[ipfire-2.x.git] / config / snort / snort.conf

#--------------------------------------------------
#   http://www.snort.org     Snort Ruleset
#     Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
#
###################################################
# This file contains a sample snort configuration. 
# You should take the following steps to create your own custom configuration:
#
#  1) Set the network variables.
#  2) Configure the decoder
#  3) Configure the base detection engine
#  4) Configure dynamic loaded libraries
#  5) Configure preprocessors
#  6) Configure output plugins
#  7) Customize your rule set
###################################################

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

include /etc/snort/vars

# Setup the network addresses you are protecting
# taken from /etc/snort vars
#var HOME_NET any

# Set up the external network addresses.  A good start may be "any"
var EXTERNAL_NET any

# List of DNS servers on your network 
# taken from /etc/snort vars
#var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of ports you run web servers on
portvar HTTP_PORTS  [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]

# List of ssh ports
portvar SSH_PORTS  [22,222]

# List of ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80

# List of ports you might see oracle attacks on
portvar ORACLE_PORTS 1521

# other variables, these should not be modified
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules


###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################

# Stop generic decode events:
#config disable_decode_alerts

# Stop Alerts on experimental TCP options
config disable_tcpopt_experimental_alerts

# Stop Alerts on obsolete TCP options
config disable_tcpopt_obsolete_alerts

# Stop Alerts on T/TCP alerts
#config disable_tcpopt_ttcp_alerts

# Stop Alerts on all other TCPOption type events:
#config disable_tcpopt_alerts

# Stop Alerts on invalid ip options
#config disable_ipopt_alerts

# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
# config enable_decode_oversized_alerts

# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
# config enable_decode_oversized_drops

# Configure IP / TCP checksum mode
config checksum_mode: all

# Configure maximum number of flowbit references.  For more information, see README.flowbits
# config flowbits_size: 64

# Configure ports to ignore 
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53


###################################################
# Step #3: Configure the base detection engine.  For more information, see  README.decode
###################################################

# Configure PCRE match limitations
config pcre_match_limit: 1500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-bnfa max_queue_events 5

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 3 order_events content_length

# Configure Inline Resets.  See README.INLINE
# config layer2resets: 00:06:76:DD:5F:E3


###################################################
# Step #4: Configure dynamic loaded libraries.  
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so


# path to dynamic rules libraries
# dynamicdetection directory /usr/lib/snort_dynamicrules

###################################################
# Step #5: Configure preprocessors
# For more information, see the Snort Manual, Configuring Snort - Preprocessors
###################################################

# Target-based IP defragmentation.  For more inforation, see README.frag3
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180

# Target-Based stateful inspection/stream reassembly.  For more inforation, see README.stream5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
# preprocessor stream5_udp: ignore_any_rules

# performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 

preprocessor http_inspect_server: server default \
    apache_whitespace no \
    ascii no \
	bare_byte no \
	chunk_length 500000 \
	flow_depth 1460 \
	directory no \
	double_decode no \
	iis_backslash no \
	iis_delimiter no \
	iis_unicode no \
	multi_slash no \
	non_strict \
	oversize_dir_length 500 \
	ports { 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
	u_encode yes \
	non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
	webroot no

# ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

# Back Orifice detection.
preprocessor bo

# FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
preprocessor ftp_telnet: global encrypted_traffic yes check_encrypted inspection_type stateful 
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT OPTS CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
    alt_max_param_len 256 { RNTO CWD } \ 
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT OPTS CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds no


# SMTP normalization and anomaly detection.  For more information, see README.SMTP
preprocessor smtp: ports { 25 587 691 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

# Portscan detection.  For more information, see README.sfportscan
 preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium }

# ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
# preprocessor arpspoof
# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

# SSH anomaly detection.  For more information, see README.ssh
preprocessor ssh: server_ports { 22 222 } \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch

# SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

# DNS anomaly detection.  For more information, see README.dns
preprocessor dns: ports { 53 } enable_rdata_overflow

# SSL anomaly detection and traffic bypass.  For more information, see README.ssl
preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted


###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

# unified 
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# prelude
# output alert_prelude

# metadata reference data.  do not modify these lines
include /etc/snort/rules/classification.config
include /etc/snort/rules/reference.config


