2010:05:06-08:53:26 firewall snort[12201]: Enabling inline operation
2010:05:06-08:53:26 firewall snort[12201]: NFQUEUE ID set to: 0
2010:05:06-08:53:26 firewall snort[12201]: Running in IDS mode
2010:05:06-08:53:26 firewall snort[12201]:
2010:05:06-08:53:26 firewall snort[12201]: --== Initializing Snort ==--
2010:05:06-08:53:26 firewall snort[12201]: Initializing Output Plugins!
2010:05:06-08:53:26 firewall snort[12201]: Initializing Preprocessors!
2010:05:06-08:53:26 firewall snort[12201]: Initializing Plug-ins!
2010:05:06-08:53:26 firewall snort[12201]: Parsing Rules file "/etc/snort/snort.conf"
2010:05:06-08:53:27 firewall snort[12201]: PortVar 'HTTP_PORTS' defined :
2010:05:06-08:53:27 firewall snort[12201]: [ 80 ]
2010:05:06-08:53:27 firewall snort[12201]:
2010:05:06-08:53:27 firewall snort[12201]: PortVar 'SHELLCODE_PORTS' defined :
2010:05:06-08:53:27 firewall snort[12201]: [ any ]
2010:05:06-08:53:27 firewall snort[12201]:
2010:05:06-08:53:27 firewall snort[12201]: PortVar 'ORACLE_PORTS' defined :
2010:05:06-08:53:27 firewall snort[12201]: [ any ]
2010:05:06-08:53:27 firewall snort[12201]:
2010:05:06-08:53:27 firewall snort[12201]: Detection:
2010:05:06-08:53:27 firewall snort[12201]: Search-Method = AC-BNFA-Q
2010:05:06-08:53:27 firewall snort[12201]: Tagged Packet Limit: 256
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic engine /sbin/libsf_engine.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading all dynamic detection libs from /usr/lib/snort/so_rules/...
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//exploit.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//web-activex.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//multimedia.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//smtp.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//nntp.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//sql.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//bad-traffic.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//web-misc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//web-client.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//dos.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//chat.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//misc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//netbios.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//imap.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//icmp.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic detection library /usr/lib/snort/so_rules//web-iis.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Finished Loading all dynamic detection libs from /usr/lib/snort/so_rules/
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic preprocessor library /usr/lib/snort/libsf_dce2_preproc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic preprocessor library /usr/lib/snort/libsf_dns_preproc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic preprocessor library /usr/lib/snort/libsf_ftptelnet_preproc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic preprocessor library /usr/lib/snort/libsf_smtp_preproc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic preprocessor library /usr/lib/snort/libsf_ssh_preproc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic preprocessor library /usr/lib/snort/libsf_ssl_preproc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Log directory = /var/log/snort
2010:05:06-08:53:27 firewall snort[12201]: Frag3 global config:
2010:05:06-08:53:27 firewall snort[12201]: Max frags: 65536
2010:05:06-08:53:27 firewall snort[12201]: Fragment memory cap: 4194304 bytes
2010:05:06-08:53:27 firewall snort[12201]: Frag3 engine config:
2010:05:06-08:53:27 firewall snort[12201]: Target-based policy: WINDOWS
2010:05:06-08:53:27 firewall snort[12201]: Fragment timeout: 180 seconds
2010:05:06-08:53:27 firewall snort[12201]: Fragment min_ttl: 1
2010:05:06-08:53:27 firewall snort[12201]: Fragment Problems: 1
2010:05:06-08:53:27 firewall snort[12201]: Overlap Limit: 0
2010:05:06-08:53:27 firewall snort[12201]: Min fragment Length: 0
2010:05:06-08:53:27 firewall snort[12201]: Stream5 global config:
2010:05:06-08:53:27 firewall snort[12201]: Track TCP sessions: ACTIVE
2010:05:06-08:53:27 firewall snort[12201]: Max TCP sessions: 8192
2010:05:06-08:53:27 firewall snort[12201]: Memcap (for reassembly packet storage): 8388608
2010:05:06-08:53:27 firewall snort[12201]: Track UDP sessions: ACTIVE
2010:05:06-08:53:27 firewall snort[12201]: Max UDP sessions: 131072
2010:05:06-08:53:27 firewall snort[12201]: Track ICMP sessions: INACTIVE
2010:05:06-08:53:27 firewall snort[12201]: Log info if session memory consumption exceeds 1048576
2010:05:06-08:53:27 firewall snort[12201]: Stream5 TCP Policy config:
2010:05:06-08:53:27 firewall snort[12201]: Reassembly Policy: WINDOWS
2010:05:06-08:53:27 firewall snort[12201]: Timeout: 180 seconds
2010:05:06-08:53:27 firewall snort[12201]: Min ttl: 1
2010:05:06-08:53:27 firewall snort[12201]: Maximum number of bytes to queue per session: 1048576
2010:05:06-08:53:27 firewall snort[12201]: Maximum number of segs to queue per session: 2621
2010:05:06-08:53:27 firewall snort[12201]: Options:
2010:05:06-08:53:27 firewall snort[12201]: Static Flushpoint Sizes: YES
2010:05:06-08:53:27 firewall snort[12201]: Check for TCP Session Hijacking: YES
2010:05:06-08:53:27 firewall snort[12201]: Reassembly Ports:
2010:05:06-08:53:27 firewall snort[12201]: 21 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 23 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 25 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 42 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 53 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 80 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 110 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 111 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 135 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 136 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 137 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 139 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 143 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 445 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 465 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 513 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 691 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 1433 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 1521 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: 1900 client (Footprint)
2010:05:06-08:53:27 firewall snort[12201]: Stream5 UDP Policy config:
2010:05:06-08:53:27 firewall snort[12201]: Timeout: 30 seconds
2010:05:06-08:53:27 firewall snort[12201]: Options:
2010:05:06-08:53:27 firewall snort[12201]: Ignore Any -> Any Rules: YES
2010:05:06-08:53:27 firewall snort[12201]: HttpInspect Config:
2010:05:06-08:53:27 firewall snort[12201]: GLOBAL CONFIG
2010:05:06-08:53:27 firewall snort[12201]: Max Pipeline Requests: 0
2010:05:06-08:53:27 firewall snort[12201]: Inspection Type: STATELESS
2010:05:06-08:53:27 firewall snort[12201]: Detect Proxy Usage: NO
2010:05:06-08:53:27 firewall snort[12201]: IIS Unicode Map Filename: /etc/snort/unicode.map
2010:05:06-08:53:27 firewall snort[12201]: IIS Unicode Map Codepage: 1252
2010:05:06-08:53:27 firewall snort[12201]: DEFAULT SERVER CONFIG:
2010:05:06-08:53:27 firewall snort[12201]: Server profile: All
2010:05:06-08:53:27 firewall snort[12201]: Ports: 80 8080 8180
2010:05:06-08:53:27 firewall snort[12201]: Server Flow Depth: 1460
2010:05:06-08:53:27 firewall snort[12201]: Client Flow Depth: 300
2010:05:06-08:53:27 firewall snort[12201]: Max Chunk Length: 500000
2010:05:06-08:53:27 firewall snort[12201]: Max Header Field Length: 0
2010:05:06-08:53:27 firewall snort[12201]: Max Number Header Fields: 0
2010:05:06-08:53:27 firewall snort[12201]: Inspect Pipeline Requests: YES
2010:05:06-08:53:27 firewall snort[12201]: URI Discovery Strict Mode: NO
2010:05:06-08:53:27 firewall snort[12201]: Allow Proxy Usage: NO
2010:05:06-08:53:27 firewall snort[12201]: Disable Alerting: YES
2010:05:06-08:53:27 firewall snort[12201]: Oversize Dir Length: 500
2010:05:06-08:53:27 firewall snort[12201]: Only inspect URI: NO
2010:05:06-08:53:27 firewall snort[12201]: Normalize HTTP Headers: NO
2010:05:06-08:53:27 firewall snort[12201]: Normalize HTTP Cookies: NO
2010:05:06-08:53:27 firewall snort[12201]: Ascii: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: Double Decoding: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: %U Encoding: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: Bare Byte: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: Base36: OFF
2010:05:06-08:53:27 firewall snort[12201]: UTF 8: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: IIS Unicode: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: Multiple Slash: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: IIS Backslash: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: Directory Traversal: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: Web Root Traversal: YES alert: YES
2010:05:06-08:53:27 firewall snort[12201]: Apache WhiteSpace: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: IIS Delimiter: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
2010:05:06-08:53:27 firewall snort[12201]: Non-RFC Compliant Characters: NONE
2010:05:06-08:53:27 firewall snort[12201]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
2010:05:06-08:53:27 firewall snort[12201]: rpc_decode arguments:
2010:05:06-08:53:27 firewall snort[12201]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
2010:05:06-08:53:27 firewall snort[12201]: alert_fragments: INACTIVE
2010:05:06-08:53:27 firewall snort[12201]: alert_large_fragments: ACTIVE
2010:05:06-08:53:27 firewall snort[12201]: alert_incomplete: INACTIVE
2010:05:06-08:53:27 firewall snort[12201]: alert_multiple_requests: ACTIVE
2010:05:06-08:53:27 firewall snort[12201]: DCE/RPC 2 Preprocessor Configuration
2010:05:06-08:53:27 firewall snort[12201]: Global Configuration
2010:05:06-08:53:27 firewall snort[12201]: DCE/RPC Defragmentation: Enabled
2010:05:06-08:53:27 firewall snort[12201]: Memcap: 102400 KB
2010:05:06-08:53:27 firewall snort[12201]: Events: smb co cl
2010:05:06-08:53:27 firewall snort[12201]: Server Default Configuration
2010:05:06-08:53:27 firewall snort[12201]: Policy: WinXP
2010:05:06-08:53:27 firewall snort[12201]: Detect ports
2010:05:06-08:53:27 firewall snort[12201]: SMB: 139 445
2010:05:06-08:53:27 firewall snort[12201]: TCP: 135
2010:05:06-08:53:27 firewall snort[12201]: UDP: 135
2010:05:06-08:53:27 firewall snort[12201]: RPC over HTTP server: 593
2010:05:06-08:53:27 firewall snort[12201]: RPC over HTTP proxy: None
2010:05:06-08:53:27 firewall snort[12201]: Autodetect ports
2010:05:06-08:53:27 firewall snort[12201]: SMB: None
2010:05:06-08:53:27 firewall snort[12201]: TCP: 1025-65535
2010:05:06-08:53:27 firewall snort[12201]: UDP: 1025-65535
2010:05:06-08:53:27 firewall snort[12201]: RPC over HTTP server: 1025-65535
2010:05:06-08:53:27 firewall snort[12201]: RPC over HTTP proxy: None
2010:05:06-08:53:27 firewall snort[12201]: Maximum SMB command chaining: 3 commands
2010:05:06-08:53:27 firewall snort[12201]: FTPTelnet Config:
2010:05:06-08:53:27 firewall snort[12201]: GLOBAL CONFIG
2010:05:06-08:53:27 firewall snort[12201]: Inspection Type: stateful
2010:05:06-08:53:27 firewall snort[12201]: Check for Encrypted Traffic: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: Continue to check encrypted data: YES
2010:05:06-08:53:27 firewall snort[12201]: TELNET CONFIG:
2010:05:06-08:53:27 firewall snort[12201]: Ports: 23
2010:05:06-08:53:27 firewall snort[12201]: Are You There Threshold: 20
2010:05:06-08:53:27 firewall snort[12201]: Normalize: YES
2010:05:06-08:53:27 firewall snort[12201]: Detect Anomalies: YES
2010:05:06-08:53:27 firewall snort[12201]: FTP CONFIG:
2010:05:06-08:53:27 firewall snort[12201]: FTP Server: default
2010:05:06-08:53:27 firewall snort[12201]: Ports: 21 2100
2010:05:06-08:53:27 firewall snort[12201]: Check for Telnet Cmds: OFF
2010:05:06-08:53:27 firewall snort[12201]: Ignore Telnet Cmd Operations: OFF
2010:05:06-08:53:27 firewall snort[12201]: Identify open data channels: NO
2010:05:06-08:53:27 firewall snort[12201]: FTP Client: default
2010:05:06-08:53:27 firewall snort[12201]: Check for Bounce Attacks: YES alert: YES
2010:05:06-08:53:27 firewall snort[12201]: Check for Telnet Cmds: YES alert: NO
2010:05:06-08:53:27 firewall snort[12201]: Ignore Telnet Cmd Operations: OFF
2010:05:06-08:53:27 firewall snort[12201]: Max Response Length: 200
2010:05:06-08:53:27 firewall snort[12201]: SMTP Config:
2010:05:06-08:53:27 firewall snort[12201]: Ports: 25 465 691
2010:05:06-08:53:27 firewall snort[12201]: Inspection Type: Stateful
2010:05:06-08:53:27 firewall snort[12201]: Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XSTA XTRN XUSR PIPELINING CHUNKING DSN XQUEU
2010:05:06-08:53:27 firewall snort[12201]: Ignore Data: No
2010:05:06-08:53:27 firewall snort[12201]: Ignore TLS Data: No
2010:05:06-08:53:27 firewall snort[12201]: Ignore SMTP Alerts: No
2010:05:06-08:53:27 firewall snort[12201]: Max Command Line Length: Unlimited
2010:05:06-08:53:27 firewall snort[12201]: Max Specific Command Line Length:
2010:05:06-08:53:27 firewall snort[12201]: ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
2010:05:06-08:53:27 firewall snort[12201]: EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
2010:05:06-08:53:27 firewall snort[12201]: ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
2010:05:06-08:53:27 firewall snort[12201]: IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
2010:05:06-08:53:27 firewall snort[12201]: QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
2010:05:06-08:53:27 firewall snort[12201]: SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
2010:05:06-08:53:27 firewall snort[12201]: TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
2010:05:06-08:53:27 firewall snort[12201]: XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
2010:05:06-08:53:27 firewall snort[12201]: XLICENSE:246 X-LINK2STATE:246 XSTA:246 XTRN:246 XUSR:246
2010:05:06-08:53:27 firewall snort[12201]: PIPELINING:246 CHUNKING:246 DSN:246 XQUEU:246
2010:05:06-08:53:27 firewall snort[12201]: Max Header Line Length: 1000
2010:05:06-08:53:27 firewall snort[12201]: Max Response Line Length: 512
2010:05:06-08:53:27 firewall snort[12201]: X-Link2State Alert: Yes
2010:05:06-08:53:27 firewall snort[12201]: Drop on X-Link2State Alert: No
2010:05:06-08:53:27 firewall snort[12201]: Alert on commands: None
2010:05:06-08:53:27 firewall snort[12201]:
2010:05:06-08:53:27 firewall snort[12201]: +++++++++++++++++++++++++++++++++++++++++++++++++++
2010:05:06-08:53:27 firewall snort[12201]: Initializing rule chains...
2010:05:06-08:53:27 firewall snort[12201]: FATAL ERROR: /etc/snort/rules/astaro.rules(678) Unknown rule option: 'ssl_state'.
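The transcript above shows Snort loading libsf_ssl_preproc.so, then printing configuration blocks for Frag3, Stream5, HttpInspect, rpc_decode, DCE/RPC 2, FTPTelnet and SMTP but none for the SSL preprocessor, and finally aborting while parsing astaro.rules line 678 on the ssl_state option. ssl_state (like ssl_version) is a rule option registered by the SSL/TLS preprocessor, so a loaded-but-unconfigured SSL preprocessor is what makes that option "unknown". The script below is an added example, not Snort's code and not part of the original page: it parses the syslog-style line format used above, lists which dynamic preprocessors were loaded but printed no configuration block, extracts the rules file, line number and option from the FATAL ERROR line, and ties the two together. The sample log is a constructed excerpt of the lines above; the configuration-header strings for dce2, ftptelnet and smtp are taken from this log, while the ones for ssl, ssh and dns are assumptions and may need adjusting for your Snort version.

```python
"""Diagnose a Snort 2.x "Unknown rule option" start-up failure from its syslog output.

Added example (not Snort code). Cross-checks which dynamic preprocessor libraries
were loaded against which preprocessors actually printed a configuration block,
then explains the FATAL ERROR if the unknown option belongs to an unconfigured one.
"""
import re

# Line layout seen in the log above: "YYYY:MM:DD-HH:MM:SS host snort[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: ?(?P<msg>.*)$"
)
PREPROC_LOAD_RE = re.compile(
    r"Loading dynamic preprocessor library \S*/libsf_([a-z0-9]+)_preproc\.so"
)
FATAL_RE = re.compile(
    r"FATAL ERROR: (?P<file>\S+)\((?P<line>\d+)\) Unknown rule option: '(?P<opt>[^']+)'"
)

# Header each dynamic preprocessor prints once it is configured in snort.conf.
# dce2, ftptelnet and smtp strings are taken from the log above; ssl, ssh and dns
# are ASSUMED header strings and may differ between Snort releases.
CONFIG_HEADERS = {
    "dce2": "DCE/RPC 2 Preprocessor Configuration",
    "ftptelnet": "FTPTelnet Config:",
    "smtp": "SMTP Config:",
    "ssl": "SSLPP config:",   # assumed
    "ssh": "SSHPP config:",   # assumed
    "dns": "DNS config:",     # assumed
}

# Rule options that only exist once the owning preprocessor is configured.
OPTION_OWNER = {"ssl_state": "ssl", "ssl_version": "ssl"}

# Constructed excerpt of the page's log (same format, shortened).
SAMPLE_LOG = """\
2010:05:06-08:53:26 firewall snort[12201]: Running in IDS mode
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic preprocessor library /usr/lib/snort/libsf_dce2_preproc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic preprocessor library /usr/lib/snort/libsf_smtp_preproc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: Loading dynamic preprocessor library /usr/lib/snort/libsf_ssl_preproc.so...
2010:05:06-08:53:27 firewall snort[12201]: done
2010:05:06-08:53:27 firewall snort[12201]: DCE/RPC 2 Preprocessor Configuration
2010:05:06-08:53:27 firewall snort[12201]: SMTP Config:
2010:05:06-08:53:27 firewall snort[12201]: Initializing rule chains...
2010:05:06-08:53:27 firewall snort[12201]: FATAL ERROR: /etc/snort/rules/astaro.rules(678) Unknown rule option: 'ssl_state'.
"""


def parse(text):
    """Split the log into dicts with ts/host/pid/msg; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def loaded_preprocessors(entries):
    """Names (dce2, ssl, ...) of dynamic preprocessor libraries Snort reported loading."""
    names = set()
    for e in entries:
        m = PREPROC_LOAD_RE.search(e["msg"])
        if m:
            names.add(m.group(1))
    return names


def configured_preprocessors(entries):
    """Names of preprocessors that printed their configuration header."""
    msgs = {e["msg"] for e in entries}
    return {name for name, header in CONFIG_HEADERS.items() if header in msgs}


def fatal_error(entries):
    """Return {'file','line','opt'} from the FATAL ERROR line, or None."""
    for e in entries:
        m = FATAL_RE.search(e["msg"])
        if m:
            d = m.groupdict()
            d["line"] = int(d["line"])
            return d
    return None


def diagnose(text):
    entries = parse(text)
    loaded = loaded_preprocessors(entries)
    configured = configured_preprocessors(entries)
    fatal = fatal_error(entries)
    result = {"fatal": fatal, "loaded_not_configured": sorted(loaded - configured), "hint": None}
    if fatal:
        owner = OPTION_OWNER.get(fatal["opt"])
        if owner and owner in loaded and owner not in configured:
            result["hint"] = (
                f"'{fatal['opt']}' is registered by the {owner} preprocessor: "
                f"libsf_{owner}_preproc.so was loaded but no 'preprocessor {owner}' block "
                f"is configured in snort.conf, so either configure it or drop the rule at "
                f"{fatal['file']}:{fatal['line']}"
            )
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full start-up log (for example the page's transcript saved to a file and read into `diagnose`) and the `loaded_not_configured` list tells you which loaded preprocessors never printed a config block; if the header strings for your release differ, extend `CONFIG_HEADERS` with what Snort actually prints rather than trusting the assumed entries.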