snort on windows 2003 server can not view the sensor

[Randy Ariyus <ariyus_ham () yahoo com>]

i was install snort step-by-step on windows 2003
server, using the sunil articel. but i have the
problem with the sensor. sensor can not view with base
interface...this my config snort file...and help me
what the wrong this.... 

#--------------------------------------------------
#   http://www.snort.org     Snort 2.4.0 config file
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id: snort.conf,v 1.144.2.9.2.15 2005/09/16 21:06:34
roesch Exp $
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your own
custom configuration:
#
#  1) Set the variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Add any runtime config directives
#  5) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
your local network. The
# variable is currently setup for an RFC 1918 address
space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS
which will be always
# initialized to IP address and netmask of the network
interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
#
$(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET 10.10.1.0.24,192.168.1.0/24

# Set up the external network addresses as well.  A
good start may be "any"
var EXTERNAL_NET any

# Configure your server lists.  This allows snort to
only look for attacks to
# systems that have a service up.  Why look for HTTP
attacks if you are not
# running a web server?  This allows quick filtering
based on IP addresses
# These configurations MUST follow the same
configuration scheme as defined
# above for $HOME_NET.  

# List of DNS servers on your network 
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

# Configure your service ports.  This allows snort to
look for attacks destined
# to a specific application only on the ports that
application runs on.  For
# example, if you run a web server on port 8081, set
your HTTP_PORTS variable
# like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080],
or a single port [eg 80].
# We will adding support for a real list of ports in
the future.

# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports,
# 
## var HTTP_PORTS 80 
## include somefile.rules 
## var HTTP_PORTS 8080
## include somefile.rules 
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
# 
# AIM servers.  AOL has a habit of adding new AIM
servers, so instead of
# modifying the signatures when they do, we add them
to this list of servers.
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative
path)
# Note for Windows users:  You are advised to make
this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH d:\snort\rules

# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as
header
# truncation or options of unusual length or
infrequently used tcp options
#
#
# Stop generic decode events:
#
config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a
TCP option is detected
# that shows T/TCP being actively used on the network.
 If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts

# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a
machine with very limited
# resources:
#
# config detection: search-method lowmem

# Configure Inline Resets
# ========================
# 
# If running an iptables firewall with snort in
InlineMode() we can now
# perform resets via a physical device. We grab the
indev from iptables
# and use this for the interface on which to send
resets. This config
# option takes an argument for the src mac address you
want to use in the
# reset packet.  This way the bridge can remain
stealthy. If the src mac
# option is not set we use the mac address of the
indev device. If we
# don't set this option we will default to sending
resets via raw socket,
# which needs an ipaddress to be assigned to the int.
#
# config layer2resets: 00:06:76:DD:5F:E3

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>:
<configuration_options>

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying
the state keeping
# mechanisms of snort into a single place. Right now,
only a portscan detector
# is implemented but in the long term,  many of the
stateful subsystems of
# snort will be migrated over to becoming flow
plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2

# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation.  This
plugin will also detect
# people launching fragmentation attacks (usually DoS)
against hosts.  No
# arguments loads the default configuration of the
preprocessor, which is a 60
# second timeout and a 4MB fragment buffer. 

# The following (comma delimited) options are
available for frag2
#    timeout [seconds] - sets the number of [seconds]
that an unfinished 
#                        fragment will be kept around
waiting for completion,
#                        if this time expires the
fragment will be flushed
#    memcap [bytes] - limit frag2 memory usage to
[number] bytes
#                      (default:  4194304)
#
#    min_ttl [number] - minimum ttl to accept
# 
#    ttl_limit [number] - difference of ttl to accept
without alerting
#                         will cause false positves
with router flap
# 
# Frag2 uses Generator ID 113 and uses the following
SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Oversized fragment (reassembled frag > 64k
bytes)
#   2       Teardrop-type attack

#preprocessor frag2

# frag3: Target-based IP defragmentation 
# --------------------------------------
#
# Frag3 is a brand new IP defragmentation preprocessor
that is capable of
# performing "target-based" processing of IP
fragments.  Check out the
# README.frag3 file in the doc directory for more
background and configuration
# information.
# 
# Frag3 configuration is a two step process, a global
initialization phase 
# followed by the definition of a set of
defragmentation engines.  
# 
# Global configuration defines the number of
fragmented packets that Snort can
# track at the same time and gives you options
regarding the memory cap for the
# subsystem or, optionally, allows you to preallocate
all the memory for the 
# entire frag3 system.
#
# frag3_global options:
#   max_frags: Maximum number of frag trackers that
may be active at once.  
#              Default value is 8192.
#   memcap: Maximum amount of memory that frag3 may
access at any given time.
#           Default value is 4MB.
#   prealloc_frags: Maximum number of individual
fragments that may be processed
#                   at once.  This is instead of the
memcap system, uses static 
#                   allocation to increase
performance.  No default value.  Each
#                   preallocated fragment eats ~1550
bytes.
#
# Target-based behavior is attached to an engine as a
"policy" for handling 
# overlaps and retransmissions as enumerated in the
Paxson paper.  There are
# currently five policy types available: "BSD",
"BSD-right", "First", "Linux" 
# and "Last".  Engines can be bound to bound to
standard Snort CIDR blocks or
# IP lists.
#
# frag3_engine options:
#   timeout: Amount of time a fragmented packet may be
active before expiring.
#            Default value is 60 seconds.
#   ttl_limit: Limit of delta allowable for TTLs of
packets in the fragments. 
#              Based on the initial received fragment
TTL.
#   min_ttl: Minimum acceptable TTL for a fragment,
frags with TTLs below this
#            value will be discarded.  Default value
is 0.
#   detect_anomalies: Activates frag3's anomaly
detection mechanisms.
#   policy: Target-based policy to assign to this
engine.  Default is BSD.
#   bind_to: IP address set to bind this engine to. 
Default is all hosts.
#
# Frag3 configuration example:
#preprocessor frag3_global: max_frags 65536
prealloc_frags 262144
#preprocessor frag3_engine: policy linux \
#                           bind_to
[10.1.1.12/32,10.1.1.13/32] \
#                           detect_anomalies
#preprocessor frag3_engine: policy first \
#                           bind_to 10.2.1.0/24 \
#                           detect_anomalies
#preprocessor frag3_engine: policy last \
#                           bind_to 10.3.1.0/24
#preprocessor frag3_engine: policy bsd

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first
detect_anomalies


# stream4: stateful inspection/stream reassembly for
Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line
switch to defeat stick/snot
# against TCP rules.  Also performs full TCP stream
reassembly, stateful
# inspection of TCP streams, etc.  Can statefully
detect various portscan
# types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap
8388608)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth
portscans and generate alerts
#                  when it sees them when this option
is set
#   detect_state_problems - detect TCP state problems,
this tends to be very
#                           noisy because there are a
lot of crappy ip stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly
noisy mitigation of
#                            overlapping sequences.
#
#
#   min_ttl [number]       - set a minium ttl that
snort will accept to
#                            stream reassembly
#
#   ttl_limit [number]     - differential of the
initial ttl on a session versus
#                             the normal that someone
may be playing games.
#                             Routing flap may cause
lots of false positives.
# 
#   keepstats [machine|binary] - keep session
statistics, add "machine" to 
#                         get them in a flat format
for machine reading, add
#                         "binary" to get them in a
unified binary output 
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter
to [number] seconds,
#                      default is 30 seconds
#   max_sessions [number] - limit the number of
sessions stream4 keeps
#                         track of
#   memcap [number] - limit stream4 memory usage to
[number] bytes
#   log_flushed_streams - if an event is detected on a
stream this option will
#                         cause all packets that are
stored in the stream4
#                         packet buffers to be flushed
to disk.  This only 
#                         works when logging in pcap
mode!
#   server_inspect_limit [bytes] - Byte limit on
server side inspection.
#
# Stream4 uses Generator ID 111 and uses the following
SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan
stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

preprocessor stream4: disable_evasion_alerts

# tcp stream reassembly directive
# no arguments loads the default configuration 
#   Only reassemble the client,
#   Only reassemble the default list of ports (See
below),  
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
#   clientonly - reassemble traffic for the client
side of a connection only
#   serveronly - reassemble traffic for the server
side of a connection only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream
reassembly stage of stream4
#   ports [list] - use the space separated list of
ports in [list], "all" 
#                  will turn on reassembly for all
ports, "default" will turn
#                  on reassembly for ports 21, 23, 25,
42, 53, 80, 110,
#                  111, 135, 136, 137, 139, 143, 445,
513, 1433, 1521,
#                  and 3306
#   favor_old - favor an old segment (based on
sequence number) over a new one.
#               This is the default.
#   favor_new - favor an new segment (based on
sequence number) over an old one.
#   flush_behavior [mode] -
#           default      - use old static flushpoints
(default)
#           large_window - use new larger static
flushpoints
#           random       - use random flushpoints
defined by flush_base, 
#                          flush_seed and flush_range
#   flush_base [number] - lowest allowed random
flushpoint (512 by default)
#   flush_range [number] - number is the space within
which random flushpoints
#                          are generated (default
1213)
#   flush_seed [number] - seed for the random number
generator, defaults to 
#                         Snort PID + time
#
# Using the default random flushpoints, the smallest
flushpoint is 512,
# and the largest is 1725 bytes.
preprocessor stream4_reassemble

# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort
Manual.  You should read it.
# It is included in the release distribution as
doc/snort_manual.pdf
# 
# preprocessor perfmonitor: time 300 file
/var/snort/snort.stats pktcnt 10000

# http_inspect: normalize and detect HTTP traffic and
protocol anomalies
#
# lots of options available here. See
doc/README.http_inspect.
# unicode.map should be wherever your snort.conf
lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 }
oversize_dir_length 500

#
#  Example unique server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
#    ports { 80 3128 8080 } \
#    flow_depth 0 \
#    ascii no \
#    double_decode yes \
#    non_rfc_char { 0x00 } \
#    chunk_length 500000 \
#    non_strict \
#    oversize_dir_length 300 \
#    no_alerts


# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the
usual 4-byte encoding
# that is used by default. This plugin takes the port
numbers that RPC
# services are running on as arguments - it is assumed
that the given ports
# are actually running this type of service. If not,
change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP
data
# no_alert_multiple_requests - don't alert when >1 rpc
query is in a packet
# no_alert_large_fragments - don't alert when the
fragmented
#                            sizes exceed the current
packet size
# no_alert_incomplete - don't alert when a single
segment
#                       exceeds the current packet
size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  Takes
no arguments in 2.0.
# 
# The Back Orifice detector uses Generator ID 105 and
uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation
strings from telnet and ftp
# traffic.  It works in much the same way as the
http_decode preprocessor,
# searching for traffic that breaks up the normal data
stream of a protocol and
# replacing it with a normalized representation of
that traffic so that the
# "content" pattern matching keyword can work without
requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate
any SID currently.

preprocessor telnet_decode

# sfPortscan
# ----------
# Portscan detection module.  Detects various types of
portscans and
# portsweeps.  For more information on detection
philosophy, alert types,
# and detailed portscan information, please refer to
the README.sfportscan.
#
# -configuration options-
#     proto { tcp udp icmp ip all }
#       The arguments to the proto option are the
types of protocol scans that
#       the user wants to detect.  Arguments should be
separated by spaces and
#       not commas.
#     scan_type { portscan portsweep decoy_portscan
distributed_portscan all }
#       The arguments to the scan_type option are the
scan types that the
#       user wants to detect.  Arguments should be
separated by spaces and not
#       commas.
#     sense_level { low|medium|high }
#       There is only one argument to this option and
it is the level of
#       sensitivity in which to detect portscans.  The
'low' sensitivity
#       detects scans by the common method of looking
for response errors, such
#       as TCP RSTs or ICMP unreachables.  This level
requires the least
#       tuning.  The 'medium' sensitivity level
detects portscans and 
#       filtered portscans (portscans that receive no
response).  This
#       sensitivity level usually requires tuning out
scan events from NATed
#       IPs, DNS cache servers, etc.  The 'high'
sensitivity level has
#       lower thresholds for portscan detection and a
longer time window than
#       the 'medium' sensitivity level.  Requires more
tuning and may be noisy
#       on very active networks.  However, this
sensitivity levels catches the
#       most scans.
#     memcap { positive integer }
#       The maximum number of bytes to allocate for
portscan detection.  The
#       higher this number the more nodes that can be
tracked.
#     logfile { filename }
#       This option specifies the file to log portscan
and detailed portscan
#       values to.  If there is not a leading /, then
snort logs to the
#       configured log directory.  Refer to
README.sfportscan for details on
#       the logged values in the logfile.
#     watch_ip { Snort IP List }
#     ignore_scanners { Snort IP List }
#     ignore_scanned { Snort IP List }
#       These options take a snort IP list as the
argument.  The 'watch_ip'
#       option specifies the IP(s) to watch for
portscan.  The 
#       'ignore_scanners' option specifies the IP(s)
to ignore as scanners.
#       Note that these hosts are still watched as
scanned hosts.  The
#       'ignore_scanners' option is used to tune
alerts from very active
#       hosts such as NAT, nessus hosts, etc.  The
'ignore_scanned' option 
#       specifies the IP(s) to ignore as scanned
hosts.  Note that these hosts
#       are still watched as scanner hosts.  The
'ignore_scanned' option is
#       used to tune alerts from very active hosts
such as syslog servers, etc.
#
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan,
detects ARP attacks,
# unicast ARP requests, and specific ARP mapping
monitoring.  To make use of
# this preprocessor you must specify the IP and
hardware address of hosts on
# the same layer 2 segment as you.  Specify one host
IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast
ARP request detection. 
# Arpspoof uses Generator ID 112 and uses the
following SIDS for that GID:

#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1
f0:0f:00:f0:0f:00

# X-Link2State mini-preprocessor
# ------------------------------
# This preprocessor will catch the X-Link2State
vulnerability
#
(www.microsoft.com/technet/security/bulletin/MS05-021.mspx).
#
# Format:
# preprocessor xlink2state: ports { <port> [<port>
<...>] } [drop]
#
# "drop" will drop the attack if in Inline-mode.

#  SID     Event description
# -----   -------------------
#   1      X-Link2State length greater than 1024

preprocessor xlink2state: ports { 25 691 }

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you
decide to use.  General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments. 
Win32 can also optionally
# specify a particular hostname/port.  Under Win32,
the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
output alert_syslog: host=hostname:port, LOG_AUTH
LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
output alert.fast: alert.ids

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information
about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test
dbname=db host=localhost
# output database: alert, postgresql, user=snort
dbname=snort
# output database: log, odbc, user=snort dbname=snort
output database: alert, mssql, user=snortuser
password=Dony Ariyus dbname=IDSDB host='127.0.0.1'
port=1433 sensor_name=hostname
# output database: log, oracle, dbname=snort
user=snort password=test

# unified: Snort unified binary format alerting and
logging
#
-------------------------------------------------------------
# The unified output plugin provides two new formats
for logging and generating
# alerts from Snort, the "unified" format.  The
unified format is a straight
# binary format for logging data out of Snort that is
designed to be fast and
# efficient.  Used with barnyard (the new alert/log
processor), most of the
# overhead for logging and alerting to various slow
storage mechanisms such as
# databases or the network can now be avoided.  
#
# Check out the spo_unified.h file for the data
formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current
time_t is appended)
#    limit    - maximum size of spool file in MB
(default: 128)
#
# output alert_unified: filename snort.alert, limit
128
# output log_unified: filename snort.log, limit 128


# prelude: log to the Prelude Hybrid IDS system
# ---------------------------------------------
#
# profile = Name of the Prelude profile to use
(default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from
classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# output alert_prelude
output alert_prelude: profile=snort-profile-name


# You can optionally define new rule types and
associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to
just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667
(msg:"Internal IRC Server";)
#
# This example will create a rule type that will log
to syslog and a mysql
# database:
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort
dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)

#
# Include classification & priority settings
# Note for Windows users:  You are advised to make
this an absolute path,
# such as:  c:\snort\etc\classification.config
#

include d:\snort\etc\classification.config

#
# Include reference systems
# Note for Windows users:  You are advised to make
this an absolute path,
# such as:  c:\snort\etc\reference.config
#

include d:\snort\etc\reference.config

####################################################################
# Step #4: Configure snort with config statements
#
# See the snort manual for a full set of configuration
references
#
# config flowbits_size: 64
#
# New global ignore_ports config option from Andy
Mullican
#
# config ignore_ports: <tcp|udp> <list of ports
separated by whitespace>
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53


####################################################################
# Step #5: Customize your rule set
#
# Up to date snort rules are available at
http://www.snort.org
#
# The snort web site has documentation about how to
write your own custom snort
# rules.

#=========================================
# Include all relevant rulesets here 
# 
# The following rulesets are disabled by default:
#
#   web-attacks, backdoor, shellcode, policy, porn,
info, icmp-info, virus,
#   chat, multimedia, and p2p
#            
# These rules are either site policy specific or
require tuning in order to not
# generate false positive alerts in most enviornments.
# 
# Please read the specific include file for more
information and
# README.alert_order for how rule ordering affects how
alerts are triggered.
#=========================================

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
 include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands.
See threshold.conf in the
# <snort src>/etc directory for details. Commands
don't necessarily need to be
# contained in this conf, but a separate conf makes it
easier to maintain them. 
# Note for Windows users:  You are advised to make
this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
include d:\snort\etc\threshold.conf





__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users