[ipfire-2.x.git] / config / snort / snort.conf

#--------------------------------------------------
#   http://www.snort.org     Snort Ruleset
#     Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
#
###################################################
# This file contains a sample snort configuration. 
# You should take the following steps to create your own custom configuration:
#
#  1) Set the network variables.
#  2) Configure the decoder
#  3) Configure the base detection engine
#  4) Configure dynamic loaded libraries
#  5) Configure preprocessors
#  6) Configure output plugins
#  7) Customize your rule set
###################################################

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
var HOME_NET any

# Set up the external network addresses.  A good start may be "any"
var EXTERNAL_NET any

# List of DNS servers on your network 
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of ports you run web servers on
portvar HTTP_PORTS  [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]

# List of ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80

# List of ports you might see oracle attacks on
portvar ORACLE_PORTS 1521

# other variables, these should not be modified
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################

# Stop generic decode events:
#config disable_decode_alerts

# Stop Alerts on experimental TCP options
config disable_tcpopt_experimental_alerts

# Stop Alerts on obsolete TCP options
config disable_tcpopt_obsolete_alerts

# Stop Alerts on T/TCP alerts
#config disable_tcpopt_ttcp_alerts

# Stop Alerts on all other TCPOption type events:
#config disable_tcpopt_alerts

# Stop Alerts on invalid ip options
#config disable_ipopt_alerts

# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
# config enable_decode_oversized_alerts

# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
# config enable_decode_oversized_drops

# Configure IP / TCP checksum mode
config checksum_mode: all

# Configure maximum number of flowbit references.  For more information, see README.flowbits
# config flowbits_size: 64

# Configure ports to ignore 
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53


###################################################
# Step #3: Configure the base detection engine.  For more information, see  README.decode
###################################################

# Configure PCRE match limitations
config pcre_match_limit: 1500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-bnfa max_queue_events 5

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 3 order_events content_length

# Configure Inline Resets.  See README.INLINE
# config layer2resets: 00:06:76:DD:5F:E3


###################################################
# Step #4: Configure dynamic loaded libraries.  
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so


# path to dynamic rules libraries
# dynamicdetection directory /usr/lib/snort_dynamicrules

###################################################
# Step #5: Configure preprocessors
# For more information, see the Snort Manual, Configuring Snort - Preprocessors
###################################################

# Target-based IP defragmentation.  For more inforation, see README.frag3
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180

# Target-Based stateful inspection/stream reassembly.  For more inforation, see README.stream5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
# preprocessor stream5_udp: ignore_any_rules

# performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 

preprocessor http_inspect_server: server default \
    apache_whitespace no \
    ascii no \
	bare_byte no \
	chunk_length 500000 \
	flow_depth 1460 \
	directory no \
	double_decode no \
	iis_backslash no \
	iis_delimiter no \
	iis_unicode no \
	multi_slash no \
	non_strict \
	oversize_dir_length 500 \
	ports { 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
	u_encode yes \
	non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
	webroot no

# ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

# Back Orifice detection.
preprocessor bo

# FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
preprocessor ftp_telnet: global encrypted_traffic yes check_encrypted inspection_type stateful 
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT OPTS CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
    alt_max_param_len 256 { RNTO CWD } \ 
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT OPTS CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds no


# SMTP normalization and anomaly detection.  For more information, see README.SMTP
preprocessor smtp: ports { 25 587 691 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

# Portscan detection.  For more information, see README.sfportscan
 preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium }

# ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
# preprocessor arpspoof
# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

# SSH anomaly detection.  For more information, see README.ssh
preprocessor ssh: server_ports { 22 222 } \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch

# SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

# DNS anomaly detection.  For more information, see README.dns
preprocessor dns: ports { 53 } enable_rdata_overflow

# SSL anomaly detection and traffic bypass.  For more information, see README.ssl
preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted


###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

# unified 
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# prelude
# output alert_prelude

# metadata reference data.  do not modify these lines
include /etc/snort/rules/classification.config
include /etc/snort/rules/reference.config


###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
###################################################

# site specific rules

# Event thresholding or suppression commands. See threshold.conf 
# include threshold.conf
Commit	Line	Data
767cb737	1	#--------------------------------------------------
75a786b6	2	# http://www.snort.org Snort Ruleset
767cb737 SS	3	# Contact: snort-sigs@lists.sourceforge.net
	4	#--------------------------------------------------
	5	# $Id$
	6	#
	7	###################################################
	8	# This file contains a sample snort configuration.
75a786b6 CS	9	# You should take the following steps to create your own custom configuration:
	10	#
	11	# 1) Set the network variables.
	12	# 2) Configure the decoder
	13	# 3) Configure the base detection engine
	14	# 4) Configure dynamic loaded libraries
	15	# 5) Configure preprocessors
	16	# 6) Configure output plugins
	17	# 7) Customize your rule set
cd1a2927	18	###################################################
767cb737	19
75a786b6 CS	20	###################################################
	21	# Step #1: Set the network variables. For more information, see README.variables
	22	###################################################
	23
	24	# Setup the network addresses you are protecting
767cb737 SS	25	var HOME_NET any
767cb737 SS	26
75a786b6	27	# Set up the external network addresses. A good start may be "any"
767cb737 SS	28	var EXTERNAL_NET any
767cb737 SS	29
767cb737 SS	30	# List of DNS servers on your network
	31	var DNS_SERVERS $HOME_NET
	32
	33	# List of SMTP servers on your network
	34	var SMTP_SERVERS $HOME_NET
	35
	36	# List of web servers on your network
	37	var HTTP_SERVERS $HOME_NET
	38
	39	# List of sql servers on your network
	40	var SQL_SERVERS $HOME_NET
	41
	42	# List of telnet servers on your network
	43	var TELNET_SERVERS $HOME_NET
	44
75a786b6 CS	45	# List of ports you run web servers on
75a786b6 CS	46	portvar HTTP_PORTS [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]
767cb737	47
75a786b6	48	# List of ports you want to look for SHELLCODE on.
767cb737 SS	49	portvar SHELLCODE_PORTS !80
767cb737 SS	50
75a786b6	51	# List of ports you might see oracle attacks on
767cb737 SS	52	portvar ORACLE_PORTS 1521
767cb737 SS	53
75a786b6	54	# other variables, these should not be modified
767cb737 SS	55	var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
	56
	57	# Path to your rules files (this can be a relative path)
	58	# Note for Windows users: You are advised to make this an absolute path,
	59	# such as: c:\snort\rules
	60	var RULE_PATH /etc/snort/rules
75a786b6	61	var SO_RULE_PATH /etc/snort/so_rules
767cb737 SS	62	var PREPROC_RULE_PATH /etc/snort/preproc_rules
767cb737 SS	63
75a786b6 CS	64	###################################################
	65	# Step #2: Configure the decoder. For more information, see README.decode
	66	###################################################
	67
767cb737	68	# Stop generic decode events:
75a786b6 CS	69	#config disable_decode_alerts
75a786b6 CS	70
767cb737	71	# Stop Alerts on experimental TCP options
75a786b6 CS	72	config disable_tcpopt_experimental_alerts
75a786b6 CS	73
767cb737	74	# Stop Alerts on obsolete TCP options
75a786b6 CS	75	config disable_tcpopt_obsolete_alerts
75a786b6 CS	76
767cb737	77	# Stop Alerts on T/TCP alerts
75a786b6 CS	78	#config disable_tcpopt_ttcp_alerts
75a786b6 CS	79
767cb737	80	# Stop Alerts on all other TCPOption type events:
75a786b6 CS	81	#config disable_tcpopt_alerts
75a786b6 CS	82
767cb737	83	# Stop Alerts on invalid ip options
75a786b6 CS	84	#config disable_ipopt_alerts
	85
	86	# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
767cb737	87	# config enable_decode_oversized_alerts
75a786b6 CS	88
75a786b6 CS	89	# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
767cb737	90	# config enable_decode_oversized_drops
767cb737	91
75a786b6 CS	92	# Configure IP / TCP checksum mode
	93	config checksum_mode: all
	94
	95	# Configure maximum number of flowbit references. For more information, see README.flowbits
	96	# config flowbits_size: 64
	97
	98	# Configure ports to ignore
	99	# config ignore_ports: tcp 21 6667:6671 1356
	100	# config ignore_ports: udp 1:17 53
	101
	102
	103	###################################################
	104	# Step #3: Configure the base detection engine. For more information, see README.decode
	105	###################################################
	106
	107	# Configure PCRE match limitations
	108	config pcre_match_limit: 1500
	109	config pcre_match_limit_recursion: 1500
	110
	111	# Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config
	112	config detection: search-method ac-bnfa max_queue_events 5
	113
	114	# Configure the event queue. For more information, see README.event_queue
	115	config event_queue: max_queue 8 log 3 order_events content_length
	116
	117	# Configure Inline Resets. See README.INLINE
767cb737 SS	118	# config layer2resets: 00:06:76:DD:5F:E3
767cb737 SS	119
75a786b6	120
cd1a2927	121	###################################################
75a786b6 CS	122	# Step #4: Configure dynamic loaded libraries.
	123	# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
	124	###################################################
	125
	126	# path to dynamic preprocessor libraries
4fba936c	127	dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
75a786b6 CS	128
75a786b6 CS	129	# path to base preprocessor engine
767cb737	130	dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
cd1a2927	131
767cb737	132
767cb737	133
767cb737 SS	134
767cb737 SS	135
767cb737	136
767cb737	137
767cb737	138
767cb737	139
767cb737	140
75a786b6 CS	141	# path to dynamic rules libraries
75a786b6 CS	142	# dynamicdetection directory /usr/lib/snort_dynamicrules
767cb737	143
75a786b6 CS	144	###################################################
	145	# Step #5: Configure preprocessors
	146	# For more information, see the Snort Manual, Configuring Snort - Preprocessors
	147	###################################################
	148
	149	# Target-based IP defragmentation. For more inforation, see README.frag3
	150	preprocessor frag3_global: max_frags 65536
	151	preprocessor frag3_engine: policy windows timeout 180
767cb737	152
75a786b6 CS	153	# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
	154	preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
	155	preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
	156	# preprocessor stream5_udp: ignore_any_rules
	157
	158	# performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
	159	# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
767cb737	160
75a786b6 CS	161	# HTTP normalization and anomaly detection. For more information, see README.http_inspect
	162	preprocessor http_inspect: global iis_unicode_map unicode.map 1252
	163
	164	preprocessor http_inspect_server: server default \
	165	apache_whitespace no \
	166	ascii no \
	167	bare_byte no \
	168	chunk_length 500000 \
	169	flow_depth 1460 \
	170	directory no \
	171	double_decode no \
	172	iis_backslash no \
	173	iis_delimiter no \
	174	iis_unicode no \
	175	multi_slash no \
	176	non_strict \
	177	oversize_dir_length 500 \
	178	ports { 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
	179	u_encode yes \
	180	non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
	181	webroot no
	182
	183	# ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
	184	preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
	185
	186	# Back Orifice detection.
	187	preprocessor bo
	188
	189	# FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet
	190	preprocessor ftp_telnet: global encrypted_traffic yes check_encrypted inspection_type stateful
4fba936c	191	preprocessor ftp_telnet_protocol: telnet \
75a786b6 CS	192	ayt_attack_thresh 20 \
	193	normalize ports { 23 } \
	194	detect_anomalies
4fba936c	195	preprocessor ftp_telnet_protocol: ftp server default \
75a786b6 CS	196	def_max_param_len 100 \
	197	ports { 21 2100 } \
	198	ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
	199	ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
	200	ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
	201	ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
	202	ftp_cmds { FEAT OPTS CEL CMD MACB } \
	203	ftp_cmds { MDTM REST SIZE MLST MLSD } \
	204	ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
	205	alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
	206	alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
	207	alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
	208	alt_max_param_len 256 { RNTO CWD } \
	209	alt_max_param_len 400 { PORT } \
	210	alt_max_param_len 512 { SIZE } \
	211	chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
	212	chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
	213	chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
	214	chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
	215	chk_str_fmt { FEAT OPTS CEL CMD } \
	216	chk_str_fmt { MDTM REST SIZE MLST MLSD } \
	217	chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
	218	cmd_validity MODE < char ASBCZ > \
	219	cmd_validity STRU < char FRP > \
	220	cmd_validity ALLO < int [ char R int ] > \
	221	cmd_validity TYPE < { char AE [ char NTC ] \| char I \| char L [ number ] } > \
	222	cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
	223	cmd_validity PORT < host_port >
4fba936c	224	preprocessor ftp_telnet_protocol: ftp client default \
75a786b6 CS	225	max_resp_len 256 \
	226	bounce yes \
	227	telnet_cmds no
767cb737	228
767cb737	229
75a786b6 CS	230	# SMTP normalization and anomaly detection. For more information, see README.SMTP
75a786b6 CS	231	preprocessor smtp: ports { 25 587 691 } \
767cb737 SS	232	inspection_type stateful \
	233	normalize cmds \
	234	normalize_cmds { EXPN VRFY RCPT } \
	235	alt_max_command_line_len 260 { MAIL } \
	236	alt_max_command_line_len 300 { RCPT } \
	237	alt_max_command_line_len 500 { HELP HELO ETRN } \
	238	alt_max_command_line_len 255 { EXPN VRFY }
	239
75a786b6 CS	240	# Portscan detection. For more information, see README.sfportscan
75a786b6 CS	241	preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium }
767cb737	242
75a786b6 CS	243	# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
	244	# preprocessor arpspoof
	245	# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
8581d1ef	246
75a786b6 CS	247	# SSH anomaly detection. For more information, see README.ssh
	248	preprocessor ssh: server_ports { 22 222 } \
	249	max_client_bytes 19600 \
	250	max_encrypted_packets 20 \
	251	enable_respoverflow enable_ssh1crc32 \
	252	enable_srvoverflow enable_protomismatch
8581d1ef	253
75a786b6 CS	254	# SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2
	255	preprocessor dcerpc2: memcap 102400, events [co ]
	256	preprocessor dcerpc2_server: default, policy WinXP, \
	257	detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
	258	autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
	259	smb_max_chain 3
767cb737	260
75a786b6 CS	261	# DNS anomaly detection. For more information, see README.dns
75a786b6 CS	262	preprocessor dns: ports { 53 } enable_rdata_overflow
767cb737	263
75a786b6 CS	264	# SSL anomaly detection and traffic bypass. For more information, see README.ssl
75a786b6 CS	265	preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
767cb737	266
767cb737	267
75a786b6 CS	268	###################################################
	269	# Step #6: Configure output plugins
	270	# For more information, see Snort Manual, Configuring Snort - Output Modules
	271	###################################################
767cb737	272
75a786b6	273	# syslog
767cb737	274	# output alert_syslog: LOG_AUTH LOG_ALERT
767cb737	275
75a786b6	276	# pcap
767cb737 SS	277	# output log_tcpdump: tcpdump.log
767cb737 SS	278
75a786b6 CS	279	# database
	280	# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
	281	# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
	282
	283	# unified
767cb737 SS	284	# output alert_unified: filename snort.alert, limit 128
	285	# output log_unified: filename snort.log, limit 128
	286
75a786b6	287	# prelude
767cb737	288	# output alert_prelude
767cb737	289
75a786b6	290	# metadata reference data. do not modify these lines
767cb737	291	include /etc/snort/rules/classification.config
767cb737 SS	292	include /etc/snort/rules/reference.config
767cb737 SS	293
767cb737	294
75a786b6 CS	295	###################################################
	296	# Step #7: Customize your rule set
	297	# For more information, see Snort Manual, Writing Snort Rules
	298	###################################################
767cb737	299
75a786b6	300	# site specific rules
75a786b6 CS	301
	302	# Event thresholding or suppression commands. See threshold.conf
	303	# include threshold.conf