1 ###################################################
2 #
3 # This file contains the default snort configuration
4 # for all IPCop versions.
5 # Unless you are fully comfortable with this file, please
6 # only change what's needed.
7 #
8 # 1) Set the network variables for your network
9 # 2) Configure preprocessors
10 # 3) Configure output plugins
11 # 4) Customize your rule set
12 #
13 # $Id: snort.conf,v 1.6.2.1 2005/04/28 18:38:49 gespinasse Exp $
14 #
15 ###################################################
16 # Only area a user needs to edit
# Network variables referenced by the rule files included further down.
# NOTE(review): HOME_NET is not defined in this file; presumably it comes from
# /etc/snort/vars - confirm it is set, since every variable below depends on it.
17 include /etc/snort/vars
# Everything outside HOME_NET counts as external, so traffic between two
# internal hosts does not match rules written as $EXTERNAL_NET -> $HOME_NET.
18 var EXTERNAL_NET !$HOME_NET
# Each server group is the whole of HOME_NET, not a list of specific hosts.
19 var SMTP_SERVERS $HOME_NET
20 var HTTP_SERVERS $HOME_NET
21 var SQL_SERVERS $HOME_NET
22 var TELNET_SERVERS $HOME_NET
# NOTE(review): http_inspect_server below lists ports 80 and 8080, but
# HTTP_PORTS is 80 only; rules keyed on $HTTP_PORTS would not cover 8080 -
# confirm this is intended.
23 var HTTP_PORTS 80
24 var SHELLCODE_PORTS !80
25 var ORACLE_PORTS 1521
# NOTE(review): 64.12.26.14/24 has host bits set under a /24 mask, unlike the
# other entries in the list - confirm the intended network.
26 var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
# Directory that every "include $RULE_PATH/..." line below resolves against.
27 var RULE_PATH /etc/snort
28
29 ###################################################
30 # Do NOT Edit past this line
31 ###################################################
# Low-memory pattern matcher: smaller footprint at the cost of matching speed.
32 config detection: search-method lowmem
# Flow tracking with a 2097152-byte (2 MiB) memory cap; flow-portscan below
# builds on it.
33 preprocessor flow: memcap 2097152, stats_interval 0, hash 2
# IP defragmentation, also capped at 2 MiB.
34 preprocessor frag2: memcap 2097152
# TCP session tracking and reassembly. detect_scans is enabled, but
# disable_evasion_alerts (here) and noalerts (on the reassembler) suppress
# alerts for possible insertion/evasion traffic, so such attempts will not
# appear in the alert log.
# NOTE(review): with a 2 MiB memcap, session state is presumably pruned under
# load - confirm the cap suits the monitored link.
35 preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
36 preprocessor stream4_reassemble: noalerts
# HTTP normalisation. The global line loads unicode.map with code page 1252;
# the server line applies profile "all" to ports 80 and 8080 only, so HTTP on
# any other port is not normalised by this preprocessor.
37 preprocessor http_inspect: global iis_unicode_map unicode.map 1252
38 preprocessor http_inspect_server: server default profile all ports { 80 8080 }
# RPC record normalisation on ports 111 and 32771.
39 preprocessor rpc_decode: 111 32771
# Back Orifice traffic detector.
40 preprocessor bo
# Telnet negotiation normalisation.
41 preprocessor telnet_decode
# Portscan detection over the flow preprocessor; server-watchnet limits the
# watched servers to $HOME_NET. The whole statement is one logical line joined
# by trailing backslashes, so no comment line may be placed inside it.
# NOTE(review): thresholds, windows and "alert-mode once" determine how often a
# scanning source is reported - verify the values against the flow-portscan
# documentation for the installed Snort version.
42 preprocessor flow-portscan: \
43 scoreboard-memcap-talker 1048576 \
44 scoreboard-rows-talker 10000 \
45 talker-sliding-scale-factor 0.50 \
46 talker-fixed-threshold 30 \
47 talker-sliding-threshold 30 \
48 talker-sliding-window 20 \
49 talker-fixed-window 30 \
50 scoreboard-memcap-scanner 1048576 \
51 scoreboard-rows-scanner 10000 \
52 scanner-sliding-window 20 \
53 scanner-sliding-scale-factor 0.50 \
54 scanner-fixed-threshold 15 \
55 scanner-sliding-threshold 40 \
56 scanner-fixed-window 15 \
57 unique-memcap 1048576 \
58 unique-rows 10000 \
59 server-memcap 1048576 \
60 server-rows 10000 \
61 server-watchnet $HOME_NET \
62 server-ignore-limit 100 \
63 server-learning-time 3600 \
64 server-scanner-limit 4 \
65 alert-mode once \
66 output-mode msg \
67 tcp-penalties on
# Inspects the SMTP X-LINK2STATE verb on ports 25 and 691.
68 preprocessor xlink2state: ports { 25 691 }
69 #=========================================
# Classification (classtype/priority) and reference metadata used by the rules.
70 include $RULE_PATH/classification.config
71 include $RULE_PATH/reference.config
72 #=========================================
# Enabled rule categories, resolved under RULE_PATH (/etc/snort).
# NOTE(review): a missing file is expected to stop Snort at startup - verify
# that every file listed here is shipped with the rule set in use.
73 include $RULE_PATH/bad-traffic.rules
74 include $RULE_PATH/exploit.rules
75 include $RULE_PATH/scan.rules
76 include $RULE_PATH/finger.rules
77 include $RULE_PATH/ftp.rules
78 include $RULE_PATH/telnet.rules
79 include $RULE_PATH/rpc.rules
80 include $RULE_PATH/rservices.rules
81 include $RULE_PATH/dos.rules
82 include $RULE_PATH/ddos.rules
83 include $RULE_PATH/dns.rules
84 include $RULE_PATH/tftp.rules
85
86 include $RULE_PATH/web-cgi.rules
87 include $RULE_PATH/web-coldfusion.rules
88 include $RULE_PATH/web-iis.rules
89 include $RULE_PATH/web-frontpage.rules
90 include $RULE_PATH/web-misc.rules
91 include $RULE_PATH/web-client.rules
92 include $RULE_PATH/web-php.rules
93
94 include $RULE_PATH/sql.rules
95 include $RULE_PATH/x11.rules
96 include $RULE_PATH/icmp.rules
97 include $RULE_PATH/netbios.rules
98 include $RULE_PATH/misc.rules
99 include $RULE_PATH/attack-responses.rules
100 include $RULE_PATH/oracle.rules
101 include $RULE_PATH/mysql.rules
102 include $RULE_PATH/snmp.rules
103
104 include $RULE_PATH/smtp.rules
105 include $RULE_PATH/imap.rules
106 include $RULE_PATH/pop2.rules
107 include $RULE_PATH/pop3.rules
108
109 include $RULE_PATH/nntp.rules
110 include $RULE_PATH/other-ids.rules
# Disabled categories: the files below are commented out, so none of their
# signatures are loaded. This includes backdoor, shellcode and virus rules.
# NOTE(review): SHELLCODE_PORTS defined above is presumably consumed by
# shellcode.rules and unused while that include stays disabled - confirm.
111 # include $RULE_PATH/web-attacks.rules
112 # include $RULE_PATH/backdoor.rules
113 # include $RULE_PATH/shellcode.rules
114 # include $RULE_PATH/policy.rules
115 # include $RULE_PATH/porn.rules
116 # include $RULE_PATH/info.rules
117 # include $RULE_PATH/icmp-info.rules
118 # include $RULE_PATH/virus.rules
119 # include $RULE_PATH/chat.rules
120 # include $RULE_PATH/multimedia.rules
121 # include $RULE_PATH/p2p.rules
122 # include $RULE_PATH/experimental.rules
# Site-specific rules, loaded after all stock categories.
123 include $RULE_PATH/local.rules