[people/pmueller/ipfire-2.x.git] / config / snort / snort.conf

###################################################
#
# This file contains the default snort configuration.
# for all IPFire Versions
# Unless you are totally happy with this file, please
# only change whats needed
# This file is automatically changed by 
# the webinterface, too.
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Only area a user needs to edit
include /etc/snort/vars
var EXTERNAL_NET    !$HOME_NET
var SMTP_SERVERS    $HOME_NET
var HTTP_SERVERS    $HOME_NET
var SQL_SERVERS     $HOME_NET
var TELNET_SERVERS  $HOME_NET
var HTTP_PORTS      80
var SHELLCODE_PORTS !80
var ORACLE_PORTS    1521
var AIM_SERVERS     [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH       /etc/snort/rules

###################################################
# Do NOT Edit past this line
###################################################
config detection: search-method lowmem
preprocessor flow: memcap 2097152, stats_interval 0, hash 2
preprocessor frag2: memcap 2097152
preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: noalerts
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
	scoreboard-memcap-talker 1048576 \
	scoreboard-rows-talker 10000 \
	talker-sliding-scale-factor 0.50 \
	talker-fixed-threshold 30 \
	talker-sliding-threshold 30 \
	talker-sliding-window 20 \
	talker-fixed-window 30 \
	scoreboard-memcap-scanner 1048576 \
	scoreboard-rows-scanner 10000 \
	scanner-sliding-window 20 \
	scanner-sliding-scale-factor 0.50 \
	scanner-fixed-threshold 15 \
	scanner-sliding-threshold 40 \
	scanner-fixed-window 15 \
	unique-memcap 1048576 \
	unique-rows 10000 \
	server-memcap 1048576 \
	server-rows 10000 \
	server-watchnet $HOME_NET \
	server-ignore-limit 100 \
	server-learning-time 3600 \
	server-scanner-limit 4 \
	alert-mode once \
	output-mode msg \
	tcp-penalties on
preprocessor xlink2state: ports { 25 691 }
#=========================================
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
#=========================================
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc-BLOCK.rules
include $RULE_PATH/bleeding-botcc.excluded
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-botcc.rules.dragon.xml
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop-BLOCK.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-drop.rules.dragon.xml
include $RULE_PATH/bleeding-dshield-BLOCK.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-sid-msg.map
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-deleted.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/community-policy.rules
include $RULE_PATH/community-sid-msg.map
include $RULE_PATH/community-sip.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-cgi.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
Commit	Line	Data
cd1a2927 MT	1	###################################################
	2	#
	3	# This file contains the default snort configuration.
46dff713 MT	4	# for all IPFire Versions
46dff713 MT	5	# Unless you are totally happy with this file, please
cd1a2927	6	# only change whats needed
46dff713 MT	7	# This file is automatically changed by
46dff713 MT	8	# the webinterface, too.
cd1a2927 MT	9	#
	10	# 1) Set the network variables for your network
	11	# 2) Configure preprocessors
	12	# 3) Configure output plugins
	13	# 4) Customize your rule set
	14	#
cd1a2927 MT	15	###################################################
	16	# Only area a user needs to edit
	17	include /etc/snort/vars
	18	var EXTERNAL_NET !$HOME_NET
	19	var SMTP_SERVERS $HOME_NET
	20	var HTTP_SERVERS $HOME_NET
	21	var SQL_SERVERS $HOME_NET
	22	var TELNET_SERVERS $HOME_NET
	23	var HTTP_PORTS 80
	24	var SHELLCODE_PORTS !80
	25	var ORACLE_PORTS 1521
	26	var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
46dff713	27	var RULE_PATH /etc/snort/rules
cd1a2927 MT	28
	29	###################################################
	30	# Do NOT Edit past this line
	31	###################################################
	32	config detection: search-method lowmem
	33	preprocessor flow: memcap 2097152, stats_interval 0, hash 2
	34	preprocessor frag2: memcap 2097152
	35	preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
	36	preprocessor stream4_reassemble: noalerts
	37	preprocessor http_inspect: global iis_unicode_map unicode.map 1252
	38	preprocessor http_inspect_server: server default profile all ports { 80 8080 }
	39	preprocessor rpc_decode: 111 32771
	40	preprocessor bo
	41	preprocessor telnet_decode
	42	preprocessor flow-portscan: \
	43	scoreboard-memcap-talker 1048576 \
	44	scoreboard-rows-talker 10000 \
	45	talker-sliding-scale-factor 0.50 \
	46	talker-fixed-threshold 30 \
	47	talker-sliding-threshold 30 \
	48	talker-sliding-window 20 \
	49	talker-fixed-window 30 \
	50	scoreboard-memcap-scanner 1048576 \
	51	scoreboard-rows-scanner 10000 \
	52	scanner-sliding-window 20 \
	53	scanner-sliding-scale-factor 0.50 \
	54	scanner-fixed-threshold 15 \
	55	scanner-sliding-threshold 40 \
	56	scanner-fixed-window 15 \
	57	unique-memcap 1048576 \
	58	unique-rows 10000 \
	59	server-memcap 1048576 \
	60	server-rows 10000 \
	61	server-watchnet $HOME_NET \
	62	server-ignore-limit 100 \
	63	server-learning-time 3600 \
	64	server-scanner-limit 4 \
	65	alert-mode once \
	66	output-mode msg \
	67	tcp-penalties on
	68	preprocessor xlink2state: ports { 25 691 }
	69	#=========================================
	70	include $RULE_PATH/classification.config
	71	include $RULE_PATH/reference.config
	72	#=========================================
46dff713 MT	73	include $RULE_PATH/bleeding-attack_response.rules
	74	include $RULE_PATH/bleeding-botcc-BLOCK.rules
	75	include $RULE_PATH/bleeding-botcc.excluded
	76	include $RULE_PATH/bleeding-botcc.rules
	77	include $RULE_PATH/bleeding-botcc.rules.dragon.xml
	78	include $RULE_PATH/bleeding-dos.rules
	79	include $RULE_PATH/bleeding-drop-BLOCK.rules
	80	include $RULE_PATH/bleeding-drop.rules
	81	include $RULE_PATH/bleeding-drop.rules.dragon.xml
	82	include $RULE_PATH/bleeding-dshield-BLOCK.rules
	83	include $RULE_PATH/bleeding-dshield.rules
	84	include $RULE_PATH/bleeding-exploit.rules
	85	include $RULE_PATH/bleeding-game.rules
	86	include $RULE_PATH/bleeding-inappropriate.rules
	87	include $RULE_PATH/bleeding-malware.rules
	88	include $RULE_PATH/bleeding-p2p.rules
	89	include $RULE_PATH/bleeding-policy.rules
	90	include $RULE_PATH/bleeding-scan.rules
	91	include $RULE_PATH/bleeding-sid-msg.map
	92	include $RULE_PATH/bleeding-virus.rules
	93	include $RULE_PATH/bleeding-voip.rules
	94	include $RULE_PATH/bleeding-web.rules
	95	include $RULE_PATH/bleeding.rules
	96	include $RULE_PATH/community-bot.rules
	97	include $RULE_PATH/community-deleted.rules
	98	include $RULE_PATH/community-dos.rules
	99	include $RULE_PATH/community-exploit.rules
	100	include $RULE_PATH/community-ftp.rules
	101	include $RULE_PATH/community-game.rules
	102	include $RULE_PATH/community-icmp.rules
	103	include $RULE_PATH/community-imap.rules
	104	include $RULE_PATH/community-inappropriate.rules
	105	include $RULE_PATH/community-mail-client.rules
	106	include $RULE_PATH/community-misc.rules
	107	include $RULE_PATH/community-nntp.rules
	108	include $RULE_PATH/community-oracle.rules
	109	include $RULE_PATH/community-policy.rules
	110	include $RULE_PATH/community-sid-msg.map
	111	include $RULE_PATH/community-sip.rules
	112	include $RULE_PATH/community-smtp.rules
	113	include $RULE_PATH/community-sql-injection.rules
	114	include $RULE_PATH/community-virus.rules
	115	include $RULE_PATH/community-web-attacks.rules
	116	include $RULE_PATH/community-web-cgi.rules
	117	include $RULE_PATH/community-web-client.rules
	118	include $RULE_PATH/community-web-dos.rules
	119	include $RULE_PATH/community-web-iis.rules
	120	include $RULE_PATH/community-web-misc.rules
	121	include $RULE_PATH/community-web-php.rules