1 | #-------------------------------------------------- |
2 | # http://www.snort.org Snort 2.8.3.2 Ruleset | |
3 | # Contact: snort-sigs@lists.sourceforge.net | |
4 | #-------------------------------------------------- | |
5 | # $Id$ | |
6 | # | |
7 | ################################################### | |
8 | # This file contains a sample snort configuration. | |
9 | # You can take the following steps to create your own custom configuration: | |
10 | # | |
11 | # 1) Set the variables for your network | |
12 | # 2) Configure dynamic loaded libraries | |
13 | # 3) Configure preprocessors | |
14 | # 4) Configure output plugins | |
15 | # 5) Add any runtime config directives | |
16 | # 6) Customize your rule set | |
17 | # | |
cd1a2927 | 18 | ################################################### |
19 | # Step #1: Set the network variables: |
20 | # | |
21 | # You must change the following variables to reflect your local network. The | |
22 | # variable is currently setup for an RFC 1918 address space. | |
23 | # | |
24 | # You can specify it explicitly as: | |
25 | # | |
26 | # var HOME_NET 10.1.1.0/24 | |
27 | # | |
28 | # or use global variable $<interfacename>_ADDRESS which will be always | |
29 | # initialized to the IP address and netmask of the network interface on which | |
30 | # you run snort. Under Windows, this must be specified as | |
31 | # $(<interfacename>_ADDRESS), such as: | |
32 | # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) | |
33 | # | |
34 | # var HOME_NET $eth0_ADDRESS | |
35 | # | |
36 | # You can specify lists of IP addresses for HOME_NET | |
37 | # by separating the IPs with commas like this: | |
38 | # | |
39 | # var HOME_NET [10.1.1.0/24,192.168.1.0/24] | |
40 | # | |
41 | # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! | |
42 | # | |
43 | # or you can specify the variable to be any IP address | |
44 | # like this: | |
45 | ||
var HOME_NET any

# Set up the external network addresses as well. A good start may be "any"
# NOTE(review): with HOME_NET and EXTERNAL_NET both left as "any", a rule
# written as $EXTERNAL_NET -> $HOME_NET matches regardless of which side is
# your network, so alerts no longer carry the intended direction. Narrow
# HOME_NET to the address space described above, and then set
# EXTERNAL_NET to !$HOME_NET, before relying on this configuration.
var EXTERNAL_NET any
50 | ||
51 | # Configure your server lists. This allows snort to only look for attacks to | |
52 | # systems that have a service up. Why look for HTTP attacks if you are not | |
53 | # running a web server? This allows quick filtering based on IP addresses | |
54 | # These configurations MUST follow the same configuration scheme as defined | |
55 | # above for $HOME_NET. | |
56 | ||
57 | # List of DNS servers on your network | |
58 | var DNS_SERVERS $HOME_NET | |
59 | ||
60 | # List of SMTP servers on your network | |
61 | var SMTP_SERVERS $HOME_NET | |
62 | ||
63 | # List of web servers on your network | |
64 | var HTTP_SERVERS $HOME_NET | |
65 | ||
66 | # List of sql servers on your network | |
67 | var SQL_SERVERS $HOME_NET | |
68 | ||
69 | # List of telnet servers on your network | |
70 | var TELNET_SERVERS $HOME_NET | |
71 | ||
72 | # List of snmp servers on your network | |
73 | var SNMP_SERVERS $HOME_NET | |
74 | ||
75 | # Configure your service ports. This allows snort to look for attacks destined | |
76 | # to a specific application only on the ports that application runs on. For | |
77 | # example, if you run a web server on port 8081, set your HTTP_PORTS variable | |
78 | # like this: | |
79 | # | |
80 | # portvar HTTP_PORTS 8081 | |
81 | # | |
82 | # Ports you run web servers on | |
83 | portvar HTTP_PORTS 80 | |
84 | ||
85 | # NOTE: If you wish to define multiple HTTP ports, use the portvar | |
86 | # syntax to represent lists of ports and port ranges. Examples: | |
87 | ## portvar HTTP_PORTS [80,8080] | |
88 | ## portvar HTTP_PORTS [80,8000:8080] | |
89 | # And only include the rule that uses $HTTP_PORTS once. | |
90 | # | |
91 | # The pre-2.8.0 approach of redefining the variable to a different port and | |
92 | # including the rules file twice is obsolete. See README.variables for more | |
93 | # details. | |
94 | ||
95 | # Ports you want to look for SHELLCODE on. | |
96 | portvar SHELLCODE_PORTS !80 | |
97 | ||
98 | # Ports you might see oracle attacks on | |
99 | portvar ORACLE_PORTS 1521 | |
100 | ||
101 | # other variables | |
102 | # | |
103 | # AIM servers. AOL has a habit of adding new AIM servers, so instead of | |
104 | # modifying the signatures when they do, we add them to this list of servers. | |
105 | var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] | |
106 | ||
107 | # Path to your rules files (this can be a relative path) | |
108 | # Note for Windows users: You are advised to make this an absolute path, | |
109 | # such as: c:\snort\rules | |
110 | var RULE_PATH /etc/snort/rules | |
111 | var PREPROC_RULE_PATH /etc/snort/preproc_rules | |
112 | ||
113 | # Configure the snort decoder | |
114 | # ============================ | |
115 | # | |
116 | # Snort's decoder will alert on lots of things such as header | |
117 | # truncation or options of unusual length or infrequently used tcp options | |
118 | # | |
119 | # | |
120 | # Stop generic decode events: | |
121 | # | |
122 | # config disable_decode_alerts | |
123 | # | |
124 | # Stop Alerts on experimental TCP options | |
125 | # | |
126 | # config disable_tcpopt_experimental_alerts | |
127 | # | |
128 | # Stop Alerts on obsolete TCP options | |
129 | # | |
130 | # config disable_tcpopt_obsolete_alerts | |
131 | # | |
132 | # Stop Alerts on T/TCP alerts | |
133 | # | |
134 | # In snort 2.0.1 and above, this only alerts when a TCP option is detected | |
135 | # that shows T/TCP being actively used on the network. If this is normal | |
136 | # behavior for your network, disable the next option. | |
137 | # | |
138 | # config disable_tcpopt_ttcp_alerts | |
139 | # | |
140 | # Stop Alerts on all other TCPOption type events: | |
141 | # | |
142 | # config disable_tcpopt_alerts | |
143 | # | |
144 | # Stop Alerts on invalid ip options | |
145 | # | |
146 | # config disable_ipopt_alerts | |
147 | # | |
148 | # Alert if value in length field (IP, TCP, UDP) is greater than the | |
149 | # actual length of the captured portion of the packet that the length | |
150 | # is supposed to represent: | |
151 | # | |
152 | # config enable_decode_oversized_alerts | |
153 | # | |
154 | # Same as above, but drop packet if in Inline mode - | |
155 | # enable_decode_oversized_alerts must be enabled for this to work: | |
156 | # | |
157 | # config enable_decode_oversized_drops | |
cd1a2927 | 158 | # |
159 | |
160 | # Configure the detection engine | |
161 | # =============================== | |
162 | # | |
163 | # Use a different pattern matcher in case you have a machine with very limited | |
164 | # resources: | |
cd1a2927 | 165 | # |
166 | # config detection: search-method lowmem |
167 | ||
168 | # Configure Inline Resets | |
169 | # ======================== | |
170 | # | |
171 | # If running an iptables firewall with snort in InlineMode() we can now | |
172 | # perform resets via a physical device. We grab the indev from iptables | |
173 | # and use this for the interface on which to send resets. This config | |
174 | # option takes an argument for the src mac address you want to use in the | |
175 | # reset packet. This way the bridge can remain stealthy. If the src mac | |
176 | # option is not set we use the mac address of the indev device. If we | |
177 | # don't set this option we will default to sending resets via raw socket, | |
178 | # which needs an ipaddress to be assigned to the int. | |
cd1a2927 | 179 | # |
180 | # config layer2resets: 00:06:76:DD:5F:E3 |
181 | ||
cd1a2927 | 182 | ################################################### |
183 | # Step #2: Configure dynamic loaded libraries |
184 | # | |
185 | # If snort was configured to use dynamically loaded libraries, | |
186 | # those libraries can be loaded here. | |
187 | # | |
188 | # Each of the following configuration options can be done via | |
189 | # the command line as well. | |
190 | # | |
191 | # Load all dynamic preprocessors from the install path | |
192 | # (same as command line option --dynamic-preprocessor-lib-dir) | |
193 | # | |
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
#
# Load a specific dynamic preprocessor library from the install path
# (same as command line option --dynamic-preprocessor-lib)
#
# dynamicpreprocessor file /usr/lib/snort_dynamicpreprocessor/libdynamicexample.so
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
# NOTE(review): every shared object named here, and everything found in the
# preprocessor directory above, is loaded into the snort process at startup.
# Keep these directories and the files in them owned by root and not writable
# by unprivileged users; a writable library directory lets anyone who can
# write there run code inside snort.
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
205 | # | |
206 | # Load all dynamic rules libraries from the install path | |
207 | # (same as command line option --dynamic-detection-lib-dir) | |
208 | # | |
209 | # dynamicdetection directory /usr/lib/snort_dynamicrule/ | |
210 | # | |
211 | # Load a specific dynamic rule library from the install path | |
212 | # (same as command line option --dynamic-detection-lib) | |
213 | # | |
214 | # dynamicdetection file /usr/lib/snort_dynamicrule/libdynamicexamplerule.so | |
215 | # | |
216 | |
217 | ################################################### | |
218 | # Step #3: Configure preprocessors |
219 | # | |
220 | # General configuration for preprocessors is of | |
221 | # the form | |
222 | # preprocessor <name_of_processor>: <configuration_options> | |
223 | ||
224 | # Configure Flow tracking module | |
225 | # ------------------------------- | |
226 | # | |
227 | # The Flow tracking module is meant to start unifying the state keeping | |
228 | # mechanisms of snort into a single place. Right now, only a portscan detector | |
229 | # is implemented but in the long term, many of the stateful subsystems of | |
230 | # snort will be migrated over to becoming flow plugins. This must be enabled | |
231 | # for flow-portscan to work correctly. | |
232 | # | |
233 | # See README.flow for additional information | |
234 | # | |
235 | #preprocessor flow: stats_interval 0 hash 2 | |
236 | ||
237 | # frag3: Target-based IP defragmentation | |
238 | # -------------------------------------- | |
239 | # | |
240 | # Frag3 is a brand new IP defragmentation preprocessor that is capable of | |
241 | # performing "target-based" processing of IP fragments. Check out the | |
242 | # README.frag3 file in the doc directory for more background and configuration | |
243 | # information. | |
244 | # | |
245 | # Frag3 configuration is a two step process, a global initialization phase | |
246 | # followed by the definition of a set of defragmentation engines. | |
247 | # | |
248 | # Global configuration defines the number of fragmented packets that Snort can | |
249 | # track at the same time and gives you options regarding the memory cap for the | |
250 | # subsystem or, optionally, allows you to preallocate all the memory for the | |
251 | # entire frag3 system. | |
252 | # | |
253 | # frag3_global options: | |
254 | # max_frags: Maximum number of frag trackers that may be active at once. | |
255 | # Default value is 8192. | |
256 | # memcap: Maximum amount of memory that frag3 may access at any given time. | |
257 | # Default value is 4MB. | |
258 | # prealloc_frags: Maximum number of individual fragments that may be processed | |
259 | # at once. This is used instead of the memcap system and relies on static | |
260 | # allocation to increase performance. No default value. Each | |
261 | # preallocated fragment typically eats ~1550 bytes. However, | |
262 | # the exact amount is determined by the snaplen, and this can | |
263 | # go as high as 64K so beware! | |
264 | # | |
265 | # Target-based behavior is attached to an engine as a "policy" for handling | |
266 | # overlaps and retransmissions as enumerated in the Paxson paper. There are | |
267 | # currently five policy types available: "BSD", "BSD-right", "First", "Linux" | |
268 | # and "Last". Engines can be bound to standard Snort CIDR blocks or | |
269 | # IP lists. | |
270 | # | |
271 | # frag3_engine options: | |
272 | # timeout: Amount of time a fragmented packet may be active before expiring. | |
273 | # Default value is 60 seconds. | |
274 | # ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. | |
275 | # Based on the initial received fragment TTL. | |
276 | # min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this | |
277 | # value will be discarded. Default value is 0. | |
278 | # detect_anomalies: Activates frag3's anomaly detection mechanisms. | |
279 | # policy: Target-based policy to assign to this engine. Default is BSD. | |
280 | # bind_to: IP address set to bind this engine to. Default is all hosts. | |
