#--------------------------------------------------
-# http://www.snort.org Snort 2.8.3.2 Ruleset
+# http://www.snort.org Snort 2.8.4 Ruleset
# Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
# the form
# preprocessor <name_of_processor>: <configuration_options>
-# Configure Flow tracking module
-# -------------------------------
-#
-# The Flow tracking module is meant to start unifying the state keeping
-# mechanisms of snort into a single place. Right now, only a portscan detector
-# is implemented but in the long term, many of the stateful subsystems of
-# snort will be migrated over to becoming flow plugins. This must be enabled
-# for flow-portscan to work correctly.
-#
-# See README.flow for additional information
-#
-#preprocessor flow: stats_interval 0 hash 2
-
# frag3: Target-based IP defragmentation
# --------------------------------------
#
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
-
-# stream4: stateful inspection/stream reassembly for Snort
-#----------------------------------------------------------------------
-# Use in concert with the -z [all|est] command line switch to defeat stick/snot
-# against TCP rules. Also performs full TCP stream reassembly, stateful
-# inspection of TCP streams, etc. Can statefully detect various portscan
-# types, fingerprinting, ECN, etc.
-
-# stateful inspection directive
-# no arguments loads the defaults (timeout 30, memcap 8388608)
-# options (options are comma delimited):
-# detect_scans - stream4 will detect stealth portscans and generate alerts
-# when it sees them when this option is set
-# detect_state_problems - detect TCP state problems, this tends to be very
-# noisy because there are a lot of crappy ip stack
-# implementations out there
-#
-# disable_evasion_alerts - turn off the possibly noisy mitigation of
-# overlapping sequences.
-#
-# ttl_limit [number] - differential of the initial ttl on a session versus
-# the normal that someone may be playing games.
-# Routing flap may cause lots of false positives.
-#
-# keepstats [machine|binary] - keep session statistics, add "machine" to
-# get them in a flat format for machine reading, add
-# "binary" to get them in a unified binary output
-# format
-# noinspect - turn off stateful inspection only
-# timeout [number] - set the session timeout counter to [number] seconds,
-# default is 30 seconds
-# max_sessions [number] - limit the number of sessions stream4 keeps
-# track of
-# memcap [number] - limit stream4 memory usage to [number] bytes (does
-# not include session tracking, which is set by the
-# max_sessions option)
-# log_flushed_streams - if an event is detected on a stream this option will
-# cause all packets that are stored in the stream4
-# packet buffers to be flushed to disk. This only
-# works when logging in pcap mode!
-# server_inspect_limit [bytes] - Byte limit on server side inspection.
-# enable_udp_sessions - turn on tracking of "sessions" over UDP. Requires
-# configure --enable-stream4udp. UDP sessions are
-# only created when there is a rule for the sender or
-# responder that has a flow or flowbits keyword.
-# max_udp_sessions [number] - limit the number of simultaneous UDP sessions
-# to track
-# udp_ignore_any - Do not inspect UDP packets unless there is a port specific
-# rule for a given port. This is a performance improvement
-# and turns off inspection for udp xxx any -> xxx any rules
-# cache_clean_sessions [number] - Cleanup the session cache by number sessions
-# at a time. The larger the value, the
-# more sessions are purged from the cache when
-# the session limit or memcap is reached.
-# Defaults to 5.
-#
-#
-#
-# Stream4 uses Generator ID 111 and uses the following SIDS
-# for that GID:
-# SID Event description
-# ----- -------------------
-# 1 Stealth activity
-# 2 Evasive RST packet
-# 3 Evasive TCP packet retransmission
-# 4 TCP Window violation
-# 5 Data on SYN packet
-# 6 Stealth scan: full XMAS
-# 7 Stealth scan: SYN-ACK-PSH-URG
-# 8 Stealth scan: FIN scan
-# 9 Stealth scan: NULL scan
-# 10 Stealth scan: NMAP XMAS scan
-# 11 Stealth scan: Vecna scan
-# 12 Stealth scan: NMAP fingerprint scan stateful detect
-# 13 Stealth scan: SYN-FIN scan
-# 14 TCP forward overlap
-
-#preprocessor stream4: disable_evasion_alerts
-
-# tcp stream reassembly directive
-# no arguments loads the default configuration
-# Only reassemble the client,
-# Only reassemble the default list of ports (See below),
-# Give alerts for "bad" streams
-#
-# Available options (comma delimited):
-# clientonly - reassemble traffic for the client side of a connection only
-# serveronly - reassemble traffic for the server side of a connection only
-# both - reassemble both sides of a session
-# noalerts - turn off alerts from the stream reassembly stage of stream4
-# ports [list] - use the space separated list of ports in [list], "all"
-# will turn on reassembly for all ports, "default" will turn
-# on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
-# 111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521,
-# 2401, and 3306
-# favor_old - favor an old segment (based on sequence number) over a new one.
-# This is the default.
-# favor_new - favor an new segment (based on sequence number) over an old one.
-# overlap_limit [number] - limit on overlaping segments for a session.
-# flush_on_alert - flushes stream when an alert is generated for a session.
-# flush_behavior [mode] -
-# default - use old static flushpoints (default)
-# large_window - use new larger static flushpoints
-# random - use random flushpoints defined by flush_base,
-# flush_seed and flush_range
-# flush_base [number] - lowest allowed random flushpoint (512 by default)
-# flush_range [number] - number is the space within which random flushpoints
-# are generated (default 1213)
-# flush_seed [number] - seed for the random number generator, defaults to
-# Snort PID + time
-#
-# Using the default random flushpoints, the smallest flushpoint is 512,
-# and the largest is 1725 bytes.
-#preprocessor stream4_reassemble
-
# stream5: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
-# Stream5 is a target-based stream engine for Snort. Its functionality
-# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
-# cannot be used simultaneously. Comment out the stream4 configurations
-# above to use Stream5.
+# Stream5 is a target-based stream engine for Snort. It handles both
+# TCP and UDP connection tracking as well as TCP reassembly.
#
# See README.stream5 for details on the configuration options.
#
-# Example config (that emulates Stream4 with UDP support compiled in)
+# Example config
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
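Review bot: The new `stream5_tcp` line carries no `ports` clause, so reassembly stays on the engine's default port list, while the SSL section later in this same diff says Stream5 must be explicitly told to reassemble port 443 for the `ssl` preprocessor to work on it; as shipped, the two halves of the config do not line up. If inspection of 443 is intended, the line should read something like `preprocessor stream5_tcp: policy first, use_static_footprint_sizes, ports both 443` (README.stream5 spells the keyword `ports`, not the `port` used in the comment below — worth confirming against the docs). Separately, `policy first` is a generic overlap-resolution policy rather than one matched to the hosts behind the sensor; a target-based engine only closes the classic overlapping-segment insertion/evasion gap when the policy matches the OS of the protected servers, so a comment such as `# set policy to the OS of the hosts being protected (see README.stream5); 'first' is a fallback` would help whoever deploys this. The surrounding preprocessor section continues outside the hunk.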
# dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
+#
+#preprocessor dcerpc: \
+# autodetect \
+# max_frag_size 3000 \
+# memcap 100000
+
+
+# DCE/RPC 2
+#----------------------------------------
+# See doc/README.dcerpc2 for explanations of what the
+# preprocessor does and how to configure it.
+#
+preprocessor dcerpc2
+preprocessor dcerpc2_server: default
-preprocessor dcerpc: \
- autodetect \
- max_frag_size 3000 \
- memcap 100000
# DNS
#----------------------------------------
# inspected. Once the traffic is determined to be encrypted, no further
# inspection of the data on the connection is made.
#
-# Important note: Stream4 or Stream5 should be explicitly told to reassemble
+# If you don't necessarily trust all of the SSL capable servers on your
+# network, you should remove the "trustservers" option from the configuration.
+#
+# Important note: Stream5 should be explicitly told to reassemble
# traffic on the ports that you intend to inspect SSL
# encrypted traffic on.
#
# To add reassembly on port 443 to Stream5, use 'port both 443' in the
# Stream5 configuration.
-preprocessor ssl: noinspect_encrypted
+preprocessor ssl: noinspect_encrypted, trustservers
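Review bot: Turning `trustservers` on in the shipped default is a trust decision that the added comment itself flags as conditional: the session is treated as encrypted without observing application data from both sides, so a compromised or attacker-controlled server on a reassembled port can end inspection early by playing the server side of a handshake. Since the comment two lines up tells operators to remove the option when not every SSL-capable server is trusted, the default and the advice pull in opposite directions; the conservative shipped line is the one being removed, `preprocessor ssl: noinspect_encrypted`, with `trustservers` left as a commented alternative for sites that have decided to trust their servers. A one-line note next to the option, such as `# trustservers: performance option — an untrusted server can stop inspection of its session`, would make the trade-off visible at the point where it is enabled. The remainder of the SSL section lies outside the hunk.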
####################################################################
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
-
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-php.rules
-
#include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
-
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
-
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/experimental.rules
-
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules