Updated snort to Version 2.8.3.2
###################################################
#
# Default Snort configuration, shared by all IPFire
# versions.
# Unless you are completely happy with this file,
# change only what is needed. The web interface also
# rewrites this file automatically.
#
#   1) Set the network variables for your network
#   2) Configure preprocessors
#   3) Configure output plugins
#   4) Customize your rule set
#
###################################################
# The only section a user needs to edit.
# HOME_NET is not defined in this file; it is used below, so it is
# presumably supplied by the included vars file.
include /etc/snort/vars
# NOTE(review): because EXTERNAL_NET is the negation of HOME_NET, rules
# written as "$EXTERNAL_NET -> $HOME_NET" do not match traffic between
# two hosts that are both inside HOME_NET.
var EXTERNAL_NET !$HOME_NET
# Every server group is set to the whole of HOME_NET rather than to the
# specific hosts that run each service.
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
# NOTE(review): rules keyed on $HTTP_PORTS only cover port 80; web
# services on other ports are outside their scope.
var HTTP_PORTS 80
# NOTE(review): two space-separated ports in a plain "var" - confirm that
# Snort expands this as intended wherever $SSH_PORTS appears in a rule.
var SSH_PORTS 22 222
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
# Shared objects are loaded from these paths into the Snort process; both
# locations should be writable by root only.
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
###################################################
# Do NOT edit below this line
###################################################
# Pattern matcher set to the low-memory search method.
config detection: search-method lowmem
preprocessor flow: memcap 2097152, stats_interval 0, hash 2
# frag2 stays disabled; the frag3 lines below are the active
# defragmentation configuration.
#preprocessor frag2: memcap 2097152
preprocessor frag3_global: max_frags 65536
# NOTE(review): one "first" policy is applied to every destination. Hosts
# whose IP stack resolves overlapping fragments differently may
# reassemble a different packet than Snort does - confirm this matches
# the protected hosts.
preprocessor frag3_engine: policy first detect_anomalies
# NOTE(review): disable_evasion_alerts and noalerts silence stream-level
# evasion and reassembly alerts; this reduces noise but also hides those
# events from the alert log.
preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: noalerts
# NOTE(review): http_inspect is commented out, so HTTP requests are not
# normalised before the community-web-* rule files included further down
# are evaluated. Confirm that this detection gap is intentional.
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
# telnet_decode stays disabled; ftp_telnet is configured after this point.
#preprocessor telnet_decode
# FTP/Telnet preprocessor: global settings, stateful inspection.
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
# Telnet: normalise the stream and set ayt_attack_thresh to 200.
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
# FTP server side: parameter length limit of 100 (200 for CWD), command
# syntax validation for MODE and MDTM, format-string checks on the listed
# commands, and detection of Telnet escape sequences on the command
# channel.
# NOTE(review): data_chan makes Snort skip FTP data connections, so file
# contents transferred over FTP are presumably not inspected by the
# rules - confirm this trade-off is wanted.
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
# FTP client side: response length limit of 256, FTP bounce detection and
# Telnet escape sequence detection enabled.
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
# Port-scan detection, written as one continued directive (do not place
# comments between the continuation lines).
#  - talker-* and scanner-* options set the scoreboard sizes, thresholds
#    and time windows for the two scoreboards.
#  - server-watchnet limits server learning to HOME_NET, with
#    server-learning-time set to 3600.
#  - alert-mode once / output-mode msg select how alerts are reported.
# NOTE(review): the thresholds are fixed values; confirm they suit the
# traffic volume of the monitored network.
preprocessor flow-portscan: \
    scoreboard-memcap-talker 1048576 \
    scoreboard-rows-talker 10000 \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    talker-fixed-window 30 \
    scoreboard-memcap-scanner 1048576 \
    scoreboard-rows-scanner 10000 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    unique-memcap 1048576 \
    unique-rows 10000 \
    server-memcap 1048576 \
    server-rows 10000 \
    server-watchnet $HOME_NET \
    server-ignore-limit 100 \
    server-learning-time 3600 \
    server-scanner-limit 4 \
    alert-mode once \
    output-mode msg \
    tcp-penalties on
#=========================================
# Classification and reference definitions used by the rule files.
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
#=========================================
# Rule sets. Only community-* rule files are listed in this part of the
# file.
# NOTE(review): no output plugin directive appears in the visible part of
# this file, although the header lists it as step 3; alert output is
# presumably configured elsewhere - confirm that alerts are actually
# being recorded.
# NOTE(review): community-deleted.rules is loaded next to the active
# sets; confirm that retired rules are meant to be enabled.
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-deleted.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/community-policy.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
# The web rule files below depend on HTTP inspection for normalised
# matching; http_inspect is commented out earlier in this file.
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-cgi.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules