Michael B | 26 Apr 15:00 2015

FTP rules, different port

Hello,

I have enabled the 'protocol-ftp' rules in PulledPork, however several FTP attacks are not reported. I went to check the rules, and they almost all have port '21' hardcoded as a port, instead of the more general '$FTP_PORTS' variable..

My FTP server is running on another port, and is thus not protected by most of the 21 rules.. Do I have to copy-paste them into my custom ruleset, or is there something that I'm missing?
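A check for the situation described above, added here as an example and not part of the original post or of PulledPork: it scans a rules file for headers in which the literal port 21 is hardcoded (as source or destination port) and emits a copy of each such rule using the $FTP_PORTS variable instead. The sample rules, their SIDs and the function names are constructed for the example.

```python
import re

# Snort rule header layout, optionally commented out by pulledpork:
#   [#] action proto src_ip src_port direction dst_ip dst_port ( options )
HEADER_RE = re.compile(
    r"^(?P<disabled>#\s*)?"
    r"(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"(?P<options>\(.*\))\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def find_hardcoded_port(rules_text, port="21", var="$FTP_PORTS"):
    """One record per rule whose source or destination port is the literal `port`.

    The record carries the SID, whether the rule is currently enabled, the
    original line, and a copy with the literal port replaced by `var`, the
    token Snort fills in from the 'portvar FTP_PORTS ...' line of snort.conf.
    Only an exact single-port token is matched; port lists such as [21,2121]
    are left alone.
    """
    found = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if not m or port not in (m.group("sport"), m.group("dport")):
            continue
        parts = {k: m.group(k) for k in
                 ("action", "proto", "src", "sport", "dir", "dst", "dport", "options")}
        for key in ("sport", "dport"):
            if parts[key] == port:
                parts[key] = var
        sid_m = SID_RE.search(parts["options"])
        found.append({
            "sid": int(sid_m.group(1)) if sid_m else None,
            "enabled": m.group("disabled") is None,
            "original": line,
            # the copy is always emitted enabled, without the leading '#'
            "rewritten": "{action} {proto} {src} {sport} {dir} {dst} {dport} {options}".format(**parts),
        })
    return found


def local_rules(rules_text, port="21", var="$FTP_PORTS"):
    """Text to drop into a custom rules file: the rewritten copies, one per line."""
    return "\n".join(r["rewritten"] for r in find_hardcoded_port(rules_text, port, var))


# Constructed sample in the shape of protocol-ftp rules; the SIDs are
# placeholders from the local range, not real rule ids.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE FTP command overflow attempt"; flow:to_server,established; content:"USER"; sid:1000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE FTP rule disabled by policy"; flow:to_server,established; content:"SITE"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"SAMPLE FTP already uses the variable"; flow:to_server,established; content:"PASS"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE HTTP unrelated"; flow:to_server,established; content:"GET"; sid:1000004; rev:1;)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"SAMPLE FTP server banner"; flow:to_client,established; content:"220"; sid:1000005; rev:1;)
"""

if __name__ == "__main__":
    for r in find_hardcoded_port(SAMPLE_RULES):
        state = "enabled" if r["enabled"] else "disabled"
        print("sid %d (%s): %s" % (r["sid"], state, r["rewritten"]))
```

When the copies are loaded, disable the original SIDs (for instance through pulledpork's disablesid.conf) so Snort is not handed two rules with the same SID; pulledpork's modifysid.conf can alternatively apply the same port substitution to the downloaded rules in place.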

 
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Michael B | 26 Apr 12:51 2015

Pulledpork: preprocessors, ips_policy and snort.conf

Hello


How does the pulledpork ips_policy work in conjunction with snort.conf?
In more detail, does it still make sense to activate preprocessors in my snort.conf, or are they ignored by pulledpork?

For example, if I activate the arpspoof preprocessor in snort.conf and then run Pulledpork in 'security' mode, the arpspoof rules are all commented out. Sure, I can activate them through enablesid.conf, but then it would mean that the snort.conf options are ignored?

Regards
------------------------------------------------------------------------------
Robert Lasota | 25 Apr 14:58 2015

Re: Re: Snort inline with Squid

On Friday, 24 April 2015 17:53 James Lay <jlay <at> slave-tothe-box.net> wrote:

On 2015-04-24 07:06 AM, Robert Lasota wrote:

> On Friday, 24 April 2015 13:58 James Lay
> <jlay <at> slave-tothe-box.net> wrote:
>
>> On Fri, 2015-04-24 at 09:33 +0200, Robert Lasota wrote:
>>
>>> Hi,
>>>
>>> Well, I have a problem with running both these apps together on a
>>> router. Snort (as IPS) inline gets traffic from iptables (QUEUE
>>> option), and Squid transparent also (from PREROUTING), and it
>>> turned out there is a problem running both in that case. I tried
>>> these combinations of iptables:
>>>
>>> # for Snort
>>>
>>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
>>>
>>> # for Squid
>>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>
>>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
>>> $iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>
>>> $iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
>>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>
>>> .. and nothing. In all cases either Squid doesn't work or Snort.
>>>
>>> Does somebody have any idea how to solve this difficult case? I
>>> would appreciate it.
>>>
>>> Robert
>> Two interfaces? One internal net, one external net?
>>
>> James
>
> Yes, there are 2 nics, one for internet and one for LAN.
>
> Robert

So my setup is I have a transparent proxy that's listening on eth0
(192.168.bleh) that forwards out ppp0 (external IP).  This takes
internal clients and transparently proxies them.  If that's your setup,
here's how I would do it.

Start snort:

sudo snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c snort.conf

Snort iptables first:

$iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
$iptables -t mangle -I OUTPUT -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1

Now for Squid

$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This should get you what you need, however keep in mind that snort will
need to be started first, and because you're sending ONLY port 80 to the
NFQUEUE, that's all snort will see as that's all that's going to the
queue.  Lastly, you'll need to modify the rules that you want to drop
traffic to reflect drop instead of alert...you'll get an alert in your
unified (if you're doing that) or fast file (if you're doing that as
well) either way with drop or alert, but drop will actively drop the
connection.  Check the link below for more info:

http://www.iptables.info/en/structure-of-iptables.html#MANGLETABLE <
scroll up to get a nifty diagram.

Hope that helps.

James

 

Hi,

I did as you said and it doesn't work. Squid is blocking but Snort is not working; I mean instead of displaying the alert page it shows some Squid error page "url cannot be retrieved".

My commands were:

snort -Q -D --daq nfq --daq-var device=eth1 --daq-var queue=1 -c /opt/etc/snort/snort.conf

iptables -t mangle -I FORWARD -i eth1 -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -I OUTPUT -o eth1 -p tcp --dport 80 -j NFQUEUE --queue-num 1

eth1 - LAN interface

What is interesting, in the above case no packets hit the rules in the mangle table.. zero:

Chain FORWARD (policy ACCEPT 893 packets, 403K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT 5009 packets, 3240K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1

I tried adding the mangle rules without an interface:

iptables -t mangle -I FORWARD -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -I OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1

and now packets hit only the OUTPUT chain:

Chain FORWARD (policy ACCEPT 12 packets, 989 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT 1855 packets, 645K bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  5563 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1

..but there is still the error "url cannot be retrieved"

Robert
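A diagnostic for the zero-hit counters shown in the post above, added here as an example and not part of the thread's own commands: it parses `iptables -t mangle -L -v -n` output (the two listings from the post are embedded as the input), flags NFQUEUE rules that no packet has reached, and attaches a hint on why that chain was never traversed. The hint texts and function names are mine; the hints rest on netfilter's traversal order (mangle PREROUTING runs before nat PREROUTING, and a packet REDIRECTed there is delivered locally rather than forwarded).

```python
import re

# "Chain FORWARD (policy ACCEPT 893 packets, 403K bytes)" or "Chain foo (2 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \(")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

# Why a queue rule in a given chain can sit at zero while the proxy keeps working.
HINTS = {
    "FORWARD": "packets REDIRECTed to Squid in nat PREROUTING are delivered locally "
               "and never enter FORWARD; queue them in mangle PREROUTING, which runs before nat",
    "OUTPUT": "OUTPUT only sees packets the box itself generates (e.g. Squid's upstream "
              "fetches); with nothing bound to the queue, queued packets are dropped",
}


def counter(value):
    """Convert an iptables -v counter: '23' -> 23, '403K' -> 403000."""
    if value[-1] in SUFFIX:
        return int(float(value[:-1]) * SUFFIX[value[-1]])
    return int(value)


def parse_counters(listing):
    """Parse 'iptables -t <table> -L -v -n' output into one dict per rule."""
    chain, rows = None, []
    for raw in listing.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        f = line.split()
        # skip blank lines, the column header and anything before the first chain
        if chain is None or len(f) < 9 or f[0] == "pkts":
            continue
        rows.append({
            "chain": chain, "pkts": counter(f[0]), "bytes": counter(f[1]),
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": f[7], "dst": f[8], "match": " ".join(f[9:]),
        })
    return rows


def unhit_queue_rules(listing):
    """NFQUEUE rules whose packet counter is still zero."""
    return [r for r in parse_counters(listing)
            if r["target"] == "NFQUEUE" and r["pkts"] == 0]


def diagnose(listing):
    """(chain, interface filter, hint) for every NFQUEUE rule nothing has hit."""
    result = []
    for r in unhit_queue_rules(listing):
        iface = "in=%s out=%s" % (r["in"], r["out"])
        result.append((r["chain"], iface, HINTS.get(r["chain"], "no traffic matched this rule")))
    return result


# Counter listings copied from the post above: first with -i/-o eth1, then without.
RUN1 = """\
Chain FORWARD (policy ACCEPT 893 packets, 403K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT 5009 packets, 3240K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
"""
RUN2 = """\
Chain FORWARD (policy ACCEPT 12 packets, 989 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT 1855 packets, 645K bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  5563 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
"""

if __name__ == "__main__":
    for name, listing in (("with interface filter", RUN1), ("without interface filter", RUN2)):
        print(name)
        for chain, iface, hint in diagnose(listing):
            print("  %-8s %-18s %s" % (chain, iface, hint))
```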


------------------------------------------------------------------------------
James Lay | 24 Apr 20:52 2015

Quantum Insert detection for Snort

Pimpy:

http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
https://github.com/fox-it/quantuminsert/tree/master/detection/snort

James

------------------------------------------------------------------------------

Robert Lasota | 24 Apr 15:06 2015

Re: Re: Snort inline with Squid

On Friday, 24 April 2015 13:58 James Lay <jlay <at> slave-tothe-box.net> wrote:

> On Fri, 2015-04-24 at 09:33 +0200, Robert Lasota wrote:
>> Hi,
>>
>> Well, I have a problem with running both these apps together on a router. Snort (as IPS) inline gets traffic from iptables (QUEUE option), and Squid transparent also (from PREROUTING), and it turned out there is a problem running both in that case. I tried these combinations of iptables:
>>
>> # for Snort
>>
>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
>>
>> # for Squid
>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
>> $iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> $iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> .. and nothing. In all cases either Squid doesn't work or Snort.
>>
>> Does somebody have any idea how to solve this difficult case? I would appreciate it.
>>
>> Robert
>
> Two interfaces?  One internal net, one external net?
>
> James

Yes, there are 2 nics, one for internet and one for LAN.

Robert


------------------------------------------------------------------------------
Robert Lasota | 24 Apr 09:33 2015

Snort inline with Squid

Hi,

Well, I have a problem with running both these apps together on a router. Snort (as IPS) inline gets traffic from iptables (QUEUE option), and Squid transparent also (from PREROUTING), and it turned out there is a problem running both in that case. I tried these combinations of iptables:

# for Snort

$iptables -I FORWARD -p tcp --dport 80 -j QUEUE

# for Squid
$iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

$iptables -I FORWARD -p tcp --dport 80 -j QUEUE
$iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

$iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
$iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

.. and nothing. In all cases either Squid doesn't work or Snort.

Does somebody have any idea how to solve this difficult case? I would appreciate it.

Robert

------------------------------------------------------------------------------
Shirkdog | 23 Apr 17:54 2015

Ensuring all pulledpork issues are documented (migration from google-code)

I have migrated the issues from google-code over to the github repo.

Take a look and ensure that your open issues with the tool have been
included so we can prioritize the fixes.

https://github.com/shirkdog/pulledpork/issues

---
Michael Shirk

------------------------------------------------------------------------------

Michael B | 23 Apr 17:01 2015

ARPspoof preprocessor, barnyard, & BASE

My Snort is up & running and loads of events are being logged. After weeding out some false positives, I wanted to test the arpspoof preprocessor.

So I enabled:

preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.1 58:6d:8f:a0:40:7f
preprocessor arpspoof_detect_host: 192.168.1.3 d4:3d:7e:38:37:4d

And ran an ARP attack using ettercap. The problem is that these events do not show up in my winids (and neither in the mysql database). It seems to be a similar problem to this: http://seclists.org/snort/2012/q1/99

Now, I've checked my barnyard output window, and the ettercap events DO show up there; they are just not shown in the BASE UI. My feeling is thus that it is a formatting issue: the arpspoof preprocessor outputs the events in a format which barnyard cannot log to mysql OR which is incompatible with the BASE interface. What I don't know is how I can solve this.

------------------------------------------------------------------------------

c0c0n 2015 | The cy0ps c0n - Call For Papers & Call For Workshops

c0c0n 2015 | The cy0ps c0n - Call For Papers & Call For Workshops
==================================================================

August 20-22, 2015 - Cochin, India

Buenos Dias from the God's Own Country!

We are extremely delighted to announce the Call for Papers and Call for
Workshops for c0c0n 2015 <http://www.is-ra.org/c0c0n/>, a 3-day Security and
Hacking Conference (2 day conference and 1 day pre-conference workshop), full of
interesting presentations, talks and of course filled with fun!

The conference topics are divided into four domains as follows:

>> Info Sec - Technical
>> Info Sec - Management
>> Digital Forensics and Investigations
>> Cyber Laws and Governance.

We are expecting conference and workshop submissions on the following topics,
but are not limited to:

>> Cloud Security
>> Browser Security
>> Honey-pots/Honey-nets
>> Offensive forensics
>> Software Testing/Fuzzing
>> Network and Router Hacking
>> WLAN and Bluetooth Security
>> Hacking virtualized environment
>> Lockpicking & physical security
>> National Security & Cyber Warfare
>> Open Source Security&Hacking Tools
>> Web Application Security & Hacking
>> Exploiting Layer 8/Social Engineering
>> Malware analysis & Reverse Engineering
>> New Vulnerabilities and Exploits/0-days
>> Advanced Penetration testing techniques
>> Antivirus/Firewall/UTM Evasion Techniques
>> IT Auditing/Risk management and IS Management
>> Cyber Forensics, Cyber Crime & Law Enforcement
>> Mobile Application Security-Threats and Exploits
>> Critical Infrastructure & SCADA networks Security


Presentations/topics that haven't been presented before will be preferred.


#####################
Submission Guidelines:
#####################

Email your submission to: cfp [at] is-ra [dot]org
Email subject should be: CFP c0c0n 2015 - <Paper Title>
Email Body:

Personal Information:
=====================

Speaker Name:
Job Role/Handle:
Company/Organization:
Country:
Email ID:
Contact Number:
Speaker Profile: (max 1000 words)

If there is additional speaker please mention it here following the above
format.

Presentation Details:
=====================
Name/Title of the presentation:
Paper Abstract: (max 3000 words)
Presentation Time Required (20, 30, 50 Minutes)
Is there any demonstration? Yes or No
Are you releasing any new tool? Yes or No
Are you releasing any new exploit? Yes or No
Have you presented the paper before on any other security / technology
conference(s)? Yes or No

Other Needs & Requirements:
===========================

Do you need any special equipment?
We will be providing 1 LCD projector feed, 2 screens, microphones, wired
and/or wireless Internet.
If you have any other requirement, Please mention it here and the reason.

#####################
Remember these Dates!
#####################

CFP Opens: 12 Apr 2015
CFP Closing Date: 31 May 2015
Conference Dates: 20 - 21 Aug 2015
Workshop Dates: 22 Aug 2015

*NOTE:* We do not promote vendor/product-oriented submissions, hence they will
be rejected.

##################
Speaker Benefits:
##################

>> Complimentary Conference registration.
>> Complimentary Accommodation for 2 nights.
>> Invitation to Day 1 Networking Dinner / Party.
>> Travel Reimbursement (maximum up to the amount mentioned below)
# International Speaker (outside India) (USD $1000)
# Speakers from India (INR Rs.6000)
>> Only one speaker will be eligible for the benefits in case there are two or
more speakers for a talk.

Thanks and Regards,

- c0c0n 2015 Team -

------------------------------------------------------------------------------
N0de | 19 Apr 22:56 2015

Super slow inline performance of snort 2.9.6.0

Hi all,

I'm running the attached configuration file with an up-to-date connectivity policy ruleset selected through pulledpork (around 840 rules total).

The result of this configuration when run inline was about 600 alerts from the ppm preprocessor, configured to fastpath any packet taking too long to process (1 second).

What I cannot make sense of is that the server was 96% idle on average during that test run, no other alert was raised but gid 134, and ppm reported that the average delay was 20 usec at snort exit. Basically: Snort wasn't able to analyse the packets in time while the server was completely idle. :|

Snort.stats is telling us that the maximum observed bandwidth was 14 Mbit/s.

Do you see anything weird in the following configuration file? Anything conflicting? Thank you for any input that you may have.

Snort: 2.9.6.0

Snort was run this way:

/usr/bin/snort --dynamic-engine-lib /usr/lib/snort_dynamicengine/libsf_engine.so --dynamic-preprocessor-lib-dir /usr/lib/snort_dynamicpreprocessor/ --dynamic-detection-lib-dir /usr/lib/snort_dynamicrules/ -i eth2:eth3 -c snort.conf -l /var/log --perfmon-file snort.stats --enable-inline-test -M


Here are the timestamps at which the PPM alerts were raised:


timestamp: 1428698209
Rule Profile Statistics (worst 20 rules)
==========================================================
No rules were profiled

timestamp: 1428698218
Rule Profile Statistics (worst 20 rules)
==========================================================
No rules were profiled

timestamp: 1428714039
Rule Profile Statistics (worst 20 rules)
==========================================================
No rules were profiled

timestamp: 1428800713
Rule Profile Statistics (worst 20 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1    20560   1   7          6         0         0                 251       41.9        0.0         41.9          0
     2    24037   1   5        299         0         0                8856       29.6        0.0         29.6          0
     3    32544   1   1         76         0         0                1969       25.9        0.0         25.9          0
     4    32460   1   1         10         0         0                 255       25.6        0.0         25.6          0
     5    25515   1   2         31         2         0                 722       23.3        1.2         24.8          0
     6    23134   1   3         53         0         0                1132       21.4        0.0         21.4          0
     7    31749   1   1        242         0         0                3691       15.3        0.0          9.5          0
     8    23870   1   6         27         0         0                 362       13.4        0.0         13.4          0
     9    15013   1  12          4         4         0                  39       10.0       10.0          0.0          0
    10    19211   1  12        264       264         0                2508        9.5        9.5          0.0          0
    11    31276   1   1       1390         0         0               12077        8.7        0.0          8.7          0
    12    31279   1   1       1390         0         0               11965        8.6        0.0          8.6          0
    13    28895   1   2         76         0         0                 618        8.1        0.0          8.1          0
    14    21625   1   6         76         0         0                 618        8.1        0.0          8.1          0
    15    32720   1   1          9         0         0                  70        7.8        0.0          7.8          0
    16    16425   1  15          1         0         0                   7        7.5        0.0          7.5          0
    17    24808   1   3       1325         0         0                8006        6.0        0.0          6.0          0
    18    15483   1  13         14        14         0                  81        5.8        5.8          0.0          0
    19    25513   1   3       1026         2         0                5762        5.6        5.2          5.6          0
    20    21623   1   6          8         0         0                  40        5.1        0.0          5.1          0

timestamp: 1428940048
Rule Profile Statistics (worst 20 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1    32460   1   1         12         0         0                 401       33.5        0.0         33.5          0
     2    20560   1   7          9         0         0                 283       31.5        0.0         31.5          0
     3    24037   1   5        694         0         0               17456       25.2        0.0         25.2          0
     4    25515   1   2        181         1         0                3807       21.0        1.9         21.1          0
     5    23134   1   3         69         0         0                1360       19.7        0.0         19.7          0
     6    31749   1   1        354         0         0                5690       16.1        0.0          8.9          0
     7    23870   1   6         12         0         0                 176       14.7        0.0         14.7          0
     8    15237   1  10          1         0         0                  13       14.0        0.0         14.0          0
     9    15865   1  13          2         2         0                  23       11.8       11.8          0.0          0
    10    32544   1   1        268         0         0                2854       10.7        0.0         10.7          0
    11    19211   1  12        724       723         0                6931        9.6        9.6          5.3          0
    12    21623   1   6         20         0         0                 175        8.8        0.0          8.8          0
    13    28896   1   2         20         0         0                 175        8.8        0.0          8.8          0
    14    27598   1   1          3         0         0                  21        7.0        0.0          7.0          0
    15    25513   1   3       2691         0         0               17642        6.6        0.0          6.6          0
    16    15483   1  13         49        49         0                 302        6.2        6.2          0.0          0
    17    24808   1   3       1466         0         0                8932        6.1        0.0          6.1          0
    18    32720   1   1         10         0         0                  57        5.7        0.0          5.7          0
    19    31276   1   1        322         0         0                1839        5.7        0.0          5.7          0
    20    31279   1   1        322         0         0                1710        5.3        0.0          5.3          0
Attachment (snort.stats): application/octet-stream, 298 KiB

timestamp: 1428698209
Preprocessor Profile Statistics (worst 20)
==========================================================
No Preprocessors were profiled

timestamp: 1428698218
Preprocessor Profile Statistics (worst 20)
==========================================================
No Preprocessors were profiled

timestamp: 1428714039
Preprocessor Profile Statistics (worst 20)
==========================================================
No Preprocessors were profiled

timestamp: 1428800713
Preprocessor Profile Statistics (worst 20)
==========================================================
 Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====           =========  ========= ============= ============
  1                    frag3     0         40         40                 385       9.63          0.00         0.00
   1             frag3insert     1         23         23                  35       1.56          9.31         0.00
   2            frag3rebuild     1         17         17                  16       0.96          4.24         0.00
  2                   detect     0    7684924    7684924            68923119       8.97         47.14        47.14
   1                    mpse     1    5545628    5545628            68037431      12.27         98.71        46.53
   2               rule eval     1    5164918    5164918             1260865       0.24          1.83         0.86
    1               rtn eval     2        459        459                 371       0.81          0.03         0.00
    2         rule tree eval     2    5164918    5164918             1085754       0.21         86.11         0.74
     1                  pcre     3       1598       1598               14856       9.30          1.37         0.01
     2               content     3      48618      48618               65541       1.35          6.04         0.04
     3             byte_test     3        599        599                 479       0.80          0.04         0.00
     4            uricontent     3          1          1                   0       0.56          0.00         0.00
     5             byte_jump     3          4          4                   1       0.44          0.00         0.00
     6  preproc_rule_options     3      98632      98632               23560       0.24          2.17         0.02
     7          urilen_check     3         13         13                   1       0.15          0.00         0.00
     8             file_data     3      54787      54787                1240       0.02          0.11         0.00
     9                  flow     3    4315769    4315769               84262       0.02          7.76         0.06
    10              flowbits     3    2849766    2849766               53382       0.02          4.92         0.04
  3                       s5     0    7446525    7446525            61955727       8.32         42.37        42.37
   1                   s5tcp     1    6953068    6953068            56430269       8.12         91.08        38.59
    1             s5TcpState     2    6940090    6940090            52366743       7.55         92.80        35.81
     1            s5TcpFlush     3     581802     581802             1357666       2.33          2.59         0.93
      1  s5TcpProcessRebuilt     4     581816     581816            40863060      70.23       3009.80        27.95
      2     s5TcpBuildPacket     4     581816     581816              674924       1.16         49.71         0.46
     2             s5TcpData     3    4035914    4035914             3944591       0.98          7.53         2.70
      1       s5TcpPktInsert     4    3034872    3034872             3026144       1.00         76.72         2.07
     3              s5TcpPAF     3    4261148    4261148              699773       0.16          1.34         0.48
    2           s5TcpNewSess     2      51598      51598              104922       2.03          0.19         0.07
   2                   s5udp     1     493457     493457              598120       1.21          0.97         0.41
  4               DceRpcMain     0    3951134    3951134            22102796       5.59         15.12        15.12
   1            DceRpcDetect     1     406316     406316            19242291      47.36         87.06        13.16
   2           DceRpcCoReass     1      34454      34454              252394       7.33          1.14         0.17
   3             DceRpcCoSeg     1          1          1                   1       1.43          0.00         0.00
   4            DceRpcCoFrag     1     352010     352010              241325       0.69          1.09         0.17
   5      DceRpcSmbNegotiate     1        539        539                 347       0.65          0.00         0.00
   6           DceRpcSession     1    3951134    3951682             1290833       0.33          5.84         0.88
    1       DceRpcNewSession     2    1814321    1814321              524483       0.29         40.63         0.36
    2     DceRpcSessionState     2     406865     406865               30920       0.08          2.40         0.02
   7            DceRpcSmbReq     1       1626       1626                 386       0.24          0.00         0.00
   8            DceRpcSmbFid     1        548        548                  78       0.14          0.00         0.00
   9             DceRpcCoCtx     1     433848     433848               60375       0.14          0.27         0.04
  10               DceRpcLog     1     475772     475772               57855       0.12          0.26         0.04
  5                      ssl     0     135023     135023              746230       5.53          0.51         0.51
  6              httpinspect     0    3656470    3656470             8389253       2.29          5.74         5.74
  7            ftptelnet_ftp     0        334        334                 632       1.89          0.00         0.00
  8                   decode     0    7697914    7697914             9822374       1.28          6.72         6.72
  9               sfportscan     0    7439929    7439929             3294390       0.44          2.25         2.25
 10                  perfmon     0    8270269    8270269             2564024       0.31          1.75         1.75
 11                     dnp3     0     494535     494535              134210       0.27          0.09         0.09
 12                      sip     0     675089     675089              153716       0.23          0.11         0.11
 13                     smtp     0    3133640    3133640              663215       0.21          0.45         0.45
 14               reputation     0    7527572    7527572             1152611       0.15          0.79         0.79
 15                      dns     0      59163      59163                8890       0.15          0.01         0.01
 16                   eventq     0   15960639   15960639             1683147       0.11          1.15         1.15
 17                   modbus     0    3131051    3131051              319937       0.10          0.22         0.22
 18                      ssh     0    3131051    3131051              301924       0.10          0.21         0.21
 total                 total     0    7689403    7689403           146222707      19.02          0.00         0.00

timestamp: 1428940048
Preprocessor Profile Statistics (worst 20)
==========================================================
 Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====           =========  ========= ============= ============
  1                    frag3     0        599        599                5665       9.46          0.00         0.00
   1             frag3insert     1        302        302                 339       1.12          6.00         0.00
   2            frag3rebuild     1        297        297                 255       0.86          4.50         0.00
  2                   detect     0   18882958   18882958           154157544       8.16         43.96        43.96
   1                    mpse     1   13579495   13579495           142394746      10.49         92.37        40.61
   2               rule eval     1    7621378    7621378             2380766       0.31          1.54         0.68
    1               rtn eval     2       1137       1137                 915       0.81          0.04         0.00
    2         rule tree eval     2    7621378    7621378             2022970       0.27         84.97         0.58
     1                  pcre     3       3835       3835               33434       8.72          1.65         0.01
     2            uricontent     3          5          5                   9       1.93          0.00         0.00
     3               content     3      92741      92741              101562       1.10          5.02         0.03
     4             byte_test     3       1427       1427                1226       0.86          0.06         0.00
     5             byte_jump     3          4          4                   1       0.48          0.00         0.00
     6  preproc_rule_options     3     258235     258235               58111       0.23          2.87         0.02
     7              isdataat     3          2          2                   0       0.18          0.00         0.00
     8          urilen_check     3         51         51                   6       0.14          0.00         0.00
     9             file_data     3      17056      17056                 679       0.04          0.03         0.00
    10                  flow     3    6787978    6787978              175649       0.03          8.68         0.05
    11              flowbits     3    2517563    2517563               57140       0.02          2.82         0.02
  3                       s5     0   18674874   18674874           130341125       6.98         37.17        37.17
   1                   s5tcp     1   16439136   16439136           113705106       6.92         87.24        32.42
    1             s5TcpState     2   16434191   16434191           104067409       6.33         91.52        29.68
     1            s5TcpFlush     3    1359152    1359152             2790831       2.05          2.68         0.80
      1  s5TcpProcessRebuilt     4    1359171    1359171            79166251      58.25       2836.65        22.58
      2     s5TcpBuildPacket     4    1359171    1359171             1308550       0.96         46.89         0.37
     2             s5TcpData     3    9953165    9953165             7644370       0.77          7.35         2.18
      1       s5TcpPktInsert     4    6146388    6146388             5476132       0.89         71.64         1.56
     3              s5TcpPAF     3   10451411   10451411             1575618       0.15          1.51         0.45
    2           s5TcpNewSess     2      92917      92917              182355       1.96          0.16         0.05
   2                   s5udp     1    2235738    2235738             2878024       1.29          2.21         0.82
  4                      ssl     0     207944     207944             1244064       5.98          0.35         0.35
  5               DceRpcMain     0   11789317   11789317            62760638       5.32         17.90        17.90
   1            DceRpcDetect     1    1108158    1108158            53855013      48.60         85.81        15.36
   2           DceRpcCoReass     1      96319      96319              714368       7.42          1.14         0.20
   3            DceRpcCoFrag     1     988079     988079              652801       0.66          1.04         0.19
   4      DceRpcSmbNegotiate     1       1697       1697                1085       0.64          0.00         0.00
   5           DceRpcSession     1   11789317   11791039             4492159       0.38          7.16         1.28
    1       DceRpcNewSession     2    5794629    5794629             2023486       0.35         45.04         0.58
    2     DceRpcSessionState     2    1109880    1109880               82462       0.07          1.84         0.02
   6            DceRpcSmbReq     1       5116       5116                1272       0.25          0.00         0.00
   7            DceRpcSmbFid     1       1722       1722                 262       0.15          0.00         0.00
   8             DceRpcCoCtx     1    1200643    1200643              152222       0.13          0.24         0.04
   9               DceRpcLog     1    1302518    1302518              147165       0.11          0.23         0.04
  6            ftptelnet_ftp     0       1103       1103                2110       1.91          0.00         0.00
  7                   decode     0   19024618   19024618            25240228       1.33          7.20         7.20
  8              httpinspect     0    9917192    9917192            11205946       1.13          3.20         3.20
  9               sfportscan     0   18628919   18628919            11173468       0.60          3.19         3.19
 10                  perfmon     0   20365934   20365934             6409812       0.31          1.83         1.83
 11                     dnp3     0    2238800    2238800              573925       0.26          0.16         0.16
 12                      sip     0    4832721    4832721             1131755       0.23          0.32         0.32
 13                     smtp     0    8639541    8639541             2004228       0.23          0.57         0.57
 14                      ssh     0    8638697    8638697             1782666       0.21          0.51         0.51
 15               reputation     0   18742989   18742989             3070248       0.16          0.88         0.88
 16                      dns     0     119856     119856               16207       0.14          0.00         0.00
 17                   eventq     0   39376316   39376316             4465001       0.11          1.27         1.27
 18                   modbus     0    8638697    8638697              903829       0.10          0.26         0.26
 total                 total     0   19008424   19008424           350673636      18.45          0.00         0.00
config ppm:max-pkt-time 1000, fastpath-expensive-packets, pkt-log alert
config detection:search-method ac-nq search-optimize max-pattern-len 20
config flowbits_size:576
config event_queue:max_queue 8 log 3 order_events content_length
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config checksum_mode:all
config pcre_match_limit:3500
config pcre_match_limit_recursion:1500
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
config profile_preprocs:print 20, sort avg_ticks, filename preproc.stats.log append
config profile_rules:print 20, sort avg_ticks, filename rules.stats.log append
config daq_mode:inline
config daq_dir:/usr/lib64/daq
config daq:afpacket
config daq_var:buffer_size_mb=1024
config enable_decode_drops
var HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var FTP_SERVERS $HOME_NET
var SSH_SERVERS $HOME_NET
var POP_SERVERS $HOME_NET
var IMAP_SERVERS $HOME_NET
var RPC_SERVERS $HOME_NET
var WWW_SERVERS $HOME_NET
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1024:
var AUTH_PORTS 113
var DNS_PORTS 53
var FINGER_PORTS 79
var FTP_PORTS [21,2100,3535]
var IMAP_PORTS 143
var IRC_PORTS [6665,6666,6667,6668,6669,7000]
var MSSQL_PORTS 1433
var NNTP_PORTS 119
var POP2_PORTS 109
var POP3_PORTS 110
var SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
var RLOGIN_PORTS 513
var RSH_PORTS 514
var SMB_PORTS [139,445]
var SMTP_PORTS 25
var SNMP_PORTS 161
var SSH_PORTS 22
var TELNET_PORTS 23
var MAIL_PORTS [25,143,465,691]
var SSL_PORTS [25,443,465,636,993,995]
var DCERPC_NCACN_IP_TCP [139,445]
var DCERPC_NCADG_IP_UDP [138,1024:]
var DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
var DCERPC_NCACN_UDP_LONG [135,1024:]
var DCERPC_NCACN_UDP_SHORT [135,593,1024:]
var DCERPC_NCACN_TCP [2103,2105,2107]
var DCERPC_BRIGHTSTORE [6503,6504]
var RULE_PATH ../rules
var SIP_SERVERS $HOME_NET 
var SIP_PORTS [5060,5061,5600]
var FILE_DATA_PORTS [$HTTP_PORTS,110,143]
var GTP_PORTS [2123,2152,3386] 
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor frag3_global:max_frags 65536
preprocessor frag3_engine:policy Windows detect_anomalies min_ttl 1 timeout 180
preprocessor http_inspect:global decompress_depth 65535 compress_depth 65535 iis_unicode_map
unicode.map 1252
preprocessor http_inspect_server:server default max_spaces 200 extended_response_inspection
inspect_gzip unlimited_decompress enable_cookie normalize_javascript http_methods { GET POST PUT
SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE
TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT
PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } normalize_utf
webroot no iis_delimiter no apache_whitespace no directory no iis_backslash no multi_slash no
non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } bare_byte no u_encode yes double_decode no
iis_unicode no utf_8 no ascii no oversize_dir_length 500 no_alerts chunk_length 500000 post_depth
65495 client_flow_depth 0 server_flow_depth 0 ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631
801 808 818 901 972 1158 1220 1414 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848
5117 5250 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8081 8082 8085
8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443
9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555
56712 }
preprocessor perfmonitor:pktcnt 5000 snortfile snort.stats time 300
preprocessor rpc_decode:111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 
no_alert_large_fragments no_alert_incomplete no_alert_multiple_requests
preprocessor sfportscan:sense_level { low } scan_type { all } proto { tcp udp }
preprocessor stream5_global:max_udp 131072,track_icmp no,track_udp yes,max_udp 131072,track_tcp
yes,max_tcp 262144,memcap 134217728
preprocessor stream5_tcp:max_queued_segs 2621,ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135
136 137 139 143 161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181
32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 36 80 81 82 83 84 85 86 87 88 89 90 110
311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 2231
2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7907 7000 7001 7071 7144
7145 7510 7802 7770 7777 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915
7916 7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280
8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300
34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712,policy windows,timeout 180
preprocessor stream5_udp:ignore_any_rules,timeout 180
preprocessor dcerpc2:events [co ],memcap 102400
preprocessor dcerpc2_server:default,smb_invalid_shares ["C$", "D$", "ADMIN$"],smb_max_chain
3,autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:],detect [smb [139,445], tcp 135, udp
135, rpc-over-http-server 593],policy WinXP
preprocessor dns:enable_rdata_overflow ports { 53 }
preprocessor ftp_telnet:global inspection_type stateful encrypted_traffic no
preprocessor ftp_telnet_protocol:telnet normalize ayt_attack_thresh 60
preprocessor ftp_telnet_protocol:ftp server default data_chan chk_str_fmt { ACCT ADAT ALLO APPE AUTH
CEL CLNT CMD } chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } chk_str_fmt { LANG LIST LPRT MACB MAIL
MDTM MIC MKD } chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } chk_str_fmt { PROT REST RETR RMD RNFR
RNTO SDUP SITE } chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } chk_str_fmt { XCRC XCWD XMAS XMD5
XMKD XRCP XRMD XRSQ } chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } cmd_validity ALLO < int [ char R int ] >
cmd_validity EPSV < [ { char 12 | char A char L char L } ] > cmd_validity MACB < string > cmd_validity MDTM < [
date nnnnnnnnnnnnnn[.n[n[n]]] ] string > cmd_validity MODE < char ASBCZ > cmd_validity PORT < host_port
> cmd_validity PROT < char CSEP > cmd_validity STRU < char FRPO [ string ] > cmd_validity TYPE < { char AE [
char NTC ] | char I | char L [ number ] } > alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT
REIN STOU SYST XCUP XPWD } alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD }
alt_max_param_len 256 { CWD RNTO } alt_max_param_len 400 { PORT } alt_max_param_len 512 { SIZE }
def_max_param_len 100 ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } ftp_cmds { CEL CLNT CMD CONF CWD
DELE ENC EPRT } ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD
MLST } ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR }
ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD }
ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } ports { 21 2100 3535 }
preprocessor ftp_telnet_protocol:ftp client default bounce yes max_resp_len 256 telnet_cmds no
preprocessor smtp:log_email_hdrs log_filename log_rcptto log_mailfrom uu_decode_depth 0
bitenc_decode_depth 0 qp_decode_depth 0 b64_decode_depth 0 valid_cmds { ATRN AUTH BDAT CHUNKING DATA
DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT
RSET SAML SEND SOML } valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 }
valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } xlink2state
{ enable } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT }
alt_max_command_line_len 500 { HELP HELO ETRN EHLO } alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE
BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } alt_max_command_line_len 246 { SEND SAML SOML AUTH
TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR
XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL
ESAM ESND ESOM ETRN EVFY } normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND
SOML } normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 }
normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR }
no_alerts max_response_line_len 512 max_header_line_len 1000 max_command_line_len 512 normalize
cmds inspection_type stateful ports { 25 465 587 691 }
preprocessor ssh:enable_srvoverflow enable_ssh1crc32 enable_respoverflow
max_server_version_len 100 max_client_bytes 19600 max_encrypted_packets 20 autodetect
server_ports { 22 }
preprocessor ssl:trustservers,noinspect_encrypted,ports { 443 465 563 636 989 992 993 994 995 7801 7702
7802 7900 7901 7902 7903 7904 7905 7906 6907 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919
7920 }
preprocessor sip:max_content_len 1024,max_contact_len 512,max_via_len 1024,max_to_len
256,max_from_len 256,max_requestName_len 20,max_call_id_len 80,max_uri_len 512,methods { invite
cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack
publish service unsubscribe prack },ports { 5060 5061 5600 },max_sessions 10000
preprocessor modbus:ports { 502 }
preprocessor dnp3:check_crc memcap 262144 ports { 20000 }
preprocessor normalize_ip4
preprocessor normalize_tcp:ecn stream ips
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor reputation:white trust,scan_local,blacklist
$BLACK_LIST_PATH/blacklist.list,whitelist $WHITE_LIST_PATH/whitelist.list,nested_ip
inner,priority whitelist,memcap 500
suppress gen_id 123, sig_id 8 
suppress gen_id 122, sig_id 27 
suppress gen_id 126, sig_id 2 
suppress gen_id 140, sig_id 2 
suppress gen_id 140, sig_id 10 
suppress gen_id 145, sig_id 2 
suppress gen_id 120, sig_id 8 
suppress gen_id 140, sig_id 12 
suppress gen_id 137, sig_id 1 
suppress gen_id 133, sig_id 27 
suppress gen_id 133, sig_id 28 
suppress gen_id 120, sig_id 8 
suppress gen_id 136, sig_id 2
output unified2:filename snort.log,limit 256
include include_rule_files.config
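Reading a profile_preprocs dump like the ones quoted above by eye is slow, so here is an added example (not code from the post, and not part of Snort) that parses that text layout and ranks where the time goes. The regular expression, the function names and the shortened sample excerpt embedded in it are mine; the excerpt reuses a handful of rows from the 1428800713 dump above.

```python
"""Rank hotspots in a Snort 2.9 'Preprocessor Profile Statistics' dump.

Added example, not code from the mailing-list post or from the Snort
project. It parses the plain-text layout of the profile_preprocs output
quoted in the thread (Num, Preprocessor, Layer, Checks, Exits, Microsecs,
Avg/Check, Pct of Caller, Pct of Total) and answers the questions a reader
asks of such a dump: which top-level stage dominates, which innermost entry
is the most expensive per call, and whose Checks and Exits disagree.
It is meant for the preprocessor dump only, not the rule-profile table.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One data row: Num (digits or 'total'), a name that may contain single
# spaces (e.g. 'rule tree eval'), Layer, Checks, Exits, Microsecs, then
# three floats. Header, '===' underline and 'timestamp:' lines never match.
ROW_RE = re.compile(
    r"^\s*(\d+|total)\s+(\S+(?: \S+)*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)

# Shortened excerpt (constructed for this example) of the 1428800713 dump
# quoted in the thread, keeping the nesting intact.
SAMPLE_DUMP = """\
 Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====           =========  ========= ============= ============
  1                    frag3     0         40         40                 385       9.63          0.00         0.00
   1             frag3insert     1         23         23                  35       1.56          9.31         0.00
  2                   detect     0    7684924    7684924            68923119       8.97         47.14        47.14
   1                    mpse     1    5545628    5545628            68037431      12.27         98.71        46.53
   2               rule eval     1    5164918    5164918             1260865       0.24          1.83         0.86
    1               rtn eval     2        459        459                 371       0.81          0.03         0.00
    2         rule tree eval     2    5164918    5164918             1085754       0.21         86.11         0.74
     1                  pcre     3       1598       1598               14856       9.30          1.37         0.01
  3                       s5     0    7446525    7446525            61955727       8.32         42.37        42.37
   1                   s5tcp     1    6953068    6953068            56430269       8.12         91.08        38.59
    1             s5TcpState     2    6940090    6940090            52366743       7.55         92.80        35.81
     1            s5TcpFlush     3     581802     581802             1357666       2.33          2.59         0.93
      1  s5TcpProcessRebuilt     4     581816     581816            40863060      70.23       3009.80        27.95
  4               DceRpcMain     0    3951134    3951134            22102796       5.59         15.12        15.12
   1            DceRpcDetect     1     406316     406316            19242291      47.36         87.06        13.16
   6           DceRpcSession     1    3951134    3951682             1290833       0.33          5.84         0.88
 total                 total     0    7689403    7689403           146222707      19.02          0.00         0.00
"""


@dataclass
class ProfRow:
    name: str
    layer: int
    checks: int
    exits: int
    microsecs: int
    avg_check: float
    pct_caller: float
    pct_total: float
    parent: Optional[str]  # enclosing entry, recovered from the Layer column
    is_total: bool


def parse_preproc_stats(text: str) -> List[ProfRow]:
    """Parse one dump into rows; nesting comes from the Layer column."""
    rows: List[ProfRow] = []
    parents: Dict[int, str] = {}  # layer -> name of the latest row at that layer
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        num, name, layer, checks, exits, usec, avg, pcall, ptot = m.groups()
        layer_i = int(layer)
        parent = parents.get(layer_i - 1) if layer_i > 0 else None
        rows.append(ProfRow(name, layer_i, int(checks), int(exits), int(usec),
                            float(avg), float(pcall), float(ptot), parent,
                            num == "total"))
        parents[layer_i] = name
        # Forget deeper entries so a later sibling's children are not
        # attached to a previous subtree.
        for deeper in [k for k in parents if k > layer_i]:
            del parents[deeper]
    return rows


def top_level_by_pct_total(rows: List[ProfRow]) -> List[ProfRow]:
    """Layer-0 stages (frag3, detect, s5, ...) by their share of total time."""
    return sorted((r for r in rows if r.layer == 0 and not r.is_total),
                  key=lambda r: r.pct_total, reverse=True)


def hottest_leaves(rows: List[ProfRow], n: int = 5) -> List[ProfRow]:
    """Innermost entries ranked by Avg/Check (microseconds per call).

    In the quoted dump this puts s5TcpProcessRebuilt (reassembled stream5
    data handed back through detection) far ahead of everything else; with
    PPM's max-pkt-time expressed in microseconds, a stage averaging 70 us
    with a long tail is where a 1000 us budget is most likely to be blown.
    """
    has_children = {r.parent for r in rows if r.parent is not None}
    leaves = [r for r in rows if r.name not in has_children and not r.is_total]
    return sorted(leaves, key=lambda r: r.avg_check, reverse=True)[:n]


def checks_exits_mismatch(rows: List[ProfRow]) -> List[ProfRow]:
    """Rows whose Exits differ from Checks (normally equal; worth a look)."""
    return [r for r in rows if r.checks != r.exits and not r.is_total]


if __name__ == "__main__":
    parsed = parse_preproc_stats(SAMPLE_DUMP)
    for r in top_level_by_pct_total(parsed):
        print(f"{r.name:<14} {r.pct_total:6.2f}% of total")
    for r in hottest_leaves(parsed, 3):
        print(f"leaf {r.name:<22} avg {r.avg_check:7.2f} us/check (in {r.parent})")
    for r in checks_exits_mismatch(parsed):
        print(f"checks/exits differ: {r.name} {r.checks} vs {r.exits}")
```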
N0de | 20 Apr 17:05 2015

[repost] Super slow performance of snort 2.9.6.0 in inline mode

Hi all,

This is a repost. For some obscure reason, my original message didn't show up in the list, so here it is again with its original file attachments. :)

---------------------------------Original message----------------------------------

I'm running the attached configuration file with an up to date connectivity policy ruleset selected through pulledpork. (around 840 rules total)

The result of this configuration when run inline was about 600 alerts from the ppm preprocessor, configured to fastpath any packet taking too long to process (1 second).

What I cannot make sense of is that the server was 96% idle on average during that test run, no other alert was raised but gid 134, and ppm reported that the average delay was 20 usec at snort exit. Basically: Snort wasn't able to analyse the packets in time while the server was completely idle. :|

Snort.stats is telling us that the maximum observed bandwidth was 14 Mbit/s.

Do you see anything weird in the following configuration file? Anything conflicting? Thank you for any input that you may have.

Snort: 2.9.6.0

Snort was run this way:

/usr/bin/snort --dynamic-engine-lib /usr/lib/snort_dynamicengine/libsf_engine.so --dynamic-preprocessor-lib-dir /usr/lib/snort_dynamicpreprocessor/ --dynamic-detection-lib-dir /usr/lib/snort_dynamicrules/ -i eth2:eth3 -c snort.conf -l /var/log --perfmon-file snort.stats --enable-inline-test -M


Here are the timestamps of when the PPM alerts were raised:

1 x Sat Apr 11 09:12:50 EDT 2015
1 x Sat Apr 11 09:59:44 EDT 2015
2 x Sat Apr 11 10:00:10 EDT 2015
2 x Sat Apr 11 10:02:12 EDT 2015
2 x Sat Apr 11 10:04:51 EDT 2015
1 x Sat Apr 11 10:06:14 EDT 2015
13 x Sat Apr 11 10:06:22 EDT 2015
13 x Sat Apr 11 10:06:38 EDT 2015
13 x Sat Apr 11 10:07:01 EDT 2015
14 x Sat Apr 11 10:07:14 EDT 2015
13 x Sat Apr 11 10:08:13 EDT 2015
3 x Sat Apr 11 10:09:16 EDT 2015
1 x Sat Apr 11 10:12:19 EDT 2015
16 x Sat Apr 11 10:12:20 EDT 2015
1 x Sat Apr 11 10:12:21 EDT 2015
27 x Sat Apr 11 10:12:22 EDT 2015
1 x Sat Apr 11 10:12:23 EDT 2015
1 x Sat Apr 11 10:12:26 EDT 2015
1 x Sat Apr 11 10:12:27 EDT 2015
2 x Sat Apr 11 10:12:28 EDT 2015
1 x Sat Apr 11 10:12:29 EDT 2015
31 x Sat Apr 11 10:13:22 EDT 2015
11 x Sat Apr 11 10:13:23 EDT 2015
14 x Sat Apr 11 10:13:25 EDT 2015
3 x Sat Apr 11 10:14:22 EDT 2015
2 x Sat Apr 11 10:16:23 EDT 2015
1 x Sat Apr 11 10:19:25 EDT 2015
2 x Sat Apr 11 10:20:26 EDT 2015
3 x Sat Apr 11 10:22:28 EDT 2015
1 x Sat Apr 11 10:25:30 EDT 2015
1 x Sat Apr 11 10:28:32 EDT 2015
1 x Sat Apr 11 10:28:33 EDT 2015
39 x Sat Apr 11 10:28:35 EDT 2015
5 x Sat Apr 11 10:28:36 EDT 2015
1 x Sat Apr 11 10:28:42 EDT 2015
17 x Sat Apr 11 10:28:44 EDT 2015
1 x Sat Apr 11 10:28:52 EDT 2015
1 x Sat Apr 11 10:29:25 EDT 2015
1 x Sat Apr 11 10:30:34 EDT 2015
1 x Sat Apr 11 10:31:35 EDT 2015
2 x Sat Apr 11 10:32:37 EDT 2015
1 x Sat Apr 11 10:33:38 EDT 2015
2 x Sat Apr 11 10:34:39 EDT 2015
1 x Sat Apr 11 10:38:42 EDT 2015
1 x Sat Apr 11 10:41:45 EDT 2015
1 x Sat Apr 11 10:42:21 EDT 2015
2 x Sat Apr 11 10:42:22 EDT 2015
2 x Sat Apr 11 10:43:46 EDT 2015
1 x Sat Apr 11 10:45:47 EDT 2015
1 x Sat Apr 11 10:47:49 EDT 2015
1 x Sat Apr 11 10:49:50 EDT 2015
2 x Sat Apr 11 10:51:51 EDT 2015
1 x Sat Apr 11 10:52:52 EDT 2015
3 x Sat Apr 11 10:53:53 EDT 2015
1 x Sat Apr 11 10:54:54 EDT 2015
2 x Sat Apr 11 10:55:55 EDT 2015
1 x Sat Apr 11 10:58:31 EDT 2015
2 x Sat Apr 11 10:58:32 EDT 2015
2 x Sat Apr 11 10:59:58 EDT 2015
2 x Sat Apr 11 11:01:59 EDT 2015
1 x Sat Apr 11 11:02:00 EDT 2015
13 x Sat Apr 11 11:03:28 EDT 2015
1 x Sat Apr 11 11:04:00 EDT 2015
1 x Sat Apr 11 11:08:03 EDT 2015
2 x Sat Apr 11 11:09:04 EDT 2015
3 x Sat Apr 11 11:11:05 EDT 2015
1 x Sat Apr 11 11:13:57 EDT 2015
2 x Sat Apr 11 11:13:58 EDT 2015
10 x Sat Apr 11 11:16:01 EDT 2015
2 x Sat Apr 11 11:16:02 EDT 2015
1 x Sat Apr 11 12:53:05 EDT 2015
2 x Sat Apr 11 12:55:06 EDT 2015
2 x Sat Apr 11 12:58:07 EDT 2015
1 x Sat Apr 11 13:00:01 EDT 2015
2 x Sat Apr 11 13:02:10 EDT 2015
2 x Sat Apr 11 13:03:11 EDT 2015
8 x Sat Apr 11 13:04:44 EDT 2015
1 x Sat Apr 11 13:05:13 EDT 2015
2 x Sat Apr 11 13:07:14 EDT 2015
39 x Sat Apr 11 13:08:47 EDT 2015
23 x Sat Apr 11 13:08:48 EDT 2015
2 x Sat Apr 11 13:09:15 EDT 2015
2 x Sat Apr 11 13:11:16 EDT 2015
2 x Sat Apr 11 13:14:18 EDT 2015
1 x Sat Apr 11 13:16:19 EDT 2015
2 x Sat Apr 11 13:19:21 EDT 2015
2 x Sat Apr 11 13:20:22 EDT 2015
13 x Sat Apr 11 13:22:02 EDT 2015
23 x Sat Apr 11 13:22:03 EDT 2015
10 x Sat Apr 11 13:22:04 EDT 2015
12 x Sat Apr 11 13:22:05 EDT 2015
13 x Sat Apr 11 13:22:06 EDT 2015
13 x Sat Apr 11 13:22:52 EDT 2015
1 x Sat Apr 11 13:24:25 EDT 2015
13 x Sat Apr 11 13:24:58 EDT 2015
13 x Sat Apr 11 13:25:37 EDT 2015
13 x Sat Apr 11 13:26:09 EDT 2015
13 x Sat Apr 11 13:26:12 EDT 2015
26 x Sat Apr 11 13:26:34 EDT 2015
1 x Sat Apr 11 13:27:26 EDT 2015
1 x Sat Apr 11 13:28:27 EDT 2015
13 x Sat Apr 11 13:29:20 EDT 2015
13 x Sat Apr 11 13:29:21 EDT 2015
2 x Sat Apr 11 13:29:22 EDT 2015
13 x Sat Apr 11 13:29:24 EDT 2015
13 x Sat Apr 11 13:29:48 EDT 2015
41 x Sat Apr 11 13:29:49 EDT 2015
9 x Sat Apr 11 13:29:51 EDT 2015
2 x Sat Apr 11 13:30:28 EDT 2015
20 x Sat Apr 11 13:31:02 EDT 2015
13 x Sat Apr 11 13:31:03 EDT 2015
15 x Sat Apr 11 13:31:04 EDT 2015
2 x Sat Apr 11 13:31:05 EDT 2015
16 x Sat Apr 11 13:31:08 EDT 2015
13 x Sat Apr 11 13:31:20 EDT 2015
10 x Sat Apr 11 13:31:21 EDT 2015
1 x Sat Apr 11 13:32:30 EDT 2015
13 x Sat Apr 11 13:32:53 EDT 2015
2 x Sat Apr 11 13:34:31 EDT 2015
2 x Sat Apr 11 13:36:32 EDT 2015
1 x Sat Apr 11 13:37:33 EDT 2015
2 x Sat Apr 11 13:41:59 EDT 2015
2 x Sat Apr 11 13:44:00 EDT 2015
1 x Sat Apr 11 13:46:01 EDT 2015
1 x Sat Apr 11 13:47:02 EDT 2015
1 x Sat Apr 11 13:48:03 EDT 2015
2 x Sat Apr 11 13:50:05 EDT 2015
1 x Sat Apr 11 13:54:06 EDT 2015
13 x Sat Apr 11 13:54:14 EDT 2015
13 x Sat Apr 11 13:54:28 EDT 2015
9 x Sat Apr 11 13:55:52 EDT 2015
2 x Sat Apr 11 13:56:08 EDT 2015
1 x Sat Apr 11 13:58:09 EDT 2015
2 x Sat Apr 11 14:01:11 EDT 2015
1 x Sat Apr 11 14:03:12 EDT 2015
1 x Sat Apr 11 14:05:14 EDT 2015
2 x Sat Apr 11 14:06:18 EDT 2015
1 x Sat Apr 11 14:07:15 EDT 2015
1 x Sat Apr 11 16:03:05 EDT 2015
1 x Sat Apr 11 16:05:19 EDT 2015
26 x Sat Apr 11 16:10:06 EDT 2015
15 x Sat Apr 11 16:10:07 EDT 2015
2 x Sat Apr 11 16:10:08 EDT 2015
2 x Sat Apr 11 16:10:09 EDT 2015
3 x Sat Apr 11 16:10:17 EDT 2015
2 x Sat Apr 11 16:10:18 EDT 2015
13 x Sat Apr 11 16:10:20 EDT 2015
28 x Sat Apr 11 16:10:21 EDT 2015
3 x Sat Apr 11 16:10:22 EDT 2015
2 x Sat Apr 11 16:10:23 EDT 2015
3 x Sat Apr 11 16:10:46 EDT 2015
2 x Sat Apr 11 16:17:08 EDT 2015
1 x Sat Apr 11 16:17:09 EDT 2015
1 x Sat Apr 11 16:17:17 EDT 2015
92 x Sat Apr 11 16:36:36 EDT 2015
52 x Sat Apr 11 16:36:38 EDT 2015
74 x Sat Apr 11 16:36:40 EDT 2015
87 x Sat Apr 11 16:36:41 EDT 2015
8 x Sat Apr 11 16:36:42 EDT 2015
13 x Sat Apr 11 16:40:05 EDT 2015
13 x Sat Apr 11 16:40:06 EDT 2015
2 x Sat Apr 11 16:40:24 EDT 2015
1 x Sat Apr 11 16:40:25 EDT 2015
1 x Sat Apr 11 21:16:47 EDT 2015
5 x Sat Apr 11 21:37:34 EDT 2015
17 x Sat Apr 11 21:37:35 EDT 2015
2 x Sat Apr 11 22:08:31 EDT 2015
1 x Sat Apr 11 22:53:09 EDT 2015
11 x Sat Apr 11 22:53:10 EDT 2015
1 x Sun Apr 12 00:16:27 EDT 2015
1 x Sun Apr 12 00:56:20 EDT 2015
6 x Sun Apr 12 00:56:21 EDT 2015
5 x Sun Apr 12 00:56:22 EDT 2015
10 x Sun Apr 12 07:24:52 EDT 2015
14 x Sun Apr 12 07:25:21 EDT 2015
26 x Sun Apr 12 07:26:08 EDT 2015
1 x Sun Apr 12 07:27:34 EDT 2015
1 x Sun Apr 12 07:27:35 EDT 2015
14 x Sun Apr 12 07:27:58 EDT 2015
2 x Sun Apr 12 07:28:09 EDT 2015
3 x Sun Apr 12 14:56:02 EDT 2015
1 x Sun Apr 12 18:13:43 EDT 2015
15 x Sun Apr 12 18:14:05 EDT 2015
3 x Sun Apr 12 18:14:08 EDT 2015
12 x Sun Apr 12 18:14:09 EDT 2015
3 x Sun Apr 12 18:14:19 EDT 2015
12 x Sun Apr 12 18:14:20 EDT 2015
15 x Sun Apr 12 18:16:07 EDT 2015
15 x Sun Apr 12 18:16:09 EDT 2015
1 x Sun Apr 12 18:27:23 EDT 2015
2 x Sun Apr 12 18:44:25 EDT 2015
1 x Sun Apr 12 19:14:05 EDT 2015
15 x Sun Apr 12 19:36:52 EDT 2015
16 x Sun Apr 12 19:36:53 EDT 2015
15 x Sun Apr 12 19:37:39 EDT 2015
2 x Sun Apr 12 19:37:42 EDT 2015
42 x Sun Apr 12 19:37:44 EDT 2015
20 x Sun Apr 12 19:37:45 EDT 2015
15 x Sun Apr 12 19:37:49 EDT 2015
16 x Sun Apr 12 19:38:20 EDT 2015
1 x Sun Apr 12 20:02:34 EDT 2015
24 x Sun Apr 12 20:06:06 EDT 2015
107 x Sun Apr 12 20:06:07 EDT 2015
15 x Sun Apr 12 20:06:08 EDT 2015
31 x Sun Apr 12 20:06:09 EDT 2015
32 x Sun Apr 12 20:06:11 EDT 2015
1 x Sun Apr 12 20:06:13 EDT 2015
62 x Sun Apr 12 20:06:14 EDT 2015
15 x Sun Apr 12 20:06:16 EDT 2015
16 x Sun Apr 12 20:06:17 EDT 2015
1 x Sun Apr 12 20:06:18 EDT 2015
1 x Sun Apr 12 20:06:23 EDT 2015
1 x Sun Apr 12 20:07:40 EDT 2015
39 x Sun Apr 12 20:12:47 EDT 2015
100 x Sun Apr 12 20:12:49 EDT 2015
53 x Sun Apr 12 20:12:51 EDT 2015
84 x Sun Apr 12 20:12:53 EDT 2015
17 x Sun Apr 12 20:12:54 EDT 2015
1 x Sun Apr 12 20:15:04 EDT 2015
2 x Sun Apr 12 20:15:09 EDT 2015
3 x Sun Apr 12 20:15:11 EDT 2015
3 x Sun Apr 12 20:16:47 EDT 2015
1 x Sun Apr 12 20:17:39 EDT 2015
15 x Sun Apr 12 20:17:42 EDT 2015
1 x Sun Apr 12 20:18:16 EDT 2015
1 x Sun Apr 12 20:18:17 EDT 2015
1 x Sun Apr 12 20:20:14 EDT 2015
1 x Sun Apr 12 20:20:16 EDT 2015
2 x Sun Apr 12 20:21:44 EDT 2015
2 x Sun Apr 12 20:21:45 EDT 2015
1 x Sun Apr 12 20:24:29 EDT 2015
1 x Sun Apr 12 20:30:52 EDT 2015
1 x Sun Apr 12 20:33:05 EDT 2015
1 x Sun Apr 12 20:43:45 EDT 2015
1 x Sun Apr 12 20:43:46 EDT 2015
1 x Sun Apr 12 20:47:32 EDT 2015
1 x Sun Apr 12 20:47:33 EDT 2015
2 x Sun Apr 12 20:57:23 EDT 2015
4 x Sun Apr 12 20:58:31 EDT 2015
16 x Sun Apr 12 21:00:12 EDT 2015
3 x Sun Apr 12 21:04:46 EDT 2015
1 x Sun Apr 12 21:07:44 EDT 2015
10 x Mon Apr 13 06:53:30 EDT 2015
5 x Mon Apr 13 06:53:31 EDT 2015
16 x Mon Apr 13 06:53:32 EDT 2015
14 x Mon Apr 13 06:53:36 EDT 2015
11 x Mon Apr 13 06:54:43 EDT 2015
17 x Mon Apr 13 06:54:50 EDT 2015
1 x Mon Apr 13 06:55:13 EDT 2015
15 x Mon Apr 13 06:55:14 EDT 2015
1 x Mon Apr 13 06:55:15 EDT 2015
11 x Mon Apr 13 06:55:23 EDT 2015
1 x Mon Apr 13 06:55:26 EDT 2015
8 x Mon Apr 13 06:55:43 EDT 2015
3 x Mon Apr 13 06:55:44 EDT 2015
14 x Mon Apr 13 06:55:50 EDT 2015
26 x Mon Apr 13 06:55:59 EDT 2015
13 x Mon Apr 13 06:56:05 EDT 2015
1 x Mon Apr 13 06:56:35 EDT 2015
1 x Mon Apr 13 06:56:55 EDT 2015
1 x Mon Apr 13 06:57:00 EDT 2015
12 x Mon Apr 13 06:57:17 EDT 2015
2 x Mon Apr 13 06:57:18 EDT 2015
13 x Mon Apr 13 06:57:31 EDT 2015
13 x Mon Apr 13 06:59:29 EDT 2015
15 x Mon Apr 13 06:59:48 EDT 2015
1 x Mon Apr 13 06:59:49 EDT 2015
1 x Mon Apr 13 06:59:51 EDT 2015

timestamp: 1428698209
Rule Profile Statistics (worst 20 rules)
==========================================================
No rules were profiled

timestamp: 1428698218
Rule Profile Statistics (worst 20 rules)
==========================================================
No rules were profiled

timestamp: 1428714039
Rule Profile Statistics (worst 20 rules)
==========================================================
No rules were profiled

timestamp: 1428800713
Rule Profile Statistics (worst 20 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1    20560   1   7          6         0         0                 251       41.9        0.0         41.9          0
     2    24037   1   5        299         0         0                8856       29.6        0.0         29.6          0
     3    32544   1   1         76         0         0                1969       25.9        0.0         25.9          0
     4    32460   1   1         10         0         0                 255       25.6        0.0         25.6          0
     5    25515   1   2         31         2         0                 722       23.3        1.2         24.8          0
     6    23134   1   3         53         0         0                1132       21.4        0.0         21.4          0
     7    31749   1   1        242         0         0                3691       15.3        0.0          9.5          0
     8    23870   1   6         27         0         0                 362       13.4        0.0         13.4          0
     9    15013   1  12          4         4         0                  39       10.0       10.0          0.0          0
    10    19211   1  12        264       264         0                2508        9.5        9.5          0.0          0
    11    31276   1   1       1390         0         0               12077        8.7        0.0          8.7          0
    12    31279   1   1       1390         0         0               11965        8.6        0.0          8.6          0
    13    28895   1   2         76         0         0                 618        8.1        0.0          8.1          0
    14    21625   1   6         76         0         0                 618        8.1        0.0          8.1          0
    15    32720   1   1          9         0         0                  70        7.8        0.0          7.8          0
    16    16425   1  15          1         0         0                   7        7.5        0.0          7.5          0
    17    24808   1   3       1325         0         0                8006        6.0        0.0          6.0          0
    18    15483   1  13         14        14         0                  81        5.8        5.8          0.0          0
    19    25513   1   3       1026         2         0                5762        5.6        5.2          5.6          0
    20    21623   1   6          8         0         0                  40        5.1        0.0          5.1          0

timestamp: 1428940048
Rule Profile Statistics (worst 20 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1    32460   1   1         12         0         0                 401       33.5        0.0         33.5          0
     2    20560   1   7          9         0         0                 283       31.5        0.0         31.5          0
     3    24037   1   5        694         0         0               17456       25.2        0.0         25.2          0
     4    25515   1   2        181         1         0                3807       21.0        1.9         21.1          0
     5    23134   1   3         69         0         0                1360       19.7        0.0         19.7          0
     6    31749   1   1        354         0         0                5690       16.1        0.0          8.9          0
     7    23870   1   6         12         0         0                 176       14.7        0.0         14.7          0
     8    15237   1  10          1         0         0                  13       14.0        0.0         14.0          0
     9    15865   1  13          2         2         0                  23       11.8       11.8          0.0          0
    10    32544   1   1        268         0         0                2854       10.7        0.0         10.7          0
    11    19211   1  12        724       723         0                6931        9.6        9.6          5.3          0
    12    21623   1   6         20         0         0                 175        8.8        0.0          8.8          0
    13    28896   1   2         20         0         0                 175        8.8        0.0          8.8          0
    14    27598   1   1          3         0         0                  21        7.0        0.0          7.0          0
    15    25513   1   3       2691         0         0               17642        6.6        0.0          6.6          0
    16    15483   1  13         49        49         0                 302        6.2        6.2          0.0          0
    17    24808   1   3       1466         0         0                8932        6.1        0.0          6.1          0
    18    32720   1   1         10         0         0                  57        5.7        0.0          5.7          0
    19    31276   1   1        322         0         0                1839        5.7        0.0          5.7          0
    20    31279   1   1        322         0         0                1710        5.3        0.0          5.3          0
Attachment (snort.stats): application/octet-stream, 298 KiB

timestamp: 1428698209
Preprocessor Profile Statistics (worst 20)
==========================================================
No Preprocessors were profiled

timestamp: 1428698218
Preprocessor Profile Statistics (worst 20)
==========================================================
No Preprocessors were profiled

timestamp: 1428714039
Preprocessor Profile Statistics (worst 20)
==========================================================
No Preprocessors were profiled

timestamp: 1428800713
Preprocessor Profile Statistics (worst 20)
==========================================================
 Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====           =========  ========= ============= ============
  1                    frag3     0         40         40                 385       9.63          0.00         0.00
   1             frag3insert     1         23         23                  35       1.56          9.31         0.00
   2            frag3rebuild     1         17         17                  16       0.96          4.24         0.00
  2                   detect     0    7684924    7684924            68923119       8.97         47.14        47.14
   1                    mpse     1    5545628    5545628            68037431      12.27         98.71        46.53
   2               rule eval     1    5164918    5164918             1260865       0.24          1.83         0.86
    1               rtn eval     2        459        459                 371       0.81          0.03         0.00
    2         rule tree eval     2    5164918    5164918             1085754       0.21         86.11         0.74
     1                  pcre     3       1598       1598               14856       9.30          1.37         0.01
     2               content     3      48618      48618               65541       1.35          6.04         0.04
     3             byte_test     3        599        599                 479       0.80          0.04         0.00
     4            uricontent     3          1          1                   0       0.56          0.00         0.00
     5             byte_jump     3          4          4                   1       0.44          0.00         0.00
     6  preproc_rule_options     3      98632      98632               23560       0.24          2.17         0.02
     7          urilen_check     3         13         13                   1       0.15          0.00         0.00
     8             file_data     3      54787      54787                1240       0.02          0.11         0.00
     9                  flow     3    4315769    4315769               84262       0.02          7.76         0.06
    10              flowbits     3    2849766    2849766               53382       0.02          4.92         0.04
  3                       s5     0    7446525    7446525            61955727       8.32         42.37        42.37
   1                   s5tcp     1    6953068    6953068            56430269       8.12         91.08        38.59
    1             s5TcpState     2    6940090    6940090            52366743       7.55         92.80        35.81
     1            s5TcpFlush     3     581802     581802             1357666       2.33          2.59         0.93
      1  s5TcpProcessRebuilt     4     581816     581816            40863060      70.23       3009.80        27.95
      2     s5TcpBuildPacket     4     581816     581816              674924       1.16         49.71         0.46
     2             s5TcpData     3    4035914    4035914             3944591       0.98          7.53         2.70
      1       s5TcpPktInsert     4    3034872    3034872             3026144       1.00         76.72         2.07
     3              s5TcpPAF     3    4261148    4261148              699773       0.16          1.34         0.48
    2           s5TcpNewSess     2      51598      51598              104922       2.03          0.19         0.07
   2                   s5udp     1     493457     493457              598120       1.21          0.97         0.41
  4               DceRpcMain     0    3951134    3951134            22102796       5.59         15.12        15.12
   1            DceRpcDetect     1     406316     406316            19242291      47.36         87.06        13.16
   2           DceRpcCoReass     1      34454      34454              252394       7.33          1.14         0.17
   3             DceRpcCoSeg     1          1          1                   1       1.43          0.00         0.00
   4            DceRpcCoFrag     1     352010     352010              241325       0.69          1.09         0.17
   5      DceRpcSmbNegotiate     1        539        539                 347       0.65          0.00         0.00
   6           DceRpcSession     1    3951134    3951682             1290833       0.33          5.84         0.88
    1       DceRpcNewSession     2    1814321    1814321              524483       0.29         40.63         0.36
    2     DceRpcSessionState     2     406865     406865               30920       0.08          2.40         0.02
   7            DceRpcSmbReq     1       1626       1626                 386       0.24          0.00         0.00
   8            DceRpcSmbFid     1        548        548                  78       0.14          0.00         0.00
   9             DceRpcCoCtx     1     433848     433848               60375       0.14          0.27         0.04
  10               DceRpcLog     1     475772     475772               57855       0.12          0.26         0.04
  5                      ssl     0     135023     135023              746230       5.53          0.51         0.51
  6              httpinspect     0    3656470    3656470             8389253       2.29          5.74         5.74
  7            ftptelnet_ftp     0        334        334                 632       1.89          0.00         0.00
  8                   decode     0    7697914    7697914             9822374       1.28          6.72         6.72
  9               sfportscan     0    7439929    7439929             3294390       0.44          2.25         2.25
 10                  perfmon     0    8270269    8270269             2564024       0.31          1.75         1.75
 11                     dnp3     0     494535     494535              134210       0.27          0.09         0.09
 12                      sip     0     675089     675089              153716       0.23          0.11         0.11
 13                     smtp     0    3133640    3133640              663215       0.21          0.45         0.45
 14               reputation     0    7527572    7527572             1152611       0.15          0.79         0.79
 15                      dns     0      59163      59163                8890       0.15          0.01         0.01
 16                   eventq     0   15960639   15960639             1683147       0.11          1.15         1.15
 17                   modbus     0    3131051    3131051              319937       0.10          0.22         0.22
 18                      ssh     0    3131051    3131051              301924       0.10          0.21         0.21
 total                 total     0    7689403    7689403           146222707      19.02          0.00         0.00

timestamp: 1428940048
Preprocessor Profile Statistics (worst 20)
==========================================================
 Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====           =========  ========= ============= ============
  1                    frag3     0        599        599                5665       9.46          0.00         0.00
   1             frag3insert     1        302        302                 339       1.12          6.00         0.00
   2            frag3rebuild     1        297        297                 255       0.86          4.50         0.00
  2                   detect     0   18882958   18882958           154157544       8.16         43.96        43.96
   1                    mpse     1   13579495   13579495           142394746      10.49         92.37        40.61
   2               rule eval     1    7621378    7621378             2380766       0.31          1.54         0.68
    1               rtn eval     2       1137       1137                 915       0.81          0.04         0.00
    2         rule tree eval     2    7621378    7621378             2022970       0.27         84.97         0.58
     1                  pcre     3       3835       3835               33434       8.72          1.65         0.01
     2            uricontent     3          5          5                   9       1.93          0.00         0.00
     3               content     3      92741      92741              101562       1.10          5.02         0.03
     4             byte_test     3       1427       1427                1226       0.86          0.06         0.00
     5             byte_jump     3          4          4                   1       0.48          0.00         0.00
     6  preproc_rule_options     3     258235     258235               58111       0.23          2.87         0.02
     7              isdataat     3          2          2                   0       0.18          0.00         0.00
     8          urilen_check     3         51         51                   6       0.14          0.00         0.00
     9             file_data     3      17056      17056                 679       0.04          0.03         0.00
    10                  flow     3    6787978    6787978              175649       0.03          8.68         0.05
    11              flowbits     3    2517563    2517563               57140       0.02          2.82         0.02
  3                       s5     0   18674874   18674874           130341125       6.98         37.17        37.17
   1                   s5tcp     1   16439136   16439136           113705106       6.92         87.24        32.42
    1             s5TcpState     2   16434191   16434191           104067409       6.33         91.52        29.68
     1            s5TcpFlush     3    1359152    1359152             2790831       2.05          2.68         0.80
      1  s5TcpProcessRebuilt     4    1359171    1359171            79166251      58.25       2836.65        22.58
      2     s5TcpBuildPacket     4    1359171    1359171             1308550       0.96         46.89         0.37
     2             s5TcpData     3    9953165    9953165             7644370       0.77          7.35         2.18
      1       s5TcpPktInsert     4    6146388    6146388             5476132       0.89         71.64         1.56
     3              s5TcpPAF     3   10451411   10451411             1575618       0.15          1.51         0.45
    2           s5TcpNewSess     2      92917      92917              182355       1.96          0.16         0.05
   2                   s5udp     1    2235738    2235738             2878024       1.29          2.21         0.82
  4                      ssl     0     207944     207944             1244064       5.98          0.35         0.35
  5               DceRpcMain     0   11789317   11789317            62760638       5.32         17.90        17.90
   1            DceRpcDetect     1    1108158    1108158            53855013      48.60         85.81        15.36
   2           DceRpcCoReass     1      96319      96319              714368       7.42          1.14         0.20
   3            DceRpcCoFrag     1     988079     988079              652801       0.66          1.04         0.19
   4      DceRpcSmbNegotiate     1       1697       1697                1085       0.64          0.00         0.00
   5           DceRpcSession     1   11789317   11791039             4492159       0.38          7.16         1.28
    1       DceRpcNewSession     2    5794629    5794629             2023486       0.35         45.04         0.58
    2     DceRpcSessionState     2    1109880    1109880               82462       0.07          1.84         0.02
   6            DceRpcSmbReq     1       5116       5116                1272       0.25          0.00         0.00
   7            DceRpcSmbFid     1       1722       1722                 262       0.15          0.00         0.00
   8             DceRpcCoCtx     1    1200643    1200643              152222       0.13          0.24         0.04
   9               DceRpcLog     1    1302518    1302518              147165       0.11          0.23         0.04
  6            ftptelnet_ftp     0       1103       1103                2110       1.91          0.00         0.00
  7                   decode     0   19024618   19024618            25240228       1.33          7.20         7.20
  8              httpinspect     0    9917192    9917192            11205946       1.13          3.20         3.20
  9               sfportscan     0   18628919   18628919            11173468       0.60          3.19         3.19
 10                  perfmon     0   20365934   20365934             6409812       0.31          1.83         1.83
 11                     dnp3     0    2238800    2238800              573925       0.26          0.16         0.16
 12                      sip     0    4832721    4832721             1131755       0.23          0.32         0.32
 13                     smtp     0    8639541    8639541             2004228       0.23          0.57         0.57
 14                      ssh     0    8638697    8638697             1782666       0.21          0.51         0.51
 15               reputation     0   18742989   18742989             3070248       0.16          0.88         0.88
 16                      dns     0     119856     119856               16207       0.14          0.00         0.00
 17                   eventq     0   39376316   39376316             4465001       0.11          1.27         1.27
 18                   modbus     0    8638697    8638697              903829       0.10          0.26         0.26
 total                 total     0   19008424   19008424           350673636      18.45          0.00         0.00
config ppm:max-pkt-time 1000, fastpath-expensive-packets, pkt-log alert
config detection:search-method ac-nq search-optimize max-pattern-len 20
config flowbits_size:576
config event_queue:max_queue 8 log 3 order_events content_length
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config checksum_mode:all
config pcre_match_limit:3500
config pcre_match_limit_recursion:1500
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
config profile_preprocs:print 20, sort avg_ticks, filename preproc.stats.log append
config profile_rules:print 20, sort avg_ticks, filename rules.stats.log append
config daq_mode:inline
config daq_dir:/usr/lib64/daq
config daq:afpacket
config daq_var:buffer_size_mb=1024
config enable_decode_drops
var HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var FTP_SERVERS $HOME_NET
var SSH_SERVERS $HOME_NET
var POP_SERVERS $HOME_NET
var IMAP_SERVERS $HOME_NET
var RPC_SERVERS $HOME_NET
var WWW_SERVERS $HOME_NET
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1024:
var AUTH_PORTS 113
var DNS_PORTS 53
var FINGER_PORTS 79
var FTP_PORTS [21,2100,3535]
var IMAP_PORTS 143
var IRC_PORTS [6665,6666,6667,6668,6669,7000]
var MSSQL_PORTS 1433
var NNTP_PORTS 119
var POP2_PORTS 109
var POP3_PORTS 110
var SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
var RLOGIN_PORTS 513
var RSH_PORTS 514
var SMB_PORTS [139,445]
var SMTP_PORTS 25
var SNMP_PORTS 161
var SSH_PORTS 22
var TELNET_PORTS 23
var MAIL_PORTS [25,143,465,691]
var SSL_PORTS [25,443,465,636,993,995]
var DCERPC_NCACN_IP_TCP [139,445]
var DCERPC_NCADG_IP_UDP [138,1024:]
var DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
var DCERPC_NCACN_UDP_LONG [135,1024:]
var DCERPC_NCACN_UDP_SHORT [135,593,1024:]
var DCERPC_NCACN_TCP [2103,2105,2107]
var DCERPC_BRIGHTSTORE [6503,6504]
var RULE_PATH ../rules
var SIP_SERVERS $HOME_NET 
var SIP_PORTS [5060,5061,5600]
var FILE_DATA_PORTS [$HTTP_PORTS,110,143]
var GTP_PORTS [2123,2152,3386] 
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor frag3_global:max_frags 65536
preprocessor frag3_engine:policy Windows detect_anomalies min_ttl 1 timeout 180
preprocessor http_inspect:global decompress_depth 65535 compress_depth 65535 iis_unicode_map
unicode.map 1252
preprocessor http_inspect_server:server default max_spaces 200 extended_response_inspection
inspect_gzip unlimited_decompress enable_cookie normalize_javascript http_methods { GET POST PUT
SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE
TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT
PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } normalize_utf
webroot no iis_delimiter no apache_whitespace no directory no iis_backslash no multi_slash no
non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } bare_byte no u_encode yes double_decode no
iis_unicode no utf_8 no ascii no oversize_dir_length 500 no_alerts chunk_length 500000 post_depth
65495 client_flow_depth 0 server_flow_depth 0 ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631
801 808 818 901 972 1158 1220 1414 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848
5117 5250 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8081 8082 8085
8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443
9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555
56712 }
preprocessor perfmonitor:pktcnt 5000 snortfile snort.stats time 300
preprocessor rpc_decode:111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 
no_alert_large_fragments no_alert_incomplete no_alert_multiple_requests
preprocessor sfportscan:sense_level { low } scan_type { all } proto { tcp udp }
preprocessor stream5_global:max_udp 131072,track_icmp no,track_udp yes,max_udp 131072,track_tcp
yes,max_tcp 262144,memcap 134217728
preprocessor stream5_tcp:max_queued_segs 2621,ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135
136 137 139 143 161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181
32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 36 80 81 82 83 84 85 86 87 88 89 90 110
311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 2231
2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7907 7000 7001 7071 7144
7145 7510 7802 7770 7777 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915
7916 7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280
8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300
34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712,policy windows,timeout 180
preprocessor stream5_udp:ignore_any_rules,timeout 180
preprocessor dcerpc2:events [co ],memcap 102400
preprocessor dcerpc2_server:default,smb_invalid_shares ["C$", "D$", "ADMIN$"],smb_max_chain
3,autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:],detect [smb [139,445], tcp 135, udp
135, rpc-over-http-server 593],policy WinXP
preprocessor dns:enable_rdata_overflow ports { 53 }
preprocessor ftp_telnet:global inspection_type stateful encrypted_traffic no
preprocessor ftp_telnet_protocol:telnet normalize ayt_attack_thresh 60
preprocessor ftp_telnet_protocol:ftp server default data_chan chk_str_fmt { ACCT ADAT ALLO APPE AUTH
CEL CLNT CMD } chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } chk_str_fmt { LANG LIST LPRT MACB MAIL
MDTM MIC MKD } chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } chk_str_fmt { PROT REST RETR RMD RNFR
RNTO SDUP SITE } chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } chk_str_fmt { XCRC XCWD XMAS XMD5
XMKD XRCP XRMD XRSQ } chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } cmd_validity ALLO < int [ char R int ] >
cmd_validity EPSV < [ { char 12 | char A char L char L } ] > cmd_validity MACB < string > cmd_validity MDTM < [
date nnnnnnnnnnnnnn[.n[n[n]]] ] string > cmd_validity MODE < char ASBCZ > cmd_validity PORT < host_port
> cmd_validity PROT < char CSEP > cmd_validity STRU < char FRPO [ string ] > cmd_validity TYPE < { char AE [
char NTC ] | char I | char L [ number ] } > alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT
REIN STOU SYST XCUP XPWD } alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD }
alt_max_param_len 256 { CWD RNTO } alt_max_param_len 400 { PORT } alt_max_param_len 512 { SIZE }
def_max_param_len 100 ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } ftp_cmds { CEL CLNT CMD CONF CWD
DELE ENC EPRT } ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD
MLST } ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR }
ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD }
ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } ports { 21 2100 3535 }
preprocessor ftp_telnet_protocol:ftp client default bounce yes max_resp_len 256 telnet_cmds no
preprocessor smtp:log_email_hdrs log_filename log_rcptto log_mailfrom uu_decode_depth 0
bitenc_decode_depth 0 qp_decode_depth 0 b64_decode_depth 0 valid_cmds { ATRN AUTH BDAT CHUNKING DATA
DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT
RSET SAML SEND SOML } valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 }
valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } xlink2state
{ enable } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT }
alt_max_command_line_len 500 { HELP HELO ETRN EHLO } alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE
BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } alt_max_command_line_len 246 { SEND SAML SOML AUTH
TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR
XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL
ESAM ESND ESOM ETRN EVFY } normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND
SOML } normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 }
normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR }
no_alerts max_response_line_len 512 max_header_line_len 1000 max_command_line_len 512 normalize
cmds inspection_type stateful ports { 25 465 587 691 }
preprocessor ssh:enable_srvoverflow enable_ssh1crc32 enable_respoverflow
max_server_version_len 100 max_client_bytes 19600 max_encrypted_packets 20 autodetect
server_ports { 22 }
preprocessor ssl:trustservers,noinspect_encrypted,ports { 443 465 563 636 989 992 993 994 995 7801 7702
7802 7900 7901 7902 7903 7904 7905 7906 6907 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919
7920 }
preprocessor sip:max_content_len 1024,max_contact_len 512,max_via_len 1024,max_to_len
256,max_from_len 256,max_requestName_len 20,max_call_id_len 80,max_uri_len 512,methods { invite
cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack
publish service unsubscribe prack },ports { 5060 5061 5600 },max_sessions 10000
preprocessor modbus:ports { 502 }
preprocessor dnp3:check_crc memcap 262144 ports { 20000 }
preprocessor normalize_ip4
preprocessor normalize_tcp:ecn stream ips
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor reputation:white trust,scan_local,blacklist
$BLACK_LIST_PATH/blacklist.list,whitelist $WHITE_LIST_PATH/whitelist.list,nested_ip
inner,priority whitelist,memcap 500
suppress gen_id 123, sig_id 8 
suppress gen_id 122, sig_id 27 
suppress gen_id 126, sig_id 2 
suppress gen_id 140, sig_id 2 
suppress gen_id 140, sig_id 10 
suppress gen_id 145, sig_id 2 
suppress gen_id 120, sig_id 8 
suppress gen_id 140, sig_id 12 
suppress gen_id 137, sig_id 1 
suppress gen_id 133, sig_id 27 
suppress gen_id 133, sig_id 28 
suppress gen_id 120, sig_id 8 
suppress gen_id 136, sig_id 2
output unified2:filename snort.log,limit 256
include include_rule_files.config
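The posted snort.conf binds each preprocessor to an explicit port list while the rules reference `$FTP_PORTS`, `$SMTP_PORTS` and so on; when the two drift apart (in the posted config, for instance, `var SMTP_PORTS 25` against `smtp ... ports { 25 465 587 691 }`, and `var SSL_PORTS` against the `ssl` port list), the preprocessor inspects traffic that no rule can match, or rules reference ports the preprocessor never normalizes. The check below is an added example written for this page, not code from the poster, Snort or PulledPork; it folds mail-wrapped continuation lines back onto their directive, compares each `*_PORTS` var with the preprocessor it is assumed to pair with (the `PREPROC_TO_VAR` mapping is that assumption), and flags rules that hardcode a port a var already covers. The sample config excerpt is constructed from values in the posted config, and the sample rules and their sids are constructed.

```python
"""Consistency check for Snort 2.x port variables (constructed example)."""
import re

# Which preprocessor port list should agree with which `var`. This pairing is
# an assumption made for the check; Snort itself does not enforce it.
PREPROC_TO_VAR = [
    (r"^ftp_telnet_protocol:\s*ftp\s+server\b", "FTP_PORTS"),
    (r"^http_inspect_server:", "HTTP_PORTS"),
    (r"^ssh:", "SSH_PORTS"),
    (r"^ssl:", "SSL_PORTS"),
    (r"^smtp:", "SMTP_PORTS"),
    (r"^sip:", "SIP_PORTS"),
    (r"^dns:", "DNS_PORTS"),
]
TOP_LEVEL = re.compile(r"^(preprocessor|config|var|output|include|suppress|dynamic\w*)\b")
RULE = re.compile(r"^(alert|drop|log|pass|reject|sdrop)\s+\w+\s+\S+\s+(\S+)\s+"
                  r"(?:->|<>)\s+\S+\s+(\S+)\s+\((.*)\)\s*$")


def parse_port_spec(spec, variables):
    """Expand '21', '[21,2100]', '1024:' or '[$HTTP_PORTS,110]' into a set of ints.
    Negated specs such as '!80' are not expanded; None signals 'skip'."""
    spec = spec.strip()
    if spec.startswith("!"):
        return None
    ports = set()
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("$"):                      # nested variable reference
            sub = parse_port_spec(variables[item[1:]], variables)
            if sub is None:
                return None
            ports |= sub
        elif ":" in item:                             # range, open at either end
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(item))
    return ports


def parse_conf(text):
    """Return (variables, preprocessor blocks); wrapped continuation lines are
    appended to the preceding 'preprocessor' directive."""
    variables, blocks, current = {}, [], None
    for line in text.splitlines():
        stripped = line.strip()
        if TOP_LEVEL.match(stripped):
            current = stripped
            kw, _, rest = stripped.partition(" ")
            if kw == "var":
                name, _, value = rest.partition(" ")
                variables[name] = value.strip()
            elif kw == "preprocessor":
                blocks.append(rest)
        elif stripped and current and current.startswith("preprocessor"):
            blocks[-1] += " " + stripped
    return variables, blocks


def preproc_ports(block):
    """Ports a preprocessor is bound to via 'ports { ... }' or 'server_ports { ... }'."""
    m = re.search(r"\b(?:server_)?ports\s*\{([^}]*)\}", block)
    return {int(p) for p in m.group(1).split()} if m else None


def check_port_variables(conf_text):
    """var -> {'var_only': ports rules see but the preprocessor ignores,
               'preproc_only': ports the preprocessor inspects but $VAR rules skip}."""
    variables, blocks = parse_conf(conf_text)
    findings = {}
    for block in blocks:
        for pattern, var in PREPROC_TO_VAR:
            if re.match(pattern, block) and var in variables:
                declared = parse_port_spec(variables[var], variables)
                bound = preproc_ports(block)
                if declared is not None and bound is not None and declared != bound:
                    findings[var] = {"var_only": declared - bound,
                                     "preproc_only": bound - declared}
    return findings


def find_hardcoded_ports(rules_text, variables,
                         port_vars=("FTP_PORTS", "HTTP_PORTS", "SSH_PORTS", "SMTP_PORTS")):
    """Rules whose port field is a literal already covered by a *_PORTS var; such a
    rule misses the same service on the var's other ports. Returns (sid, port, var)."""
    expanded = {v: parse_port_spec(variables[v], variables) for v in port_vars if v in variables}
    hits = []
    for line in rules_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        sid = re.search(r"\bsid:\s*(\d+)", m.group(4))
        for field in (m.group(2), m.group(3)):
            if field.isdigit():
                for var, ports in expanded.items():
                    if int(field) in ports:
                        hits.append((sid.group(1) if sid else None, int(field), var))
    return hits


# Constructed excerpt using port values from the posted config, with the ssh and
# ssl directives mail-wrapped the way they appear in the archive.
SAMPLE_CONF = """\
var HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
var FTP_PORTS [21,2100,3535]
var SSH_PORTS 22
var SMTP_PORTS 25
var SSL_PORTS [25,443,465,636,993,995]
preprocessor ftp_telnet_protocol:ftp server default def_max_param_len 100 ports { 21 2100 3535 }
preprocessor ssh:enable_srvoverflow max_client_bytes 19600 autodetect
server_ports { 22 }
preprocessor ssl:trustservers,noinspect_encrypted,ports { 443 465 563 636 989 992
993 994 995 }
preprocessor smtp:log_email_hdrs ports { 25 465 587 691 }
"""
# Constructed rules with made-up sids; only the port fields matter here.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed FTP rule, literal port"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"constructed FTP rule, variable"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"constructed SMTP rule, literal port"; sid:9000003; rev:1;)
"""

if __name__ == "__main__":
    for var, diff in check_port_variables(SAMPLE_CONF).items():
        print(var, diff)
    print(find_hardcoded_ports(SAMPLE_RULES, parse_conf(SAMPLE_CONF)[0]))
```

On the sample excerpt the check reports `SSL_PORTS` (25 is declared but not inspected by `ssl`; 563, 989, 992 and 994 are inspected but absent from the var) and `SMTP_PORTS` (465, 587 and 691 inspected but not declared), and flags sids 9000001 and 9000003 for hardcoding 21 and 25. The same mismatch exists in the posted config, so rules written against `$SMTP_PORTS` or `$SSL_PORTS` would not fire on the extra ports even though the preprocessor handles them.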