1 #--------------------------------------------------
2 # http://www.snort.org Snort 2.8.3.2 Ruleset
3 # Contact: snort-sigs@lists.sourceforge.net
4 #--------------------------------------------------
7 ###################################################
8 # This file contains a sample snort configuration.
9 # You can take the following steps to create your own custom configuration:
11 # 1) Set the variables for your network
12 # 2) Configure dynamic loaded libraries
13 # 3) Configure preprocessors
14 # 4) Configure output plugins
15 # 5) Add any runtime config directives
16 # 6) Customize your rule set
18 ###################################################
19 # Step #1: Set the network variables:
21 # You must change the following variables to reflect your local network. The
22 # variable is currently setup for an RFC 1918 address space.
24 # You can specify it explicitly as:
26 # var HOME_NET 10.1.1.0/24
28 # or use global variable $<interfacename>_ADDRESS which will be always
29 # initialized to IP address and netmask of the network interface which you run
30 # snort at. Under Windows, this must be specified as
31 # $(<interfacename>_ADDRESS), such as:
32 # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
34 # var HOME_NET $eth0_ADDRESS
36 # You can specify lists of IP addresses for HOME_NET
37 # by separating the IPs with commas like this:
39 # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
41 # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
43 # or you can specify the variable to be any IP address
48 # Set up the external network addresses as well. A good start may be "any"
51 # Configure your server lists. This allows snort to only look for attacks to
52 # systems that have a service up. Why look for HTTP attacks if you are not
53 # running a web server? This allows quick filtering based on IP addresses
54 # These configurations MUST follow the same configuration scheme as defined
55 # above for $HOME_NET.
57 # List of DNS servers on your network
58 var DNS_SERVERS $HOME_NET
60 # List of SMTP servers on your network
61 var SMTP_SERVERS $HOME_NET
63 # List of web servers on your network
64 var HTTP_SERVERS $HOME_NET
66 # List of sql servers on your network
67 var SQL_SERVERS $HOME_NET
69 # List of telnet servers on your network
70 var TELNET_SERVERS $HOME_NET
72 # List of snmp servers on your network
73 var SNMP_SERVERS $HOME_NET
75 # Configure your service ports. This allows snort to look for attacks destined
76 # to a specific application only on the ports that application runs on. For
77 # example, if you run a web server on port 8081, set your HTTP_PORTS variable
80 # portvar HTTP_PORTS 8081
82 # Ports you run web servers on
85 # NOTE: If you wish to define multiple HTTP ports, use the portvar
86 # syntax to represent lists of ports and port ranges. Examples:
87 ## portvar HTTP_PORTS [80,8080]
88 ## portvar HTTP_PORTS [80,8000:8080]
89 # And only include the rule that uses $HTTP_PORTS once.
91 # The pre-2.8.0 approach of redefining the variable to a different port and
92 # including the rules file twice is obsolete. See README.variables for more
95 # Ports you want to look for SHELLCODE on.
96 portvar SHELLCODE_PORTS !80
98 # Ports you might see oracle attacks on
99 portvar ORACLE_PORTS 1521
103 # AIM servers. AOL has a habit of adding new AIM servers, so instead of
104 # modifying the signatures when they do, we add them to this list of servers.
105 var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
107 # Path to your rules files (this can be a relative path)
108 # Note for Windows users: You are advised to make this an absolute path,
109 # such as: c:\snort\rules
110 var RULE_PATH /etc/snort/rules
111 var PREPROC_RULE_PATH /etc/snort/preproc_rules
113 # Configure the snort decoder
114 # ============================
116 # Snort's decoder will alert on lots of things such as header
117 # truncation or options of unusual length or infrequently used tcp options
120 # Stop generic decode events:
122 # config disable_decode_alerts
124 # Stop Alerts on experimental TCP options
126 # config disable_tcpopt_experimental_alerts
128 # Stop Alerts on obsolete TCP options
130 # config disable_tcpopt_obsolete_alerts
132 # Stop Alerts on T/TCP alerts
134 # In snort 2.0.1 and above, this only alerts when a TCP option is detected
135 # that shows T/TCP being actively used on the network. If this is normal
136 # behavior for your network, disable the next option.
138 # config disable_tcpopt_ttcp_alerts
140 # Stop Alerts on all other TCPOption type events:
142 # config disable_tcpopt_alerts
144 # Stop Alerts on invalid ip options
146 # config disable_ipopt_alerts
148 # Alert if value in length field (IP, TCP, UDP) is greater than the
149 # actual length of the captured portion of the packet that the length
150 # is supposed to represent:
152 # config enable_decode_oversized_alerts
154 # Same as above, but drop packet if in Inline mode -
155 # enable_decode_oversized_alerts must be enabled for this to work:
157 # config enable_decode_oversized_drops
160 # Configure the detection engine
161 # ===============================
163 # Use a different pattern matcher in case you have a machine with very limited
166 # config detection: search-method lowmem
168 # Configure Inline Resets
169 # ========================
171 # If running an iptables firewall with snort in InlineMode() we can now
172 # perform resets via a physical device. We grab the indev from iptables
173 # and use this for the interface on which to send resets. This config
174 # option takes an argument for the src mac address you want to use in the
175 # reset packet. This way the bridge can remain stealthy. If the src mac
176 # option is not set we use the mac address of the indev device. If we
177 # don't set this option we will default to sending resets via raw socket,
178 # which needs an ipaddress to be assigned to the int.
180 # config layer2resets: 00:06:76:DD:5F:E3
182 ###################################################
183 # Step #2: Configure dynamic loaded libraries
185 # If snort was configured to use dynamically loaded libraries,
186 # those libraries can be loaded here.
188 # Each of the following configuration options can be done via
189 # the command line as well.
191 # Load all dynamic preprocessors from the install path
192 # (same as command line option --dynamic-preprocessor-lib-dir)
194 dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
196 # Load a specific dynamic preprocessor library from the install path
197 # (same as command line option --dynamic-preprocessor-lib)
199 # dynamicpreprocessor file /usr/lib/snort_dynamicpreprocessor/libdynamicexample.so
201 # Load a dynamic engine from the install path
202 # (same as command line option --dynamic-engine-lib)
204 dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
206 # Load all dynamic rules libraries from the install path
207 # (same as command line option --dynamic-detection-lib-dir)
209 # dynamicdetection directory /usr/lib/snort_dynamicrule/
211 # Load a specific dynamic rule library from the install path
212 # (same as command line option --dynamic-detection-lib)
214 # dynamicdetection file /usr/lib/snort_dynamicrule/libdynamicexamplerule.so
217 ###################################################
218 # Step #3: Configure preprocessors
220 # General configuration for preprocessors is of
222 # preprocessor <name_of_processor>: <configuration_options>
224 # Configure Flow tracking module
225 # -------------------------------
227 # The Flow tracking module is meant to start unifying the state keeping
228 # mechanisms of snort into a single place. Right now, only a portscan detector
229 # is implemented but in the long term, many of the stateful subsystems of
230 # snort will be migrated over to becoming flow plugins. This must be enabled
231 # for flow-portscan to work correctly.
233 # See README.flow for additional information
235 #preprocessor flow: stats_interval 0 hash 2
237 # frag3: Target-based IP defragmentation
238 # --------------------------------------
240 # Frag3 is a brand new IP defragmentation preprocessor that is capable of
241 # performing "target-based" processing of IP fragments. Check out the
242 # README.frag3 file in the doc directory for more background and configuration
245 # Frag3 configuration is a two step process, a global initialization phase
246 # followed by the definition of a set of defragmentation engines.
248 # Global configuration defines the number of fragmented packets that Snort can
249 # track at the same time and gives you options regarding the memory cap for the
250 # subsystem or, optionally, allows you to preallocate all the memory for the
251 # entire frag3 system.
253 # frag3_global options:
254 # max_frags: Maximum number of frag trackers that may be active at once.
255 # Default value is 8192.
256 # memcap: Maximum amount of memory that frag3 may access at any given time.
257 # Default value is 4MB.
258 # prealloc_frags: Maximum number of individual fragments that may be processed
259 # at once. This is instead of the memcap system, uses static
260 # allocation to increase performance. No default value. Each
261 # preallocated fragment typically eats ~1550 bytes. However,
262 # the exact amount is determined by the snaplen, and this can
263 # go as high as 64K so beware!
265 # Target-based behavior is attached to an engine as a "policy" for handling
266 # overlaps and retransmissions as enumerated in the Paxson paper. There are
267 # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
268 # and "Last". Engines can be bound to standard Snort CIDR blocks or
271 # frag3_engine options:
272 # timeout: Amount of time a fragmented packet may be active before expiring.
273 # Default value is 60 seconds.
274 # ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
275 # Based on the initial received fragment TTL.
276 # min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
277 # value will be discarded. Default value is 0.
278 # detect_anomalies: Activates frag3's anomaly detection mechanisms.
279 # policy: Target-based policy to assign to this engine. Default is BSD.
280 # bind_to: IP address set to bind this engine to. Default is all hosts.
282 # Frag3 configuration example:
283 #preprocessor frag3_global: max_frags 65536, prealloc_frags 65536
284 #preprocessor frag3_engine: policy linux \
285 # bind_to [10.1.1.12/32,10.1.1.13/32] \
287 #preprocessor frag3_engine: policy first \
288 # bind_to 10.2.1.0/24 \
290 #preprocessor frag3_engine: policy last \
291 # bind_to 10.3.1.0/24
292 #preprocessor frag3_engine: policy bsd
294 preprocessor frag3_global: max_frags 65536
295 preprocessor frag3_engine: policy first detect_anomalies
298 # stream4: stateful inspection/stream reassembly for Snort
299 #----------------------------------------------------------------------
300 # Use in concert with the -z [all|est] command line switch to defeat stick/snot
301 # against TCP rules. Also performs full TCP stream reassembly, stateful
302 # inspection of TCP streams, etc. Can statefully detect various portscan
303 # types, fingerprinting, ECN, etc.
305 # stateful inspection directive
306 # no arguments loads the defaults (timeout 30, memcap 8388608)
307 # options (options are comma delimited):
308 # detect_scans - stream4 will detect stealth portscans and generate alerts
309 # when it sees them when this option is set
310 # detect_state_problems - detect TCP state problems, this tends to be very
311 # noisy because there are a lot of crappy ip stack
312 # implementations out there
314 # disable_evasion_alerts - turn off the possibly noisy mitigation of
315 # overlapping sequences.
317 # ttl_limit [number] - differential of the initial ttl on a session versus
318 # the normal that someone may be playing games.
319 # Routing flap may cause lots of false positives.
321 # keepstats [machine|binary] - keep session statistics, add "machine" to
322 # get them in a flat format for machine reading, add
323 # "binary" to get them in a unified binary output
325 # noinspect - turn off stateful inspection only
326 # timeout [number] - set the session timeout counter to [number] seconds,
327 # default is 30 seconds
328 # max_sessions [number] - limit the number of sessions stream4 keeps
330 # memcap [number] - limit stream4 memory usage to [number] bytes (does
331 # not include session tracking, which is set by the
332 # max_sessions option)
333 # log_flushed_streams - if an event is detected on a stream this option will
334 # cause all packets that are stored in the stream4
335 # packet buffers to be flushed to disk. This only
336 # works when logging in pcap mode!
337 # server_inspect_limit [bytes] - Byte limit on server side inspection.
338 # enable_udp_sessions - turn on tracking of "sessions" over UDP. Requires
339 # configure --enable-stream4udp. UDP sessions are
340 # only created when there is a rule for the sender or
341 # responder that has a flow or flowbits keyword.
342 # max_udp_sessions [number] - limit the number of simultaneous UDP sessions
344 # udp_ignore_any - Do not inspect UDP packets unless there is a port specific
345 # rule for a given port. This is a performance improvement
346 # and turns off inspection for udp xxx any -> xxx any rules
347 # cache_clean_sessions [number] - Cleanup the session cache by number sessions
348 # at a time. The larger the value, the
349 # more sessions are purged from the cache when
350 # the session limit or memcap is reached.
355 # Stream4 uses Generator ID 111 and uses the following SIDS
357 # SID Event description
358 # ----- -------------------
360 # 2 Evasive RST packet
361 # 3 Evasive TCP packet retransmission
362 # 4 TCP Window violation
363 # 5 Data on SYN packet
364 # 6 Stealth scan: full XMAS
365 # 7 Stealth scan: SYN-ACK-PSH-URG
366 # 8 Stealth scan: FIN scan
367 # 9 Stealth scan: NULL scan
368 # 10 Stealth scan: NMAP XMAS scan
369 # 11 Stealth scan: Vecna scan
370 # 12 Stealth scan: NMAP fingerprint scan stateful detect
371 # 13 Stealth scan: SYN-FIN scan
372 # 14 TCP forward overlap
374 #preprocessor stream4: disable_evasion_alerts
376 # tcp stream reassembly directive
377 # no arguments loads the default configuration
378 # Only reassemble the client,
379 # Only reassemble the default list of ports (See below),
380 # Give alerts for "bad" streams
382 # Available options (comma delimited):
383 # clientonly - reassemble traffic for the client side of a connection only
384 # serveronly - reassemble traffic for the server side of a connection only
385 # both - reassemble both sides of a session
386 # noalerts - turn off alerts from the stream reassembly stage of stream4
387 # ports [list] - use the space separated list of ports in [list], "all"
388 # will turn on reassembly for all ports, "default" will turn
389 # on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
390 # 111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521,
392 # favor_old - favor an old segment (based on sequence number) over a new one.
393 # This is the default.
394 # favor_new - favor an new segment (based on sequence number) over an old one.
395 # overlap_limit [number] - limit on overlaping segments for a session.
396 # flush_on_alert - flushes stream when an alert is generated for a session.
397 # flush_behavior [mode] -
398 # default - use old static flushpoints (default)
399 # large_window - use new larger static flushpoints
400 # random - use random flushpoints defined by flush_base,
401 # flush_seed and flush_range
402 # flush_base [number] - lowest allowed random flushpoint (512 by default)
403 # flush_range [number] - number is the space within which random flushpoints
404 # are generated (default 1213)
405 # flush_seed [number] - seed for the random number generator, defaults to
408 # Using the default random flushpoints, the smallest flushpoint is 512,
409 # and the largest is 1725 bytes.
410 #preprocessor stream4_reassemble
412 # stream5: Target Based stateful inspection/stream reassembly for Snort
413 # ---------------------------------------------------------------------
414 # Stream5 is a target-based stream engine for Snort. Its functionality
415 # replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
416 # cannot be used simultaneously. Comment out the stream4 configurations
417 # above to use Stream5.
419 # See README.stream5 for details on the configuration options.
421 # Example config (that emulates Stream4 with UDP support compiled in)
422 preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
424 preprocessor stream5_tcp: policy first, use_static_footprint_sizes
425 # preprocessor stream5_udp: ignore_any_rules
428 # Performance Statistics
429 # ----------------------
430 # Documentation for this is provided in the Snort Manual. You should read it.
431 # It is included in the release distribution as doc/snort_manual.pdf
433 # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
435 # http_inspect: normalize and detect HTTP traffic and protocol anomalies
437 # lots of options available here. See doc/README.http_inspect.
438 # unicode.map should be wherever your snort.conf lives, or given
439 # a full path to where snort can find it.
440 preprocessor http_inspect: global \
441 iis_unicode_map unicode.map 1252
443 preprocessor http_inspect_server: server default \
444 profile all ports { 80 8080 8180 } oversize_dir_length 500
447 # Example unique server configuration
449 #preprocessor http_inspect_server: server 1.1.1.1 \
450 # ports { 80 3128 8080 } \
451 # server_flow_depth 0 \
453 # double_decode yes \
454 # non_rfc_char { 0x00 } \
455 # chunk_length 500000 \
457 # oversize_dir_length 300 \
461 # rpc_decode: normalize RPC traffic
462 # ---------------------------------
463 # RPC may be sent in alternate encodings besides the usual 4-byte encoding
464 # that is used by default. This plugin takes the port numbers that RPC
465 # services are running on as arguments - it is assumed that the given ports
466 # are actually running this type of service. If not, change the ports or turn
468 # The RPC decode preprocessor uses generator ID 106
470 # arguments: space separated list
471 # alert_fragments - alert on any rpc fragmented TCP data
472 # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
473 # no_alert_large_fragments - don't alert when the fragmented
474 # sizes exceed the current packet size
475 # no_alert_incomplete - don't alert when a single segment
476 # exceeds the current packet size
478 preprocessor rpc_decode: 111 32771
480 # bo: Back Orifice detector
481 # -------------------------
482 # Detects Back Orifice traffic on the network.
486 # preprocessor bo: noalert { client | server | general | snort_attack } \
487 # drop { client | server | general | snort_attack }
489 # preprocessor bo: noalert { general server } drop { snort_attack }
492 # The Back Orifice detector uses Generator ID 105 and uses the
493 # following SIDS for that GID:
494 # SID Event description
495 # ----- -------------------
496 # 1 Back Orifice traffic detected
497 # 2 Back Orifice Client Traffic Detected
498 # 3 Back Orifice Server Traffic Detected
499 # 4 Back Orifice Snort Buffer Attack
503 # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
504 # ---------------------------------------------------------------------------
505 # This preprocessor normalizes telnet negotiation strings from telnet and
506 # ftp traffic. It looks for traffic that breaks the normal data stream
507 # of the protocol, replacing it with a normalized representation of that
508 # traffic so that the "content" pattern matching keyword can work without
509 # requiring modifications.
511 # It also performs protocol correctness checks for the FTP command channel,
512 # and identifies open FTP data transfers.
514 # FTPTelnet has numerous options available, please read
515 # README.ftptelnet for help configuring the options for the global
516 # telnet, ftp server, and ftp client sections for the protocol.
519 # Per Step #2, set the following to load the ftptelnet preprocessor
520 # dynamicpreprocessor file <full path to libsf_ftptelnet_preproc.so>
521 # or use commandline option
522 # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
524 preprocessor ftp_telnet: global \
525 encrypted_traffic yes \
526 inspection_type stateful
528 preprocessor ftp_telnet_protocol: telnet \
530 ayt_attack_thresh 200
532 # This is consistent with the FTP rules as of 18 Sept 2004.
533 # CWD can have param length of 200
534 # MODE has an additional mode of Z (compressed)
535 # Check for string formats in USER & PASS commands
536 # Check nDTM commands that set modification time on the file.
537 preprocessor ftp_telnet_protocol: ftp server default \
538 def_max_param_len 100 \
539 alt_max_param_len 200 { CWD } \
540 cmd_validity MODE < char ASBCZ > \
541 cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
542 chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
546 preprocessor ftp_telnet_protocol: ftp client default \
551 # smtp: SMTP normalizer, protocol enforcement and buffer overflow
552 # ---------------------------------------------------------------------------
553 # This preprocessor normalizes SMTP commands by removing extraneous spaces.
554 # It looks for overly long command lines, response lines, and data header lines.
555 # It can alert on invalid commands, or specific valid commands. It can optionally
556 # ignore mail data, and can ignore TLS encrypted data.
558 # SMTP has numerous options available, please read README.SMTP for help
559 # configuring options.
562 # Per Step #2, set the following to load the smtp preprocessor
563 # dynamicpreprocessor file <full path to libsf_smtp_preproc.so>
564 # or use commandline option
565 # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
568 ports { 25 587 691 } \
569 inspection_type stateful \
571 normalize_cmds { EXPN VRFY RCPT } \
572 alt_max_command_line_len 260 { MAIL } \
573 alt_max_command_line_len 300 { RCPT } \
574 alt_max_command_line_len 500 { HELP HELO ETRN } \
575 alt_max_command_line_len 255 { EXPN VRFY }
579 # Portscan detection module. Detects various types of portscans and
580 # portsweeps. For more information on detection philosophy, alert types,
581 # and detailed portscan information, please refer to the README.sfportscan.
583 # -configuration options-
584 # proto { tcp udp icmp ip all }
585 # The arguments to the proto option are the types of protocol scans that
586 # the user wants to detect. Arguments should be separated by spaces and
588 # scan_type { portscan portsweep decoy_portscan distributed_portscan all }
589 # The arguments to the scan_type option are the scan types that the
590 # user wants to detect. Arguments should be separated by spaces and not
592 # sense_level { low|medium|high }
593 # There is only one argument to this option and it is the level of
594 # sensitivity in which to detect portscans. The 'low' sensitivity
595 # detects scans by the common method of looking for response errors, such
596 # as TCP RSTs or ICMP unreachables. This level requires the least
597 # tuning. The 'medium' sensitivity level detects portscans and
598 # filtered portscans (portscans that receive no response). This
599 # sensitivity level usually requires tuning out scan events from NATed
600 # IPs, DNS cache servers, etc. The 'high' sensitivity level has
601 # lower thresholds for portscan detection and a longer time window than
602 # the 'medium' sensitivity level. Requires more tuning and may be noisy
603 # on very active networks. However, this sensitivity levels catches the
605 # memcap { positive integer }
606 # The maximum number of bytes to allocate for portscan detection. The
607 # higher this number the more nodes that can be tracked.
608 # logfile { filename }
609 # This option specifies the file to log portscan and detailed portscan
610 # values to. If there is not a leading /, then snort logs to the
611 # configured log directory. Refer to README.sfportscan for details on
612 # the logged values in the logfile.
613 # watch_ip { Snort IP List }
614 # ignore_scanners { Snort IP List }
615 # ignore_scanned { Snort IP List }
616 # These options take a snort IP list as the argument. The 'watch_ip'
617 # option specifies the IP(s) to watch for portscan. The
618 # 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
619 # Note that these hosts are still watched as scanned hosts. The
620 # 'ignore_scanners' option is used to tune alerts from very active
621 # hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
622 # specifies the IP(s) to ignore as scanned hosts. Note that these hosts
623 # are still watched as scanner hosts. The 'ignore_scanned' option is
624 # used to tune alerts from very active hosts such as syslog servers, etc.
626 # This option will include sessions picked up in midstream by the stream
627 # module, which is necessary to detect ACK scans. However, this can lead to
628 # false alerts, especially under heavy load with dropped packets; which is why
629 # the option is off by default.
631 preprocessor sfportscan: proto { all } \
632 memcap { 10000000 } \
633 sense_level { medium }
636 #----------------------------------------
637 # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
638 # unicast ARP requests, and specific ARP mapping monitoring. To make use of
639 # this preprocessor you must specify the IP and hardware address of hosts on
640 # the same layer 2 segment as you. Specify one host IP MAC combo per line.
641 # Also takes a "-unicast" option to turn on unicast ARP request detection.
642 # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
644 # SID Event description
645 # ----- -------------------
646 # 1 Unicast ARP request
647 # 2 Etherframe ARP mismatch (src)
648 # 3 Etherframe ARP mismatch (dst)
649 # 4 ARP cache overwrite attack
651 #preprocessor arpspoof
652 #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
655 #----------------------------------------
656 # EXPERIMENTAL CODE!!!
658 # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
659 # USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS.
660 # YOU HAVE BEEN WARNED.
662 # The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
663 # Secure CRT, and the Protocol Mismatch exploit.
665 # Both Gobbles and CRC 32 attacks occur after the key exchange, and are
666 # therefore encrypted. Both attacks involve sending a large payload
667 # (20kb+) to the server immediately after the authentication challenge.
668 # To detect the attacks, the SSH preprocessor counts the number of bytes
669 # transmitted to the server. If those bytes exceed a pre-defined limit
670 # within a pre-define number of packets, an alert is generated. Since
671 # Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH
672 # version string exchange is used to distinguish the attacks.
674 # The Secure CRT and protocol mismatch exploits are observable before
677 # SSH has numerous options available, please read README.ssh for help
678 # configuring options.
681 # Per Step #2, set the following to load the ssh preprocessor
682 # dynamicpreprocessor file <full path to libsf_ssh_preproc.so>
683 # or use commandline option
684 # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
686 #preprocessor ssh: server_ports { 22 } \
687 # max_client_bytes 19600 \
688 # max_encrypted_packets 20
691 #----------------------------------------
693 # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
694 # It is primarily interested in DCE/RPC data, and only decodes SMB
695 # to get at the DCE/RPC data carried by the SMB layer.
697 # Currently, the preprocessor only handles reassembly of fragmentation
698 # at both the SMB and DCE/RPC layer. Snort rules can be evaded by
699 # using both types of fragmentation; with the preprocessor enabled
700 # the rules are given a buffer with a reassembled SMB or DCE/RPC
703 # At the SMB layer, only fragmentation using WriteAndX is currently
704 # reassembled. Other methods will be handled in future versions of
707 # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
708 # the SMB data, as well as checking the NetBIOS header (which is always
709 # present for SMB) for the type "SMB Session".
711 # Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
712 # checked in the packet. Assuming that the data is a DCE/RPC header,
713 # one byte is checked for DCE/RPC version (5) and another for the type
714 # "DCE/RPC Request". If both match, the preprocessor proceeds with that
715 # assumption that it is looking at DCE/RPC data. If subsequent checks
716 # are nonsensical, it ends processing.
718 # DCERPC has numerous options available, please read README.dcerpc for help
719 # configuring options.
