###################################################
#
# This file contains the default snort configuration
# for all IPFire Versions
# Unless you are totally happy with this file, please
# only change what's needed
# This file is automatically changed by
# the webinterface, too.
#
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
#
###################################################

# Only area a user needs to edit

# $HOME_NET is referenced throughout this file but never defined here;
# presumably it is set in /etc/snort/vars -- confirm, since EXTERNAL_NET
# and every *_SERVERS variable below derive from it.
include /etc/snort/vars

# Everything that is not HOME_NET counts as external.
var EXTERNAL_NET !$HOME_NET

# All server classes default to the whole home network. Narrowing them
# to the real hosts reduces false positives from server-side rules.
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET

# NOTE(review): http_inspect_server below also normalizes port 8080, but
# rules keyed on $HTTP_PORTS only look at port 80; add 8080 here if that
# port is meant to be covered by the web rules.
var HTTP_PORTS 80
# Shellcode rules are evaluated on every port except HTTP.
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# NOTE(review): 64.12.26.14/24 has host bits set in the prefix -- confirm
# whether 64.12.26.0/24 was intended.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH /etc/snort/rules

###################################################
# Do NOT Edit past this line
###################################################

# lowmem is the memory-saving pattern matcher; it trades throughput for
# a smaller footprint.
config detection: search-method lowmem

# memcap values are bytes (2097152 = 2 MiB, 1048576 = 1 MiB).
preprocessor flow: memcap 2097152, stats_interval 0, hash 2
preprocessor frag2: memcap 2097152
# NOTE(review): disable_evasion_alerts and noalerts suppress the alerts
# stream4 would otherwise raise on TCP evasion / reassembly anomalies.
# This cuts noise but also hides evasion attempts -- confirm it is
# intended rather than inherited from an old default.
preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: noalerts

# IIS unicode map for codepage 1252; the default server profile covers
# ports 80 and 8080 (see the $HTTP_PORTS note above).
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }

# RPC traffic normalization on portmapper (111) and 32771.
preprocessor rpc_decode: 111 32771
# Back Orifice detection.
preprocessor bo
preprocessor telnet_decode

# flow-portscan keeps separate scoreboards for talkers and scanners (see
# the Snort flow-portscan documentation for the scoring model); the
# "server" settings learn legitimate services on $HOME_NET during a
# 3600 s window so they are not scored as scans. alert-mode once yields
# a single alert per detected scanner rather than one per probe.
# Options are backslash-continued; do not put comments between them.
preprocessor flow-portscan: \
    scoreboard-memcap-talker 1048576 \
    scoreboard-rows-talker 10000 \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    talker-fixed-window 30 \
    scoreboard-memcap-scanner 1048576 \
    scoreboard-rows-scanner 10000 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    unique-memcap 1048576 \
    unique-rows 10000 \
    server-memcap 1048576 \
    server-rows 10000 \
    server-watchnet $HOME_NET \
    server-ignore-limit 100 \
    server-learning-time 3600 \
    server-scanner-limit 4 \
    alert-mode once \
    output-mode msg \
    tcp-penalties on

# X-Link2State decoding on SMTP (25) and 691.
preprocessor xlink2state: ports { 25 691 }

# NOTE(review): no output plugin is configured here although the header
# lists "Configure output plugins" as step 3; alert/log destinations
# therefore depend on snort's command-line options or built-in defaults
# -- confirm that is the intended setup.

#=========================================
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
#=========================================

# NOTE(review): several entries below are not rule files
# (*.excluded, *.dragon.xml, *-sid-msg.map). Snort's include parses
# every line of the included file as a directive, so these are expected
# to make startup fail -- confirm they are not meant to be listed here.
# Both the -BLOCK and the plain variants of botcc, drop and dshield are
# included; they presumably carry the same SIDs (drop vs alert action),
# so check for duplicate-SID warnings or errors at load time.
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc-BLOCK.rules
include $RULE_PATH/bleeding-botcc.excluded
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-botcc.rules.dragon.xml
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop-BLOCK.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-drop.rules.dragon.xml
include $RULE_PATH/bleeding-dshield-BLOCK.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-sid-msg.map
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-deleted.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/community-policy.rules
include $RULE_PATH/community-sid-msg.map
include $RULE_PATH/community-sip.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-cgi.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules