Mar 29 21:45:56 JWserver snort[22322]: Running in IDS mode
Mar 29 21:45:56 JWserver snort[22322]:
Mar 29 21:45:56 JWserver snort[22322]: --== Initializing Snort ==--
Mar 29 21:45:56 JWserver snort[22322]: Initializing Output Plugins!
Mar 29 21:45:56 JWserver snort[22322]: Initializing Preprocessors!
Mar 29 21:45:56 JWserver snort[22322]: Initializing Plug-ins!
Mar 29 21:45:56 JWserver snort[22322]: Parsing Rules file "/etc/snort/snort.conf"
Mar 29 21:45:56 JWserver snort[22322]: PortVar 'HTTP_PORTS' defined :
Mar 29 21:45:56 JWserver snort[22322]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
Mar 29 21:45:56 JWserver snort[22322]:
Mar 29 21:45:56 JWserver snort[22322]: PortVar 'SHELLCODE_PORTS' defined :
Mar 29 21:45:56 JWserver snort[22322]: [ 0:79 81:65535 ]
Mar 29 21:45:56 JWserver snort[22322]:
Mar 29 21:45:56 JWserver snort[22322]: PortVar 'ORACLE_PORTS' defined :
Mar 29 21:45:56 JWserver snort[22322]: [ 1024:65535 ]
Mar 29 21:45:56 JWserver snort[22322]:
Mar 29 21:45:56 JWserver snort[22322]: PortVar 'SSH_PORTS' defined :
Mar 29 21:45:56 JWserver snort[22322]: [ 22 ]
Mar 29 21:45:56 JWserver snort[22322]:
Mar 29 21:45:56 JWserver snort[22322]: PortVar 'FTP_PORTS' defined :
Mar 29 21:45:56 JWserver snort[22322]: [ 21 2100 3535 ]
Mar 29 21:45:56 JWserver snort[22322]:
Mar 29 21:45:56 JWserver snort[22322]: PortVar 'SIP_PORTS' defined :
Mar 29 21:45:56 JWserver snort[22322]: [ 5060:5061 5600 ]
Mar 29 21:45:56 JWserver snort[22322]:
Mar 29 21:45:56 JWserver snort[22322]: PortVar 'FILE_DATA_PORTS' defined :
Mar 29 21:45:56 JWserver snort[22322]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
Mar 29 21:45:56 JWserver snort[22322]:
Mar 29 21:45:56 JWserver snort[22322]: PortVar 'GTP_PORTS' defined :
Mar 29 21:45:56 JWserver snort[22322]: [ 2123 2152 3386 ]
Mar 29 21:45:56 JWserver snort[22322]:
Mar 29 21:45:56 JWserver snort[22322]: Detection:
Mar 29 21:45:56 JWserver snort[22322]: Search-Method = AC-Full-Q
Mar 29 21:45:56 JWserver snort[22322]: Split Any/Any group = enabled
Mar 29 21:45:56 JWserver snort[22322]: Search-Method-Optimizations = enabled
Mar 29 21:45:56 JWserver snort[22322]: Maximum pattern length = 20
Mar 29 21:45:56 JWserver snort[22322]: Tagged Packet Limit: 256
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic engine /usr/lib64/snort-2.9.6.2_dynamicengine/libsf_engine.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Mar 29 21:45:56 JWserver snort[22322]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
Mar 29 21:45:56 JWserver snort[22322]: Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Mar 29 21:45:56 JWserver snort[22322]: Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.6.2_dynamicpreprocessor/...
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_ssh_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_smtp_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_reputation_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_sip_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_sdf_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_dns_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_pop_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_dce2_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_imap_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_dnp3_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_ssl_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_modbus_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Loading dynamic preprocessor library /usr/lib64/snort-2.9.6.2_dynamicpreprocessor//libsf_gtp_preproc.so...
Mar 29 21:45:56 JWserver snort[22322]: done
Mar 29 21:45:56 JWserver snort[22322]: Finished Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.6.2_dynamicpreprocessor/
Mar 29 21:45:56 JWserver snort[22322]: Log directory = /var/log/snort
Mar 29 21:45:56 JWserver snort[22322]: WARNING: ip4 normalizations disabled because not inline.
Mar 29 21:45:56 JWserver snort[22322]: WARNING: tcp normalizations disabled because not inline.
Mar 29 21:45:56 JWserver snort[22322]: WARNING: icmp4 normalizations disabled because not inline.
Mar 29 21:45:56 JWserver snort[22322]: WARNING: ip6 normalizations disabled because not inline.
Mar 29 21:45:56 JWserver snort[22322]: WARNING: icmp6 normalizations disabled because not inline.
Mar 29 21:45:56 JWserver snort[22322]: Frag3 global config:
Mar 29 21:45:56 JWserver snort[22322]: Max frags: 65536
Mar 29 21:45:56 JWserver snort[22322]: Fragment memory cap: 4194304 bytes
Mar 29 21:45:56 JWserver snort[22322]: Frag3 engine config:
Mar 29 21:45:56 JWserver snort[22322]: Bound Address: default
Mar 29 21:45:56 JWserver snort[22322]: Target-based policy: WINDOWS
Mar 29 21:45:56 JWserver snort[22322]: Fragment timeout: 180 seconds
Mar 29 21:45:56 JWserver snort[22322]: Fragment min_ttl: 1
Mar 29 21:45:56 JWserver snort[22322]: Fragment Anomalies: Alert
Mar 29 21:45:56 JWserver snort[22322]: Overlap Limit: 10
Mar 29 21:45:56 JWserver snort[22322]: Min fragment Length: 100
Mar 29 21:45:56 JWserver snort[22322]: Stream5 global config:
Mar 29 21:45:56 JWserver snort[22322]: Track TCP sessions: ACTIVE
Mar 29 21:45:56 JWserver snort[22322]: Max TCP sessions: 262144
Mar 29 21:45:56 JWserver snort[22322]: TCP cache pruning timeout: 30 seconds
Mar 29 21:45:56 JWserver snort[22322]: TCP cache nominal timeout: 3600 seconds
Mar 29 21:45:56 JWserver snort[22322]: Memcap (for reassembly packet storage): 8388608
Mar 29 21:45:56 JWserver snort[22322]: Track UDP sessions: ACTIVE
Mar 29 21:45:56 JWserver snort[22322]: Max UDP sessions: 131072
Mar 29 21:45:56 JWserver snort[22322]: UDP cache pruning timeout: 30 seconds
Mar 29 21:45:56 JWserver snort[22322]: UDP cache nominal timeout: 180 seconds
Mar 29 21:45:56 JWserver snort[22322]: Track ICMP sessions: INACTIVE
Mar 29 21:45:56 JWserver snort[22322]: Track IP sessions: INACTIVE
Mar 29 21:45:56 JWserver snort[22322]: Log info if session memory consumption exceeds 1048576
Mar 29 21:45:56 JWserver snort[22322]: Send up to 2 active responses
Mar 29 21:45:56 JWserver snort[22322]: Wait at least 5 seconds between responses
Mar 29 21:45:56 JWserver snort[22322]: Protocol Aware Flushing: ACTIVE
Mar 29 21:45:56 JWserver snort[22322]: Maximum Flush Point: 16000
Mar 29 21:45:56 JWserver snort[22322]: Max Expected Streams: 768
Mar 29 21:45:56 JWserver snort[22322]: Stream5 TCP Policy config:
Mar 29 21:45:56 JWserver snort[22322]: Bound Address: default
Mar 29 21:45:56 JWserver snort[22322]: Reassembly Policy: WINDOWS
Mar 29 21:45:56 JWserver snort[22322]: Timeout: 180 seconds
Mar 29 21:45:56 JWserver snort[22322]: Limit on TCP Overlaps: 10
Mar 29 21:45:56 JWserver snort[22322]: Maximum number of bytes to queue per session: 1048576
Mar 29 21:45:56 JWserver snort[22322]: Maximum number of segs to queue per session: 2621
Mar 29 21:45:56 JWserver snort[22322]: Options:
Mar 29 21:45:56 JWserver snort[22322]: Require 3-Way Handshake: YES
Mar 29 21:45:56 JWserver snort[22322]: 3-Way Handshake Timeout: 180
Mar 29 21:45:56 JWserver snort[22322]: Detect Anomalies: YES
Mar 29 21:45:56 JWserver snort[22322]: Reassembly Ports:
Mar 29 21:45:56 JWserver snort[22322]: 21 client (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 22 client (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 23 client (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 25 client (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 36 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 42 client (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 53 client (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 70 client (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 79 client (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 80 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 81 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 82 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 83 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 84 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 85 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 86 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 87 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 88 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 89 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: 90 client (Footprint) server (Footprint)
Mar 29 21:45:56 JWserver snort[22322]: additional ports configured but not printed.
