[people/pmueller/ipfire-2.x.git] / config / snort / snort.conf

###################################################
#
# This file contains the default snort configuration.
# for all IPCop Versions
# Unless you are totally happy with this file,please
# only change whats needed
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
# $Id: snort.conf,v 1.6.2.1 2005/04/28 18:38:49 gespinasse Exp $
#
###################################################
# Only area a user needs to edit
include /etc/snort/vars
var EXTERNAL_NET    !$HOME_NET
var SMTP_SERVERS    $HOME_NET
var HTTP_SERVERS    $HOME_NET
var SQL_SERVERS     $HOME_NET
var TELNET_SERVERS  $HOME_NET
var HTTP_PORTS      80
var SHELLCODE_PORTS !80
var ORACLE_PORTS    1521
var AIM_SERVERS     [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH       /etc/snort

###################################################
# Do NOT Edit past this line
###################################################
config detection: search-method lowmem
preprocessor flow: memcap 2097152, stats_interval 0, hash 2
preprocessor frag2: memcap 2097152
preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: noalerts
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
	scoreboard-memcap-talker 1048576 \
	scoreboard-rows-talker 10000 \
	talker-sliding-scale-factor 0.50 \
	talker-fixed-threshold 30 \
	talker-sliding-threshold 30 \
	talker-sliding-window 20 \
	talker-fixed-window 30 \
	scoreboard-memcap-scanner 1048576 \
	scoreboard-rows-scanner 10000 \
	scanner-sliding-window 20 \
	scanner-sliding-scale-factor 0.50 \
	scanner-fixed-threshold 15 \
	scanner-sliding-threshold 40 \
	scanner-fixed-window 15 \
	unique-memcap 1048576 \
	unique-rows 10000 \
	server-memcap 1048576 \
	server-rows 10000 \
	server-watchnet $HOME_NET \
	server-ignore-limit 100 \
	server-learning-time 3600 \
	server-scanner-limit 4 \
	alert-mode once \
	output-mode msg \
	tcp-penalties on
preprocessor xlink2state: ports { 25 691 }
#=========================================
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
#=========================================
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
Commit	Line	Data
cd1a2927 MT	1	###################################################
	2	#
	3	# This file contains the default snort configuration.
	4	# for all IPCop Versions
	5	# Unless you are totally happy with this file,please
	6	# only change whats needed
	7	#
	8	# 1) Set the network variables for your network
	9	# 2) Configure preprocessors
	10	# 3) Configure output plugins
	11	# 4) Customize your rule set
	12	#
	13	# $Id: snort.conf,v 1.6.2.1 2005/04/28 18:38:49 gespinasse Exp $
	14	#
	15	###################################################
	16	# Only area a user needs to edit
	17	include /etc/snort/vars
	18	var EXTERNAL_NET !$HOME_NET
	19	var SMTP_SERVERS $HOME_NET
	20	var HTTP_SERVERS $HOME_NET
	21	var SQL_SERVERS $HOME_NET
	22	var TELNET_SERVERS $HOME_NET
	23	var HTTP_PORTS 80
	24	var SHELLCODE_PORTS !80
	25	var ORACLE_PORTS 1521
	26	var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
	27	var RULE_PATH /etc/snort
	28
	29	###################################################
	30	# Do NOT Edit past this line
	31	###################################################
	32	config detection: search-method lowmem
	33	preprocessor flow: memcap 2097152, stats_interval 0, hash 2
	34	preprocessor frag2: memcap 2097152
	35	preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
	36	preprocessor stream4_reassemble: noalerts
	37	preprocessor http_inspect: global iis_unicode_map unicode.map 1252
	38	preprocessor http_inspect_server: server default profile all ports { 80 8080 }
	39	preprocessor rpc_decode: 111 32771
	40	preprocessor bo
	41	preprocessor telnet_decode
	42	preprocessor flow-portscan: \
	43	scoreboard-memcap-talker 1048576 \
	44	scoreboard-rows-talker 10000 \
	45	talker-sliding-scale-factor 0.50 \
	46	talker-fixed-threshold 30 \
	47	talker-sliding-threshold 30 \
	48	talker-sliding-window 20 \
	49	talker-fixed-window 30 \
	50	scoreboard-memcap-scanner 1048576 \
	51	scoreboard-rows-scanner 10000 \
	52	scanner-sliding-window 20 \
	53	scanner-sliding-scale-factor 0.50 \
	54	scanner-fixed-threshold 15 \
	55	scanner-sliding-threshold 40 \
	56	scanner-fixed-window 15 \
	57	unique-memcap 1048576 \
	58	unique-rows 10000 \
	59	server-memcap 1048576 \
	60	server-rows 10000 \
	61	server-watchnet $HOME_NET \
	62	server-ignore-limit 100 \
	63	server-learning-time 3600 \
	64	server-scanner-limit 4 \
65	alert-mode once \
66	output-mode msg \
67	tcp-penalties on
68	preprocessor xlink2state: ports { 25 691 }
69	#=========================================
70	include $RULE_PATH/classification.config
71	include $RULE_PATH/reference.config
72	#=========================================
73	include $RULE_PATH/bad-traffic.rules
74	include $RULE_PATH/exploit.rules
75	include $RULE_PATH/scan.rules
76	include $RULE_PATH/finger.rules
77	include $RULE_PATH/ftp.rules
78	include $RULE_PATH/telnet.rules
79	include $RULE_PATH/rpc.rules
80	include $RULE_PATH/rservices.rules
81	include $RULE_PATH/dos.rules
82	include $RULE_PATH/ddos.rules
83	include $RULE_PATH/dns.rules
84	include $RULE_PATH/tftp.rules
85
86	include $RULE_PATH/web-cgi.rules
87	include $RULE_PATH/web-coldfusion.rules
88	include $RULE_PATH/web-iis.rules
89	include $RULE_PATH/web-frontpage.rules
90	include $RULE_PATH/web-misc.rules
91	include $RULE_PATH/web-client.rules
92	include $RULE_PATH/web-php.rules
93
94	include $RULE_PATH/sql.rules
95	include $RULE_PATH/x11.rules
96	include $RULE_PATH/icmp.rules
97	include $RULE_PATH/netbios.rules
98	include $RULE_PATH/misc.rules
99	include $RULE_PATH/attack-responses.rules
100	include $RULE_PATH/oracle.rules
101	include $RULE_PATH/mysql.rules
102	include $RULE_PATH/snmp.rules
103
104	include $RULE_PATH/smtp.rules
105	include $RULE_PATH/imap.rules
106	include $RULE_PATH/pop2.rules
107	include $RULE_PATH/pop3.rules
108
109	include $RULE_PATH/nntp.rules
110	include $RULE_PATH/other-ids.rules
111	# include $RULE_PATH/web-attacks.rules
112	# include $RULE_PATH/backdoor.rules
113	# include $RULE_PATH/shellcode.rules
114	# include $RULE_PATH/policy.rules
115	# include $RULE_PATH/porn.rules
116	# include $RULE_PATH/info.rules
117	# include $RULE_PATH/icmp-info.rules
118	# include $RULE_PATH/virus.rules
119	# include $RULE_PATH/chat.rules
120	# include $RULE_PATH/multimedia.rules
121	# include $RULE_PATH/p2p.rules
122	# include $RULE_PATH/experimental.rules
123	include $RULE_PATH/local.rules