[people/pmueller/ipfire-2.x.git] / config / snort / snort.conf

###################################################
#
# This file contains the default snort configuration.
# for all IPFire Versions
# Unless you are totally happy with this file, please
# only change whats needed
# This file is automatically changed by 
# the webinterface, too.
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Only area a user needs to edit
include /etc/snort/vars
var EXTERNAL_NET    !$HOME_NET
var SMTP_SERVERS    $HOME_NET
var HTTP_SERVERS    $HOME_NET
var SQL_SERVERS     $HOME_NET
var TELNET_SERVERS  $HOME_NET
var HTTP_PORTS      80
var SSH_PORTS       22 222
var SHELLCODE_PORTS !80
var ORACLE_PORTS    1521
var AIM_SERVERS     [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH       /etc/snort/rules
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/

###################################################
# Do NOT Edit past this line
###################################################
config detection: search-method lowmem
preprocessor flow: memcap 2097152, stats_interval 0, hash 2
#preprocessor frag2: memcap 2097152
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: noalerts
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
#preprocessor telnet_decode
preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan
preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes
preprocessor flow-portscan: \
	scoreboard-memcap-talker 1048576 \
	scoreboard-rows-talker 10000 \
	talker-sliding-scale-factor 0.50 \
	talker-fixed-threshold 30 \
	talker-sliding-threshold 30 \
	talker-sliding-window 20 \
	talker-fixed-window 30 \
	scoreboard-memcap-scanner 1048576 \
	scoreboard-rows-scanner 10000 \
	scanner-sliding-window 20 \
	scanner-sliding-scale-factor 0.50 \
	scanner-fixed-threshold 15 \
	scanner-sliding-threshold 40 \
	scanner-fixed-window 15 \
	unique-memcap 1048576 \
	unique-rows 10000 \
	server-memcap 1048576 \
	server-rows 10000 \
	server-watchnet $HOME_NET \
	server-ignore-limit 100 \
	server-learning-time 3600 \
	server-scanner-limit 4 \
	alert-mode once \
	output-mode msg \
	tcp-penalties on
#=========================================
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
#=========================================
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-deleted.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/community-policy.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-cgi.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
Commit	Line	Data
cd1a2927 MT	1	###################################################
	2	#
	3	# This file contains the default snort configuration.
46dff713 MT	4	# for all IPFire Versions
46dff713 MT	5	# Unless you are totally happy with this file, please
cd1a2927	6	# only change whats needed
46dff713 MT	7	# This file is automatically changed by
46dff713 MT	8	# the webinterface, too.
cd1a2927 MT	9	#
	10	# 1) Set the network variables for your network
	11	# 2) Configure preprocessors
	12	# 3) Configure output plugins
	13	# 4) Customize your rule set
	14	#
cd1a2927 MT	15	###################################################
	16	# Only area a user needs to edit
	17	include /etc/snort/vars
	18	var EXTERNAL_NET !$HOME_NET
	19	var SMTP_SERVERS $HOME_NET
	20	var HTTP_SERVERS $HOME_NET
	21	var SQL_SERVERS $HOME_NET
	22	var TELNET_SERVERS $HOME_NET
	23	var HTTP_PORTS 80
83843a1c	24	var SSH_PORTS 22 222
cd1a2927 MT	25	var SHELLCODE_PORTS !80
	26	var ORACLE_PORTS 1521
	27	var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
46dff713	28	var RULE_PATH /etc/snort/rules
4fba936c SS	29	dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
4fba936c SS	30	dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