Mar 29 21:45:56 JWserver snort[22322]: Stream5 UDP Policy config:
Mar 29 21:45:56 JWserver snort[22322]: Timeout: 180 seconds
Mar 29 21:45:56 JWserver snort[22322]: HttpInspect Config:
Mar 29 21:45:56 JWserver snort[22322]: GLOBAL CONFIG
Mar 29 21:45:56 JWserver snort[22322]: Max Pipeline Requests: 0
Mar 29 21:45:56 JWserver snort[22322]: Inspection Type: STATELESS
Mar 29 21:45:56 JWserver snort[22322]: Detect Proxy Usage: NO
Mar 29 21:45:56 JWserver snort[22322]: IIS Unicode Map Filename: /etc/snort/unicode.map
Mar 29 21:45:56 JWserver snort[22322]: IIS Unicode Map Codepage: 1252
Mar 29 21:45:56 JWserver snort[22322]: Memcap used for logging URI and Hostname: 150994944
Mar 29 21:45:56 JWserver snort[22322]: Max Gzip Memory: 838860
Mar 29 21:45:56 JWserver snort[22322]: Max Gzip Sessions: 5518
Mar 29 21:45:56 JWserver snort[22322]: Gzip Compress Depth: 65535
Mar 29 21:45:56 JWserver snort[22322]: Gzip Decompress Depth: 65535
Mar 29 21:45:56 JWserver snort[22322]: DEFAULT SERVER CONFIG:
Mar 29 21:45:56 JWserver snort[22322]: Server profile: All
Mar 29 21:45:56 JWserver snort[22322]: Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712
Mar 29 21:45:56 JWserver snort[22322]: Server Flow Depth: 0
Mar 29 21:45:56 JWserver snort[22322]: Client Flow Depth: 0
Mar 29 21:45:56 JWserver snort[22322]: Max Chunk Length: 500000
Mar 29 21:45:56 JWserver snort[22322]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Mar 29 21:45:56 JWserver snort[22322]: Max Header Field Length: 750
Mar 29 21:45:56 JWserver snort[22322]: Max Number Header Fields: 100
Mar 29 21:45:56 JWserver snort[22322]: Max Number of WhiteSpaces allowed with header folding: 200
Mar 29 21:45:56 JWserver snort[22322]: Inspect Pipeline Requests: YES
Mar 29 21:45:56 JWserver snort[22322]: URI Discovery Strict Mode: NO
Mar 29 21:45:56 JWserver snort[22322]: Allow Proxy Usage: NO
Mar 29 21:45:56 JWserver snort[22322]: Disable Alerting: NO
Mar 29 21:45:56 JWserver snort[22322]: Oversize Dir Length: 500
Mar 29 21:45:56 JWserver snort[22322]: Only inspect URI: NO
Mar 29 21:45:56 JWserver snort[22322]: Normalize HTTP Headers: NO
Mar 29 21:45:56 JWserver snort[22322]: Inspect HTTP Cookies: YES
Mar 29 21:45:56 JWserver snort[22322]: Inspect HTTP Responses: YES
Mar 29 21:45:56 JWserver snort[22322]: Extract Gzip from responses: YES
Mar 29 21:45:56 JWserver snort[22322]: Unlimited decompression of gzip data from responses: YES
Mar 29 21:45:56 JWserver snort[22322]: Normalize Javascripts in HTTP Responses: YES
Mar 29 21:45:56 JWserver snort[22322]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Mar 29 21:45:56 JWserver snort[22322]: Normalize HTTP Cookies: NO
Mar 29 21:45:56 JWserver snort[22322]: Enable XFF and True Client IP: NO
Mar 29 21:45:56 JWserver snort[22322]: Log HTTP URI data: NO
Mar 29 21:45:56 JWserver snort[22322]: Log HTTP Hostname data: NO
Mar 29 21:45:56 JWserver snort[22322]: Extended ASCII code support in URI: NO
Mar 29 21:45:56 JWserver snort[22322]: Ascii: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: Double Decoding: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: %U Encoding: YES alert: YES
Mar 29 21:45:56 JWserver snort[22322]: Bare Byte: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: UTF 8: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: IIS Unicode: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: Multiple Slash: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: IIS Backslash: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: Directory Traversal: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: Web Root Traversal: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: Apache WhiteSpace: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: IIS Delimiter: YES alert: NO
Mar 29 21:45:56 JWserver snort[22322]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Mar 29 21:45:56 JWserver snort[22322]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Mar 29 21:45:56 JWserver snort[22322]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Mar 29 21:45:56 JWserver snort[22322]: rpc_decode arguments:
Mar 29 21:45:56 JWserver snort[22322]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Mar 29 21:45:56 JWserver snort[22322]: alert_fragments: INACTIVE
Mar 29 21:45:56 JWserver rsyslogd-2177: imuxsock begins to drop messages from pid 22322 due to rate-limiting