###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
###################################################

# site specific rules
Commit	Line	Data
767cb737	1	#--------------------------------------------------
75a786b6	2	# http://www.snort.org Snort Ruleset
767cb737 SS	3	# Contact: snort-sigs@lists.sourceforge.net
	4	#--------------------------------------------------
	5	# $Id$
	6	#
	7	###################################################
	8	# This file contains a sample snort configuration.
75a786b6 CS	9	# You should take the following steps to create your own custom configuration:
	10	#
	11	# 1) Set the network variables.
	12	# 2) Configure the decoder
	13	# 3) Configure the base detection engine
	14	# 4) Configure dynamic loaded libraries
	15	# 5) Configure preprocessors
	16	# 6) Configure output plugins
	17	# 7) Customize your rule set
cd1a2927	18	###################################################
767cb737	19
75a786b6 CS	20	###################################################
	21	# Step #1: Set the network variables. For more information, see README.variables
	22	###################################################
	23
8dc25f04 AF	24	include /etc/snort/vars
8dc25f04 AF	25
75a786b6	26	# Setup the network addresses you are protecting
8dc25f04 AF	27	# taken from /etc/snort vars
8dc25f04 AF	28	#var HOME_NET any
767cb737	29
75a786b6	30	# Set up the external network addresses. A good start may be "any"
767cb737 SS	31	var EXTERNAL_NET any
767cb737 SS	32
767cb737	33	# List of DNS servers on your network
8dc25f04 AF	34	# taken from /etc/snort vars
8dc25f04 AF	35	#var DNS_SERVERS $HOME_NET
767cb737 SS	36
	37	# List of SMTP servers on your network
	38	var SMTP_SERVERS $HOME_NET
	39
	40	# List of web servers on your network
	41	var HTTP_SERVERS $HOME_NET
	42
	43	# List of sql servers on your network
	44	var SQL_SERVERS $HOME_NET
	45
	46	# List of telnet servers on your network
	47	var TELNET_SERVERS $HOME_NET
	48
75a786b6 CS	49	# List of ports you run web servers on
75a786b6 CS	50	portvar HTTP_PORTS [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]
767cb737	51
8dc25f04 AF	52	# List of ssh ports
	53	portvar SSH_PORTS [22,222]
	54
75a786b6	55	# List of ports you want to look for SHELLCODE on.
767cb737 SS	56	portvar SHELLCODE_PORTS !80
767cb737 SS	57
75a786b6	58	# List of ports you might see oracle attacks on
767cb737 SS	59	portvar ORACLE_PORTS 1521
767cb737 SS	60
75a786b6	61	# other variables, these should not be modified
767cb737 SS	62	var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
	63
	64	# Path to your rules files (this can be a relative path)
	65	# Note for Windows users: You are advised to make this an absolute path,
	66	# such as: c:\snort\rules
	67	var RULE_PATH /etc/snort/rules
75a786b6	68	var SO_RULE_PATH /etc/snort/so_rules
767cb737 SS	69	var PREPROC_RULE_PATH /etc/snort/preproc_rules
767cb737 SS	70
8dc25f04	71
75a786b6 CS	72	###################################################
	73	# Step #2: Configure the decoder. For more information, see README.decode
	74	###################################################
	75
767cb737	76	# Stop generic decode events:
75a786b6 CS	77	#config disable_decode_alerts
75a786b6 CS	78
767cb737	79	# Stop Alerts on experimental TCP options
75a786b6 CS	80	config disable_tcpopt_experimental_alerts
75a786b6 CS	81
767cb737	82	# Stop Alerts on obsolete TCP options
75a786b6 CS	83	config disable_tcpopt_obsolete_alerts
75a786b6 CS	84
767cb737	85	# Stop Alerts on T/TCP alerts
75a786b6 CS	86	#config disable_tcpopt_ttcp_alerts
75a786b6 CS	87
767cb737	88	# Stop Alerts on all other TCPOption type events:
75a786b6 CS	89	#config disable_tcpopt_alerts
75a786b6 CS	90
767cb737	91	# Stop Alerts on invalid ip options
75a786b6 CS	92	#config disable_ipopt_alerts
	93
	94	# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
767cb737	95	# config enable_decode_oversized_alerts
75a786b6 CS	96
75a786b6 CS	97	# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
767cb737	98	# config enable_decode_oversized_drops
767cb737	99
75a786b6 CS	100	# Configure IP / TCP checksum mode
	101	config checksum_mode: all
	102
	103	# Configure maximum number of flowbit references. For more information, see README.flowbits
	104	# config flowbits_size: 64
	105
	106	# Configure ports to ignore
	107	# config ignore_ports: tcp 21 6667:6671 1356
	108	# config ignore_ports: udp 1:17 53
	109
	110
	111	###################################################
	112	# Step #3: Configure the base detection engine. For more information, see README.decode
	113	###################################################
	114
	115	# Configure PCRE match limitations
	116	config pcre_match_limit: 1500
	117	config pcre_match_limit_recursion: 1500
	118
	119	# Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config
	120	config detection: search-method ac-bnfa max_queue_events 5
	121
	122	# Configure the event queue. For more information, see README.event_queue
	123	config event_queue: max_queue 8 log 3 order_events content_length
	124
	125	# Configure Inline Resets. See README.INLINE
767cb737 SS	126	# config layer2resets: 00:06:76:DD:5F:E3
767cb737 SS	127
75a786b6	128
cd1a2927	129	###################################################
75a786b6 CS	130	# Step #4: Configure dynamic loaded libraries.
	131	# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
	132	###################################################
	133
	134	# path to dynamic preprocessor libraries
4fba936c	135	dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
75a786b6 CS	136
75a786b6 CS	137	# path to base preprocessor engine
767cb737	138	dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
cd1a2927	139
767cb737	140
767cb737	141
767cb737 SS	142
767cb737 SS	143
767cb737	144
767cb737	145
767cb737	146
767cb737	147
767cb737	148
75a786b6 CS	149	# path to dynamic rules libraries
75a786b6 CS	150	# dynamicdetection directory /usr/lib/snort_dynamicrules
767cb737	151
75a786b6 CS	152	###################################################
	153	# Step #5: Configure preprocessors
	154	# For more information, see the Snort Manual, Configuring Snort - Preprocessors
	155	###################################################
	156
	157	# Target-based IP defragmentation. For more inforation, see README.frag3
	158	preprocessor frag3_global: max_frags 65536
	159	preprocessor frag3_engine: policy windows timeout 180
767cb737	160
75a786b6 CS	161	# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
	162	preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
	163	preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
	164	# preprocessor stream5_udp: ignore_any_rules
	165
	166	# performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
	167	# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
767cb737	168
75a786b6 CS	169	# HTTP normalization and anomaly detection. For more information, see README.http_inspect
	170	preprocessor http_inspect: global iis_unicode_map unicode.map 1252
	171
	172	preprocessor http_inspect_server: server default \
	173	apache_whitespace no \
	174	ascii no \
	175	bare_byte no \
	176	chunk_length 500000 \
	177	flow_depth 1460 \
	178	directory no \
	179	double_decode no \
	180	iis_backslash no \
	181	iis_delimiter no \
	182	iis_unicode no \
	183	multi_slash no \
	184	non_strict \
	185	oversize_dir_length 500 \
	186	ports { 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
	187	u_encode yes \
	188	non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
	189	webroot no
	190
	191	# ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
	192	preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
	193
	194	# Back Orifice detection.
	195	preprocessor bo
	196
	197	# FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet
	198	preprocessor ftp_telnet: global encrypted_traffic yes check_encrypted inspection_type stateful
4fba936c	199	preprocessor ftp_telnet_protocol: telnet \
75a786b6 CS	200	ayt_attack_thresh 20 \
	201	normalize ports { 23 } \
	202	detect_anomalies
4fba936c	203	preprocessor ftp_telnet_protocol: ftp server default \
75a786b6 CS	204	def_max_param_len 100 \
	205	ports { 21 2100 } \
	206	ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
	207	ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
	208	ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
	209	ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
	210	ftp_cmds { FEAT OPTS CEL CMD MACB } \
	211	ftp_cmds { MDTM REST SIZE MLST MLSD } \
	212	ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
	213	alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
	214	alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
	215	alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
	216	alt_max_param_len 256 { RNTO CWD } \
	217	alt_max_param_len 400 { PORT } \
	218	alt_max_param_len 512 { SIZE } \
	219	chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
	220	chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
	221	chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
	222	chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
	223	chk_str_fmt { FEAT OPTS CEL CMD } \
	224	chk_str_fmt { MDTM REST SIZE MLST MLSD } \
	225	chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
	226	cmd_validity MODE < char ASBCZ > \
	227	cmd_validity STRU < char FRP > \
	228	cmd_validity ALLO < int [ char R int ] > \
	229	cmd_validity TYPE < { char AE [ char NTC ] \| char I \| char L [ number ] } > \
	230	cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
	231	cmd_validity PORT < host_port >
4fba936c	232	preprocessor ftp_telnet_protocol: ftp client default \
75a786b6 CS	233	max_resp_len 256 \
	234	bounce yes \
	235	telnet_cmds no
767cb737	236
767cb737	237
75a786b6 CS	238	# SMTP normalization and anomaly detection. For more information, see README.SMTP
75a786b6 CS	239	preprocessor smtp: ports { 25 587 691 } \
767cb737 SS	240	inspection_type stateful \
	241	normalize cmds \
	242	normalize_cmds { EXPN VRFY RCPT } \
	243	alt_max_command_line_len 260 { MAIL } \
	244	alt_max_command_line_len 300 { RCPT } \
	245	alt_max_command_line_len 500 { HELP HELO ETRN } \
	246	alt_max_command_line_len 255 { EXPN VRFY }
	247
75a786b6 CS	248	# Portscan detection. For more information, see README.sfportscan
75a786b6 CS	249	preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium }
767cb737	250
75a786b6 CS	251	# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
	252	# preprocessor arpspoof
	253	# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
8581d1ef	254
75a786b6 CS	255	# SSH anomaly detection. For more information, see README.ssh
	256	preprocessor ssh: server_ports { 22 222 } \
	257	max_client_bytes 19600 \
	258	max_encrypted_packets 20 \
	259	enable_respoverflow enable_ssh1crc32 \
	260	enable_srvoverflow enable_protomismatch
8581d1ef	261
75a786b6 CS	262	# SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2
	263	preprocessor dcerpc2: memcap 102400, events [co ]
	264	preprocessor dcerpc2_server: default, policy WinXP, \
	265	detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
	266	autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
	267	smb_max_chain 3
767cb737	268
75a786b6 CS	269	# DNS anomaly detection. For more information, see README.dns
75a786b6 CS	270	preprocessor dns: ports { 53 } enable_rdata_overflow
767cb737	271
75a786b6 CS	272	# SSL anomaly detection and traffic bypass. For more information, see README.ssl
75a786b6 CS	273	preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
767cb737	274
767cb737	275
75a786b6 CS	276	###################################################
	277	# Step #6: Configure output plugins
	278	# For more information, see Snort Manual, Configuring Snort - Output Modules
	279	###################################################
767cb737	280
75a786b6	281	# syslog
767cb737	282	# output alert_syslog: LOG_AUTH LOG_ALERT
767cb737	283
75a786b6	284	# pcap
767cb737 SS	285	# output log_tcpdump: tcpdump.log
767cb737 SS	286
75a786b6 CS	287	# database
	288	# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
	289	# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
	290
	291	# unified
767cb737 SS	292	# output alert_unified: filename snort.alert, limit 128
	293	# output log_unified: filename snort.log, limit 128
	294
75a786b6	295	# prelude
767cb737	296	# output alert_prelude
767cb737	297
75a786b6	298	# metadata reference data. do not modify these lines
767cb737	299	include /etc/snort/rules/classification.config
767cb737 SS	300	include /etc/snort/rules/reference.config
767cb737 SS	301
767cb737	302
75a786b6 CS	303	###################################################
	304	# Step #7: Customize your rule set
	305	# For more information, see Snort Manual, Writing Snort Rules
	306	###################################################
767cb737	307
75a786b6	308	# site specific rules
75a786b6	309