATH /full/path/to/rules
> >
> >as in:
> >
> >var RULE_PATH /usr/local/etc/snort/
> >
> >or something.
> >
> >--
> >
> >Also the classification.config file must be available.
> >
> >include $RULE_PATH/classification.config
> >
> >should work.
> >--
> >
> >In your startup script you will need to change:
> >
> >daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c /etc/snort
> >
> >to:
> >
> >daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c
> >/etc/snort/snort.conf
> >
> >Regards,
> >-bill
> >
> >
> >-----Original Message-----
> >From: snort-users-admin () lists sourceforge net
> >[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Donnie
> >Green
> >Sent: Wednesday, September 04, 2002 11:13 PM
> >To: snort-users () lists sourceforge net
> >Subject: RE: [Snort-users] snort rules not being read
> >
> >
> >The following is a copy of my files /etc/rc.d/init.d/snortd and
> >/etc/snort/snort.conf:
> >
> >/etc/rc.d/init.d/snortd:
> >#!/bin/sh
> >#
> ># snortd         Start/Stop the snort IDS daemon.
> >#
> ># chkconfig: 2345 40 60
> ># description:  snort is a lightweight network intrusion detection tool that
> >#               currently detects more than 1100 host and network
> >#               vulnerabilities, portscans, backdoors, and more.
> >#
> ># June 10, 2000 -- Dave Wreski <dave () linuxsecurity com>
> >#   - initial version
> >#
> ># July 08, 2000 Dave Wreski <dave () guardiandigital com>
> >#   - added snort user/group
> >#   - support for 1.6.2
> >
> ># Source function library.
> >. /etc/rc.d/init.d/functions
> >
> ># Specify your network interface here
> >INTERFACE=eth0
> >
> ># See how we were called.
> >case "$1" in
> >   start)
> >         echo -n "Starting snort: "
> >         ifconfig eth0 up
> >daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D -c /etc/snort
> >         touch /var/lock/subsys/snort
> >         echo
> >         ;;
> >   stop)
> >         echo -n "Stopping snort: "
> >         killproc snort
> >         rm -f /var/lock/subsys/snort
> >         echo
> >         ;;
> >   restart)
> >         $0 stop
> >         $0 start
> >         ;;
> >   status)
> >         status snort
> >         ;;
> >   *)
> >         echo "Usage: $0 {start|stop|restart|status}"
> >         exit 1
> >esac
> >
> >exit 0
>
> >+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >/etc/snort/snort.conf:
> >#--------------------------------------------------
> >#   http://www.snort.org     Snort 1.8.6 Ruleset
> >#     Contact: snort-sigs () lists sourceforge net
> >#--------------------------------------------------
> ># NOTE:This ruleset only works for 1.8.0 and later
> >#--------------------------------------------------
> ># $Id: snort.conf,v 1.77.2.19 2002/06/29 13:32:48 chrisgreen Exp $
> >#
> >###################################################
> ># This file contains a sample snort configuration.
> ># You can take the following steps to create your
> ># own custom configuration:
> >#
> >#  1) Set the network variables for your network
> >#  2) Configure preprocessors
> >#  3) Configure output plugins
> >#  4) Customize your rule set
> >#
> >###################################################
> ># Step #1: Set the network variables:
> >#
> ># You must change the following variables to reflect
> ># your local network. The variable is currently
> ># setup for an RFC 1918 address space.
> >#
> ># You can specify it explicitly as:
> >#
> ># var HOME_NET 10.1.1.0/24
> >#
> ># or use global variable $<interfacename>_ADDRESS
> ># which will be always initialized to IP address and
> ># netmask of the network interface which you run
> ># snort at.
> >#
> ># var HOME_NET $eth0_ADDRESS
> >#
> ># You can specify lists of IP addresses for HOME_NET
> ># by separating the IPs with commas like this:
> >#
> ># var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> >#
> ># MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> >#
> ># or you can specify the variable to be any IP address
> ># like this:
> >
> >var HOME_NET any
> >
> ># Set up the external network addresses as well.
> ># A good start may be "any"
> >
> >var EXTERNAL_NET $HOME_NET
> >
> ># Set up your SMTP servers, or simply configure them
> ># to HOME_NET
> >
> >var SMTP $HOME_NET
> >
> ># Set up your web servers, or simply configure them
> ># to HOME_NET
> >
> >var HTTP_SERVERS $HOME_NET
> >
> ># Set up your sql servers, or simply configure them
> ># to HOME_NET
> >
> >var SQL_SERVERS $HOME_NET
> >
> ># Define the addresses of DNS servers and other hosts
> >
> >var DNS_SERVERS $HOME_NET
> >
> >var RULE_PATH ./
> >
> ># Ports you want to look for SHELLCODE on.  (By default, not port 80)
> >var SHELLCODE_PORTS !80
> >
> ># Ports you run web servers on.  (By default, port 80)
> >var HTTP_PORTS 80
> >
> ># Ports you do oracle type stuff on.  (Can be 80, as well as all of the
> ># standard oracle ports.  (By default, port 1521)
> >var ORACLE_PORTS 1521
> >
> >
> >###################################################
> ># Step #2: Configure preprocessors
> >#
> ># General configuration for preprocessors is of
> ># the form
> ># preprocessor <name_of_processor>: <configuration_options>
> >
> ># frag2: IP defragmentation support
> ># -------------------------------
> ># This preprocessor performs IP defragmentation.  This plugin will also
> ># detect people launching fragmentation attacks (usually DoS) against
> ># hosts. No arguments loads the default configuration of the
> ># preprocessor, which is a 60 second timeout and a 4MB fragment buffer.
> >
> ># The following (comma delimited) options are available for frag2
> >#    timeout [seconds] - sets the number of [seconds] that an unfinished
> >#                        fragment will be kept around waiting for completion,
> >#                        if this time expires the fragment will be flushed
> >#    memcap [bytes] - limit frag2 memory usage to [number] bytes
> >#                      (default:  4194304)
> >
> >preprocessor frag2
> >
> ># stream4: stateful inspection/stream reassembly for Snort
> >#----------------------------------------------------------------------
> ># Use in concert with the -z [all|est] command line switch to defeat
> ># stick/snot against TCP rules.  Also performs full TCP stream
> ># reassembly, stateful inspection of TCP streams, etc.  Can statefully
> ># detect various portscan types, fingerprinting, ECN, etc.
> >
> ># stateful inspection directive
> ># no arguments loads the defaults (timeout 30, memcap 8388608)
> ># options (options are comma delimited):
> >#   detect_scans - stream4 will detect stealth portscans and generate alerts
> >#                  when it sees them when this option is set
> >#   detect_state_problems - detect TCP state problems, this tends to be very
> >#                           noisy because there are a lot of crappy ip stack
> >#                           implementations out there
> >#
> >#   disable_evasion_alerts - disable fragroute alerting.  Useful for
> >#                             machines with odd retransmission patterns
> >#
> >#   keepstats [machine|binary] - keep session statistics, add "machine" to
> >#                         get them in a flat format for machine reading, add
> >#                         "binary" to get them in a unified binary output
> >#                         format
> >#   noinspect - turn off stateful inspection only
> >#   timeout [number] - set the session timeout counter to [number] seconds,
> >#                      default is 30 seconds
> >#   memcap [number] - limit stream4 memory usage to [number] bytes
> >#   log_flushed_streams - if an event is detected on a stream this option will
> >#                         cause all packets that are stored in the stream4
> >#                         packet buffers to be flushed to disk.  This only
> >#                         works when logging in pcap mode!
> >#
> >#
> >
> >preprocessor stream4: detect_scans, disable_evasion_alerts
> >
> ># tcp stream reassembly directive
> ># no arguments loads the default configuration
> >#   Only reassemble the client,
> >#   Only reassemble the default list of ports (See below),
> >#   Give alerts for "bad" streams
> >#
> ># Available options (comma delimited):
> >#   clientonly - reassemble traffic for the client side of a connection only
> >#   serveronly - reassemble traffic for the server side of a connection only
> >#   both - reassemble both sides of a session
> >#   noalerts - turn off alerts from the stream reassembly stage of stream4
> >#   ports [list] - use the space separated list of ports in [list], "all"
> >#                  will turn on reassembly for all ports, "default" will turn
> >#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
> >#                  and 513
> >
> >preprocessor stream4_reassemble
> >
> ># http_decode: normalize HTTP requests
> ># ------------------------------------
> ># http_decode normalizes HTTP requests from remote
> ># machines by converting any %XX character
> ># substitutions to their ASCII equivalent. This is
> ># very useful for doing things like defeating hostile
> ># attackers trying to stealth themselves from IDSs by
> ># mixing these substitutions in with the request.
> ># Specify the port numbers you want it to analyze as arguments.
> ># You may also specify -unicode to turn off detection of
> ># UNICODE directory traversal, etc attacks.  Use -cginull to
> ># turn off detection of CGI NULL code attacks.
> >
> >preprocessor http_decode: 80 -unicode -cginull
> >
> ># rpc_decode: normalize RPC traffic
> ># ---------------------------------
> ># RPC may be sent in alternate encodings besides the usual
> ># 4-byte encoding that is used by default.  This preprocessor
> ># normalizes RPC traffic in much the same way as the http_decode
> ># preprocessor.  This plugin takes the port numbers that RPC
> ># services are running on as arguments.
> >
> >preprocessor rpc_decode: 111 32771
> >
> ># bo: Back Orifice detector
> ># -------------------------
> ># Detects Back Orifice traffic on the network.  This preprocessor
> ># uses the Back Orifice "encryption" algorithm to search for
> ># traffic conforming to the Back Orifice protocol (not BO2K).
> ># This preprocessor can take two arguments.  The first is "-nobrute"
> ># which turns off the plugin's brute forcing routine (brute forces
> ># the key space of the protocol to find BO traffic).  The second
> ># argument that can be passed to the routine is a number to use
> ># as the default key when trying to decrypt the traffic.  The
> ># default value is 31337 (just like BO).  Be aware that turning on
> ># the brute forcing option runs the risk of impacting the overall
> ># performance of Snort, you've been warned...
> >
> >preprocessor bo
> >
> ># telnet_decode: Telnet negotiation string normalizer
> ># ---------------------------------------------------
> ># This preprocessor "normalizes" telnet negotiation strings from
> ># telnet and ftp traffic.  It works in much the same way as the
> ># http_decode preprocessor, searching for traffic that breaks up
> ># the normal data stream of a protocol and replacing it with
> ># a normalized representation of that traffic so that the "content"
> ># pattern matching keyword can work without requiring modifications.
> ># This preprocessor requires no arguments.
> >
> >preprocessor telnet_decode
> >
> ># portscan: detect a variety of portscans
> ># ---------------------------------------
> ># portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
> ># This preprocessor detects UDP packets or TCP SYN packets going to
> ># four different ports in less than three seconds. "Stealth" TCP
> ># packets are always detected, regardless of these settings.
> >
> ># preprocessor portscan: $HOME_NET 4 3 portscan.log
> >
> ># Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
> ># specific networks or hosts to reduce false alerts. It is typical
> ># to see many false alerts from DNS servers so you may want to
> ># add your DNS servers here. You can add multiple hosts/networks
> ># in a whitespace-delimited list.
> >#
> >#preprocessor portscan-ignorehosts: 0.0.0.0
> >
> ># Spade: the Statistical Packet Anomaly Detection Engine
> >#-------------------------------------------------------
> ># READ the README.Spade file before using this plugin!
> >#
> ># preprocessor spade: <anom-report-thresh> <state-file>
> ># <log-file> <prob-mode> <checkpoint-freq>  [-corrscore]
> >#
> ># set this to a directory Spade can read and write to
> ># store its files
> >#
> ># var SPADEDIR .
> >#
> ># preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> >#
> ># put a list of the networks you are interested in Spade observing packets
> ># going to here; separate these by spaces
> >#
> ># preprocessor spade-homenet: 0.0.0.0/0
> >#
> ># this causes Spade to adjust the reporting threshold automatically
> ># the first argument is the target rate of alerts for normal circumstances
> ># (0.01 = 1% or you can give it an hourly rate) after the first hour (or
> ># however long the period is set to in the second argument), the reporting
> ># threshold given above is ignored you can comment this out to have the
> ># threshold be static, or try one of the other adapt methods below
> ># preprocessor spade-adapt3: 0.01 60 168
> >#
> ># other possible Spade config lines:
> ># adapt method #1
> >#preprocessor spade-adapt: 20 2 0.5
> ># adapt method #2
> >#preprocessor spade-adapt2: 0.01 15 4 24 7
> ># offline threshold learning
> >#preprocessor spade-threshlearn: 200 24
> ># periodically report on the anom scores and count of packets seen
> >#preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> ># print out known stats about packet feature
> >#preprocessor spade-stats: entropy uncondprob condprob
> >
> ># arpspoof
> >#----------------------------------------
> ># Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
> ># unicast ARP requests, and specific ARP mapping monitoring. To make use
> ># of this preprocessor you must specify the IP and hardware address of hosts
> ># on the same layer 2 segment as you. Specify one host IP MAC combo per line.
> ># Also takes a "-unicast" option to turn on unicast ARP request detection.
> >
> >#preprocessor arpspoof
> >#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> >
> >
> >####################################################################
> ># Step #3: Configure output plugins
> >#
> ># Uncomment and configure the output plugins you decide to use.
> ># General configuration for output plugins is of the form:
> >#
> ># output <name_of_plugin>: <configuration_options>
> >#
> ># alert_syslog: log alerts to syslog
> ># ----------------------------------
> ># Use one or more syslog facilities as arguments
> >#
> ># output alert_syslog: LOG_AUTH LOG_ALERT
> >
> ># log_tcpdump: log packets in binary tcpdump format
> ># -------------------------------------------------
> ># The only argument is the output file name.
> >#
> ># output log_tcpdump: snort.log
> >
> ># database: log to a variety of databases
> ># ---------------------------------------
> ># See the README.database file for more information about configuring
> ># and using this plugin.
> >#
> ># output database: log, mysql, user=root password=test dbname=db host=localhost
> ># output database: alert, postgresql, user=snort dbname=snort
> ># output database: log, unixodbc, user=snort dbname=snort
> ># output database: log, mssql, dbname=snort user=snort password=test
> >
> ># xml: xml logging
> ># ----------------
> ># See the README.xml file for more information about configuring
> ># and using this plugin.
> >#
> ># output xml: log, file=/var/log/snortxml
> >
> ># unified: Snort unified binary format alerting and logging
> ># -------------------------------------------------------------
> ># The unified output plugin provides two new formats for logging
> ># and generating alerts from Snort, the "unified" format.  The
> ># unified format is a straight binary format for logging data
> ># out of Snort that is designed to be fast and efficient.  Used
> ># with barnyard (the new alert/log processor), most of the overhead
> ># for logging and alerting to various slow storage mechanisms
> ># such as databases or the network can now be avoided.
> >#
> ># Check out the spo_unified.h file for the data formats.
> >#
> ># Two arguments are supported.
> >#    filename - base filename to write to (current time_t is appended)
> >#    limit    - maximum size of spool file in MB (default: 128)
> >#
> ># output alert_unified: filename snort.alert, limit 128
> ># output log_unified: filename snort.log, limit 128
> >
> >
> ># trap_snmp: SNMP alerting for Snort
> ># -------------------------------------------------------------
> ># Read the README-SNMP file for more information on enabling and using this
> ># plug-in.
> >#
> >#
> ># The SnmpTrapGenerator outputplugin requires several parameters
> ># The parameters depend on the Snmpversion that is used (specified)
> ># For the SNMPv2c case the paremeters will be as follows
> >#  alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
> >#         <hostName> <community>
> >#
> ># For SNMPv2c traps
> >#
> >#output trap_snmp: alert, 7, trap -v 2c -p 162  myTrapListener myCommunity
> >#
> ># For SNMPv2c informs
> >#
> >#output trap_snmp: alert, 7, inform -v 2c -p 162  myTrapListener myCommunity
> >#
> ># For SNMPv3 traps with
> ># security name = snortUser
> ># security level = authentication and privacy
> ># authentication parameters :
> >#           authentication protocol = SHA ,
> >#           authentication pass phrase = SnortAuthPassword
> ># privacy (encryption) parameters
> >#           privacy protocol = DES,
> >#           privacy pass phrase = SnortPrivPassword
> >#
> >#output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
> >#For SNMPv3 informs with authentication and encryption
> >#output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
> >
> ># You can optionally define new rule types and associate one or
> ># more output plugins specifically to that type.
> >#
> ># This example will create a type that will log to just tcpdump.
> ># ruletype suspicious
> ># {
> >#   type log
> >#   output log_tcpdump: suspicious.log
> ># }
> >#
> ># EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> ># suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
> >#
> ># This example will create a rule type that will log to syslog
> ># and a mysql database.
> ># ruletype redalert
> ># {
> >#   type alert
> >#   output alert_syslog: LOG_AUTH LOG_ALERT
> >#   output database: log, mysql, user=snort dbname=snort host=localhost
> ># }
> >#
> ># EXAMPLE RULE FOR REDALERT RULETYPE
> ># redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being
> >LEET"; \
> >#   flags:A+;)
> >
> >#
> ># Include classification & priority settings
> >#
> >
> >include classification.config
> >
> >
> >####################################################################
> ># Step #4: Customize your rule set
> >#
> ># Up to date snort rules are available at http://www.snort.org
> >#
> ># The snort web site has documentation about how to write your own
> ># custom snort rules.
> >#
> ># The rules included with this distribution generate alerts based on
> ># on suspicious activity. Depending on your network environment, your
> ># security policies, and what you consider to be suspicious, some of
> ># these rules may either generate false positives or may be detecting
> ># activity you consider to be acceptable; therefore, you are
> ># encouraged to comment out rules that are not applicable in your
> ># environment.
> >#
> ># Note that using all of the rules at the same time may lead to
> ># serious packet loss on slower machines. YMMV, use with caution,
> ># standard disclaimers apply. :)
> >#
> ># The following individuals contributed many of rules in this
> ># distribution.
> >#
> ># Credits:
> >#   Ron Gula <rgula () securitywizards com> of Network Security Wizards
> >#   Max Vision <vision () whitehats com>
> >#   Martin Markgraf <martin () mail du gtn com>
> >#   Fyodor Yarochkin <fygrave () tigerteam net>
> >#   Nick Rogness <nick () rapidnet com>
> >#   Jim Forster <jforster () rapidnet com>
> >#   Scott McIntyre <scott () whoi edu>
> >#   Tom Vandepoel <Tom.Vandepoel () ubizen com>
> >#   Brian Caswell <bmc () snort org>
> >#   Zeno <admin () cgisecurity com>
> >#   Ryan Russell <ryan () securityfocus com>
> >#
> >#=========================================
> ># Include all relevant rulesets here
> >#
> ># shellcode, policy, info, backdoor, and virus rulesets are
> ># disabled by default.  These require tuning and maintenance.
> ># Please read the included specific file for more information.
> >#=========================================
> >
> >include $RULE_PATH/bad-traffic.rules
> >include $RULE_PATH/exploit.rules
> >include $RULE_PATH/scan.rules
> >include $RULE_PATH/finger.rules
> >include $RULE_PATH/ftp.rules
> >include $RULE_PATH/telnet.rules
> >include $RULE_PATH/smtp.rules
> >include $RULE_PATH/rpc.rules
> >include $RULE_PATH/rservices.rules
> >include $RULE_PATH/dos.rules
> >include $RULE_PATH/ddos.rules
> >include $RULE_PATH/dns.rules
> >include $RULE_PATH/tftp.rules
> >include $RULE_PATH/web-cgi.rules
> >include $RULE_PATH/web-coldfusion.rules
> >include $RULE_PATH/web-iis.rules
> >include $RULE_PATH/web-frontpage.rules
> >include $RULE_PATH/web-misc.rules
> >include $RULE_PATH/web-attacks.rules
> >include $RULE_PATH/sql.rules
> >include $RULE_PATH/x11.rules
> >include $RULE_PATH/icmp.rules
> >include $RULE_PATH/netbios.rules
> >include $RULE_PATH/misc.rules
> >include $RULE_PATH/attack-responses.rules
> ># include $RULE_PATH/backdoor.rules
> >include $RULE_PATH/shellcode.rules
> ># include $RULE_PATH/policy.rules
> ># include $RULE_PATH/porn.rules
> ># include $RULE_PATH/info.rules
> ># include $RULE_PATH/icmp-info.rules
> ># include $RULE_PATH/virus.rules
> >include $RULE_PATH/local.rules
> >
> >
> >
> >
> >
> > >From: "Michael Steele" <michaels () silicondefense com>
> > >To: "'Donnie Green'" <d_greenjr () hotmail com>
> > >CC: <snort-users () lists sourceforge net>
> > >Subject: RE: [Snort-users] snort rules not being read
> > >Date: Wed, 4 Sep 2002 16:24:32 -0700
> > >
> > >Donnie,
> > >
> > >Try this:
> > >
> > >This should detail any problems with Snort configuration
> > >
> > ># snort -o -a -e -i eth0 -l /var/log/snort -c /etc/snort/snort.conf -T
> > >
> > >Not sure about the startup as we need more info as to what you have
> > >already done.
> > >
> > >-Michael
> > >--
> > >  Michael Steele | System Engineer / Support Technician
> > >  mailto:michaels () silicondefense com
> > >  Silicon Defense: IDS solutions - http://www.silicondefense.com
> > >  Snort: Open Source Network IDS - http://www.snort.org
> > >
> > >
> > >-----Original Message-----
> > >From: snort-users-admin () lists sourceforge net
> > >[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Donnie
> > >Green
> > >Sent: Tuesday, September 03, 2002 7:40 PM
> > >To: snort-users () lists sourceforge net
> > >Subject: [Snort-users] snort rules not being read
> > >
> > >I'm running RH7.3, snort-1.8.7, logging to /var/log/snort.
> > >
> > >I have two problems: (1) When I boot Linux, snort does not start up and
> > >(2) I cannot get snort to read in the rules even if I use the command
> > >"snort -i eth0 -c /etc/snort" after booting. Below is a portion of the
> > >output of the preceding command.  Does anyone have a configuration that
> > >works??
> > >
> > >
> > >hostname#  snort -i eth0 -c /etc/snort
> > >Log directory = /var/log/snort
> > >
> > >Initializing Network Interface eth0
> > >
> > >         --== Initializing Snort ==--
> > >Decoding Ethernet on interface eth0
> > >Initializing Preprocessors!
> > >Initializing Plug-ins!
> > >Initializating Output Plugins!
> > >Parsing Rules file /etc/snort
> > >
> > >+++++++++++++++++++++++++++++++++++++++++++++++++++
> > >Initializing rule chains...
> > >0 Snort rules read...
> > >0 Option Chains linked into 0 Chain Headers
> > >0 Dynamic rules
> > >+++++++++++++++++++++++++++++++++++++++++++++++++++
> > >
> > >Rule application order: ->activation->dynamic->alert->pass->log
> > >
> > >         --== Initialization Complete ==--
> > >
> > >-*> Snort! <*-
> > >Version 1.8.7 (Build 128)
> > >
> >
> >
> >
>
>
>



_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
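The thread above walks through three distinct ways a Snort 1.x sensor ends up with no working rules: `-c` handed a directory instead of snort.conf ("0 Snort rules read"), `RULE_PATH` left at `./` so includes resolve against the daemon's working directory rather than the config directory, and a rule file whose syntax the running Snort does not understand ("Bad protocol name"). The script below is an added example, not code from the thread, the list members or the Snort project: a small POSIX shell pre-flight that catches all three before `snort -c ... -T` is run. The function names and the fixture config and rule files it builds are constructed for illustration; the protocol check only knows the tcp/udp/icmp/ip keywords that Snort 1.x rules use.

```shell
#!/bin/sh
# Added example: pre-flight lint for a Snort 1.x snort.conf. Catches the three
# mistakes diagnosed in the thread before snort -T does:
#   1. -c pointed at a directory instead of snort.conf  -> "0 Snort rules read"
#   2. RULE_PATH left relative ("./") or an include missing -> rules not loaded
#   3. a rule whose protocol field is not tcp/udp/icmp/ip -> "Bad protocol name"
# All fixture files below are constructed for this example.

# Print the RULE_PATH value declared in a snort.conf (last declaration wins).
rule_path_of() {
    awk '$1 == "var" && $2 == "RULE_PATH" { p = $3 } END { print p }' "$1"
}

# Print each include target with $RULE_PATH expanded, one per line.
includes_of() {
    rp=$(rule_path_of "$1")
    awk -v rp="$rp" '$1 == "include" { sub(/\$RULE_PATH/, rp, $2); print $2 }' "$1"
}

# Count rule lines whose protocol field is not one Snort 1.x accepts.
count_bad_protocol_lines() {
    awk '$1 ~ /^(alert|log|pass|activate|dynamic)$/ &&
         $2 !~ /^(tcp|udp|icmp|ip)$/ { n++ }
         END { print n + 0 }' "$1"
}

# Lint a config; returns 0 when clean, 1 when any check fails.
lint_snort_conf() {
    conf=$1
    status=0
    if [ -d "$conf" ]; then
        echo "ERROR: $conf is a directory; -c needs the file, e.g. $conf/snort.conf"
        return 1
    fi
    if [ ! -f "$conf" ]; then
        echo "ERROR: $conf does not exist"
        return 1
    fi
    rp=$(rule_path_of "$conf")
    case $rp in
        /*) ;;
        "") echo "ERROR: no 'var RULE_PATH' in $conf"; status=1 ;;
        *)  echo "WARN: RULE_PATH '$rp' is relative; it resolves against the"
            echo "      daemon's working directory, not the config directory"
            status=1 ;;
    esac
    for f in $(includes_of "$conf"); do
        if [ ! -f "$f" ]; then
            echo "ERROR: include $f not found"
            status=1
            continue
        fi
        bad=$(count_bad_protocol_lines "$f")
        if [ "$bad" -gt 0 ]; then
            echo "ERROR: $f has $bad rule line(s) with an unknown protocol field"
            status=1
        fi
    done
    return $status
}

# Build a constructed fixture: a broken config (relative RULE_PATH, a missing
# include), a fixed config, one clean rule file and one rule file carrying a
# line Snort 1.8 would reject. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    cat > "$d/rules/good.rules" <<'EOF'
alert tcp any any -> any 23 (msg:"constructed telnet rule"; flags:S;)
alert icmp any any -> any any (msg:"constructed icmp rule";)
EOF
    cat > "$d/rules/bad.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed web rule"; content:"GET";)
alert >134 any any -> any any (msg:"constructed: protocol field is not a protocol";)
EOF
    cat > "$d/snort.conf" <<EOF
var HOME_NET any
var RULE_PATH ./
include \$RULE_PATH/good.rules
include \$RULE_PATH/bad.rules
include \$RULE_PATH/missing.rules
EOF
    cat > "$d/snort-fixed.conf" <<EOF
var HOME_NET any
var RULE_PATH $d/rules
include \$RULE_PATH/good.rules
EOF
    echo "$d"
}

# Stand-alone demo: the shipped-style config fails, the corrected one passes.
demo_dir=$(make_fixture)
if lint_snort_conf "$demo_dir/snort.conf"; then echo "unexpected: broken config passed"; fi
if lint_snort_conf "$demo_dir/snort-fixed.conf"; then echo "fixed config: clean"; fi
rm -rf "$demo_dir"
```

Run it against the real sensor with `lint_snort_conf /etc/snort/snort.conf` from the same working directory the init script uses; a relative `RULE_PATH` is reported as a failure on purpose, because `daemon` does not change into the config directory before starting snort.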

