[原创]快速建立一个入侵检测系统

包子

　欢迎转载，请保留作者信息
包子@郑州大学网络安全园
http://secu.zzu.edu.cn


入侵检测系统也叫IDS=instrusion detection system,他常常被网络管理员用来检测网络受攻击的程度和频繁度，为他进行下一步的管理提供充足的资料。
这里采用linux+snort,因为他们都是免费的,并且采用源码包安装
软件下载
libpcap http://www.tcpdump.org

snort-1.9 http://www.snort.org
首先你必须有root权限
su
passwd:**********
由于snort需要libpcap,所以先安装他
cd /usr/src
tar zxvf libpcap-0.6.2.tar.gz
tar zxvf snort-1.9.0.tar.gz
[root@SEC src]# cd libpcap-0.6.2
[root@SEC libpcap-0.6.2]# ./configure --prefix=/usr/local/libpcap-0.6.2
[root@SEC libpcap-0.6.2]#make
[root@SEC libpcap-0.6.2]#make install
接着安装snort，如果不需要把日志写到mysql数据库的话，配置很简单
[root@SEC libpcap-0.6.2]#cd ../snort-1.9.0
[root@SEC snort-1.9.0]#./configure --prefix=/usr/local/snort19
[root@SEC snort-1.9.0]#make
[root@SEC snort-1.9.0]#make install
OK,安装完毕，如果在上述安装过程中出现任何错误，请查看README文件
接着，把当前目录下的etc目录和rules目录cp到snort的安装目录
[root@SEC snort-1.9.0]#cp etc /usr/local/snort19 -r
[root@SEC snort-1.9.0]#cp rules /usr/local/snort19 -r
接着，把etc下的classification.config复制到/root/目录下
再把etc里面的snort.conf复制到root目录下并改名为.snortrc
[root@SEC snort-1.9.0]#cp etc/classification.config /root/
[root@SEC snort-1.9.0]#cp etc/snort.conf /root/.snortrc
现在编辑snort的配置文件.snortrc
vi /root/.snortrc
先在102行找到var RULE_PATH ../rules
把他改成var RULE_PATH /usr/local/snort19/rules
然后在590行看到
include $RULE_PATH/bad-traffic.rules
这些是SNORT的规则集，针对系统类型和网络环境选上你所需要的规则，OK，编辑完毕！
接着为了方便，我们把snort的可执行程序复制/usr/sbin目录
[root@SEC snort-1.9.0]#cp /usr/local/snort19/bin/snort /usr/sbin/snort
最后为snort放日志创建一个目录
[root@SEC snort-1.9.0]#mkdir /var/log/snort
马上测试一下
[root@SEC snort-1.9.0]#snort
Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface eth0
using config file /root/.snortrc
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /root/.snortrc
等等的输出，如果你看到的是这样的，那么恭喜你，你成功了！
下面让我们一起来看看snort的参数
[root@SEC snort-1.9.0]# snort --help
Initializing Output Plugins!
snort: invalid option -- -

-*> Snort! <*-
Version 1.9.0 (Build 209)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
USAGE: snort [-options]
Options:
-A Set alert mode: fast, full, console, or none (alert file alerts only)
"unsock" enables UNIX socket logging (experimental).
-a Display ARP packets
-b Log packets in tcpdump format (much faster!)
-c Use Rules File
-C Print out payloads with character data only (no hex)
-d Dump the Application Layer
-D Run Snort in background (daemon) mode
-e Display the second layer header info
-f Turn off fflush() calls after binary log writes
-F Read BPF filters from file
-g Run snort gid as group (or gid) after initialization
-G Add reference ids back into alert msgs (modes: basic, url)
-h Home network =
-i Listen on interface
-I Add Interface name to alert output
-l Log to directory
-m Set umask =
-n Exit after receiving packets
-N Turn off logging (alerts still work)
-o Change the rule testing order to Pass|Alert|Log
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P set explicit snaplen of packet (default: 1514)
-q Quiet. Don't show banner and status report
-r Read and process tcpdump file
-R Include 'id' in snort_intf.pid file name
-s Log alert messages to syslog
-S Set rules file variable n equal to value v
-t
Chroots process to
after initialization
-T Test and report on the current Snort configuration
-u Run snort uid as user (or uid) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-w Dump 802.11 management and control frames
-X Dump the raw packet data starting at the link layer
-y Include year in timestamp in the alert and log files
-z Set assurance mode, match on established sesions (for TCP)
-? Show this information
are standard BPF options, as seen in TCPDump

这里主要是要了解几个重要的参数
-A 设置报警模式，是快速，完全，或者是控制台，亦或是不报警
-a 捕获ARP包
-b 使用tcpdump的格式来写入日志
-c 指定配置文件路径
-d 捕获应用层数据
-D 后台运行snort
-e 显示第二层头信息
-h 设置监听主机
-m 设置掩码
-z 只匹配已经完全建立链接的会话

我一般是使用
snort -A fast -Db -e -z来运行snort的
其他还有一些很有用的参数，而且可以在配置文件那让snort把日志写到mysql数据库，这样对日志的处理就可以很方便了
如果需要知道更加多的信息，可以去www.snort.org看doc，或者看man page