722 # Per Step #2, set the following to load the dcerpc preprocessor
723 # dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
724 # or use commandline option
725 # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
727 preprocessor dcerpc: \
733 #----------------------------------------
734 # The dns preprocessor (currently) decodes DNS Response traffic
735 # and detects a few vulnerabilities.
737 # DNS has a few options available, please read README.dns for
738 # help configuring options.
741 # Per Step #2, set the following to load the dns preprocessor
742 # dynamicpreprocessor file <full path to libsf_dns_preproc.so>
743 # or use commandline option
744 # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
748 enable_rdata_overflow
751 #----------------------------------------
752 # Encrypted traffic should be ignored by Snort for both performance reasons
753 # and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP)
754 # inspects SSL traffic and optionally determines if and when to stop
757 # Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to
758 # inspect port 443, only the SSL handshake of each connection will be
759 # inspected. Once the traffic is determined to be encrypted, no further
760 # inspection of the data on the connection is made.
762 # Important note: Stream4 or Stream5 should be explicitly told to reassemble
763 # traffic on the ports that you intend to inspect SSL
764 # encrypted traffic on.
766 # To add reassembly on port 443 to Stream5, use 'port both 443' in the
767 # Stream5 configuration.
769 preprocessor ssl: noinspect_encrypted
772 ####################################################################
773 # Step #4: Configure output plugins
775 # Uncomment and configure the output plugins you decide to use. General
776 # configuration for output plugins is of the form:
778 # output <name_of_plugin>: <configuration_options>
780 # alert_syslog: log alerts to syslog
781 # ----------------------------------
782 # Use one or more syslog facilities as arguments. Win32 can also optionally
783 # specify a particular hostname/port. Under Win32, the default hostname is
784 # '127.0.0.1', and the default port is 514.
786 # [Unix flavours should use this format...]
787 # output alert_syslog: LOG_AUTH LOG_ALERT
789 # [Win32 can use any of these formats...]
790 # output alert_syslog: LOG_AUTH LOG_ALERT
791 # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
792 # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
794 # log_tcpdump: log packets in binary tcpdump format
795 # -------------------------------------------------
796 # The only argument is the output file name.
798 # output log_tcpdump: tcpdump.log
800 # database: log to a variety of databases
801 # ---------------------------------------
802 # See the README.database file for more information about configuring
803 # and using this plugin.
805 # output database: log, mysql, user=root password=test dbname=db host=localhost
806 # output database: alert, postgresql, user=snort dbname=snort
807 # output database: log, odbc, user=snort dbname=snort
808 # output database: log, mssql, dbname=snort user=snort password=test
809 # output database: log, oracle, dbname=snort user=snort password=test
811 # unified: Snort unified binary format alerting and logging
812 # -------------------------------------------------------------
813 # The unified output plugin provides two new formats for logging and generating
814 # alerts from Snort, the "unified" format. The unified format is a straight
815 # binary format for logging data out of Snort that is designed to be fast and
816 # efficient. Used with barnyard (the new alert/log processor), most of the
817 # overhead for logging and alerting to various slow storage mechanisms such as
818 # databases or the network can now be avoided.
820 # Check out the spo_unified.h file for the data formats.
822 # Two arguments are supported.
823 # filename - base filename to write to (current time_t is appended)
824 # limit - maximum size of spool file in MB (default: 128)
826 # output alert_unified: filename snort.alert, limit 128
827 # output log_unified: filename snort.log, limit 128
830 # prelude: log to the Prelude Hybrid IDS system
831 # ---------------------------------------------
833 # profile = Name of the Prelude profile to use (default is snort).
835 # Snort priority to IDMEF severity mappings:
836 # high < medium < low < info
838 # These are the default mapped from classification.config:
842 # high = anything below medium
844 # output alert_prelude
845 # output alert_prelude: profile=snort-profile-name
848 # You can optionally define new rule types and associate one or more output
849 # plugins specifically to that type.
851 # This example will create a type that will log to just tcpdump.