cd1a2927 MT	31
	32	###################################################
	33	# Do NOT Edit past this line
	34	###################################################
	35	config detection: search-method lowmem
	36	preprocessor flow: memcap 2097152, stats_interval 0, hash 2
4fba936c SS	37	#preprocessor frag2: memcap 2097152
	38	preprocessor frag3_global: max_frags 65536
	39	preprocessor frag3_engine: policy first detect_anomalies
cd1a2927 MT	40	preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
cd1a2927 MT	41	preprocessor stream4_reassemble: noalerts
4fba936c SS	42	# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
4fba936c SS	43	# preprocessor http_inspect_server: server default profile all ports { 80 8080 }
cd1a2927 MT	44	preprocessor rpc_decode: 111 32771
cd1a2927 MT	45	preprocessor bo
4fba936c SS	46	#preprocessor telnet_decode
	47	preprocessor ftp_telnet: global \
	48	encrypted_traffic yes \
	49	inspection_type stateful
	50	preprocessor ftp_telnet_protocol: telnet \
	51	normalize \
	52	ayt_attack_thresh 200
	53	preprocessor ftp_telnet_protocol: ftp server default \
	54	def_max_param_len 100 \
	55	alt_max_param_len 200 { CWD } \
	56	cmd_validity MODE < char ASBCZ > \
	57	cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
	58	chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
	59	telnet_cmds yes \
	60	data_chan
	61	preprocessor ftp_telnet_protocol: ftp client default \
	62	max_resp_len 256 \
	63	bounce yes \
	64	telnet_cmds yes
cd1a2927 MT	65	preprocessor flow-portscan: \
	66	scoreboard-memcap-talker 1048576 \
	67	scoreboard-rows-talker 10000 \
	68	talker-sliding-scale-factor 0.50 \
	69	talker-fixed-threshold 30 \
	70	talker-sliding-threshold 30 \
	71	talker-sliding-window 20 \
	72	talker-fixed-window 30 \
	73	scoreboard-memcap-scanner 1048576 \
	74	scoreboard-rows-scanner 10000 \
	75	scanner-sliding-window 20 \
	76	scanner-sliding-scale-factor 0.50 \
	77	scanner-fixed-threshold 15 \
	78	scanner-sliding-threshold 40 \
	79	scanner-fixed-window 15 \
	80	unique-memcap 1048576 \
	81	unique-rows 10000 \
	82	server-memcap 1048576 \
	83	server-rows 10000 \
	84	server-watchnet $HOME_NET \
	85	server-ignore-limit 100 \
	86	server-learning-time 3600 \
	87	server-scanner-limit 4 \
	88	alert-mode once \
	89	output-mode msg \
	90	tcp-penalties on
cd1a2927 MT	91	#=========================================
	92	include $RULE_PATH/classification.config
	93	include $RULE_PATH/reference.config
	94	#=========================================
46dff713 MT	95	include $RULE_PATH/community-bot.rules
	96	include $RULE_PATH/community-deleted.rules
	97	include $RULE_PATH/community-dos.rules
	98	include $RULE_PATH/community-exploit.rules
	99	include $RULE_PATH/community-ftp.rules
	100	include $RULE_PATH/community-game.rules
	101	include $RULE_PATH/community-icmp.rules
	102	include $RULE_PATH/community-imap.rules
	103	include $RULE_PATH/community-inappropriate.rules
	104	include $RULE_PATH/community-mail-client.rules
	105	include $RULE_PATH/community-misc.rules
	106	include $RULE_PATH/community-nntp.rules
	107	include $RULE_PATH/community-oracle.rules
	108	include $RULE_PATH/community-policy.rules
46dff713 MT	109	include $RULE_PATH/community-sip.rules
	110	include $RULE_PATH/community-smtp.rules
	111	include $RULE_PATH/community-sql-injection.rules
	112	include $RULE_PATH/community-virus.rules
	113	include $RULE_PATH/community-web-attacks.rules
	114	include $RULE_PATH/community-web-cgi.rules
	115	include $RULE_PATH/community-web-client.rules
	116	include $RULE_PATH/community-web-dos.rules
	117	include $RULE_PATH/community-web-iis.rules
	118	include $RULE_PATH/community-web-misc.rules
	119	include $RULE_PATH/community-web-php.rules