The other sections seem fine. In addition to this, there aren't any rules copied to the sensor in /etc/snort.
How do I tell whether IDS Policy Manager is actually downloading the rules to the local machine from the configured download locations, and if it is, how do I get those rules included in the snort.conf that is uploaded to the sensor?
####################################################
# http://www.activeworx.org Snort Ruleset
# IDS Policy Manager 2.0
# Current Database Updated - 2007/08/13 11:15:51 AM
#########################################
# Set Variables:
# Network/port variables referenced by the preprocessors below and by the rule files.
# HOME_NET is the protected address space; the two /24s here are the only networks the
# "server" variables below will match.
var HOME_NET [192.168.129.0/24,192.168.130.0/24]
# "any" means EXTERNAL_NET overlaps HOME_NET, so internal-to-internal traffic is also
# inspected. Setting it to !$HOME_NET cuts noise but loses detection of lateral traffic;
# leave "any" unless the alert volume forces the change.
var EXTERNAL_NET any
# Every server class is the whole HOME_NET. Narrowing these to the real server addresses
# reduces false positives, but only if the inventory is kept current.
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
# NOTE(review): only port 80, while http_inspect_server below also normalizes 8080 and
# 8180. Rules keyed on $HTTP_PORTS will not fire on those two ports — align the two
# (the exact syntax for a multi-port variable depends on the snort version in use).
var HTTP_PORTS 80
# Shellcode rules are evaluated on every port except 80 (web traffic is too noisy).
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# Hard-coded AOL/AIM address ranges as of the 2007 ruleset date; these go stale and
# only matter for the chat rules.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
# Directory the rule "include" lines in the Rule Groups section resolve against on the
# sensor. If no .rules files exist there (as the post above reports), nothing loads and
# snort runs with preprocessor-only detection.
var RULE_PATH /etc/snort
#########################################
# Configure Snort Decoder
# Everything in this section is commented out, so the decoder runs with its defaults:
# decode/TCP-option/IP-option alerts stay enabled and nothing is dropped.
#config disable_decode_alerts
#config disable_tcpopt_experimental_alerts
#config disable_tcpopt_obsolete_alerts
#config disable_tcpopt_ttcp_alerts
#config disable_tcpopt_alerts
#config disable_ipopt_alerts
#config enable_decode_oversized_alerts
#config enable_decode_oversized_drops
#config detection: search-method lowmem
#config layer2resets: 00
#config flowbits_size: 64
# ignore_ports is a blanket detection bypass for the listed ports — keep it disabled
# unless a specific noisy port has been risk-accepted, and document why if so.
#config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
#config ignore_ports: tcp 21 6667
#config ignore_ports: udp 1
#########################################
# Configure dynamic loaded libraries
# Every shared object in this directory is loaded into the snort process. The directory
# and its contents must be root-owned and not writable by any other account, or it is a
# code-execution path into the sensor.
dynamicpreprocessor directory /usr/lib64/snort/dynamicpreprocessor/
#dynamicpreprocessor file /usr/lib64/snort/dynamicpreprocessor/libdynamicexample.so
# Detection engine shared object; same ownership/permission requirement as above.
dynamicengine /usr/lib64/snort/dynamicengine/libsf_engine.so
# dynamicdetection is commented out, so no shared-object rules are loaded — only the
# text rules included via $RULE_PATH. Enable this if the downloaded ruleset ships .so rules.
#dynamicdetection directory /usr/lib64/snort/dynamicrule/
#dynamicdetection file /usr/lib64/snort/dynamicrule/libdynamicexamplerule.so
#########################################
# Configure Preprocessors
# Order matters: defrag (frag3) and stream reassembly must run before the protocol
# inspectors (http_inspect, ftp_telnet, smtp, dns) that rely on reassembled data.
# Legacy flow tracker; stream4 below depends on it. Do not enable the stream5 lines
# while flow/stream4 are active — stream5 replaces both.
preprocessor flow: stats_interval 0 hash 2
#preprocessor frag2
#preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
#preprocessor frag3_engine: policy linux bind_to [10.1.1.12/32,10.1.1.13/32] detect_anomalies
#preprocessor frag3_engine: policy first bind_to 10.2.1.0/24 detect_anomalies
#preprocessor frag3_engine: policy last bind_to 10.3.1.0/24
#preprocessor frag3_engine: policy bsd
preprocessor frag3_global: max_frags 65536
# A single "first" reassembly policy for every host. Overlapping-fragment handling
# differs by target OS, so a host whose stack behaves differently can be evaded; the
# commented examples above show how to bind a policy per server range. detect_anomalies
# keeps the fragmentation-anomaly alerts on.
preprocessor frag3_engine: policy first detect_anomalies
# NOTE(review): disable_evasion_alerts suppresses stream4's TCP evasion-attempt alerts.
# That trades visibility into insertion/evasion attempts for less noise — confirm this
# is intentional rather than inherited from a template.
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
#preprocessor stream5_tcp: policy first, use_static_footprint_sizes
#preprocessor stream5_udp: ignore_any_rules
# perfmonitor is off, so there is no record of packet drops or load on this sensor;
# without it a silently dropping sensor looks identical to a quiet network.
#preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# Normalizes 80, 8080 and 8180. $HTTP_PORTS above only lists 80, so HTTP rules will not
# match the other two ports even though they are decoded here — keep the lists in sync.
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
#preprocessor http_inspect_server: server 1.1.1.1 ports { 80 3128 8080 } flow_depth 0 ascii no double_decode yes non_rfc_char { 0x00 } chunk_length 500000 non_strict oversize_dir_length 300 no_alerts
preprocessor rpc_decode: 111 32771
#preprocessor bo: noalert { client | server | general | snort_attack } drop { client | server | general | snort_attack }
#preprocessor bo: noalert { general server } drop { snort_attack }
# Back Orifice detector with defaults: all of its alert classes on, nothing dropped
# (the commented lines above show the noalert/drop syntax if that needs tuning).
preprocessor bo
#preprocessor telnet_decode
# encrypted_traffic yes: alert when an FTP/telnet session turns encrypted, i.e. when
# inspection is no longer possible; stateful inspection tracks the session, not just packets.
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
# Command length/validity limits for the server side; oversized parameters on the listed
# commands are the classic FTP server overflow vector.
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
# bounce yes: flag PORT commands that direct the data channel to a third-party address
# (FTP bounce).
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
# sense_level low is the least noisy setting and will miss slow or low-volume scans;
# raise it if this segment is quiet enough to tolerate more alerts.
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
# SSH and DCE/RPC inspectors are off; nothing here inspects port 22 or SMB/RPC beyond
# the portmapper decode above.
#preprocessor ssh: server_ports { 22 } max_client_bytes 19600 max_encrypted_packets 20
#preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
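#########################################
# Output Modules
# Exactly one output is active: the MySQL "log" plugin. Everything else below is
# commented reference syntax. With no syslog or unified output enabled, alerts are lost
# whenever the database is unreachable — consider keeping alert_syslog on as a fallback.
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
#output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
#output log_tcpdump: tcpdump.log
#output database: log, mysql, user=root password=test dbname=db host=localhost
#output database: alert, postgresql, user=snort dbname=snort
#output database: log, odbc, user=snort dbname=snort
#output database: log, mssql, dbname=snort user=snort password=test
#output database: log, oracle, dbname=snort user=snort password=test
# SECURITY: the original line authenticated as the MySQL superuser (user=root) with the
# password in cleartext, and that password was pasted into a public forum post along
# with this file. Treat it as compromised: rotate it on the database server now.
# Snort only needs to write alert/log rows, so give it its own account (the "snort"
# user the examples above already use) with only the INSERT/SELECT privileges the
# snort_log schema requires — never root. Create that account before restarting snort,
# put the real password in place of the placeholder, and make this file root-read-only
# (it still carries a live credential).
output database: log, mysql, dbname=snort_log user=snort host=localhost password=<set-per-sensor-do-not-commit>
#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
#output alert_prelude
#output alert_prelude: profile=snort-profile-name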
#########################################
# Config Files
# Bare filenames: these must be present on the sensor wherever snort resolves includes
# from (the same place the $RULE_PATH rule files are expected), or startup fails.
# Classification and Priorities
include classification.config
# References
include reference.config
# Threshold and Suppression
# Entries in threshold.config silently rate-limit or suppress alerts; check it first when
# an expected alert never shows up in the database.
include threshold.config
#########################################
# Rule Groups