这里先截取一个日志片段来说明一些问题
11/13-05:29:27.429801 UDP src: 24.24.146.64 dst: 202.196.64.30 sport: 1028 dport: 137 tgts: 6 ports: 6 event_id: 0
11/13-05:29:27.759801 UDP src: 24.24.146.64 dst: 202.196.64.32 sport: 1028 dport: 137 tgts: 7 ports: 7 event_id: 471
11/13-05:29:34.279801 UDP src: 24.24.146.64 dst: 202.196.64.72 sport: 1028 dport: 137 tgts: 8 ports: 8 event_id: 471
11/13-05:29:34.449801 UDP src: 24.24.146.64 dst: 202.196.64.73 sport: 1028 dport: 137 tgts: 9 ports: 9 event_id: 471
11/13-05:29:37.549801 UDP src: 24.24.146.64 dst: 202.196.64.92 sport: 1028 dport: 137 tgts: 10 ports: 10 event_id: 471
11/13-05:29:41.989801 UDP src: 24.24.146.64 dst: 202.196.64.119 sport: 1028 dport: 137 tgts: 11 ports: 11 event_id: 471
11/13-05:29:42.139801 UDP src: 24.24.146.64 dst: 202.196.64.120 sport: 1028 dport: 137 tgts: 12 ports: 12 event_id: 471

这段日志告诉我
今天早上5点左右，有个IP是24.24.146.64的朋友，在扫描202.196.64网段的共享或者是在使用一些低级的操作系统鉴别工具来鉴别这个网段的操作系统类型（因为高级的系统指纹鉴别系统是不会扫描137端口的）
详细的分析一条日志吧
11/13-05:29:27.429801 UDP src: 24.24.146.64 dst: 202.196.64.30 sport: 1028 dport: 137 tgts: 6 ports: 6 event_id: 0

UDP是使用的协议
SRC是源IP
DST是目标IP
SPORT是源端口
DPORT是目标端口
根据上面的内容再结合攻击手段的特征，很容易就可以发现对方在做什么了


现在推荐阅读这个

http://www.linuxsir.cn/forum.php?mod=viewthread&tid=77014

http://secu.zzu.edu.cn/modules.p ... rticle&artid=25

zsk2000

我这里出线n多错误!呵呵!

zsk2000

到最后的提示
是不能初始化目标!你说晕不晕!

zsk2000

Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface eth0
using config file /root/.snortrc
Parsing Rules file /root/.snortrc

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Initializing Preprocessors!
Initializing Plug-ins!
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
WARNING classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
WARNING classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
WARNING classification.config(48): Duplicate classification "string-detect"found, ignoring this line
WARNING classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
WARNING classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
WARNING classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
WARNING classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
WARNING classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
WARNING classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
WARNING classification.config(55): Duplicate classification "network-scan"found, ignoring this line
WARNING classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
WARNING classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
WARNING classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
WARNING classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
WARNING classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
WARNING classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
WARNING classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
WARNING classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
WARNING classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
WARNING classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
WARNING classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line

zsk2000

经过检查发现在/usr/snort/etc/目录下的classification.config文件中的30-66行为
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
#config classification: bad-unknown,Potentially Bad Traffic, 2
#config classification: attempted-recon,Attempted Information Leak,2
#config classification: successful-recon-limited,Information Leak,2
#config classification: successful-recon-largescale,Large Scale Information Leak,2
#config classification: attempted-dos,Attempted Denial of Service,2
#config classification: successful-dos,Denial of Service,2
#config classification: attempted-user,Attempted User Privilege Gain,1
#config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
#config classification: successful-user,Successful User Privilege Gain,1
#config classification: attempted-admin,Attempted Administrator Privilege Gain,1
#config classification: successful-admin,Successful Administrator Privilege Gain,1


# NEW CLASSIFICATIONS
#config classification: rpc-portmap-decode,Decode of an RPC Query,2
#config classification: shellcode-detect,Executable code was detected,1
#config classification: string-detect,A suspicious string was detected,3
#config classification: suspicious-filename-detect,A suspicious filename was detected,2
#config classification: suspicious-login,An attempted login using a suspicious username was detected,2
#config classification: system-call-detect,A system call was detected,2
#config classification: tcp-connection,A TCP connection was detected,4
#config classification: trojan-activity,A Network Trojan was detected, 1
#config classification: unusual-client-port-connection,A client was using an unusual port,2
#config classification: network-scan,Detection of a Network Scan,3
#config classification: denial-of-service,Detection of a Denial of Service Attack,2
#config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
#config classification: protocol-command-decode,Generic Protocol Command Decode,3
#config classification: web-application-activity,access to a potentially vulnerable web application,2
#config classification: web-application-attack,Web Application Attack,1
#config classification: misc-activity,Misc activity,3
#config classification: misc-attack,Misc Attack,2
#config classification: icmp-event,Generic ICMP event,3
#config classification: kickass-porn,SCORE! Get the lotion!,1
#config classification: policy-violation,Potential Corporate Privacy Violation,1
#config classification: default-login-attempt,Attempt to login by a default username and password,2

zsk2000

经过再次检查在/root下的该文件才是snort读取的
最后检测时候还是有错误，请看最后的结果！还是不能初始化


Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
ERROR: Can't initialize mempool for Targets
Fatal Error, Quitting..
被我删除了一点

sypdz

这样贴配置,看起来很不爽!

zsk2000

没人回答我啊！

epidemic

考，包子也在这里混？