281 | # | |
282 | # Frag3 configuration example: | |
283 | #preprocessor frag3_global: max_frags 65536, prealloc_frags 65536 | |
284 | #preprocessor frag3_engine: policy linux \ | |
285 | # bind_to [10.1.1.12/32,10.1.1.13/32] \ | |
286 | # detect_anomalies | |
287 | #preprocessor frag3_engine: policy first \ | |
288 | # bind_to 10.2.1.0/24 \ | |
289 | # detect_anomalies | |
290 | #preprocessor frag3_engine: policy last \ | |
291 | # bind_to 10.3.1.0/24 | |
292 | #preprocessor frag3_engine: policy bsd | |
293 | ||
# max_frags is raised well above the 8192 default; memcap is left at its
# default (4MB per the notes above), so that cap is what bounds memory use.
preprocessor frag3_global: max_frags 65536
# No bind_to, so this single engine applies to every host. The "first"
# policy only reassembles the way a monitored host does if it matches that
# host's stack; see the bind_to examples above for per-subnet engines.
# detect_anomalies turns on frag3's fragment anomaly alerts.
preprocessor frag3_engine: policy first detect_anomalies
296 | |
297 | ||
298 | # stream4: stateful inspection/stream reassembly for Snort | |
299 | #---------------------------------------------------------------------- | |
300 | # Use in concert with the -z [all|est] command line switch to defeat stick/snot | |
301 | # against TCP rules. Also performs full TCP stream reassembly, stateful | |
302 | # inspection of TCP streams, etc. Can statefully detect various portscan | |
303 | # types, fingerprinting, ECN, etc. | |
304 | ||
305 | # stateful inspection directive | |
306 | # no arguments loads the defaults (timeout 30, memcap 8388608) | |
307 | # options (options are comma delimited): | |
308 | # detect_scans - stream4 will detect stealth portscans and generate alerts | |
309 | # when it sees them when this option is set | |
310 | # detect_state_problems - detect TCP state problems, this tends to be very | |
311 | # noisy because there are a lot of crappy ip stack | |
312 | # implementations out there | |
313 | # | |
314 | # disable_evasion_alerts - turn off the possibly noisy mitigation of | |
315 | # overlapping sequences. | |
316 | # | |
317 | # ttl_limit [number] - allowed difference between the initial ttl on a session | |
318 | # and later packets; beyond it, someone may be playing games. | |
319 | # Routing flap may cause lots of false positives. | |
320 | # | |
321 | # keepstats [machine|binary] - keep session statistics, add "machine" to | |
322 | # get them in a flat format for machine reading, add | |
323 | # "binary" to get them in a unified binary output | |
324 | # format | |
325 | # noinspect - turn off stateful inspection only | |
326 | # timeout [number] - set the session timeout counter to [number] seconds, | |
327 | # default is 30 seconds | |
328 | # max_sessions [number] - limit the number of sessions stream4 keeps | |
329 | # track of | |
330 | # memcap [number] - limit stream4 memory usage to [number] bytes (does | |
331 | # not include session tracking, which is set by the | |
332 | # max_sessions option) | |
333 | # log_flushed_streams - if an event is detected on a stream this option will | |
334 | # cause all packets that are stored in the stream4 | |
335 | # packet buffers to be flushed to disk. This only | |
336 | # works when logging in pcap mode! | |
337 | # server_inspect_limit [bytes] - Byte limit on server side inspection. | |
338 | # enable_udp_sessions - turn on tracking of "sessions" over UDP. Requires | |
339 | # configure --enable-stream4udp. UDP sessions are | |
340 | # only created when there is a rule for the sender or | |
341 | # responder that has a flow or flowbits keyword. | |
342 | # max_udp_sessions [number] - limit the number of simultaneous UDP sessions | |
343 | # to track | |
344 | # udp_ignore_any - Do not inspect UDP packets unless there is a port specific | |
345 | # rule for a given port. This is a performance improvement | |
346 | # and turns off inspection for udp xxx any -> xxx any rules | |
347 | # cache_clean_sessions [number] - Cleanup the session cache by number sessions | |
348 | # at a time. The larger the value, the | |
349 | # more sessions are purged from the cache when | |
350 | # the session limit or memcap is reached. | |
351 | # Defaults to 5. | |
352 | # | |
353 | # | |
354 | # | |
355 | # Stream4 uses Generator ID 111 and uses the following SIDS | |
356 | # for that GID: | |
357 | # SID Event description | |
358 | # ----- ------------------- | |
359 | # 1 Stealth activity | |
360 | # 2 Evasive RST packet | |
361 | # 3 Evasive TCP packet retransmission | |
362 | # 4 TCP Window violation | |
363 | # 5 Data on SYN packet | |
364 | # 6 Stealth scan: full XMAS | |
365 | # 7 Stealth scan: SYN-ACK-PSH-URG | |
366 | # 8 Stealth scan: FIN scan | |
367 | # 9 Stealth scan: NULL scan | |
368 | # 10 Stealth scan: NMAP XMAS scan | |
369 | # 11 Stealth scan: Vecna scan | |
370 | # 12 Stealth scan: NMAP fingerprint scan stateful detect | |
371 | # 13 Stealth scan: SYN-FIN scan | |
372 | # 14 TCP forward overlap | |
373 | ||
374 | #preprocessor stream4: disable_evasion_alerts | |
375 | ||
376 | # tcp stream reassembly directive | |
377 | # no arguments loads the default configuration | |
378 | # Only reassemble the client, | |
379 | # Only reassemble the default list of ports (See below), | |
380 | # Give alerts for "bad" streams | |
381 | # | |
382 | # Available options (comma delimited): | |
383 | # clientonly - reassemble traffic for the client side of a connection only | |
384 | # serveronly - reassemble traffic for the server side of a connection only | |
385 | # both - reassemble both sides of a session | |
386 | # noalerts - turn off alerts from the stream reassembly stage of stream4 | |
387 | # ports [list] - use the space separated list of ports in [list], "all" | |
388 | # will turn on reassembly for all ports, "default" will turn | |
389 | # on reassembly for ports 21, 23, 25, 42, 53, 80, 110, | |
390 | # 111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521, | |
391 | # 2401, and 3306 | |
392 | # favor_old - favor an old segment (based on sequence number) over a new one. | |
