767cb737 | 1 | #-------------------------------------------------- |
8581d1ef | 2 | # http://www.snort.org Snort 2.8.4 Ruleset |
3 | # Contact: snort-sigs@lists.sourceforge.net |
4 | #-------------------------------------------------- | |
5 | # $Id$ | |
6 | # | |
7 | ################################################### | |
8 | # This file contains a sample snort configuration. | |
9 | # You can take the following steps to create your own custom configuration: | |
10 | # | |
11 | # 1) Set the variables for your network | |
12 | # 2) Configure dynamic loaded libraries | |
13 | # 3) Configure preprocessors | |
14 | # 4) Configure output plugins | |
15 | # 5) Add any runtime config directives | |
16 | # 6) Customize your rule set | |
17 | # | |
cd1a2927 | 18 | ################################################### |
19 | # Step #1: Set the network variables: |
20 | # | |
21 | # You must change the following variables to reflect your local network. The | |
22 | # variable is currently set up for an RFC 1918 address space. | |
23 | # | |
24 | # You can specify it explicitly as: | |
25 | # | |
26 | # var HOME_NET 10.1.1.0/24 | |
27 | # | |
28 | # or use the global variable $<interfacename>_ADDRESS, which is always | |
29 | # initialized to the IP address and netmask of the network interface on which | |
30 | # you run snort. Under Windows, this must be specified as | |
31 | # $(<interfacename>_ADDRESS), such as: | |
32 | # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) | |
33 | # | |
34 | # var HOME_NET $eth0_ADDRESS | |
35 | # | |
36 | # You can specify lists of IP addresses for HOME_NET | |
37 | # by separating the IPs with commas like this: | |
38 | # | |
39 | # var HOME_NET [10.1.1.0/24,192.168.1.0/24] | |
40 | # | |
41 | # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! | |
42 | # | |
43 | # or you can specify the variable to be any IP address like this (with both | |
44 | # HOME_NET and EXTERNAL_NET set to "any", rules can no longer tell inbound from outbound traffic): | |
45 | ||
46 | var HOME_NET any | |
47 | ||
48 | # Set up the external network addresses as well. A good start may be "any" | |
49 | var EXTERNAL_NET any | |
50 | ||
51 | # Configure your server lists. This allows snort to only look for attacks to | |
52 | # systems that have a service up. Why look for HTTP attacks if you are not | |
53 | # running a web server? This allows quick filtering based on IP addresses | |
54 | # These configurations MUST follow the same configuration scheme as defined | |
55 | # above for $HOME_NET. | |
56 | ||
57 | # List of DNS servers on your network | |
58 | var DNS_SERVERS $HOME_NET | |
59 | ||
60 | # List of SMTP servers on your network | |
61 | var SMTP_SERVERS $HOME_NET | |
62 | ||
63 | # List of web servers on your network | |
64 | var HTTP_SERVERS $HOME_NET | |
65 | ||
66 | # List of sql servers on your network | |
67 | var SQL_SERVERS $HOME_NET | |
68 | ||
69 | # List of telnet servers on your network | |
70 | var TELNET_SERVERS $HOME_NET | |
71 | ||
72 | # List of snmp servers on your network | |
73 | var SNMP_SERVERS $HOME_NET | |
74 | ||
75 | # Configure your service ports. This allows snort to look for attacks destined | |
76 | # to a specific application only on the ports that application runs on. For | |
77 | # example, if you run a web server on port 8081, set your HTTP_PORTS variable | |
78 | # like this: | |
79 | # | |
80 | # portvar HTTP_PORTS 8081 | |
81 | # | |
82 | # Ports you run web servers on (keep this in step with the http_inspect_server ports list below) | |
83 | portvar HTTP_PORTS 80 | |
84 | ||
85 | # NOTE: If you wish to define multiple HTTP ports, use the portvar | |
86 | # syntax to represent lists of ports and port ranges. Examples: | |
87 | ## portvar HTTP_PORTS [80,8080] | |
88 | ## portvar HTTP_PORTS [80,8000:8080] | |
89 | # And only include the rule that uses $HTTP_PORTS once. | |
90 | # | |
91 | # The pre-2.8.0 approach of redefining the variable to a different port and | |
92 | # including the rules file twice is obsolete. See README.variables for more | |
93 | # details. | |
94 | ||
95 | # Ports you want to look for SHELLCODE on. | |
96 | portvar SHELLCODE_PORTS !80 | |
97 | ||
98 | # Ports you might see oracle attacks on | |
99 | portvar ORACLE_PORTS 1521 | |
100 | ||
101 | # other variables | |
102 | # | |
103 | # AIM servers. AOL has a habit of adding new AIM servers, so instead of | |
104 | # modifying the signatures when they do, we add them to this list of servers. | |
105 | var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] | |
106 | ||
107 | # Path to your rules files (this can be a relative path) | |
108 | # Note for Windows users: You are advised to make this an absolute path, | |
109 | # such as: c:\snort\rules | |
110 | var RULE_PATH /etc/snort/rules | |
111 | var PREPROC_RULE_PATH /etc/snort/preproc_rules | |
112 | ||
113 | # Configure the snort decoder | |
114 | # ============================ | |
115 | # | |
116 | # Snort's decoder will alert on lots of things such as header | |
117 | # truncation or options of unusual length or infrequently used tcp options | |
118 | # | |
119 | # | |
120 | # Stop generic decode events: | |
121 | # | |
122 | # config disable_decode_alerts | |
123 | # | |
124 | # Stop Alerts on experimental TCP options | |
125 | # | |
126 | # config disable_tcpopt_experimental_alerts | |
127 | # | |
128 | # Stop Alerts on obsolete TCP options | |
129 | # | |
130 | # config disable_tcpopt_obsolete_alerts | |
131 | # | |
132 | # Stop Alerts on T/TCP alerts | |
133 | # | |
134 | # In snort 2.0.1 and above, this only alerts when a TCP option is detected | |
135 | # that shows T/TCP being actively used on the network. If this is normal | |
136 | # behavior for your network, disable the next option. | |
137 | # | |
138 | # config disable_tcpopt_ttcp_alerts | |
139 | # | |
140 | # Stop Alerts on all other TCPOption type events: | |
141 | # | |
142 | # config disable_tcpopt_alerts | |
143 | # | |
144 | # Stop Alerts on invalid ip options | |
145 | # | |
146 | # config disable_ipopt_alerts | |
147 | # | |
148 | # Alert if value in length field (IP, TCP, UDP) is greater than the | |
149 | # actual length of the captured portion of the packet that the length | |
150 | # is supposed to represent: | |
151 | # | |
152 | # config enable_decode_oversized_alerts | |
153 | # | |
154 | # Same as above, but drop packet if in Inline mode - | |
155 | # enable_decode_oversized_alerts must be enabled for this to work: | |
156 | # | |
157 | # config enable_decode_oversized_drops | |
cd1a2927 | 158 | # |
159 | |
160 | # Configure the detection engine | |
161 | # =============================== | |
162 | # | |
163 | # Use a different pattern matcher in case you have a machine with very limited | |
164 | # resources: | |
cd1a2927 | 165 | # |
166 | # config detection: search-method lowmem |
167 | ||
168 | # Configure Inline Resets | |
169 | # ======================== | |
170 | # | |
171 | # If running an iptables firewall with snort in InlineMode() we can now | |
172 | # perform resets via a physical device. We grab the indev from iptables | |
173 | # and use this for the interface on which to send resets. This config | |
174 | # option takes an argument for the src mac address you want to use in the | |
175 | # reset packet. This way the bridge can remain stealthy. If the src mac | |
176 | # option is not set we use the mac address of the indev device. If we | |
177 | # don't set this option we will default to sending resets via raw socket, | |
178 | # which needs an ipaddress to be assigned to the int. | |
cd1a2927 | 179 | # |
180 | # config layer2resets: 00:06:76:DD:5F:E3 |
181 | ||
cd1a2927 | 182 | ################################################### |
183 | # Step #2: Configure dynamic loaded libraries |
184 | # | |
185 | # If snort was configured to use dynamically loaded libraries, | |
186 | # those libraries can be loaded here. | |
187 | # | |
188 | # Each of the following configuration options can be done via | |
189 | # the command line as well. | |
190 | # | |
191 | # Load all dynamic preprocessors from the install path | |
192 | # (same as command line option --dynamic-preprocessor-lib-dir) | |
193 | # | |
4fba936c | 194 | dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/ |
195 | # |
196 | # Load a specific dynamic preprocessor library from the install path | |
197 | # (same as command line option --dynamic-preprocessor-lib) | |
198 | # | |
199 | # dynamicpreprocessor file /usr/lib/snort_dynamicpreprocessor/libdynamicexample.so | |
200 | # | |
201 | # Load a dynamic engine from the install path | |
202 | # (same as command line option --dynamic-engine-lib) | |
203 | # | |
204 | dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so | |
205 | # | |
206 | # Load all dynamic rules libraries from the install path | |
207 | # (same as command line option --dynamic-detection-lib-dir) | |
208 | # | |
209 | # dynamicdetection directory /usr/lib/snort_dynamicrule/ | |
210 | # | |
211 | # Load a specific dynamic rule library from the install path | |
212 | # (same as command line option --dynamic-detection-lib) | |
213 | # | |
214 | # dynamicdetection file /usr/lib/snort_dynamicrule/libdynamicexamplerule.so | |
215 | # | |
216 | |
217 | ################################################### | |
218 | # Step #3: Configure preprocessors |
219 | # | |
220 | # General configuration for preprocessors is of | |
221 | # the form | |
222 | # preprocessor <name_of_processor>: <configuration_options> | |
223 | ||
224 | # frag3: Target-based IP defragmentation |
225 | # -------------------------------------- | |
226 | # | |
227 | # Frag3 is a brand new IP defragmentation preprocessor that is capable of | |
228 | # performing "target-based" processing of IP fragments. Check out the | |
229 | # README.frag3 file in the doc directory for more background and configuration | |
230 | # information. | |
231 | # | |
232 | # Frag3 configuration is a two step process, a global initialization phase | |
233 | # followed by the definition of a set of defragmentation engines. | |
234 | # | |
235 | # Global configuration defines the number of fragmented packets that Snort can | |
236 | # track at the same time and gives you options regarding the memory cap for the | |
237 | # subsystem or, optionally, allows you to preallocate all the memory for the | |
238 | # entire frag3 system. | |
239 | # | |
240 | # frag3_global options: | |
241 | # max_frags: Maximum number of frag trackers that may be active at once. | |
242 | # Default value is 8192. | |
243 | # memcap: Maximum amount of memory that frag3 may access at any given time. | |
244 | # Default value is 4MB. | |
245 | # prealloc_frags: Maximum number of individual fragments that may be processed | |
246 | # at once. This is used instead of the memcap system and uses static | |
247 | # allocation to increase performance. No default value. Each | |
248 | # preallocated fragment typically eats ~1550 bytes. However, | |
249 | # the exact amount is determined by the snaplen, and this can | |
250 | # go as high as 64K so beware! | |
251 | # | |
252 | # Target-based behavior is attached to an engine as a "policy" for handling | |
253 | # overlaps and retransmissions as enumerated in the Paxson paper. There are | |
254 | # currently five policy types available: "BSD", "BSD-right", "First", "Linux" | |
255 | # and "Last". Engines can be bound to standard Snort CIDR blocks or | |
256 | # IP lists. | |
257 | # | |
258 | # frag3_engine options: | |
259 | # timeout: Amount of time a fragmented packet may be active before expiring. | |
260 | # Default value is 60 seconds. | |
261 | # ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. | |
262 | # Based on the initial received fragment TTL. | |
263 | # min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this | |
264 | # value will be discarded. Default value is 0. | |
265 | # detect_anomalies: Activates frag3's anomaly detection mechanisms. | |
266 | # policy: Target-based policy to assign to this engine. Default is BSD. | |
267 | # bind_to: IP address set to bind this engine to. Default is all hosts. | |
268 | # | |
269 | # Frag3 configuration example: | |
270 | #preprocessor frag3_global: max_frags 65536, prealloc_frags 65536 | |
271 | #preprocessor frag3_engine: policy linux \ | |
272 | # bind_to [10.1.1.12/32,10.1.1.13/32] \ | |
273 | # detect_anomalies | |
274 | #preprocessor frag3_engine: policy first \ | |
275 | # bind_to 10.2.1.0/24 \ | |
276 | # detect_anomalies | |
277 | #preprocessor frag3_engine: policy last \ | |
278 | # bind_to 10.3.1.0/24 | |
279 | #preprocessor frag3_engine: policy bsd | |
280 | ||
281 | preprocessor frag3_global: max_frags 65536 |
282 | preprocessor frag3_engine: policy first detect_anomalies | |
767cb737 | 283 | |
284 | # stream5: Target Based stateful inspection/stream reassembly for Snort |
285 | # --------------------------------------------------------------------- | |
286 | # Stream5 is a target-based stream engine for Snort. It handles both |
287 | # TCP and UDP connection tracking as well as TCP reassembly. | |
288 | # |
289 | # See README.stream5 for details on the configuration options. | |
290 | # | |
8581d1ef | 291 | # Example config |
292 | preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ |
293 | track_udp no | |
294 | preprocessor stream5_tcp: policy first, use_static_footprint_sizes | |
295 | # preprocessor stream5_udp: ignore_any_rules | |
296 | ||
297 | ||
298 | # Performance Statistics | |
299 | # ---------------------- | |
300 | # Documentation for this is provided in the Snort Manual. You should read it. | |
301 | # It is included in the release distribution as doc/snort_manual.pdf | |
302 | # | |
303 | # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 | |
304 | ||
305 | # http_inspect: normalize and detect HTTP traffic and protocol anomalies | |
306 | # | |
307 | # lots of options available here. See doc/README.http_inspect. | |
308 | # unicode.map should be wherever your snort.conf lives, or given | |
309 | # a full path to where snort can find it. | |
310 | preprocessor http_inspect: global \ | |
311 | iis_unicode_map unicode.map 1252 | |
312 | ||
313 | preprocessor http_inspect_server: server default \ | |
314 | profile all ports { 80 8080 8180 } oversize_dir_length 500 | |
315 | ||
316 | # | |
317 | # Example unique server configuration | |
318 | # | |
319 | #preprocessor http_inspect_server: server 1.1.1.1 \ | |
320 | # ports { 80 3128 8080 } \ | |
321 | # server_flow_depth 0 \ | |
322 | # ascii no \ | |
323 | # double_decode yes \ | |
324 | # non_rfc_char { 0x00 } \ | |
325 | # chunk_length 500000 \ | |
326 | # non_strict \ | |
327 | # oversize_dir_length 300 \ | |
328 | # no_alerts | |
329 | ||
330 | ||
331 | # rpc_decode: normalize RPC traffic | |
332 | # --------------------------------- | |
333 | # RPC may be sent in alternate encodings besides the usual 4-byte encoding | |
334 | # that is used by default. This plugin takes the port numbers that RPC | |
335 | # services are running on as arguments - it is assumed that the given ports | |
336 | # are actually running this type of service. If not, change the ports or turn | |
337 | # it off. | |
338 | # The RPC decode preprocessor uses generator ID 106 | |
339 | # | |
340 | # arguments: space separated list | |
341 | # alert_fragments - alert on any rpc fragmented TCP data | |
342 | # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet | |
343 | # no_alert_large_fragments - don't alert when the fragmented | |
344 | # sizes exceed the current packet size | |
345 | # no_alert_incomplete - don't alert when a single segment | |
346 | # exceeds the current packet size | |
347 | ||
cd1a2927 | 348 | preprocessor rpc_decode: 111 32771 |
349 | |
350 | # bo: Back Orifice detector | |
351 | # ------------------------- | |
352 | # Detects Back Orifice traffic on the network. | |
353 | # | |
354 | # arguments: | |
355 | # syntax: | |
356 | # preprocessor bo: noalert { client | server | general | snort_attack } \ | |
357 | # drop { client | server | general | snort_attack } | |
358 | # example: | |
359 | # preprocessor bo: noalert { general server } drop { snort_attack } | |
360 | # | |
361 | # | |
362 | # The Back Orifice detector uses Generator ID 105 and uses the | |
363 | # following SIDS for that GID: | |
364 | # SID Event description | |
365 | # ----- ------------------- | |
366 | # 1 Back Orifice traffic detected | |
367 | # 2 Back Orifice Client Traffic Detected | |
368 | # 3 Back Orifice Server Traffic Detected | |
369 | # 4 Back Orifice Snort Buffer Attack | |
370 | ||
cd1a2927 | 371 | preprocessor bo |
372 | |
373 | # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buffer overflow | |
374 | # --------------------------------------------------------------------------- | |
375 | # This preprocessor normalizes telnet negotiation strings from telnet and | |
376 | # ftp traffic. It looks for traffic that breaks the normal data stream | |
377 | # of the protocol, replacing it with a normalized representation of that | |
378 | # traffic so that the "content" pattern matching keyword can work without | |
379 | # requiring modifications. | |
380 | # | |
381 | # It also performs protocol correctness checks for the FTP command channel, | |
382 | # and identifies open FTP data transfers. | |
383 | # | |
384 | # FTPTelnet has numerous options available, please read | |
385 | # README.ftptelnet for help configuring the options for the global | |
386 | # telnet, ftp server, and ftp client sections for the protocol. | |
387 | ||
388 | ##### | |
389 | # Per Step #2, set the following to load the ftptelnet preprocessor | |
390 | # dynamicpreprocessor file <full path to libsf_ftptelnet_preproc.so> | |
391 | # or use commandline option | |
392 | # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so> | |
393 | ||
394 | preprocessor ftp_telnet: global \ |
395 | encrypted_traffic yes \ | |
396 | inspection_type stateful | |
767cb737 | 397 | |
398 | preprocessor ftp_telnet_protocol: telnet \ |
399 | normalize \ | |
400 | ayt_attack_thresh 200 | |
401 | |
402 | # This is consistent with the FTP rules as of 18 Sept 2004. | |
403 | # CWD can have param length of 200 | |
404 | # MODE has an additional mode of Z (compressed) | |
405 | # Check for string formats in USER & PASS commands | |
406 | # Check MDTM commands that set the modification time on the file. | |
407 | preprocessor ftp_telnet_protocol: ftp server default \ |
408 | def_max_param_len 100 \ | |
409 | alt_max_param_len 200 { CWD } \ | |
410 | cmd_validity MODE < char ASBCZ > \ | |
411 | cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ | |
412 | chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ | |
413 | telnet_cmds yes \ | |
414 | data_chan | |
767cb737 | 415 | |
416 | preprocessor ftp_telnet_protocol: ftp client default \ |
417 | max_resp_len 256 \ | |
418 | bounce yes \ | |
419 | telnet_cmds yes | |
420 | |
421 | # smtp: SMTP normalizer, protocol enforcement and buffer overflow | |
422 | # --------------------------------------------------------------------------- | |
423 | # This preprocessor normalizes SMTP commands by removing extraneous spaces. | |
424 | # It looks for overly long command lines, response lines, and data header lines. | |
425 | # It can alert on invalid commands, or specific valid commands. It can optionally | |
426 | # ignore mail data, and can ignore TLS encrypted data. | |
427 | # | |
428 | # SMTP has numerous options available, please read README.SMTP for help | |
429 | # configuring options. | |
430 | ||
431 | ##### | |
432 | # Per Step #2, set the following to load the smtp preprocessor | |
433 | # dynamicpreprocessor file <full path to libsf_smtp_preproc.so> | |
434 | # or use commandline option | |
435 | # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so> | |
436 | ||
437 | preprocessor smtp: \ | |
438 | ports { 25 587 691 } \ | |
439 | inspection_type stateful \ | |
440 | normalize cmds \ | |
441 | normalize_cmds { EXPN VRFY RCPT } \ | |
442 | alt_max_command_line_len 260 { MAIL } \ | |
443 | alt_max_command_line_len 300 { RCPT } \ | |
444 | alt_max_command_line_len 500 { HELP HELO ETRN } \ | |
