From: ChunXin <ch...@os...> - 2007-10-16 07:23:22

When I disable the stickydrop and stickydrop-timeouts features, there is no problem, but I would like to use this sticky function! How do I do that?

Will Metcalf wrote:
> how are you running your nmap scan? I can't seem to reproduce your issue...
>
> Regards,
>
> Will
>
> On 10/15/07, ChunXin <ch...@os...> wrote:
>
>> I tried this method: iptables -A FORWARD -j NFQUEUE && snort_inline -Q -c snort_inline.conf
>> but the problem still exists
>> : ( Are there other good suggestions? Thanks a lot!
>>
>> ChunXin
>>
>> sno...@li... wrote:
>> Send Snort-inline-users mailing list submissions to
>>     sno...@li...
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>     https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>> or, via email, send a message with subject or body 'help' to
>>     sno...@li...
>>
>> You can reach the person managing the list at
>>     sno...@li...
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Snort-inline-users digest..."
>>
>>
>> Today's Topics:
>>
>>    1. Re: snort_inline-2.6.1.5 problems, please help me ! (Victor Julien)
>>    2. snort_inline-2.6.1.5 problems, please help me ! (ChunXin)
>>    3. Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me ! (Victor Julien)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Fri, 12 Oct 2007 10:16:13 +0200
>> From: Victor Julien <li...@in...>
>> Subject: Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
>> To: sno...@li...
>> Message-ID: <470...@in...>
>> Content-Type: text/plain; charset=UTF-8
>>
>> Hi
>>
>> I see you are both using ip_queue
>>
>>> 2, And I started my snort_inline this way: "iptables -A FORWARD -j QUEUE && snort_inline -Q -c snort_inline.conf",
>>
>> and compiling for nfqueue.
>>
>>> --enable-react --enable-nfnetlink --enable-clamav
>>
>> I have no idea what the results of this are. So please try removing
>> '--enable-nfnetlink' or use 'iptables -A FORWARD -j NFQUEUE' and try
>> again...
>>
>> Cheers,
>> Victor
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 15 Oct 2007 19:35:43 +0800
>> From: ChunXin <ch...@os...>
>> Subject: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
>> To: sno...@li..., wil...@gm...
>> Message-ID: <471...@os...>
>> Content-Type: text/plain; charset="gb2312"
>>
>> I am using snort_inline-2.6.1.5, but I encountered many problems
>>
>> 1, my network topology is as follows:
>>
>> {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server 192.168.1.2 (web) }
>>
>> 2, And I started my snort_inline this way: "iptables -A FORWARD -j QUEUE && snort_inline -Q -c snort_inline.conf".
>> When I use nmap to scan the web server, snort_inline always stops and the screen shows "Segmentation fault".
>>
>> I used "strace" to check its running status (strace -f -p 5668; 5668 is the pid of snort_inline). When snort_inline stopped, the screen showed:
>> --------------------------------------------------------------------------------------------------
>> gettimeofday({1192126318, 360095}, NULL) = 0
>> write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
>> write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
>> write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
>> write(5, "\n", 1) = 1
>> write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
>> write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., 190) = 190
>> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>> -----------------------------------------------------------------------------------------------------
>>
>> I tracked it several times; every time the information was like this, and the "(portscan)" word never changed!
>> Is it a bug of sfportscan!? Or have I not done it right?
>>
>> 3, my snort_inline-2.6.1.5 configure options are as follows:
>> ./configure --prefix=/usr/local/snort_inline \
>>   --enable-pthread \
>>   --enable-stream4udp --enable-dynamicplugin --enable-timestats \
>>   --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2 \
>>   --enable-react --enable-nfnetlink --enable-clamav \
>>   --with-mysql=/usr/local/mysql \
>>   --with-libpcap-includes=/usr/local/libpcap/include \
>>   --with-libpcap-libraries=/usr/local/libpcap/lib \
>>   --with-clamav-includes=/usr/local/clamav/include \
>>   --with-clamav-defdir=/usr/local/clamav/share/clamav
>>
>> 4, and I want to know, what's the best kernel version for snort_inline-2.6.1.5?
>>
>> my snort_inline.conf is as follows:
>> -------------------------------------------------------------------
>>
>> ### Network variables
>> var HOME_NET any
>> var HONEYNET any
>> var EXTERNAL_NET any
>> var SMTP_SERVERS any
>> var TELNET_SERVERS any
>> var HTTP_SERVERS any
>> var SQL_SERVERS any
>> var DNS_SERVERS any
>>
>> # Ports you run web servers on
>> ## include somefile.rules
>> var HTTP_PORTS 80
>>
>> # Ports you want to look for SHELLCODE on.
>> var SHELLCODE_PORTS !80
>>
>> # Ports you do oracle attacks on
>> var ORACLE_PORTS 1521
>>
>> #ports you want to look for SSH on
>> var SSH_PORTS 22
>>
>> # AIM servers. AOL has a habit of adding new AIM servers, so instead of
>> # modifying the signatures when they do, we add them to this list of servers.
>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>
>> ### As of snort_inline 2.2.0 we drop
>> ### packets with bad checksums. We can
>> config checksum_mode: all
>>
>> # Path to your rules files (this can be a relative path)
>> var RULE_PATH /usr/local/snort_inline/etc/snort_rules
>>
>> #
>> config layer2resets: 00:06:76:DD:5F:E3
>>
>> #
>> # Load all dynamic preprocessors from the install path
>> # (same as command line option --dynamic-preprocessor-lib-dir)
>> #
>> dynamicpreprocessor directory /usr/local/snort_inline/lib/snort_dynamicpreprocessor/
>> #
>> # Load a dynamic engine from the install path
>> # (same as command line option --dynamic-engine-lib)
>> #
>> dynamicengine /usr/local/snort_inline/lib/snort_dynamicengine/libsf_engine.so
>> # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
>> #
>>
>> ### Preprocessors
>> #
>> # The third line tells which sources to never drop, it is very, very important to add your home net
>> # and you dns servers to this list.
>> #
>> #example:
>> preprocessor stickydrop: max_entries 3000,log
>> preprocessor stickydrop-timeouts: sfportscan 3000 , clamav 3000
>> #preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13
>> # and you dns servers to this list.
>> #
>> #example:
>> #preprocessor bait-and-switch: max_entries 200,log,insert_before
>> #preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24
>>
>> # Done by IPTables. Iptables assembles fragments when we use connection
>> # tracking; therefore, we don't have to use frag2
>> # preprocessor frag2
>>
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor frag3_global: max_frags 655360
>> #preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy first detect_anomalies
>> #
>>
>> #Stream4 with inline support example
>>
>> preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts
>> #preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts, max_sessions 32768, memcap 36700160
>> #
>> #preprocessor stream4: disable_evasion_alerts, \
>> #                      stream4inline, \
>> #                      enforce_state drop, \
>> #                      memcap 134217728, \
>> #                      timeout 3600, \
>> #                      truncate, \
>> #                      window_size 3000
>>
>> #
>> #preprocessor stream4_reassemble: both, favor_new
>> preprocessor stream4_reassemble
>> #
>> # Example:
>> preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/local/clamav/share/clamav, dbreload-time 43200
>> #
>> #clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200
>>
>> preprocessor http_inspect: global \
>>     iis_unicode_map unicode.map 1252
>>
>> preprocessor http_inspect_server: server default \
>>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>>
>> #                        sizes exceed the current packet size
>> #   no_alert_incomplete - don't alert when a single segment
>> #                         exceeds the current packet size
>>
>> preprocessor rpc_decode: 111 32771
>>
>> #  SID     Event description
>> # -----   -------------------
>> #   1      Back Orifice traffic detected
>>
>> preprocessor bo
>>
>> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>>
>> preprocessor ftp_telnet: global \
>>     encrypted_traffic yes \
>>     inspection_type stateful
>>
>> preprocessor ftp_telnet_protocol: telnet \
>>     normalize \
>>     ayt_attack_thresh 200
>>
>> # Check nDTM commands that set modification time on the file.
>> preprocessor ftp_telnet_protocol: ftp server default \
>>     def_max_param_len 100 \
>>     alt_max_param_len 200 { CWD } \
>>     cmd_validity MODE < char ASBCZ > \
>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>     chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>>     telnet_cmds yes \
>>     data_chan
>>
>> preprocessor ftp_telnet_protocol: ftp client default \
>>     max_resp_len 256 \
>>     bounce yes \
>>     telnet_cmds yes
>>
>> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>>
>> preprocessor smtp: \
>>     ports { 25 } \
>>     inspection_type stateful \
>>     normalize cmds \
>>     normalize_cmds { EXPN VRFY RCPT } \
>>     alt_max_command_line_len 260 { MAIL } \
>>     alt_max_command_line_len 300 { RCPT } \
>>     alt_max_command_line_len 500 { HELP HELO ETRN } \
>>     alt_max_command_line_len 255 { EXPN VRFY }
>>
>> #
>> preprocessor sfportscan: proto { all } \
>>     memcap { 10000000 } \
>>     sense_level { low }
>>
>> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>>
>> preprocessor dcerpc: \
>>     autodetect \
>>     max_frag_size 3000 \
>>     memcap 100000
>>
>> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>>
>> preprocessor dns: \
>>     ports { 53 } \
>>     enable_rdata_overflow
>>
>> ### Logging alerts of outbound attacks
>> output alert_full: snort_inline-full
>> output alert_fast: snort_inline-fast
>>
>> ### If you want to log the contents of the dropped packets, remove comment
>> #output log_tcpdump: tcpdump.log
>>
>> # Include classification & priority settings
>> include $RULE_PATH/classification.config
>> include $RULE_PATH/reference.config
>>
>> ### The Drop Rules
>> # Enabled
>> include $RULE_PATH/exploit.rules
>> include $RULE_PATH/finger.rules
>> include $RULE_PATH/ftp.rules
>> include $RULE_PATH/telnet.rules
>> include $RULE_PATH/rpc.rules
>> include $RULE_PATH/rservices.rules
>> include $RULE_PATH/dos.rules
>> include $RULE_PATH/ddos.rules
>> include $RULE_PATH/dns.rules
>> include $RULE_PATH/tftp.rules
>> include $RULE_PATH/web-cgi.rules
>> include $RULE_PATH/web-coldfusion.rules
>> include $RULE_PATH/web-iis.rules
>> include $RULE_PATH/web-frontpage.rules
>> include $RULE_PATH/web-misc.rules
>> #include $RULE_PATH/web-client.rules
>> include $RULE_PATH/web-php.rules
>> include $RULE_PATH/sql.rules
>> include $RULE_PATH/x11.rules
>> include $RULE_PATH/icmp.rules
>> include $RULE_PATH/netbios.rules
>> include $RULE_PATH/oracle.rules
>> include $RULE_PATH/mysql.rules
>> include $RULE_PATH/snmp.rules
>> include $RULE_PATH/smtp.rules
>> include $RULE_PATH/imap.rules
>> include $RULE_PATH/pop3.rules
>> include $RULE_PATH/pop2.rules
>> include $RULE_PATH/web-attacks.rules
>> include $RULE_PATH/virus.rules
>> include $RULE_PATH/nntp.rules
>> -------------------------------------------------------------------
>>
>> Best Regards
>>
>> ChunXin
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 15 Oct 2007 14:11:44 +0200
>> From: Victor Julien <li...@in...>
>> Subject: [Snort-inline-users] Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
>> To: sno...@li...
>> Message-ID: <471...@in...>
>> Content-Type: text/plain; charset=GB2312
>>
>> Instead of resending your mail, why don't you try my suggestion from a
>> few days ago and report back on it?
>>
>> ChunXin wrote:
>>> [quoted text elided; identical to Message 2 above]
>>
>> Best Regards
>>
>> ChunXin
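The thread turns on the stickydrop preprocessor in the quoted snort_inline.conf (`stickydrop: max_entries 3000,log` and `stickydrop-timeouts: sfportscan 3000 , clamav 3000`) and on the portscan alert that strace shows being written just before the crash. The following is an added example, not code from this thread or from the snort_inline project: a small Python model of what a sticky-drop table does with alerts of the kind seen in the strace output, fed from alert_fast-style lines. The sample lines are constructed, the exact alert_fast layout is my assumption, gid 122 is mapped to the `sfportscan` timeout key because the page shows `[122:1:0] (portscan)` (no other generator is mapped), and the behaviour when the table is full (evict the entry expiring soonest) is also an assumption rather than anything the project documents.

```python
"""Toy model of the snort_inline 'stickydrop' table, driven by alert_fast
lines.  Added example; not code from the snort-inline thread or project.

Assumptions (mine, not from the page):
  * the alert_fast line layout and the sample lines below are constructed;
  * gid 122 maps to the 'sfportscan' timeout key; nothing else is mapped;
  * when the table is full, the entry expiring soonest is evicted.
"""
import re
from datetime import datetime, timedelta

# Constructed sample alert_fast lines: timestamp, [gid:sid:rev], message,
# [**], priority, {proto}, src -> dst.  The year is absent, as in Snort.
SAMPLE_ALERTS = [
    "10/12-02:11:58.360095  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO255} 192.168.9.2 -> 192.168.1.2",
    "10/12-02:12:03.000000  [**] [1:1000001:1] WEB-MISC test rule [**] "
    "[Priority: 2] {TCP} 192.168.9.3:45012 -> 192.168.1.2:80",
    "10/12-02:30:00.000000  [**] [122:3:0] (portscan) TCP Portsweep [**] "
    "[Priority: 3] {PROTO255} 192.168.9.2 -> 192.168.1.2",
    "10/12-02:40:00.000000  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO255} 192.168.9.7 -> 192.168.1.2",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?\s*$"
)

# stickydrop-timeouts keys are preprocessor names; map generator ids to them.
GID_TO_TIMEOUT_KEY = {122: "sfportscan"}   # assumption: only sfportscan mapped


def parse_ts(text):
    """Parse a Snort-style MM/DD-HH:MM:SS.usec timestamp (year defaults to 1900)."""
    return datetime.strptime(text, "%m/%d-%H:%M:%S.%f")


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = parse_ts(d["ts"])
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    return d


class StickyDrop:
    """Source-IP block table with per-preprocessor timeouts, in the spirit of
    'stickydrop: max_entries N' plus 'stickydrop-timeouts: sfportscan S'."""

    def __init__(self, max_entries, timeouts):
        self.max_entries = max_entries
        self.timeouts = dict(timeouts)   # timeout key -> seconds
        self.table = {}                  # source ip -> expiry datetime

    def _purge(self, now):
        for ip in [ip for ip, exp in self.table.items() if exp <= now]:
            del self.table[ip]

    def observe(self, alert):
        """Feed one parsed alert; return True if it armed or refreshed a block."""
        now = alert["ts"]
        self._purge(now)
        key = GID_TO_TIMEOUT_KEY.get(alert["gid"])
        if key is None or key not in self.timeouts:
            return False
        expiry = now + timedelta(seconds=self.timeouts[key])
        if alert["src"] not in self.table and len(self.table) >= self.max_entries:
            # Table full: evict the entry that expires soonest (assumption).
            del self.table[min(self.table, key=self.table.get)]
        self.table[alert["src"]] = max(expiry, self.table.get(alert["src"], expiry))
        return True

    def is_dropped(self, src, now):
        """Would a packet from src at time 'now' be dropped without inspection?"""
        self._purge(now)
        return src in self.table


def replay(lines, max_entries=3000, timeouts=None):
    """Run alert lines through a StickyDrop table; return (table, blocks armed)."""
    sd = StickyDrop(max_entries, timeouts or {"sfportscan": 3000, "clamav": 3000})
    armed = 0
    for line in lines:
        alert = parse_alert(line)
        if alert and sd.observe(alert):
            armed += 1
    return sd, armed


if __name__ == "__main__":
    table, armed = replay(SAMPLE_ALERTS)
    print("blocks armed:", armed)
    for ip, exp in sorted(table.table.items()):
        print(f"{ip} blocked until {exp.strftime('%m/%d-%H:%M:%S')}")
```

The point for a reader of this thread: with the quoted timeouts, a single portscan event from 192.168.9.2 blocks that source for 3000 seconds, and every further portscan event pushes the expiry out again, which is why the scanning client stops getting answers long after the scan ends. The `max_entries` cap is a memory bound; if it is reached, some other source's block has to go, so the ignorehosts line commented out in the conf (home net and DNS servers) is worth enabling before the feature is turned back on.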