D:\Snort\bin>snort -l d:\snort\log -c d:\snort\etc\snort.conf -T Running in IDS mode Log directory = d:\snort\log Initializing Network Interface \ --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface \ Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file d:\snort\etc\snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ,-----------[Flow Config]---------------------- | Stats Interval: 0 | Hash Method: 2 | Memcap: 10485760 | Rows : 4099 | Overhead Bytes: 16400(%0.16) `---------------------------------------------- No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: INACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Zero out flushed packets: INACTIVE flush_data_diff_size: 500 Ports: 21 23 25 53 80 110 111 143 513 1433 Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: d:\snort\etc\unicode.map IIS Unicode Map Codepage: 1252 DEFAULT SERVER CONFIG: Ports: 80 8080 8180 Flow Depth: 300 Max Chunk Length: 500000 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Ascii: YES alert: NO Double Decoding: YES alert: YES %U Encoding: YES alert: YES Bare Byte: YES alert: YES Base36: OFF UTF 8: OFF IIS Unicode: YES alert: YES Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory: YES alert: NO Apache WhiteSpace: YES alert: YES IIS Delimiter: YES alert: YES IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: NONE rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 Using LOCAL time database: compiled support for ( mysql odbc mssql ) database: configured to use mssql database: user = snort database: password is set database: database name = snort database: host = 158.232.85.36 database: port = 1433 database: sensor name = GE-3E-06 database: SQL Server message 5701, state 2, severity 0: Changed database context to 'master'. Server 'GE-3E-06', database: SQL Server message 5701, state 1, severity 0: Changed database context to 'snort'. Server 'GE-3E-06', Line 1 database: sensor id = 1 database: schema version = 106 database: using the "log" facility database: compiled support for ( mysql odbc mssql ) database: configured to use mssql database: user = snort database: password is set database: database name = snort database: host = 158.232.85.36 database: port = 1433 database: sensor name = GE-3E-06 database: SQL Server message 5701, state 2, severity 0: Changed database context to 'master'. Server 'GE-3E-06', database: SQL Server message 5701, state 1, severity 0: Changed database context to 'snort'. Server 'GE-3E-06', Line 1 database: sensor id = 1 database: schema version = 106 database: using the "alert" facility 1615 Snort rules read... 1615 Option Chains linked into 152 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-----------------------[thresholding-config]---------------------------------- | memory-cap : 1048576 bytes +-----------------------[thresholding-global]---------------------------------- | none +-----------------------[thresholding-local]----------------------------------- | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds= 60 +-----------------------[suppression]------------------------------------------ ------------------------------------------------------------------------------- Rule application order: ->activation->dynamic->alert->pass->log --== Initialization Complete ==-- -*> Snort! <*- Version 2.1.1-ODBC-MySQL-MSSQL-FlexRESP-WIN32 (Build 24) By Martin Roesch (roesch () sourcefire com, www.snort.org) 1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike) 1.8 - 2.1 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com) Snort sucessfully loaded all rules and checked all rule chains! Final Flow Statistics ,----[ FLOWCACHE STATS ]---------- Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) Overhead blocks: 1 Could Hold: (0) IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s finds: 0 reversed: 0(%0.000000) find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0 database: Closing connection to database "+" database: Closing connection to database "" Snort exiting D:\Snort\bin>