445 | alt_max_command_line_len 255 { EXPN VRFY } | |
446 | ||
447 | # sfPortscan | |
448 | # ---------- | |
449 | # Portscan detection module. Detects various types of portscans and | |
450 | # portsweeps. For more information on detection philosophy, alert types, | |
451 | # and detailed portscan information, please refer to the README.sfportscan. | |
452 | # | |
453 | # -configuration options- | |
454 | # proto { tcp udp icmp ip all } | |
455 | # The arguments to the proto option are the types of protocol scans that | |
456 | # the user wants to detect. Arguments should be separated by spaces and | |
457 | # not commas. | |
458 | # scan_type { portscan portsweep decoy_portscan distributed_portscan all } | |
459 | # The arguments to the scan_type option are the scan types that the | |
460 | # user wants to detect. Arguments should be separated by spaces and not | |
461 | # commas. | |
462 | # sense_level { low|medium|high } | |
463 | # There is only one argument to this option and it is the level of | |
464 | # sensitivity in which to detect portscans. The 'low' sensitivity | |
465 | # detects scans by the common method of looking for response errors, such | |
466 | # as TCP RSTs or ICMP unreachables. This level requires the least | |
467 | # tuning. The 'medium' sensitivity level detects portscans and | |
468 | # filtered portscans (portscans that receive no response). This | |
469 | # sensitivity level usually requires tuning out scan events from NATed | |
470 | # IPs, DNS cache servers, etc. The 'high' sensitivity level has | |
471 | # lower thresholds for portscan detection and a longer time window than | |
472 | # the 'medium' sensitivity level. Requires more tuning and may be noisy | |
473 | # on very active networks. However, this sensitivity level catches the | |
474 | # most scans. | |
475 | # memcap { positive integer } | |
476 | # The maximum number of bytes to allocate for portscan detection. The | |
477 | # higher this number the more nodes that can be tracked. | |
478 | # logfile { filename } | |
479 | # This option specifies the file to log portscan and detailed portscan | |
480 | # values to. If there is not a leading /, then snort logs to the | |
481 | # configured log directory. Refer to README.sfportscan for details on | |
482 | # the logged values in the logfile. | |
483 | # watch_ip { Snort IP List } | |
484 | # ignore_scanners { Snort IP List } | |
485 | # ignore_scanned { Snort IP List } | |
486 | # These options take a snort IP list as the argument. The 'watch_ip' | |
487 | # option specifies the IP(s) to watch for portscan. The | |
488 | # 'ignore_scanners' option specifies the IP(s) to ignore as scanners. | |
489 | # Note that these hosts are still watched as scanned hosts. The | |
490 | # 'ignore_scanners' option is used to tune alerts from very active | |
491 | # hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option | |
492 | # specifies the IP(s) to ignore as scanned hosts. Note that these hosts | |
493 | # are still watched as scanner hosts. The 'ignore_scanned' option is | |
494 | # used to tune alerts from very active hosts such as syslog servers, etc. | |
495 | # detect_ack_scans | |
496 | # This option will include sessions picked up in midstream by the stream | |
497 | # module, which is necessary to detect ACK scans. However, this can lead to | |
498 | # false alerts, especially under heavy load with dropped packets; which is why | |
499 | # the option is off by default. | |
500 | # | |
501 | preprocessor sfportscan: proto { all } \ | |
502 | memcap { 10000000 } \ | |
503 | sense_level { medium } | |
504 | ||
505 | # arpspoof | |
506 | #---------------------------------------- | |
507 | # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, | |
508 | # unicast ARP requests, and specific ARP mapping monitoring. To make use of | |
509 | # this preprocessor you must specify the IP and hardware address of hosts on | |
510 | # the same layer 2 segment as you. Specify one host IP MAC combo per line. | |
511 | # Also takes a "-unicast" option to turn on unicast ARP request detection. | |
512 | # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: | |
513 | ||
514 | # SID Event description | |
515 | # ----- ------------------- | |
516 | # 1 Unicast ARP request | |
517 | # 2 Etherframe ARP mismatch (src) | |
518 | # 3 Etherframe ARP mismatch (dst) | |
519 | # 4 ARP cache overwrite attack | |
520 | ||
521 | #preprocessor arpspoof | |
522 | #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 | |
523 | ||
524 | # ssh | |
525 | #---------------------------------------- | |
526 | # EXPERIMENTAL CODE!!! | |
527 | # | |
528 | # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE! | |
529 | # USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS. | |
530 | # YOU HAVE BEEN WARNED. | |
531 | # | |
532 | # The SSH preprocessor detects the following exploits: Gobbles, CRC 32, | |
533 | # Secure CRT, and the Protocol Mismatch exploit. | |
534 | # | |
535 | # Both Gobbles and CRC 32 attacks occur after the key exchange, and are | |
