Snort scripts and config update.
[ipfire-2.x.git] / config / snort / snort.conf
CommitLineData
767cb737 1#--------------------------------------------------
75a786b6 2# http://www.snort.org Snort Ruleset
767cb737
SS
3# Contact: snort-sigs@lists.sourceforge.net
4#--------------------------------------------------
5# $Id$
6#
7###################################################
8# This file contains a sample snort configuration.
75a786b6
CS
9# You should take the following steps to create your own custom configuration:
10#
11# 1) Set the network variables.
12# 2) Configure the decoder
13# 3) Configure the base detection engine
14# 4) Configure dynamic loaded libraries
15# 5) Configure preprocessors
16# 6) Configure output plugins
17# 7) Customize your rule set
cd1a2927 18###################################################
767cb737 19
75a786b6
CS
20###################################################
21# Step #1: Set the network variables. For more information, see README.variables
22###################################################
23
8dc25f04
AF
24include /etc/snort/vars
25
75a786b6 26# Setup the network addresses you are protecting
8dc25f04
AF
27# taken from /etc/snort vars
28#var HOME_NET any
767cb737 29
75a786b6 30# Set up the external network addresses. A good start may be "any"
767cb737
SS
31var EXTERNAL_NET any
32
767cb737 33# List of DNS servers on your network
8dc25f04
AF
34# taken from /etc/snort vars
35#var DNS_SERVERS $HOME_NET
767cb737
SS
36
37# List of SMTP servers on your network
38var SMTP_SERVERS $HOME_NET
39
40# List of web servers on your network
41var HTTP_SERVERS $HOME_NET
42
43# List of sql servers on your network
44var SQL_SERVERS $HOME_NET
45
46# List of telnet servers on your network
47var TELNET_SERVERS $HOME_NET
48
75a786b6
CS
49# List of ports you run web servers on
50portvar HTTP_PORTS [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]
767cb737 51
8dc25f04
AF
52# List of ssh ports
53portvar SSH_PORTS [22,222]
54
75a786b6 55# List of ports you want to look for SHELLCODE on.
767cb737
SS
56portvar SHELLCODE_PORTS !80
57
75a786b6 58# List of ports you might see oracle attacks on
767cb737
SS
59portvar ORACLE_PORTS 1521
60
75a786b6 61# other variables, these should not be modified
767cb737
SS
62var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
63
64# Path to your rules files (this can be a relative path)
65# Note for Windows users: You are advised to make this an absolute path,
66# such as: c:\snort\rules
67var RULE_PATH /etc/snort/rules
75a786b6 68var SO_RULE_PATH /etc/snort/so_rules
767cb737
SS
69var PREPROC_RULE_PATH /etc/snort/preproc_rules
70
8dc25f04 71
75a786b6
CS
72###################################################
73# Step #2: Configure the decoder. For more information, see README.decode
74###################################################
75
767cb737 76# Stop generic decode events:
75a786b6
CS
77#config disable_decode_alerts
78
767cb737 79# Stop Alerts on experimental TCP options
75a786b6
CS
80config disable_tcpopt_experimental_alerts
81
767cb737 82# Stop Alerts on obsolete TCP options
75a786b6
CS
83config disable_tcpopt_obsolete_alerts
84
767cb737 85# Stop Alerts on T/TCP alerts
75a786b6
CS
86#config disable_tcpopt_ttcp_alerts
87
767cb737 88# Stop Alerts on all other TCPOption type events:
75a786b6
CS
89#config disable_tcpopt_alerts
90
767cb737 91# Stop Alerts on invalid ip options
75a786b6
CS
92#config disable_ipopt_alerts
93
94# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
767cb737 95# config enable_decode_oversized_alerts
75a786b6
CS
96
97# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
767cb737 98# config enable_decode_oversized_drops
767cb737 99
75a786b6
CS
100# Configure IP / TCP checksum mode
101config checksum_mode: all
102
103# Configure maximum number of flowbit references. For more information, see README.flowbits
104# config flowbits_size: 64
105
106# Configure ports to ignore
107# config ignore_ports: tcp 21 6667:6671 1356
108# config ignore_ports: udp 1:17 53
109
110
111###################################################
112# Step #3: Configure the base detection engine. For more information, see README.decode
113###################################################
114
115# Configure PCRE match limitations
116config pcre_match_limit: 1500
117config pcre_match_limit_recursion: 1500
118
119# Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config
120config detection: search-method ac-bnfa max_queue_events 5
121
122# Configure the event queue. For more information, see README.event_queue
123config event_queue: max_queue 8 log 3 order_events content_length
124
125# Configure Inline Resets. See README.INLINE
767cb737
SS
126# config layer2resets: 00:06:76:DD:5F:E3
127
75a786b6 128
cd1a2927 129###################################################
75a786b6
CS
130# Step #4: Configure dynamic loaded libraries.
131# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
132###################################################
133
134# path to dynamic preprocessor libraries
4fba936c 135dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
75a786b6
CS
136
137# path to base preprocessor engine
767cb737 138dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
cd1a2927 139
767cb737 140
767cb737 141
767cb737
SS
142
143
767cb737 144
767cb737 145
767cb737 146
767cb737 147
767cb737 148
75a786b6
CS
149# path to dynamic rules libraries
150# dynamicdetection directory /usr/lib/snort_dynamicrules
767cb737 151
75a786b6
CS
152###################################################
153# Step #5: Configure preprocessors
154# For more information, see the Snort Manual, Configuring Snort - Preprocessors
155###################################################
156
157# Target-based IP defragmentation. For more inforation, see README.frag3
158preprocessor frag3_global: max_frags 65536
159preprocessor frag3_engine: policy windows timeout 180
767cb737 160
75a786b6
CS
161# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
162preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
163preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
164# preprocessor stream5_udp: ignore_any_rules
165
166# performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
167# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
767cb737 168
75a786b6
CS
169# HTTP normalization and anomaly detection. For more information, see README.http_inspect
170preprocessor http_inspect: global iis_unicode_map unicode.map 1252
171
172preprocessor http_inspect_server: server default \
173 apache_whitespace no \
174 ascii no \
175 bare_byte no \
176 chunk_length 500000 \
177 flow_depth 1460 \
178 directory no \
179 double_decode no \
180 iis_backslash no \
181 iis_delimiter no \
182 iis_unicode no \
183 multi_slash no \
184 non_strict \
185 oversize_dir_length 500 \
186 ports { 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
187 u_encode yes \
188 non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
189 webroot no
190
191# ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
192preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
193
194# Back Orifice detection.
195preprocessor bo
196
197# FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet
198preprocessor ftp_telnet: global encrypted_traffic yes check_encrypted inspection_type stateful
4fba936c 199preprocessor ftp_telnet_protocol: telnet \
75a786b6
CS
200 ayt_attack_thresh 20 \
201 normalize ports { 23 } \
202 detect_anomalies
4fba936c 203preprocessor ftp_telnet_protocol: ftp server default \
75a786b6
CS
204 def_max_param_len 100 \
205 ports { 21 2100 } \
206 ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
207 ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
208 ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
209 ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
210 ftp_cmds { FEAT OPTS CEL CMD MACB } \
211 ftp_cmds { MDTM REST SIZE MLST MLSD } \
212 ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
213 alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
214 alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
215 alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
216 alt_max_param_len 256 { RNTO CWD } \
217 alt_max_param_len 400 { PORT } \
218 alt_max_param_len 512 { SIZE } \
219 chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
220 chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
221 chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
222 chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
223 chk_str_fmt { FEAT OPTS CEL CMD } \
224 chk_str_fmt { MDTM REST SIZE MLST MLSD } \
225 chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
226 cmd_validity MODE < char ASBCZ > \
227 cmd_validity STRU < char FRP > \
228 cmd_validity ALLO < int [ char R int ] > \
229 cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
230 cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
231 cmd_validity PORT < host_port >
4fba936c 232preprocessor ftp_telnet_protocol: ftp client default \
75a786b6
CS
233 max_resp_len 256 \
234 bounce yes \
235 telnet_cmds no
767cb737 236
767cb737 237
75a786b6
CS
238# SMTP normalization and anomaly detection. For more information, see README.SMTP
239preprocessor smtp: ports { 25 587 691 } \
767cb737
SS
240 inspection_type stateful \
241 normalize cmds \
242 normalize_cmds { EXPN VRFY RCPT } \
243 alt_max_command_line_len 260 { MAIL } \
244 alt_max_command_line_len 300 { RCPT } \
245 alt_max_command_line_len 500 { HELP HELO ETRN } \
246 alt_max_command_line_len 255 { EXPN VRFY }
247
75a786b6
CS
248# Portscan detection. For more information, see README.sfportscan
249 preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium }
767cb737 250
75a786b6
CS
251# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
252# preprocessor arpspoof
253# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
8581d1ef 254
75a786b6
CS
255# SSH anomaly detection. For more information, see README.ssh
256preprocessor ssh: server_ports { 22 222 } \
257 max_client_bytes 19600 \
258 max_encrypted_packets 20 \
259 enable_respoverflow enable_ssh1crc32 \
260 enable_srvoverflow enable_protomismatch
8581d1ef 261
75a786b6
CS
262# SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2
263preprocessor dcerpc2: memcap 102400, events [co ]
264preprocessor dcerpc2_server: default, policy WinXP, \
265 detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
266 autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
267 smb_max_chain 3
767cb737 268
75a786b6
CS
269# DNS anomaly detection. For more information, see README.dns
270preprocessor dns: ports { 53 } enable_rdata_overflow
767cb737 271
75a786b6
CS
272# SSL anomaly detection and traffic bypass. For more information, see README.ssl
273preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
767cb737 274
767cb737 275
75a786b6
CS
276###################################################
277# Step #6: Configure output plugins
278# For more information, see Snort Manual, Configuring Snort - Output Modules
279###################################################
767cb737 280
75a786b6 281# syslog
767cb737 282# output alert_syslog: LOG_AUTH LOG_ALERT
767cb737 283
75a786b6 284# pcap
767cb737
SS
285# output log_tcpdump: tcpdump.log
286
75a786b6
CS
287# database
288# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
289# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
290
291# unified
767cb737
SS
292# output alert_unified: filename snort.alert, limit 128
293# output log_unified: filename snort.log, limit 128
294
75a786b6 295# prelude
767cb737 296# output alert_prelude
767cb737 297
75a786b6 298# metadata reference data. do not modify these lines
767cb737 299include /etc/snort/rules/classification.config
767cb737
SS
300include /etc/snort/rules/reference.config
301
767cb737 302
75a786b6
CS
303###################################################
304# Step #7: Customize your rule set
305# For more information, see Snort Manual, Writing Snort Rules
306###################################################
767cb737 307
75a786b6 308# site specific rules
75a786b6 309