852 # ruletype suspicious
855 # output log_tcpdump: suspicious.log
858 # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
859 # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
861 # This example will create a rule type that will log to syslog and a mysql
866 # output alert_syslog: LOG_AUTH LOG_ALERT
867 # output database: log, mysql, user=snort dbname=snort host=localhost
870 # EXAMPLE RULE FOR REDALERT RULETYPE:
871 # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
872 # (msg:"Someone is being LEET"; flags:A+;)
875 # Include classification & priority settings
876 # Note for Windows users: You are advised to make this an absolute path,
877 # such as: c:\snort\etc\classification.config
880 include /etc/snort/rules/classification.config
883 # Include reference systems
884 # Note for Windows users: You are advised to make this an absolute path,
885 # such as: c:\snort\etc\reference.config
888 include /etc/snort/rules/reference.config
890 ####################################################################
891 # Step #5: Configure snort with config statements
893 # See the snort manual for a full set of configuration references
895 # config flowbits_size: 64
897 # New global ignore_ports config option from Andy Mullican
899 # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
900 # config ignore_ports: tcp 21 6667:6671 1356
901 # config ignore_ports: udp 1:17 53
904 ####################################################################
905 # Step #6: Customize your rule set
907 # Up to date snort rules are available at http://www.snort.org
909 # The snort web site has documentation about how to write your own custom snort
912 #=========================================
913 # Include all relevant rulesets here
915 # The following rulesets are disabled by default:
917 # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
918 # chat, multimedia, and p2p
920 # These rules are either site policy specific or require tuning in order to not
921 # generate false positive alerts in most enviornments.
923 # Please read the specific include file for more information and
924 # README.alert_order for how rule ordering affects how alerts are triggered.
925 #=========================================
927 #include $RULE_PATH/local.rules
928 #include $RULE_PATH/bad-traffic.rules
929 #include $RULE_PATH/exploit.rules
930 #include $RULE_PATH/scan.rules
931 #include $RULE_PATH/finger.rules
932 #include $RULE_PATH/ftp.rules
933 #include $RULE_PATH/telnet.rules
934 #include $RULE_PATH/rpc.rules
935 #include $RULE_PATH/rservices.rules
936 #include $RULE_PATH/dos.rules
937 #include $RULE_PATH/ddos.rules
938 #include $RULE_PATH/dns.rules
939 #include $RULE_PATH/tftp.rules
941 #include $RULE_PATH/web-cgi.rules
942 #include $RULE_PATH/web-coldfusion.rules
943 #include $RULE_PATH/web-iis.rules
944 #include $RULE_PATH/web-frontpage.rules
945 #include $RULE_PATH/web-misc.rules
946 #include $RULE_PATH/web-client.rules
947 #include $RULE_PATH/web-php.rules
949 #include $RULE_PATH/sql.rules
950 #include $RULE_PATH/x11.rules
951 #include $RULE_PATH/icmp.rules
952 #include $RULE_PATH/netbios.rules
953 #include $RULE_PATH/misc.rules
954 #include $RULE_PATH/attack-responses.rules
955 #include $RULE_PATH/oracle.rules
956 #include $RULE_PATH/mysql.rules
957 #include $RULE_PATH/snmp.rules
959 #include $RULE_PATH/smtp.rules
960 #include $RULE_PATH/imap.rules
961 #include $RULE_PATH/pop2.rules
962 #include $RULE_PATH/pop3.rules
964 #include $RULE_PATH/nntp.rules
965 #include $RULE_PATH/other-ids.rules
966 # include $RULE_PATH/web-attacks.rules
967 # include $RULE_PATH/backdoor.rules
968 # include $RULE_PATH/shellcode.rules
969 # include $RULE_PATH/policy.rules
970 # include $RULE_PATH/porn.rules
971 # include $RULE_PATH/info.rules
972 # include $RULE_PATH/icmp-info.rules
973 # include $RULE_PATH/virus.rules
974 # include $RULE_PATH/chat.rules
975 # include $RULE_PATH/multimedia.rules
976 # include $RULE_PATH/p2p.rules
977 # include $RULE_PATH/spyware-put.rules
978 # include $RULE_PATH/specific-threats.rules
979 #include $RULE_PATH/experimental.rules
981 # include $PREPROC_RULE_PATH/preprocessor.rules
982 # include $PREPROC_RULE_PATH/decoder.rules
984 # Include any thresholding or suppression commands. See threshold.conf in the
985 # <snort src>/etc directory for details. Commands don't necessarily need to be
986 # contained in this conf, but a separate conf makes it easier to maintain them.
987 # Note for Windows users: You are advised to make this an absolute path,
988 # such as: c:\snort\etc\threshold.conf
989 # Uncomment if needed.
990 # include threshold.conf