+
+# smtp: SMTP normalizer, protocol enforcement and buffer overflow
+# ---------------------------------------------------------------------------
+# This preprocessor normalizes SMTP commands by removing extraneous spaces.
+# It looks for overly long command lines, response lines, and data header lines.
+# It can alert on invalid commands, or specific valid commands. It can optionally
+# ignore mail data, and can ignore TLS encrypted data.
+#
+# SMTP has numerous options available, please read README.SMTP for help
+# configuring options.
+
+#####
+# Per Step #2, set the following to load the smtp preprocessor
+# dynamicpreprocessor file <full path to libsf_smtp_preproc.so>
+# or use commandline option
+# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
+
+preprocessor smtp: \
+ ports { 25 587 691 } \
+ inspection_type stateful \
+ normalize cmds \
+ normalize_cmds { EXPN VRFY RCPT } \
+ alt_max_command_line_len 260 { MAIL } \
+ alt_max_command_line_len 300 { RCPT } \
+ alt_max_command_line_len 500 { HELP HELO ETRN } \
+ alt_max_command_line_len 255 { EXPN VRFY }
+
+# sfPortscan
+# ----------
+# Portscan detection module. Detects various types of portscans and
+# portsweeps. For more information on detection philosophy, alert types,
+# and detailed portscan information, please refer to the README.sfportscan.
+#
+# -configuration options-
+# proto { tcp udp icmp ip all }
+# The arguments to the proto option are the types of protocol scans that
+# the user wants to detect. Arguments should be separated by spaces and
+# not commas.
+# scan_type { portscan portsweep decoy_portscan distributed_portscan all }
+# The arguments to the scan_type option are the scan types that the
+# user wants to detect. Arguments should be separated by spaces and not
+# commas.
+# sense_level { low|medium|high }
+# There is only one argument to this option and it is the level of
+# sensitivity in which to detect portscans. The 'low' sensitivity
+# detects scans by the common method of looking for response errors, such
+# as TCP RSTs or ICMP unreachables. This level requires the least
+# tuning. The 'medium' sensitivity level detects portscans and
+# filtered portscans (portscans that receive no response). This
+# sensitivity level usually requires tuning out scan events from NATed
+# IPs, DNS cache servers, etc. The 'high' sensitivity level has
+# lower thresholds for portscan detection and a longer time window than
+# the 'medium' sensitivity level. Requires more tuning and may be noisy
+# on very active networks. However, this sensitivity levels catches the
+# most scans.
+# memcap { positive integer }
+# The maximum number of bytes to allocate for portscan detection. The
+# higher this number the more nodes that can be tracked.
+# logfile { filename }
+# This option specifies the file to log portscan and detailed portscan
+# values to. If there is not a leading /, then snort logs to the
+# configured log directory. Refer to README.sfportscan for details on
+# the logged values in the logfile.
+# watch_ip { Snort IP List }
+# ignore_scanners { Snort IP List }
+# ignore_scanned { Snort IP List }
+# These options take a snort IP list as the argument. The 'watch_ip'
+# option specifies the IP(s) to watch for portscan. The
+# 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
+# Note that these hosts are still watched as scanned hosts. The
+# 'ignore_scanners' option is used to tune alerts from very active
+# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
+# specifies the IP(s) to ignore as scanned hosts. Note that these hosts
+# are still watched as scanner hosts. The 'ignore_scanned' option is
+# used to tune alerts from very active hosts such as syslog servers, etc.
+# detect_ack_scans
+# This option will include sessions picked up in midstream by the stream
+# module, which is necessary to detect ACK scans. However, this can lead to
+# false alerts, especially under heavy load with dropped packets; which is why
+# the option is off by default.
+#
+preprocessor sfportscan: proto { all } \
+ memcap { 10000000 } \
+ sense_level { medium }
+
+# arpspoof
+#----------------------------------------
+# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
+# unicast ARP requests, and specific ARP mapping monitoring. To make use of
+# this preprocessor you must specify the IP and hardware address of hosts on
+# the same layer 2 segment as you. Specify one host IP MAC combo per line.
+# Also takes a "-unicast" option to turn on unicast ARP request detection.
+# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
+
+# SID Event description
+# ----- -------------------
+# 1 Unicast ARP request
+# 2 Etherframe ARP mismatch (src)
+# 3 Etherframe ARP mismatch (dst)
+# 4 ARP cache overwrite attack
+
+#preprocessor arpspoof
+#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
+
+# ssh
+#----------------------------------------
+# EXPERIMENTAL CODE!!!
+#
+# THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
+# USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS.
+# YOU HAVE BEEN WARNED.
+#
+# The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
+# Secure CRT, and the Protocol Mismatch exploit.
+#
+# Both Gobbles and CRC 32 attacks occur after the key exchange, and are
+# therefore encrypted. Both attacks involve sending a large payload
+# (20kb+) to the server immediately after the authentication challenge.
+# To detect the attacks, the SSH preprocessor counts the number of bytes
+# transmitted to the server. If those bytes exceed a pre-defined limit
+# within a pre-define number of packets, an alert is generated. Since
+# Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH
+# version string exchange is used to distinguish the attacks.
+#
+# The Secure CRT and protocol mismatch exploits are observable before
+# the key exchange.
+#
+# SSH has numerous options available, please read README.ssh for help
+# configuring options.
+
+#####
+# Per Step #2, set the following to load the ssh preprocessor
+# dynamicpreprocessor file <full path to libsf_ssh_preproc.so>
+# or use commandline option
+# --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
+#
+#preprocessor ssh: server_ports { 22 } \
+# max_client_bytes 19600 \
+# max_encrypted_packets 20
+
+# DCE/RPC
+#----------------------------------------
+#
+# The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
+# It is primarily interested in DCE/RPC data, and only decodes SMB
+# to get at the DCE/RPC data carried by the SMB layer.
+#
+# Currently, the preprocessor only handles reassembly of fragmentation
+# at both the SMB and DCE/RPC layer. Snort rules can be evaded by
+# using both types of fragmentation; with the preprocessor enabled
+# the rules are given a buffer with a reassembled SMB or DCE/RPC
+# packet to examine.
+#
+# At the SMB layer, only fragmentation using WriteAndX is currently
+# reassembled. Other methods will be handled in future versions of
+# the preprocessor.
+#
+# Autodetection of SMB is done by looking for "\xFFSMB" at the start of
+# the SMB data, as well as checking the NetBIOS header (which is always
+# present for SMB) for the type "SMB Session".
+#
+# Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
+# checked in the packet. Assuming that the data is a DCE/RPC header,
+# one byte is checked for DCE/RPC version (5) and another for the type
+# "DCE/RPC Request". If both match, the preprocessor proceeds with that
+# assumption that it is looking at DCE/RPC data. If subsequent checks
+# are nonsensical, it ends processing.
+#
+# DCERPC has numerous options available, please read README.dcerpc for help
+# configuring options.
+
+#####
+# Per Step #2, set the following to load the dcerpc preprocessor
+# dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
+# or use commandline option
+# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
+
+preprocessor dcerpc: \
+ autodetect \
+ max_frag_size 3000 \
+ memcap 100000
+
+# DNS
+#----------------------------------------
+# The dns preprocessor (currently) decodes DNS Response traffic
+# and detects a few vulnerabilities.
+#
+# DNS has a few options available, please read README.dns for
+# help configuring options.
+
+#####
+# Per Step #2, set the following to load the dns preprocessor
+# dynamicpreprocessor file <full path to libsf_dns_preproc.so>
+# or use commandline option
+# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
+
+preprocessor dns: \
+ ports { 53 } \
+ enable_rdata_overflow
+
+# SSL
+#----------------------------------------
+# Encrypted traffic should be ignored by Snort for both performance reasons
+# and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP)
+# inspects SSL traffic and optionally determines if and when to stop
+# inspection of it.
+#
+# Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to
+# inspect port 443, only the SSL handshake of each connection will be
+# inspected. Once the traffic is determined to be encrypted, no further
+# inspection of the data on the connection is made.
+#
+# Important note: Stream4 or Stream5 should be explicitly told to reassemble
+# traffic on the ports that you intend to inspect SSL
+# encrypted traffic on.
+#
+# To add reassembly on port 443 to Stream5, use 'port both 443' in the
+# Stream5 configuration.
+
+preprocessor ssl: noinspect_encrypted
+
+
+####################################################################
+# Step #4: Configure output plugins
+#
+# Uncomment and configure the output plugins you decide to use. General
+# configuration for output plugins is of the form:
+#
+# output <name_of_plugin>: <configuration_options>
+#
+# alert_syslog: log alerts to syslog
+# ----------------------------------
+# Use one or more syslog facilities as arguments. Win32 can also optionally
+# specify a particular hostname/port. Under Win32, the default hostname is
+# '127.0.0.1', and the default port is 514.
+#
+# [Unix flavours should use this format...]
+# output alert_syslog: LOG_AUTH LOG_ALERT
+#
+# [Win32 can use any of these formats...]
+# output alert_syslog: LOG_AUTH LOG_ALERT
+# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
+# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
+
+# log_tcpdump: log packets in binary tcpdump format
+# -------------------------------------------------
+# The only argument is the output file name.
+#
+# output log_tcpdump: tcpdump.log
+
+# database: log to a variety of databases
+# ---------------------------------------
+# See the README.database file for more information about configuring
+# and using this plugin.
+#
+# output database: log, mysql, user=root password=test dbname=db host=localhost
+# output database: alert, postgresql, user=snort dbname=snort
+# output database: log, odbc, user=snort dbname=snort
+# output database: log, mssql, dbname=snort user=snort password=test
+# output database: log, oracle, dbname=snort user=snort password=test
+
+# unified: Snort unified binary format alerting and logging
+# -------------------------------------------------------------
+# The unified output plugin provides two new formats for logging and generating
+# alerts from Snort, the "unified" format. The unified format is a straight
+# binary format for logging data out of Snort that is designed to be fast and
+# efficient. Used with barnyard (the new alert/log processor), most of the
+# overhead for logging and alerting to various slow storage mechanisms such as
+# databases or the network can now be avoided.
+#
+# Check out the spo_unified.h file for the data formats.
+#
+# Two arguments are supported.
+# filename - base filename to write to (current time_t is appended)
+# limit - maximum size of spool file in MB (default: 128)
+#
+# output alert_unified: filename snort.alert, limit 128
+# output log_unified: filename snort.log, limit 128
+
+
+# prelude: log to the Prelude Hybrid IDS system
+# ---------------------------------------------
+#
+# profile = Name of the Prelude profile to use (default is snort).
+#
+# Snort priority to IDMEF severity mappings:
+# high < medium < low < info
+#
+# These are the default mapped from classification.config:
+# info = 4
+# low = 3
+# medium = 2
+# high = anything below medium
+#
+# output alert_prelude
+# output alert_prelude: profile=snort-profile-name
+
+
+# You can optionally define new rule types and associate one or more output
+# plugins specifically to that type.
+#
+# This example will create a type that will log to just tcpdump.
+# ruletype suspicious
+# {
+# type log
+# output log_tcpdump: suspicious.log
+# }
+#
+# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
+# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
+#
+# This example will create a rule type that will log to syslog and a mysql
+# database:
+# ruletype redalert
+# {
+# type alert
+# output alert_syslog: LOG_AUTH LOG_ALERT
+# output database: log, mysql, user=snort dbname=snort host=localhost
+# }
+#
+# EXAMPLE RULE FOR REDALERT RULETYPE:
+# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
+# (msg:"Someone is being LEET"; flags:A+;)
+
+#
+# Include classification & priority settings
+# Note for Windows users: You are advised to make this an absolute path,
+# such as: c:\snort\etc\classification.config
+#
+
+include /etc/snort/rules/classification.config
+
+#
+# Include reference systems
+# Note for Windows users: You are advised to make this an absolute path,
+# such as: c:\snort\etc\reference.config
+#
+
+include /etc/snort/rules/reference.config
+
+####################################################################
+# Step #5: Configure snort with config statements
+#
+# See the snort manual for a full set of configuration references
+#
+# config flowbits_size: 64
+#
+# New global ignore_ports config option from Andy Mullican
+#
+# config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
+# config ignore_ports: tcp 21 6667:6671 1356
+# config ignore_ports: udp 1:17 53
+
+
+####################################################################
+# Step #6: Customize your rule set
+#
+# Up to date snort rules are available at http://www.snort.org
+#
+# The snort web site has documentation about how to write your own custom snort
+# rules.
+
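Review bot: the `preprocessor sfportscan` block enables `proto { all }` at `sense_level { medium }` but configures none of `watch_ip`, `ignore_scanners` or `ignore_scanned`, even though the block's own comment says the medium level "usually requires tuning out scan events from NATed IPs, DNS cache servers, etc."; either add an `ignore_scanners { ... }` / `watch_ip { ... }` list for the site's known scanners and monitored ranges, or add a `logfile { ... }` entry so the detailed portscan records are kept for tuning. Related: the `preprocessor ssl: noinspect_encrypted` line relies on the note above it that Stream4/Stream5 must be told to reassemble the SSL ports (`port both 443` for Stream5), but the stream configuration is not part of this hunk, so please confirm that setting exists in the same file before merging. Minor: the commented `output database:` examples carry literal `password=test` values; a placeholder such as `password=<db_password>` would avoid those strings being copied into a live configuration.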