536 | # therefore encrypted. Both attacks involve sending a large payload | |
537 | # (20kb+) to the server immediately after the authentication challenge. | |
538 | # To detect the attacks, the SSH preprocessor counts the number of bytes | |
539 | # transmitted to the server. If those bytes exceed a pre-defined limit | |
540 | # within a pre-defined number of packets, an alert is generated. Since | |
541 | # Gobbles only affects SSHv2 and CRC 32 only affects SSHv1, the SSH | |
542 | # version string exchange is used to distinguish the attacks. | |
543 | # | |
544 | # The Secure CRT and protocol mismatch exploits are observable before | |
545 | # the key exchange. | |
546 | # | |
547 | # SSH has numerous options available, please read README.ssh for help | |
548 | # configuring options. | |
549 | ||
550 | ##### | |
551 | # Per Step #2, set the following to load the ssh preprocessor | |
552 | # dynamicpreprocessor file <full path to libsf_ssh_preproc.so> | |
553 | # or use commandline option | |
554 | # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so> | |
555 | # | |
556 | #preprocessor ssh: server_ports { 22 } \ | |
557 | # max_client_bytes 19600 \ | |
558 | # max_encrypted_packets 20 | |
559 | ||
560 | # DCE/RPC | |
561 | #---------------------------------------- | |
562 | # | |
563 | # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic. | |
564 | # It is primarily interested in DCE/RPC data, and only decodes SMB | |
565 | # to get at the DCE/RPC data carried by the SMB layer. | |
566 | # | |
567 | # Currently, the preprocessor only handles reassembly of fragmentation | |
568 | # at both the SMB and DCE/RPC layer. Snort rules can be evaded by | |
569 | # using both types of fragmentation; with the preprocessor enabled | |
570 | # the rules are given a buffer with a reassembled SMB or DCE/RPC | |
571 | # packet to examine. | |
572 | # | |
573 | # At the SMB layer, only fragmentation using WriteAndX is currently | |
574 | # reassembled. Other methods will be handled in future versions of | |
575 | # the preprocessor. | |
576 | # | |
577 | # Autodetection of SMB is done by looking for "\xFFSMB" at the start of | |
578 | # the SMB data, as well as checking the NetBIOS header (which is always | |
579 | # present for SMB) for the type "SMB Session". | |
580 | # | |
581 | # Autodetection of DCE/RPC is not as reliable. Currently, two bytes are | |
582 | # checked in the packet. Assuming that the data is a DCE/RPC header, | |
583 | # one byte is checked for DCE/RPC version (5) and another for the type | |
584 | # "DCE/RPC Request". If both match, the preprocessor proceeds on the | |
585 | # assumption that it is looking at DCE/RPC data. If subsequent checks | |
586 | # are nonsensical, it ends processing. | |
587 | # | |
588 | # DCERPC has numerous options available, please read README.dcerpc for help | |
589 | # configuring options. | |
590 | ||
591 | ##### | |
592 | # Per Step #2, set the following to load the dcerpc preprocessor | |
593 | # dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so> | |
594 | # or use commandline option | |
595 | # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so> | |
596 | # |
597 | #preprocessor dcerpc: \ | |
598 | # autodetect \ | |
599 | # max_frag_size 3000 \ | |
600 | # memcap 100000 | |
601 | ||
602 | ||
603 | # DCE/RPC 2 | |
604 | #---------------------------------------- | |
605 | # See doc/README.dcerpc2 for explanations of what the | |
606 | # preprocessor does and how to configure it. | |
607 | # | |
608 | preprocessor dcerpc2 | |
609 | preprocessor dcerpc2_server: default | |
767cb737 | 610 | |
611 | |
612 | # DNS | |
613 | #---------------------------------------- | |
614 | # The dns preprocessor (currently) decodes DNS Response traffic | |
615 | # and detects a few vulnerabilities. | |
616 | # | |
617 | # DNS has a few options available, please read README.dns for | |
618 | # help configuring options. | |
619 | ||
620 | ##### | |
621 | # Per Step #2, set the following to load the dns preprocessor | |
622 | # dynamicpreprocessor file <full path to libsf_dns_preproc.so> | |
623 | # or use commandline option | |
624 | # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so> | |
625 | ||
626 | preprocessor dns: \ | |
627 | ports { 53 } \ | |
628 | enable_rdata_overflow | |
629 | ||
630 | # SSL | |
631 | #---------------------------------------- | |
632 | # Encrypted traffic should be ignored by Snort for both performance reasons | |
633 | # and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP) | |
634 | # inspects SSL traffic and optionally determines if and when to stop | |
635 | # inspection of it. | |
636 | # | |
637 | # Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to | |
638 | # inspect port 443, only the SSL handshake of each connection will be | |
639 | # inspected. Once the traffic is determined to be encrypted, no further | |
640 | # inspection of the data on the connection is made. | |
641 | # | |
642 | # If you don't necessarily trust all of the SSL capable servers on your |
643 | # network, you should remove the "trustservers" option from the configuration. | |
644 | # | |
645 | # Important note: Stream5 should be explicitly told to reassemble | |
646 | # traffic on the ports that you intend to inspect SSL |
647 | # encrypted traffic on. | |
648 | # | |
649 | # To add reassembly on port 443 to Stream5, use 'port both 443' in the | |
650 | # Stream5 configuration. | |
651 | ||
8581d1ef | 652 | preprocessor ssl: noinspect_encrypted, trustservers |
653 | |
654 | ||
655 | #################################################################### | |
656 | # Step #4: Configure output plugins | |
657 | # | |
658 | # Uncomment and configure the output plugins you decide to use. General | |
659 | # configuration for output plugins is of the form: | |
660 | # | |
661 | # output <name_of_plugin>: <configuration_options> | |
662 | # | |
663 | # alert_syslog: log alerts to syslog | |
664 | # ---------------------------------- | |
665 | # Use one or more syslog facilities as arguments. Win32 can also optionally | |
666 | # specify a particular hostname/port. Under Win32, the default hostname is | |
667 | # '127.0.0.1', and the default port is 514. | |
668 | # | |
669 | # [Unix flavours should use this format...] | |
670 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
671 | # | |
672 | # [Win32 can use any of these formats...] | |
673 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
674 | # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT | |
675 | # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT | |
676 | ||
677 | # log_tcpdump: log packets in binary tcpdump format | |
678 | # ------------------------------------------------- | |
679 | # The only argument is the output file name. | |
680 | # | |
681 | # output log_tcpdump: tcpdump.log | |
682 | ||
683 | # database: log to a variety of databases | |
684 | # --------------------------------------- | |
685 | # See the README.database file for more information about configuring | |
686 | # and using this plugin. Note that any credentials below are stored in cleartext. | |
687 | # | |
688 | # output database: log, mysql, user=root password=test dbname=db host=localhost | |
689 | # output database: alert, postgresql, user=snort dbname=snort | |
690 | # output database: log, odbc, user=snort dbname=snort | |
691 | # output database: log, mssql, dbname=snort user=snort password=test | |
692 | # output database: log, oracle, dbname=snort user=snort password=test | |
693 | ||
694 | # unified: Snort unified binary format alerting and logging | |
695 | # ------------------------------------------------------------- | |
696 | # The unified output plugin provides two new output modes for logging and generating | |
697 | # alerts from Snort, both using the "unified" format. The unified format is a straight | |
698 | # binary format for logging data out of Snort that is designed to be fast and | |
699 | # efficient. Used with barnyard (the new alert/log processor), most of the | |
700 | # overhead for logging and alerting to various slow storage mechanisms such as | |
701 | # databases or the network can now be avoided. | |
702 | # | |
703 | # Check out the spo_unified.h file for the data formats. | |
704 | # | |
705 | # Two arguments are supported. | |
706 | # filename - base filename to write to (current time_t is appended) | |
707 | # limit - maximum size of spool file in MB (default: 128) | |
708 | # | |
709 | # output alert_unified: filename snort.alert, limit 128 | |
710 | # output log_unified: filename snort.log, limit 128 | |
711 | ||
712 | ||
713 | # prelude: log to the Prelude Hybrid IDS system | |
714 | # --------------------------------------------- | |
715 | # | |
716 | # profile = Name of the Prelude profile to use (default is snort). | |
717 | # | |
718 | # Snort priority to IDMEF severity mappings: | |
719 | # high < medium < low < info | |
720 | # | |
721 | # These are the default mapped from classification.config: | |
722 | # info = 4 | |
723 | # low = 3 | |
724 | # medium = 2 | |
725 | # high = anything below medium | |
726 | # | |
727 | # output alert_prelude | |
728 | # output alert_prelude: profile=snort-profile-name | |
729 | ||
730 | ||
731 | # You can optionally define new rule types and associate one or more output | |
732 | # plugins specifically to that type. | |
733 | # | |
734 | # This example will create a type that will log to just tcpdump. | |
735 | # ruletype suspicious | |
736 | # { | |
737 | # type log | |
738 | # output log_tcpdump: suspicious.log | |
739 | # } | |
740 | # | |
741 | # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: | |
742 | # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) | |
743 | # | |
744 | # This example will create a rule type that will log to syslog and a mysql | |
745 | # database: | |
746 | # ruletype redalert | |
747 | # { | |
748 | # type alert | |
749 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
750 | # output database: log, mysql, user=snort dbname=snort host=localhost | |
751 | # } | |
752 | # | |
