Snort mailing list archives
Re: Fwd: Re: Suppress alerts
From: Peter Rodger <prodger2008 () yahoo com>
Date: Tue, 18 Oct 2005 09:03:26 -0700 (PDT)
Thanks for your reply. The attached is the output after I ran snort -c snort.conf. Please let me know if anything is wrong with that.

Thanks,
Peter

--- João Mota <joao () 3gnt net> wrote:

> Peter Rodger wrote:
> > Can anyone point out what's wrong with my config? The alerts are still not suppressed.
>
> If you run snort from the command line (like 'snort -c snort.conf') you get a lot of info (including thresholding info). Please send the output generated.
D:\win-ids\Snort\bin>snort -c d:\win-ids\snort\etc\snort.conf
Running in IDS mode

Initializing Network Interface \Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file d:\win-ids\snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: d:\win-ids\snort\etc\unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
database: SQL Server message 5701, state 2, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS',
database: SQL Server message 5701, state 1, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS', Line 1
database: inconsistent cid information for sid=1
Recovering by rolling forward the cid=36697
database: SQL Server message 5701, state 2, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS',
database: SQL Server message 5701, state 1, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS', Line 1
2111 Snort rules read...
2111 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
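A small checker for the diagnostic João suggests, added here as an example and not part of the original thread or of Snort itself: it pulls every active `suppress` line out of a Snort 2.x snort.conf, pulls the suppression entries Snort actually reports in its `snort -c` startup banner, and reports which configured entries Snort never loaded. The `suppress gen_id N, sig_id M[, track by_src|by_dst, ip X]` syntax is the documented Snort 2.x one; the startup-banner layout (a `[suppression]` header followed by `gen-id=N  sig-id=M` lines), the sample config and both sample outputs are constructed for this example and are assumptions about the real format, which is why the parser keys only on the two `gen-id`/`sig-id` fields.

```python
"""Check that every `suppress` entry in a Snort 2.x snort.conf shows up in the
startup banner printed by `snort -c snort.conf`.

Added example, not code from the original thread or from Snort. The snort.conf
`suppress` syntax is the documented Snort 2.x one; the banner layout used in the
constructed samples ("[suppression]" header, then "gen-id=N  sig-id=M" lines) is
an ASSUMPTION about the output format, so the parser relies only on those keys.
"""
import re

# Documented Snort 2.x syntax:
#   suppress gen_id <gid>, sig_id <sid>
#   suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|cidr>
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$",
    re.IGNORECASE,
)
# ASSUMED banner field names; only these two keys are relied upon.
BANNER_RE = re.compile(r"gen-id=(\d+)\s+sig-id=(\d+)")


def parse_suppress_config(conf_text):
    """Return {(gen_id, sig_id): (track, ip)} for every active suppress line.
    Lines commented out with '#' are skipped, which is one classic reason a
    suppression 'does not work'."""
    entries = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SUPPRESS_RE.match(stripped)
        if m:
            gen, sig, track, ip = m.groups()
            entries[(int(gen), int(sig))] = (track, ip)
    return entries


def parse_suppress_banner(output_text):
    """Return the set of (gen_id, sig_id) pairs listed under the [suppression]
    banner, or None if Snort printed no such banner at all."""
    lines = output_text.splitlines()
    start = next((i for i, l in enumerate(lines) if "[suppression]" in l), None)
    if start is None:
        return None
    loaded = set()
    for l in lines[start + 1:]:
        if l.startswith("---") or l.startswith("+---"):  # end of the section
            break
        m = BANNER_RE.search(l)
        if m:
            loaded.add((int(m.group(1)), int(m.group(2))))
    return loaded


def check_suppressions(conf_text, output_text):
    """Compare config against banner.
    Returns (status, missing):
      'no-banner' - Snort printed no suppression section, so none of the
                    suppress lines reached it (e.g. the file holding them is
                    not included from snort.conf); every entry is reported.
      'missing'   - a suppression section exists but some entries are absent.
      'ok'        - every configured entry was loaded."""
    wanted = parse_suppress_config(conf_text)
    loaded = parse_suppress_banner(output_text)
    if loaded is None:
        return "no-banner", sorted(wanted)
    missing = sorted(k for k in wanted if k not in loaded)
    return ("ok" if not missing else "missing"), missing


# Constructed sample config: two live suppress lines and one commented out.
SAMPLE_CONF = """\
# suppress gen_id 1, sig_id 1852
suppress gen_id 1, sig_id 2003
suppress gen_id 1, sig_id 1853, track by_src, ip 10.1.1.54
"""

# Constructed startup output that lists a suppression block (assumed layout);
# only one of the two configured entries was loaded.
SAMPLE_OUTPUT_WITH_BANNER = """\
2111 Snort rules read...
+-----------------------[suppression]------------------------------------------
| gen-id=1      sig-id=2003      track=none
-------------------------------------------------------------------------------
"""

# Constructed startup output with no thresholding section at all, like the
# output posted in this thread, which shows none.
SAMPLE_OUTPUT_NO_BANNER = """\
2111 Snort rules read...
2111 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
"""

if __name__ == "__main__":
    for name, out in (("with banner", SAMPLE_OUTPUT_WITH_BANNER),
                      ("no banner", SAMPLE_OUTPUT_NO_BANNER)):
        status, missing = check_suppressions(SAMPLE_CONF, out)
        print(f"{name}: {status} {missing}")
```

Run it against the real files by reading snort.conf (and any file it includes, such as a threshold.conf) into `conf_text` and the captured `snort -c` output into `output_text`. The `no-banner` result is the interesting one for this thread: the output Peter posted contains no thresholding or suppression section at all, and in that case the first thing to verify is that the file holding the `suppress` lines is actually included from the snort.conf that `-c` points at, before worrying about individual gen_id/sig_id values.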
Current thread:
- RE: Suppress alerts, (continued)
- RE: Suppress alerts Briggs, Bruce (Oct 14)
- RE: Suppress alerts Briggs, Bruce (Oct 17)
- RE: RE: Suppress alerts Peter Rodger (Oct 17)
- Re: Suppress alerts Joel Esler (Oct 17)
- Re: Suppress alerts Peter Rodger (Oct 17)
- Re: Suppress alerts Joel Esler (Oct 17)
- Fwd: Re: Suppress alerts Peter Rodger (Oct 18)
- Re: Suppress alerts Joel Esler (Oct 18)
- Re: Suppress alerts Peter Rodger (Oct 18)
- Re: Suppress alerts Frank Knobbe (Oct 18)
- Re: Suppress alerts Joel Esler (Oct 18)
- Re: Fwd: Re: Suppress alerts João Mota (Oct 18)
- Re: Fwd: Re: Suppress alerts Peter Rodger (Oct 18)
- RE: Fwd: Re: Suppress alerts Patrick Harper (Oct 18)
- RE: Fwd: Re: Suppress alerts Peter Rodger (Oct 18)
- Re: Fwd: Re: Suppress alerts João Mota (Oct 19)
- Re: Fwd: Re: Suppress alerts Peter Rodger (Oct 19)
- Re: Fwd: Re: Suppress alerts Peter Rodger (Oct 19)
- Re: Fwd: Re: Suppress alerts João Mota (Oct 20)