[Snort-devel] Snort not detecting some rules

From: Ian S. Nelson <ian(at)stillsecure.com>
Date: Thu Mar 18 2004 - 12:22:41 EST

I've been kicking this around with snort 2.1. I've got streams of data spooling but snort 2.1 isn't detecting everything, notably the porn rules.

Here is my snort.conf; it's stock snort 2.1.1.

thanks,
Ian  

# Config section
#
 

# Variable section
#

var HTTP_SERVERS [0/0]
var DNS_SERVERS [0/0]
var HOME_NET [0/0]
var SMTP_SERVERS [0/0]
var SQL_SERVERS [0/0]
var EXTERNAL_NET [0/0]
var ORACLE_PORTS 1521
var SHELLCODE_PORTS !80
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var AIM_SERVERS [64.12.24.0/16,205.188.5.0/16]    

#
# Preprocessor section
#

preprocessor frag2
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor flow: stats_interval 0 hash 2
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor flow-portscan: talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 talker-sliding-threshold 30 \
    talker-sliding-window 20 talker-fixed-window 30 \
    scoreboard-rows-talker 30000 server-watchnet [$HOME_NET] \
    server-ignore-limit 200 server-rows 65535 \
    server-learning-time 14400 server-scanner-limit 4 \
    scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 scanner-sliding-threshold 40 \
    scanner-fixed-window 15 scoreboard-rows-scanner 30000 \
    src-ignore-net [$HOME_NET] dst-ignore-net [$EXTERNAL_NET] \
    alert-mode once output-mode msg tcp-penalties on
preprocessor perfmonitor: console flow events time 3600
preprocessor rpc_decode: 111 32771

#
# Output section
#

output xml: alert, protocol=tcp host=127.0.0.1 port=1973  


#
# Include section
#

include /home/ian/myrules/rules/classification.config
include /home/ian/myrules/rules/telnet.rules
include /home/ian/myrules/rules/bad-traffic.rules
include /home/ian/myrules/rules/exploit.rules
include /home/ian/myrules/rules/scan.rules
include /home/ian/myrules/rules/finger.rules
include /home/ian/myrules/rules/ftp.rules
include /home/ian/myrules/rules/smtp.rules
include /home/ian/myrules/rules/rpc.rules
include /home/ian/myrules/rules/rservices.rules
include /home/ian/myrules/rules/dos.rules
include /home/ian/myrules/rules/ddos.rules
include /home/ian/myrules/rules/dns.rules
include /home/ian/myrules/rules/tftp.rules
include /home/ian/myrules/rules/web-cgi.rules
include /home/ian/myrules/rules/web-coldfusion.rules
include /home/ian/myrules/rules/web-iis.rules
include /home/ian/myrules/rules/web-frontpage.rules
include /home/ian/myrules/rules/web-misc.rules
include /home/ian/myrules/rules/web-attacks.rules
include /home/ian/myrules/rules/sql.rules
include /home/ian/myrules/rules/x11.rules
include /home/ian/myrules/rules/icmp.rules
include /home/ian/myrules/rules/netbios.rules
include /home/ian/myrules/rules/misc.rules
include /home/ian/myrules/rules/attack-responses.rules
include /home/ian/myrules/rules/backdoor.rules
include /home/ian/myrules/rules/policy.rules
include /home/ian/myrules/rules/porn.rules
include /home/ian/myrules/rules/info.rules
include /home/ian/myrules/rules/icmp-info.rules
include /home/ian/myrules/rules/virus.rules
include /home/ian/myrules/rules/local.rules
include /home/ian/myrules/rules/mysql.rules
include /home/ian/myrules/rules/multimedia.rules
include /home/ian/myrules/rules/imap.rules
include /home/ian/myrules/rules/chat.rules
include /home/ian/myrules/rules/nntp.rules
include /home/ian/myrules/rules/oracle.rules
include /home/ian/myrules/rules/other-ids.rules
include /home/ian/myrules/rules/p2p.rules
include /home/ian/myrules/rules/pop3.rules
include /home/ian/myrules/rules/snmp.rules
include /home/ian/myrules/rules/web-client.rules
include /home/ian/myrules/rules/web-php.rules
-- 
Ian S. Nelson
Senior Software Engineer
StillSecure

303-381-3813 Direct
303-381-3881 Fax

www.stillsecure.com <http://www.stillsecure.com>
Reducing your risk has never been this easy.

The information transmitted is intended only for the person
to which it is addressed and may contain confidential material.
Review or other use of this information by persons other than
the intended recipient is prohibited. If you've received
this in error, please contact the sender and delete
from any computer.
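A diagnostic script added here as an example for readers of this thread; it is not part of the original post and not a Snort tool. It parses a snort.conf in the shape posted above (variables, preprocessor lines with backslash continuation, include lines), confirms that every included file is readable, counts the active rules in each rules file, and flags rules files whose rules carry the flow: option when no stream preprocessor (stream4 in Snort 2.1, stream5 in later 2.x releases) is configured, since in Snort 2.x the flow option is evaluated together with the stream preprocessor's session tracking. The embedded snort.conf fragment and rules file are constructed samples, and parse_conf, analyse_rules, check and read_from_disk are names chosen for this example.

```python
"""Sanity checks for a Snort 2.x snort.conf when rules seem not to fire.

Added diagnostic example for this thread; it is not a Snort tool, and the
sample config and rules file below are constructed, not the poster's files.
"""
import re

# Constructed snort.conf fragment in the shape of the one posted above.
SAMPLE_CONF = """\
var HOME_NET [0/0]
var EXTERNAL_NET [0/0]
var HTTP_PORTS 80
preprocessor frag2
preprocessor flow: stats_interval 0 hash 2
preprocessor http_inspect: global iis_unicode_map \\
    unicode.map 1252
include rules/porn.rules
include rules/missing.rules
"""

# Constructed stand-in for a rules file: two active rules, one commented out.
SAMPLE_RULES = {
    "rules/porn.rules": (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"constructed rule A"; flow:to_server,established; '
        'content:"example-a"; nocase; sid:9000001; rev:1;)\n'
        '# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"constructed rule B"; content:"example-b"; sid:9000002; rev:1;)\n'
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"constructed rule C"; content:"example-c"; sid:9000003; rev:1;)\n'
    ),
}

RULE_HEADER = re.compile(r"^(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s")
FLOW_OPTION = re.compile(r"\bflow\s*:")  # matches flow:, not flowbits:


def parse_conf(text):
    """Return (variables, preprocessor names, include paths) from snort.conf
    text, honouring backslash line continuation."""
    variables, preprocs, includes = {}, [], []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] == "preprocessor" and len(parts) >= 2:
            preprocs.append(parts[1].rstrip(":"))  # "flow:" -> "flow"
        elif parts[0] == "include" and len(parts) >= 2:
            includes.append(parts[1])
    return variables, preprocs, includes


def analyse_rules(text):
    """Return (active rule count, number of those rules carrying a flow: option)."""
    active = with_flow = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not RULE_HEADER.match(line):
            continue  # blank line, comment, or not a rule header
        active += 1
        if FLOW_OPTION.search(line):
            with_flow += 1
    return active, with_flow


def check(conf_text, read_file):
    """Return a list of findings; read_file(path) gives file text or None."""
    variables, preprocs, includes = parse_conf(conf_text)
    findings = []
    for name in ("HOME_NET", "EXTERNAL_NET"):
        if name not in variables:
            findings.append(f"variable {name} is not defined")
    # stream4 (Snort 2.1) or stream5 (later 2.x); the "flow" preprocessor
    # in the posted config is a different component and does not count.
    has_stream = any(p.startswith("stream") for p in preprocs)
    for path in includes:
        text = read_file(path)
        if text is None:
            findings.append(f"{path}: included file not readable")
            continue
        if not path.endswith(".rules"):
            continue  # classification.config and the like carry no rules
        active, with_flow = analyse_rules(text)
        if active == 0:
            findings.append(f"{path}: no active rules")
        elif with_flow and not has_stream:
            findings.append(f"{path}: {with_flow} of {active} rules use flow: "
                            "but no stream preprocessor is configured")
    return findings


def read_from_disk(path):
    """Reader for real files: text, or None when the include cannot be opened."""
    try:
        with open(path, encoding="latin-1") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    # Runs against the constructed sample; pass read_from_disk for a real config.
    for finding in check(SAMPLE_CONF, SAMPLE_RULES.get):
        print(finding)
```

Run against a real installation with check(open("snort.conf").read(), read_from_disk); include paths are taken as written in the config, so run it from the directory Snort is started in or use absolute paths as the posted config does.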


Received on Fri Mar 19 10:29:13 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT

