# Step #1: Set the network variables. For more information, see README.variables
###################################################
+include /etc/snort/vars
+
# Setup the network addresses you are protecting
-var HOME_NET any
+# taken from /etc/snort vars
+#var HOME_NET any
# Set up the external network addresses. A good start may be "any"
var EXTERNAL_NET any
# List of DNS servers on your network
-var DNS_SERVERS $HOME_NET
+# taken from /etc/snort vars
+#var DNS_SERVERS $HOME_NET
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# List of ports you run web servers on
portvar HTTP_PORTS [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]
+# List of ssh ports
+portvar SSH_PORTS [22,222]
+
# List of ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
+
###################################################
# Step #2: Configure the decoder. For more information, see README.decode
###################################################
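Review bot: HOME_NET and DNS_SERVERS are now defined only through `include /etc/snort/vars`, yet `var SMTP_SERVERS $HOME_NET` a few lines below still expands HOME_NET. If that file is missing or lacks either definition, the configuration will presumably fail to load and the sensor stops monitoring. The two added comments `# taken from /etc/snort vars` misspell the path and leave dead `#var` lines behind; I would replace each pair with one line such as `# HOME_NET and DNS_SERVERS are defined in /etc/snort/vars (included above)`. Because the included file is parsed as configuration, it should carry the same ownership and write permissions as this file. Running Snort's test mode (`snort -T -c <path-to-this-config>`) before deployment would confirm that every variable resolves.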
###################################################
# site specific rules
-# include $RULE_PATH/local.rules
-
-# include $RULE_PATH/exploit.rules
-# include $RULE_PATH/ftp.rules
-# include $RULE_PATH/telnet.rules
-# include $RULE_PATH/rpc.rules
-# include $RULE_PATH/rservices.rules
-# include $RULE_PATH/dos.rules
-# include $RULE_PATH/ddos.rules
-# include $RULE_PATH/dns.rules
-
-# include $RULE_PATH/web-cgi.rules
-# include $RULE_PATH/web-coldfusion.rules
-# include $RULE_PATH/web-iis.rules
-# include $RULE_PATH/web-frontpage.rules
-# include $RULE_PATH/web-misc.rules
-# include $RULE_PATH/web-client.rules
-# include $RULE_PATH/web-php.rules
-
-# include $RULE_PATH/sql.rules
-# include $RULE_PATH/x11.rules
-# include $RULE_PATH/netbios.rules
-# include $RULE_PATH/misc.rules
-# include $RULE_PATH/attack-responses.rules
-# include $RULE_PATH/oracle.rules
-# include $RULE_PATH/mysql.rules
-
-# include $RULE_PATH/smtp.rules
-# include $RULE_PATH/imap.rules
-# include $RULE_PATH/pop2.rules
-# include $RULE_PATH/pop3.rules
-
-# include $RULE_PATH/nntp.rules
-# include $RULE_PATH/backdoor.rules
-
-# include $RULE_PATH/snmp.rules
-# include $RULE_PATH/icmp.rules
-# include $RULE_PATH/tftp.rules
-# include $RULE_PATH/scan.rules
-# include $RULE_PATH/finger.rules
-# include $RULE_PATH/web-attacks.rules
-# include $RULE_PATH/shellcode.rules
-# include $RULE_PATH/policy.rules
-# include $RULE_PATH/info.rules
-# include $RULE_PATH/icmp-info.rules
-# include $RULE_PATH/virus.rules
-# include $RULE_PATH/chat.rules
-# include $RULE_PATH/multimedia.rules
-# include $RULE_PATH/p2p.rules
-# include $RULE_PATH/spyware-put.rules
-# include $RULE_PATH/specific-threats.rules
-# include $RULE_PATH/voip.rules
-# include $RULE_PATH/other-ids.rules
-# include $RULE_PATH/bad-traffic.rules
-
-# decoder and preprocessor event rules
-# include $PREPROC_RULE_PATH/preprocessor.rules
-# include $PREPROC_RULE_PATH/decoder.rules
-
-# dynamic library rules
-# include $SO_RULE_PATH/bad-traffic.rules
-# include $SO_RULE_PATH/chat.rules
-# include $SO_RULE_PATH/dos.rules
-# include $SO_RULE_PATH/exploit.rules
-# include $SO_RULE_PATH/imap.rules
-# include $SO_RULE_PATH/misc.rules
-# include $SO_RULE_PATH/multimedia.rules
-# include $SO_RULE_PATH/netbios.rules
-# include $SO_RULE_PATH/nntp.rules
-# include $SO_RULE_PATH/p2p.rules
-# include $SO_RULE_PATH/smtp.rules
-# include $SO_RULE_PATH/sql.rules
-# include $SO_RULE_PATH/web-activex.rules
-# include $SO_RULE_PATH/web-client.rules
-# include $SO_RULE_PATH/web-misc.rules
-
-# Event thresholding or suppression commands. See threshold.conf
-# include threshold.conf
\ No newline at end of file
+