393 | # This is the default. | |
394 | # favor_new - favor a new segment (based on sequence number) over an old one. | |
395 | # overlap_limit [number] - limit on overlapping segments for a session. | |
396 | # flush_on_alert - flushes stream when an alert is generated for a session. | |
397 | # flush_behavior [mode] - | |
398 | # default - use old static flushpoints (default) | |
399 | # large_window - use new larger static flushpoints | |
400 | # random - use random flushpoints defined by flush_base, | |
401 | # flush_seed and flush_range | |
402 | # flush_base [number] - lowest allowed random flushpoint (512 by default) | |
403 | # flush_range [number] - number is the space within which random flushpoints | |
404 | # are generated (default 1213) | |
405 | # flush_seed [number] - seed for the random number generator, defaults to | |
406 | # Snort PID + time | |
407 | # | |
408 | # Using the default random flushpoints, the smallest flushpoint is 512, | |
409 | # and the largest is 1725 bytes. | |
410 | #preprocessor stream4_reassemble | |
411 | ||
412 | # stream5: Target Based stateful inspection/stream reassembly for Snort | |
413 | # --------------------------------------------------------------------- | |
414 | # Stream5 is a target-based stream engine for Snort. Its functionality | |
415 | # replaces that of Stream4. Consequently, BOTH Stream4 and Stream5 | |
416 | # cannot be used simultaneously. Comment out the stream4 configurations | |
417 | # above to use Stream5. | |
418 | # | |
419 | # See README.stream5 for details on the configuration options. | |
420 | # | |
421 | # Example config (that emulates Stream4 with UDP support compiled in) | |
422 | preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ | |
423 | track_udp no | |
424 | preprocessor stream5_tcp: policy first, use_static_footprint_sizes | |
425 | # preprocessor stream5_udp: ignore_any_rules | |
426 | ||
427 | ||
428 | # Performance Statistics | |
429 | # ---------------------- | |
430 | # Documentation for this is provided in the Snort Manual. You should read it. | |
431 | # It is included in the release distribution as doc/snort_manual.pdf | |
432 | # | |
433 | # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 | |
434 | ||
435 | # http_inspect: normalize and detect HTTP traffic and protocol anomalies | |
436 | # | |
437 | # lots of options available here. See doc/README.http_inspect. | |
438 | # unicode.map should be wherever your snort.conf lives, or given | |
439 | # a full path to where snort can find it. | |
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# NOTE(review): this port list (80 8080 8180) is wider than HTTP_PORTS, which
# Step #1 sets to 80 only. Traffic on 8080/8180 is normalized here, but rules
# written against $HTTP_PORTS never see it. Keep the two lists in sync,
# e.g. portvar HTTP_PORTS [80,8080,8180], using the portvar list syntax
# described in Step #1.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
445 | ||
446 | # | |
447 | # Example unique server configuration | |
448 | # | |
449 | #preprocessor http_inspect_server: server 1.1.1.1 \ | |
450 | # ports { 80 3128 8080 } \ | |
451 | # server_flow_depth 0 \ | |
452 | # ascii no \ | |
453 | # double_decode yes \ | |
454 | # non_rfc_char { 0x00 } \ | |
455 | # chunk_length 500000 \ | |
456 | # non_strict \ | |
457 | # oversize_dir_length 300 \ | |
458 | # no_alerts | |
459 | ||
460 | ||
461 | # rpc_decode: normalize RPC traffic | |
462 | # --------------------------------- | |
463 | # RPC may be sent in alternate encodings besides the usual 4-byte encoding | |
464 | # that is used by default. This plugin takes the port numbers that RPC | |
465 | # services are running on as arguments - it is assumed that the given ports | |
466 | # are actually running this type of service. If not, change the ports or turn | |
467 | # it off. | |
468 | # The RPC decode preprocessor uses generator ID 106 | |
469 | # | |
470 | # arguments: space separated list | |
471 | # alert_fragments - alert on any rpc fragmented TCP data | |
472 | # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet | |
473 | # no_alert_large_fragments - don't alert when the fragmented | |
474 | # sizes exceed the current packet size | |
475 | # no_alert_incomplete - don't alert when a single segment | |
476 | # exceeds the current packet size | |
477 | ||
cd1a2927 | 478 | preprocessor rpc_decode: 111 32771 |
479 | |
480 | # bo: Back Orifice detector | |
481 | # ------------------------- | |
482 | # Detects Back Orifice traffic on the network. | |
483 | # | |
484 | # arguments: | |
485 | # syntax: | |
486 | # preprocessor bo: noalert { client | server | general | snort_attack } \ | |
487 | # drop { client | server | general | snort_attack } | |
488 | # example: | |
489 | # preprocessor bo: noalert { general server } drop { snort_attack } | |
490 | # | |
491 | # | |
492 | # The Back Orifice detector uses Generator ID 105 and uses the | |
493 | # following SIDS for that GID: | |
494 | # SID Event description | |
495 | # ----- ------------------- | |
496 | # 1 Back Orifice traffic detected | |
497 | # 2 Back Orifice Client Traffic Detected | |
498 | # 3 Back Orifice Server Traffic Detected | |
499 | # 4 Back Orifice Snort Buffer Attack | |
500 | ||
cd1a2927 | 501 | preprocessor bo |
502 | |
503 | # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow | |
504 | # --------------------------------------------------------------------------- | |
505 | # This preprocessor normalizes telnet negotiation strings from telnet and | |
506 | # ftp traffic. It looks for traffic that breaks the normal data stream | |
507 | # of the protocol, replacing it with a normalized representation of that | |
508 | # traffic so that the "content" pattern matching keyword can work without | |
509 | # requiring modifications. | |
510 | # | |
511 | # It also performs protocol correctness checks for the FTP command channel, | |
512 | # and identifies open FTP data transfers. | |
513 | # | |
514 | # FTPTelnet has numerous options available, please read | |
515 | # README.ftptelnet for help configuring the options for the global | |
516 | # telnet, ftp server, and ftp client sections for the protocol. | |
517 | ||
518 | ##### | |
519 | # Per Step #2, set the following to load the ftptelnet preprocessor | |
520 | # dynamicpreprocessor file <full path to libsf_ftptelnet_preproc.so> | |
521 | # or use commandline option | |
522 | # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so> | |
523 | ||
524 | preprocessor ftp_telnet: global \ |
525 | encrypted_traffic yes \ | |
526 | inspection_type stateful | |
767cb737 | 527 | |
528 | preprocessor ftp_telnet_protocol: telnet \ |
529 | normalize \ | |
530 | ayt_attack_thresh 200 | |
531 | |
532 | # This is consistent with the FTP rules as of 18 Sept 2004. | |
533 | # CWD can have param length of 200 | |
534 | # MODE has an additional mode of Z (compressed) | |
535 | # Check for string formats in USER & PASS commands | |
536 | # Check nDTM commands that set modification time on the file. | |
537 | preprocessor ftp_telnet_protocol: ftp server default \ |
538 | def_max_param_len 100 \ | |
539 | alt_max_param_len 200 { CWD } \ | |
540 | cmd_validity MODE < char ASBCZ > \ | |
541 | cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ | |
542 | chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ | |
543 | telnet_cmds yes \ | |
544 | data_chan | |
767cb737 | 545 | |
546 | preprocessor ftp_telnet_protocol: ftp client default \ |
547 | max_resp_len 256 \ | |
548 | bounce yes \ | |
549 | telnet_cmds yes | |
550 | |
551 | # smtp: SMTP normalizer, protocol enforcement and buffer overflow | |
552 | # --------------------------------------------------------------------------- | |
553 | # This preprocessor normalizes SMTP commands by removing extraneous spaces. | |
554 | # It looks for overly long command lines, response lines, and data header lines. | |
555 | # It can alert on invalid commands, or specific valid commands. It can optionally | |
556 | # ignore mail data, and can ignore TLS encrypted data. | |
557 | # | |
558 | # SMTP has numerous options available, please read README.SMTP for help | |
559 | # configuring options. | |
560 | ||
561 | ##### | |
562 | # Per Step #2, set the following to load the smtp preprocessor | |
563 | # dynamicpreprocessor file <full path to libsf_smtp_preproc.so> | |
564 | # or use commandline option | |
565 | # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so> | |
566 | ||
567 | preprocessor smtp: \ | |
568 | ports { 25 587 691 } \ | |
569 | inspection_type stateful \ | |
570 | normalize cmds \ | |
571 | normalize_cmds { EXPN VRFY RCPT } \ | |
572 | alt_max_command_line_len 260 { MAIL } \ | |
573 | alt_max_command_line_len 300 { RCPT } \ | |
574 | alt_max_command_line_len 500 { HELP HELO ETRN } \ | |
575 | alt_max_command_line_len 255 { EXPN VRFY } | |
576 | ||
577 | # sfPortscan | |
578 | # ---------- | |
579 | # Portscan detection module. Detects various types of portscans and | |
580 | # portsweeps. For more information on detection philosophy, alert types, | |
581 | # and detailed portscan information, please refer to the README.sfportscan. | |
582 | # | |
583 | # -configuration options- | |
584 | # proto { tcp udp icmp ip all } | |
585 | # The arguments to the proto option are the types of protocol scans that | |
586 | # the user wants to detect. Arguments should be separated by spaces and | |
587 | # not commas. | |
588 | # scan_type { portscan portsweep decoy_portscan distributed_portscan all } | |
589 | # The arguments to the scan_type option are the scan types that the | |
590 | # user wants to detect. Arguments should be separated by spaces and not | |
591 | # commas. | |
592 | # sense_level { low|medium|high } | |
593 | # There is only one argument to this option and it is the level of | |
594 | # sensitivity in which to detect portscans. The 'low' sensitivity | |
595 | # detects scans by the common method of looking for response errors, such | |
596 | # as TCP RSTs or ICMP unreachables. This level requires the least | |
597 | # tuning. The 'medium' sensitivity level detects portscans and | |
598 | # filtered portscans (portscans that receive no response). This | |
599 | # sensitivity level usually requires tuning out scan events from NATed | |
600 | # IPs, DNS cache servers, etc. The 'high' sensitivity level has | |
601 | # lower thresholds for portscan detection and a longer time window than | |
602 | # the 'medium' sensitivity level. Requires more tuning and may be noisy | |
603 | # on very active networks. However, this sensitivity level catches the | |
604 | # most scans. | |
605 | # memcap { positive integer } | |
606 | # The maximum number of bytes to allocate for portscan detection. The | |
607 | # higher this number the more nodes that can be tracked. | |
608 | # logfile { filename } | |
609 | # This option specifies the file to log portscan and detailed portscan | |
610 | # values to. If there is not a leading /, then snort logs to the | |
611 | # configured log directory. Refer to README.sfportscan for details on | |
612 | # the logged values in the logfile. | |
613 | # watch_ip { Snort IP List } | |
614 | # ignore_scanners { Snort IP List } | |
615 | # ignore_scanned { Snort IP List } | |
616 | # These options take a snort IP list as the argument. The 'watch_ip' | |
617 | # option specifies the IP(s) to watch for portscan. The | |
618 | # 'ignore_scanners' option specifies the IP(s) to ignore as scanners. | |
619 | # Note that these hosts are still watched as scanned hosts. The | |
620 | # 'ignore_scanners' option is used to tune alerts from very active | |
621 | # hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option | |
622 | # specifies the IP(s) to ignore as scanned hosts. Note that these hosts | |
623 | # are still watched as scanner hosts. The 'ignore_scanned' option is | |
624 | # used to tune alerts from very active hosts such as syslog servers, etc. | |
625 | # detect_ack_scans | |
626 | # This option will include sessions picked up in midstream by the stream | |
627 | # module, which is necessary to detect ACK scans. However, this can lead to | |
628 | # false alerts, especially under heavy load with dropped packets; which is why | |
629 | # the option is off by default. | |
630 | # | |
# NOTE(review): no watch_ip, ignore_scanners or ignore_scanned list is set,
# so every host is treated as both a potential scanner and a scan target.
# At the medium sensitivity level the notes above expect tuning out NAT
# gateways, DNS cache servers and similar busy hosts; add them to
# ignore_scanners as they show up in the alerts rather than lowering
# sense_level.
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { medium }
634 | ||
635 | # arpspoof | |
636 | #---------------------------------------- | |
637 | # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, | |
638 | # unicast ARP requests, and specific ARP mapping monitoring. To make use of | |
639 | # this preprocessor you must specify the IP and hardware address of hosts on | |
640 | # the same layer 2 segment as you. Specify one host IP MAC combo per line. | |
641 | # Also takes a "-unicast" option to turn on unicast ARP request detection. | |
642 | # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: | |
643 | ||
644 | # SID Event description | |
645 | # ----- ------------------- | |
646 | # 1 Unicast ARP request | |
647 | # 2 Etherframe ARP mismatch (src) | |
648 | # 3 Etherframe ARP mismatch (dst) | |
649 | # 4 ARP cache overwrite attack | |
650 | ||
651 | #preprocessor arpspoof | |
652 | #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 | |
653 | ||
654 | # ssh | |
655 | #---------------------------------------- | |
656 | # EXPERIMENTAL CODE!!! | |
657 | # | |
658 | # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE! | |
659 | # USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS. | |
660 | # YOU HAVE BEEN WARNED. | |
661 | # | |
662 | # The SSH preprocessor detects the following exploits: Gobbles, CRC 32, | |
663 | # Secure CRT, and the Protocol Mismatch exploit. | |
664 | # | |
665 | # Both Gobbles and CRC 32 attacks occur after the key exchange, and are | |
666 | # therefore encrypted. Both attacks involve sending a large payload | |
667 | # (20kb+) to the server immediately after the authentication challenge. | |
668 | # To detect the attacks, the SSH preprocessor counts the number of bytes | |
669 | # transmitted to the server. If those bytes exceed a pre-defined limit | |
670 | # within a pre-defined number of packets, an alert is generated. Since | |
671 | # Gobbles only affects SSHv2 and CRC 32 only affects SSHv1, the SSH | |
672 | # version string exchange is used to distinguish the attacks. | |
673 | # | |
674 | # The Secure CRT and protocol mismatch exploits are observable before | |
675 | # the key exchange. | |
676 | # | |
677 | # SSH has numerous options available, please read README.ssh for help | |
678 | # configuring options. | |
679 | ||
680 | ##### | |
681 | # Per Step #2, set the following to load the ssh preprocessor. The shared object is loaded into the Snort process and runs with its privileges, so point at a root-owned path that other users cannot write to: | |
682 | # dynamicpreprocessor file <full path to libsf_ssh_preproc.so> | |
683 | # or use commandline option | |
684 | # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so> | |
685 | # | |
686 | #preprocessor ssh: server_ports { 22 } \ | |
687 | # max_client_bytes 19600 \ | |
688 | # max_encrypted_packets 20 | |
689 | ||
690 | # DCE/RPC | |
691 | #---------------------------------------- | |
692 | # | |
693 | # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic. | |
694 | # It is primarily interested in DCE/RPC data, and only decodes SMB | |
695 | # to get at the DCE/RPC data carried by the SMB layer. | |
696 | # | |
697 | # Currently, the preprocessor only handles reassembly of fragmentation | |
698 | # at both the SMB and DCE/RPC layer. Snort rules can be evaded by | |
699 | # using both types of fragmentation; with the preprocessor enabled | |
700 | # the rules are given a buffer with a reassembled SMB or DCE/RPC | |
701 | # packet to examine. | |
702 | # | |
703 | # At the SMB layer, only fragmentation using WriteAndX is currently | |
704 | # reassembled; fragments carried by other SMB write commands are not, so | |
705 | # they can still evade the rules until a future version of the preprocessor handles them. | |
706 | # | |
707 | # Autodetection of SMB is done by looking for "\xFFSMB" at the start of | |
708 | # the SMB data, as well as checking the NetBIOS header (which is always | |
709 | # present for SMB) for the type "SMB Session". | |
710 | # | |
711 | # Autodetection of DCE/RPC is not as reliable. Currently, two bytes are | |
712 | # checked in the packet. Assuming that the data is a DCE/RPC header, | |
713 | # one byte is checked for DCE/RPC version (5) and another for the type | |
714 | # "DCE/RPC Request". If both match, the preprocessor proceeds on the | |
715 | # assumption that it is looking at DCE/RPC data. If subsequent checks | |
716 | # are nonsensical, it stops processing the packet. | |
717 | # | |
718 | # DCERPC has numerous options available, please read README.dcerpc for help | |
719 | # configuring options. | |
720 | ||
721 | ##### | |
722 | # Per Step #2, set the following to load the dcerpc preprocessor | |
723 | # dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so> | |
724 | # or use commandline option | |
725 | # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so> | |
726 | ||
727 | preprocessor dcerpc: \ | |
728 | autodetect \ | |
729 | max_frag_size 3000 \ | |
730 | memcap 100000 | |
731 | ||
732 | # DNS | |
733 | #---------------------------------------- | |
734 | # The dns preprocessor (currently) decodes DNS Response traffic | |
735 | # and detects a few vulnerabilities. | |
736 | # | |
737 | # DNS has a few options available, please read README.dns for | |
738 | # help configuring options. | |
739 | ||
740 | ##### | |
741 | # Per Step #2, set the following to load the dns preprocessor | |
742 | # dynamicpreprocessor file <full path to libsf_dns_preproc.so> | |
743 | # or use commandline option | |
744 | # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so> | |
745 | ||
746 | preprocessor dns: \ | |
747 | ports { 53 } \ | |
748 | enable_rdata_overflow | |
749 | ||
750 | # SSL | |
751 | #---------------------------------------- | |
752 | # Encrypted traffic should be ignored by Snort for both performance reasons | |
753 | # and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP) | |
754 | # inspects SSL traffic and optionally determines if and when to stop | |
755 | # inspection of it. | |
756 | # | |
757 | # Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to | |
758 | # inspect port 443, only the SSL handshake of each connection will be | |
759 | # inspected. Once the traffic is determined to be encrypted, no further | |
760 | # inspection of the data on the connection is made. | |
761 | # | |
762 | # Important note: Stream4 or Stream5 must be explicitly told to reassemble | |
763 | #                 traffic on every port on which you intend to inspect SSL; the directive below | |
764 | #                 sets no 'ports', so it presumably relies on the preprocessor's default port list. | |
765 | #                 Once a session is judged encrypted nothing after the handshake is inspected, so only list ports that really carry SSL. | |
766 | # To add reassembly on port 443 to Stream5, use 'port both 443' in the | |
767 | # Stream5 configuration. | |
768 | ||
769 | preprocessor ssl: noinspect_encrypted | |
770 | ||
771 | ||
772 | #################################################################### | |
773 | # Step #4: Configure output plugins | |
774 | # | |
775 | # Uncomment and configure the output plugins you decide to use. General | |
776 | # configuration for output plugins is of the form: | |
777 | # | |
778 | # output <name_of_plugin>: <configuration_options> | |
779 | # | |
780 | # alert_syslog: log alerts to syslog | |
781 | # ---------------------------------- | |
782 | # Use one or more syslog facilities as arguments. Win32 can also optionally | |
783 | # specify a particular hostname/port. Under Win32, the default hostname is | |
784 | # '127.0.0.1', and the default port is 514. | |
785 | # | |
786 | # [Unix flavours should use this format...] | |
787 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
788 | # | |
789 | # [Win32 can use any of these formats...] | |
790 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
791 | # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT | |
792 | # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT | |
793 | ||
794 | # log_tcpdump: log packets in binary tcpdump format | |
795 | # ------------------------------------------------- | |
796 | # The only argument is the output file name. | |
797 | # | |
798 | # output log_tcpdump: tcpdump.log | |
799 | ||
800 | # database: log to a variety of databases | |
801 | # --------------------------------------- | |
802 | # See the README.database file for more information about configuring | |
803 | # and using this plugin. The password is stored in clear text here, so use a dedicated least-privilege database account (not root, as in the first example) and keep this file readable only by the account that runs Snort. | |
804 | # | |
805 | # output database: log, mysql, user=root password=test dbname=db host=localhost | |
806 | # output database: alert, postgresql, user=snort dbname=snort | |
807 | # output database: log, odbc, user=snort dbname=snort | |
808 | # output database: log, mssql, dbname=snort user=snort password=test | |
809 | # output database: log, oracle, dbname=snort user=snort password=test | |
810 | ||
811 | # unified: Snort unified binary format alerting and logging | |
812 | # ------------------------------------------------------------- | |
813 | # The unified output plugin provides two new outputs, alert_unified and log_unified, | |
814 | # both written in the "unified" format. The unified format is a straight | |
815 | # binary format for logging data out of Snort that is designed to be fast and | |
816 | # efficient. Used with barnyard (the new alert/log processor), most of the | |
817 | # overhead for logging and alerting to various slow storage mechanisms such as | |
818 | # databases or the network can now be avoided. | |
819 | # | |
820 | # Check out the spo_unified.h file for the data formats. | |
821 | # | |
822 | # Two arguments are supported. | |
823 | # filename - base filename to write to (current time_t is appended) | |
824 | # limit - maximum size of spool file in MB (default: 128) | |
825 | # | |
826 | # output alert_unified: filename snort.alert, limit 128 | |
827 | # output log_unified: filename snort.log, limit 128 | |
828 | ||
829 | ||
830 | # prelude: log to the Prelude Hybrid IDS system | |
831 | # --------------------------------------------- | |
832 | # | |
833 | # profile = Name of the Prelude profile to use (default is snort). | |
834 | # | |
835 | # Snort priority to IDMEF severity mappings: | |
836 | # high < medium < low < info | |
837 | # | |
838 | # These are the default mapped from classification.config: | |
839 | # info = 4 | |
840 | # low = 3 | |
841 | # medium = 2 | |
842 | # high = anything below medium | |
843 | # | |
844 | # output alert_prelude | |
845 | # output alert_prelude: profile=snort-profile-name | |
846 | ||
847 | ||
848 | # You can optionally define new rule types and associate one or more output | |
849 | # plugins specifically to that type. | |
850 | # | |
851 | # This example will create a type that will log to just tcpdump. | |
852 | # ruletype suspicious | |
853 | # { | |
854 | # type log | |
855 | # output log_tcpdump: suspicious.log | |
856 | # } | |
857 | # | |
858 | # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: | |
859 | # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) | |
860 | # | |
861 | # This example will create a rule type that will log to syslog and a mysql | |
862 | # database: | |
863 | # ruletype redalert | |
864 | # { | |
865 | # type alert | |
866 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
867 | # output database: log, mysql, user=snort dbname=snort host=localhost | |
868 | # } | |
869 | # | |
870 | # EXAMPLE RULE FOR REDALERT RULETYPE: | |
871 | # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ | |
872 | # (msg:"Someone is being LEET"; flags:A+;) | |
873 | ||
874 | # | |
875 | # Include classification & priority settings | |
876 | # Note for Windows users: You are advised to make this an absolute path, | |
877 | # such as: c:\snort\etc\classification.config | |
878 | # | |
879 | ||
880 | include /etc/snort/rules/classification.config | |
881 | ||
882 | # | |
883 | # Include reference systems | |
884 | # Note for Windows users: You are advised to make this an absolute path, | |
885 | # such as: c:\snort\etc\reference.config | |
886 | # | |
887 | ||
888 | include /etc/snort/rules/reference.config | |
889 | ||
890 | #################################################################### | |
891 | # Step #5: Configure snort with config statements | |
892 | # | |
893 | # See the snort manual for a full set of configuration references | |
894 | # | |
895 | # config flowbits_size: 64 | |
896 | # | |
897 | # New global ignore_ports config option from Andy Mullican | |
898 | # | |
899 | # config ignore_ports: <tcp|udp> <list of ports separated by whitespace> | |
900 | # config ignore_ports: tcp 21 6667:6671 1356 | |
901 | # config ignore_ports: udp 1:17 53 | |
902 | ||
903 | ||
904 | #################################################################### | |
905 | # Step #6: Customize your rule set | |
906 | # | |
907 | # Up to date snort rules are available at http://www.snort.org | |
908 | # | |
909 | # The snort web site has documentation about how to write your own custom snort | |
910 | # rules. | |
911 | ||
cd1a2927 | 912 | #========================================= |
913 | # Include all relevant rulesets here |
914 | # | |
915 | # The following rulesets are disabled by default: | |
916 | # | |
917 | # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus, | |
918 | # chat, multimedia, and p2p | |
919 | # | |
920 | # These rules are either site policy specific or require tuning in order to not | |
921 | # generate false positive alerts in most environments. | |
922 | # NOTE: in this file every include below is commented out, so no signature rules load until some are uncommented (and $RULE_PATH is defined). | |
923 | # Please read the specific include file for more information and | |
924 | # README.alert_order for how rule ordering affects how alerts are triggered. | |
cd1a2927 | 925 | #========================================= |
926 | |
927 | #include $RULE_PATH/local.rules | |
928 | #include $RULE_PATH/bad-traffic.rules | |
929 | #include $RULE_PATH/exploit.rules | |
930 | #include $RULE_PATH/scan.rules | |
931 | #include $RULE_PATH/finger.rules | |
932 | #include $RULE_PATH/ftp.rules | |
933 | #include $RULE_PATH/telnet.rules | |
934 | #include $RULE_PATH/rpc.rules | |
935 | #include $RULE_PATH/rservices.rules | |
936 | #include $RULE_PATH/dos.rules | |
937 | #include $RULE_PATH/ddos.rules | |
938 | #include $RULE_PATH/dns.rules | |
939 | #include $RULE_PATH/tftp.rules | |
940 | ||
941 | #include $RULE_PATH/web-cgi.rules | |
942 | #include $RULE_PATH/web-coldfusion.rules | |
943 | #include $RULE_PATH/web-iis.rules | |
944 | #include $RULE_PATH/web-frontpage.rules | |
945 | #include $RULE_PATH/web-misc.rules | |
946 | #include $RULE_PATH/web-client.rules | |
947 | #include $RULE_PATH/web-php.rules | |
948 | ||
949 | #include $RULE_PATH/sql.rules | |
950 | #include $RULE_PATH/x11.rules | |
951 | #include $RULE_PATH/icmp.rules | |
952 | #include $RULE_PATH/netbios.rules | |
953 | #include $RULE_PATH/misc.rules | |
954 | #include $RULE_PATH/attack-responses.rules | |
955 | #include $RULE_PATH/oracle.rules | |
956 | #include $RULE_PATH/mysql.rules | |
957 | #include $RULE_PATH/snmp.rules | |
958 | ||
959 | #include $RULE_PATH/smtp.rules | |
960 | #include $RULE_PATH/imap.rules | |
961 | #include $RULE_PATH/pop2.rules | |
962 | #include $RULE_PATH/pop3.rules | |
963 | ||
964 | #include $RULE_PATH/nntp.rules | |
965 | #include $RULE_PATH/other-ids.rules | |
966 | # include $RULE_PATH/web-attacks.rules | |
967 | # include $RULE_PATH/backdoor.rules | |
968 | # include $RULE_PATH/shellcode.rules | |
969 | # include $RULE_PATH/policy.rules | |
970 | # include $RULE_PATH/porn.rules | |
971 | # include $RULE_PATH/info.rules | |
972 | # include $RULE_PATH/icmp-info.rules | |
973 | # include $RULE_PATH/virus.rules | |
974 | # include $RULE_PATH/chat.rules | |
975 | # include $RULE_PATH/multimedia.rules | |
976 | # include $RULE_PATH/p2p.rules | |
977 | # include $RULE_PATH/spyware-put.rules | |
978 | # include $RULE_PATH/specific-threats.rules | |
979 | #include $RULE_PATH/experimental.rules | |
980 | ||
981 | # include $PREPROC_RULE_PATH/preprocessor.rules | |
982 | # include $PREPROC_RULE_PATH/decoder.rules | |
983 | ||
984 | # Include any thresholding or suppression commands. See threshold.conf in the | |
985 | # <snort src>/etc directory for details. Commands don't necessarily need to be | |
986 | # contained in this conf, but a separate conf makes it easier to maintain them. | |
987 | # Note for Windows users: You are advised to make this an absolute path, | |
988 | # such as: c:\snort\etc\threshold.conf | |
989 | # Uncomment if needed. | |
990 | # include threshold.conf |