753 | # EXAMPLE RULE FOR REDALERT RULETYPE: | |
754 | # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ | |
755 | # (msg:"Someone is being LEET"; flags:A+;) | |
756 | ||
757 | # | |
758 | # Include classification & priority settings | |
759 | # Note for Windows users: You are advised to make this an absolute path, | |
760 | # such as: c:\snort\etc\classification.config | |
761 | # | |
762 | ||
763 | include /etc/snort/rules/classification.config | |
764 | ||
765 | # | |
766 | # Include reference systems | |
767 | # Note for Windows users: You are advised to make this an absolute path, | |
768 | # such as: c:\snort\etc\reference.config | |
769 | # | |
770 | ||
771 | include /etc/snort/rules/reference.config | |
772 | ||
773 | #################################################################### | |
774 | # Step #5: Configure snort with config statements | |
775 | # | |
776 | # See the snort manual for a full set of configuration references | |
777 | # | |
778 | # config flowbits_size: 64 | |
779 | # | |
780 | # New global ignore_ports config option from Andy Mullican | |
781 | # | |
782 | # config ignore_ports: <tcp|udp> <list of ports separated by whitespace> | |
783 | # config ignore_ports: tcp 21 6667:6671 1356 | |
784 | # config ignore_ports: udp 1:17 53 | |
785 | ||
786 | ||
787 | #################################################################### | |
788 | # Step #6: Customize your rule set | |
789 | # | |
790 | # Up to date snort rules are available at http://www.snort.org | |
791 | # | |
792 | # The snort web site has documentation about how to write your own custom snort | |
793 | # rules. | |
794 | ||
cd1a2927 | 795 | #========================================= |
796 | # Include all relevant rulesets here |
797 | # | |
798 | # The following rulesets are disabled by default: | |
799 | # | |
800 | # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus, | |
801 | # chat, multimedia, and p2p | |
802 | # | |
803 | # These rules are either site policy specific or require tuning in order to not | |
804 | # generate false positive alerts in most environments. | |
805 | # | |
806 | # Please read the specific include file for more information and | |
807 | # README.alert_order for how rule ordering affects how alerts are triggered. | |
cd1a2927 | 808 | #========================================= |
809 | |
810 | #include $RULE_PATH/local.rules | |
811 | #include $RULE_PATH/bad-traffic.rules | |
812 | #include $RULE_PATH/exploit.rules | |
813 | #include $RULE_PATH/scan.rules | |
814 | #include $RULE_PATH/finger.rules | |
815 | #include $RULE_PATH/ftp.rules | |
816 | #include $RULE_PATH/telnet.rules | |
817 | #include $RULE_PATH/rpc.rules | |
818 | #include $RULE_PATH/rservices.rules | |
819 | #include $RULE_PATH/dos.rules | |
820 | #include $RULE_PATH/ddos.rules | |
821 | #include $RULE_PATH/dns.rules | |
822 | #include $RULE_PATH/tftp.rules | |
823 | #include $RULE_PATH/web-cgi.rules |
824 | #include $RULE_PATH/web-coldfusion.rules | |
825 | #include $RULE_PATH/web-iis.rules | |
826 | #include $RULE_PATH/web-frontpage.rules | |
827 | #include $RULE_PATH/web-misc.rules | |
828 | #include $RULE_PATH/web-client.rules | |
829 | #include $RULE_PATH/web-php.rules | |
830 | #include $RULE_PATH/sql.rules |
831 | #include $RULE_PATH/x11.rules | |
832 | #include $RULE_PATH/icmp.rules | |
833 | #include $RULE_PATH/netbios.rules | |
834 | #include $RULE_PATH/misc.rules | |
835 | #include $RULE_PATH/attack-responses.rules | |
836 | #include $RULE_PATH/oracle.rules | |
837 | #include $RULE_PATH/mysql.rules | |
838 | #include $RULE_PATH/snmp.rules | |
839 | #include $RULE_PATH/smtp.rules |
840 | #include $RULE_PATH/imap.rules | |
841 | #include $RULE_PATH/pop2.rules | |
842 | #include $RULE_PATH/pop3.rules | |
843 | #include $RULE_PATH/nntp.rules |
844 | #include $RULE_PATH/other-ids.rules | |
845 | # include $RULE_PATH/web-attacks.rules | |
846 | # include $RULE_PATH/backdoor.rules | |
847 | # include $RULE_PATH/shellcode.rules | |
848 | # include $RULE_PATH/policy.rules | |
849 | # include $RULE_PATH/porn.rules | |
850 | # include $RULE_PATH/info.rules | |
851 | # include $RULE_PATH/icmp-info.rules | |
852 | # include $RULE_PATH/virus.rules | |
853 | # include $RULE_PATH/chat.rules | |
854 | # include $RULE_PATH/multimedia.rules | |
855 | # include $RULE_PATH/p2p.rules | |
856 | # include $RULE_PATH/spyware-put.rules | |
857 | # include $RULE_PATH/specific-threats.rules | |
858 | #include $RULE_PATH/experimental.rules | |
859 | # include $PREPROC_RULE_PATH/preprocessor.rules |
860 | # include $PREPROC_RULE_PATH/decoder.rules | |
861 | ||
862 | # Include any thresholding or suppression commands. See threshold.conf in the | |
863 | # <snort src>/etc directory for details. Commands don't necessarily need to be | |
864 | # contained in this conf, but a separate conf makes it easier to maintain them. | |
865 | # Note for Windows users: You are advised to make this an absolute path, | |
866 | # such as: c:\snort\etc\threshold.conf | |
867 | # Uncomment if needed. | |
868 | # include threshold.conf |