X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Fsnort%2Fsnort.conf;h=2008a5904b6835c50243cb39ee4dcfff248d8502;hp=55678e833ab84c3c25ba709577b0610972913677;hb=8581d1ef9e2378f4800a803708f3208a830d460f;hpb=4fafa702e8cfe55114230f350327b92c267156ff diff --git a/config/snort/snort.conf b/config/snort/snort.conf index 55678e833a..2008a5904b 100644 --- a/config/snort/snort.conf +++ b/config/snort/snort.conf @@ -1,5 +1,5 @@ #-------------------------------------------------- -# http://www.snort.org Snort 2.8.3.2 Ruleset +# http://www.snort.org Snort 2.8.4 Ruleset # Contact: snort-sigs@lists.sourceforge.net #-------------------------------------------------- # $Id$ @@ -221,19 +221,6 @@ dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so # the form # preprocessor : -# Configure Flow tracking module -# ------------------------------- -# -# The Flow tracking module is meant to start unifying the state keeping -# mechanisms of snort into a single place. Right now, only a portscan detector -# is implemented but in the long term, many of the stateful subsystems of -# snort will be migrated over to becoming flow plugins. This must be enabled -# for flow-portscan to work correctly. -# -# See README.flow for additional information -# -#preprocessor flow: stats_interval 0 hash 2 - # frag3: Target-based IP defragmentation # -------------------------------------- # 
@@ -294,131 +281,14 @@ dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy first detect_anomalies - -# stream4: stateful inspection/stream reassembly for Snort -#---------------------------------------------------------------------- -# Use in concert with the -z [all|est] command line switch to defeat stick/snot -# against TCP rules. Also performs full TCP stream reassembly, stateful -# inspection of TCP streams, etc. Can statefully detect various portscan -# types, fingerprinting, ECN, etc. - -# stateful inspection directive -# no arguments loads the defaults (timeout 30, memcap 8388608) -# options (options are comma delimited): -# detect_scans - stream4 will detect stealth portscans and generate alerts -# when it sees them when this option is set -# detect_state_problems - detect TCP state problems, this tends to be very -# noisy because there are a lot of crappy ip stack -# implementations out there -# -# disable_evasion_alerts - turn off the possibly noisy mitigation of -# overlapping sequences. -# -# ttl_limit [number] - differential of the initial ttl on a session versus -# the normal that someone may be playing games. -# Routing flap may cause lots of false positives. 
-# -# keepstats [machine|binary] - keep session statistics, add "machine" to -# get them in a flat format for machine reading, add -# "binary" to get them in a unified binary output -# format -# noinspect - turn off stateful inspection only -# timeout [number] - set the session timeout counter to [number] seconds, -# default is 30 seconds -# max_sessions [number] - limit the number of sessions stream4 keeps -# track of -# memcap [number] - limit stream4 memory usage to [number] bytes (does -# not include session tracking, which is set by the -# max_sessions option) -# log_flushed_streams - if an event is detected on a stream this option will -# cause all packets that are stored in the stream4 -# packet buffers to be flushed to disk. This only -# works when logging in pcap mode! -# server_inspect_limit [bytes] - Byte limit on server side inspection. -# enable_udp_sessions - turn on tracking of "sessions" over UDP. Requires -# configure --enable-stream4udp. UDP sessions are -# only created when there is a rule for the sender or -# responder that has a flow or flowbits keyword. -# max_udp_sessions [number] - limit the number of simultaneous UDP sessions -# to track -# udp_ignore_any - Do not inspect UDP packets unless there is a port specific -# rule for a given port. This is a performance improvement -# and turns off inspection for udp xxx any -> xxx any rules -# cache_clean_sessions [number] - Cleanup the session cache by number sessions -# at a time. The larger the value, the -# more sessions are purged from the cache when -# the session limit or memcap is reached. -# Defaults to 5. 
-# -# -# -# Stream4 uses Generator ID 111 and uses the following SIDS -# for that GID: -# SID Event description -# ----- ------------------- -# 1 Stealth activity -# 2 Evasive RST packet -# 3 Evasive TCP packet retransmission -# 4 TCP Window violation -# 5 Data on SYN packet -# 6 Stealth scan: full XMAS -# 7 Stealth scan: SYN-ACK-PSH-URG -# 8 Stealth scan: FIN scan -# 9 Stealth scan: NULL scan -# 10 Stealth scan: NMAP XMAS scan -# 11 Stealth scan: Vecna scan -# 12 Stealth scan: NMAP fingerprint scan stateful detect -# 13 Stealth scan: SYN-FIN scan -# 14 TCP forward overlap - -#preprocessor stream4: disable_evasion_alerts - -# tcp stream reassembly directive -# no arguments loads the default configuration -# Only reassemble the client, -# Only reassemble the default list of ports (See below), -# Give alerts for "bad" streams -# -# Available options (comma delimited): -# clientonly - reassemble traffic for the client side of a connection only -# serveronly - reassemble traffic for the server side of a connection only -# both - reassemble both sides of a session -# noalerts - turn off alerts from the stream reassembly stage of stream4 -# ports [list] - use the space separated list of ports in [list], "all" -# will turn on reassembly for all ports, "default" will turn -# on reassembly for ports 21, 23, 25, 42, 53, 80, 110, -# 111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521, -# 2401, and 3306 -# favor_old - favor an old segment (based on sequence number) over a new one. -# This is the default. -# favor_new - favor an new segment (based on sequence number) over an old one. -# overlap_limit [number] - limit on overlaping segments for a session. -# flush_on_alert - flushes stream when an alert is generated for a session. 
-# flush_behavior [mode] - -# default - use old static flushpoints (default) -# large_window - use new larger static flushpoints -# random - use random flushpoints defined by flush_base, -# flush_seed and flush_range -# flush_base [number] - lowest allowed random flushpoint (512 by default) -# flush_range [number] - number is the space within which random flushpoints -# are generated (default 1213) -# flush_seed [number] - seed for the random number generator, defaults to -# Snort PID + time -# -# Using the default random flushpoints, the smallest flushpoint is 512, -# and the largest is 1725 bytes. -#preprocessor stream4_reassemble - # stream5: Target Based stateful inspection/stream reassembly for Snort # --------------------------------------------------------------------- -# Stream5 is a target-based stream engine for Snort. Its functionality -# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5 -# cannot be used simultaneously. Comment out the stream4 configurations -# above to use Stream5. +# Stream5 is a target-based stream engine for Snort. It handles both +# TCP and UDP connection tracking as well as TCP reassembly. # # See README.stream5 for details on the configuration options. # -# Example config (that emulates Stream4 with UDP support compiled in) +# Example config preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp no preprocessor stream5_tcp: policy first, use_static_footprint_sizes 
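Review bot: The rewritten Stream5 comment now says the engine "handles both TCP and UDP connection tracking", but the `preprocessor stream5_global` line kept directly below it still sets `track_udp no`, so no UDP sessions are tracked and any UDP rule that depends on `flow`/`flowbits` state has nothing to match against. Either the comment should state that UDP tracking is disabled in this configuration, or the config should enable it (`track_udp yes` plus a `preprocessor stream5_udp` line, see README.stream5). The stream5_tcp line also keeps `use_static_footprint_sizes`, which the old text described as the Stream4-emulation choice; the deleted Stream4 notes explained that randomised flush points were meant to make segment-boundary evasion harder, so it is worth confirming that static footprints are still wanted now that Stream4 compatibility is no longer the stated goal. Note that no `ports` list is given for stream5_tcp, so reassembly falls back to whatever README.stream5 defines as the default.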
@@ -723,11 +593,21 @@ preprocessor sfportscan: proto { all } \ # dynamicpreprocessor file # or use commandline option # --dynamic-preprocessor-lib +# +#preprocessor dcerpc: \ +# autodetect \ +# max_frag_size 3000 \ +# memcap 100000 + + +# DCE/RPC 2 +#---------------------------------------- +# See doc/README.dcerpc2 for explanations of what the +# preprocessor does and how to configure it. +# +preprocessor dcerpc2 +preprocessor dcerpc2_server: default -preprocessor dcerpc: \ - autodetect \ - max_frag_size 3000 \ - memcap 100000 # DNS #---------------------------------------- @@ -759,14 +639,17 @@ preprocessor dns: \ # inspected. Once the traffic is determined to be encrypted, no further # inspection of the data on the connection is made. # -# Important note: Stream4 or Stream5 should be explicitly told to reassemble +# If you don't necessarily trust all of the SSL capable servers on your +# network, you should remove the "trustservers" option from the configuration. +# +# Important note: Stream5 should be explicitly told to reassemble # traffic on the ports that you intend to inspect SSL # encrypted traffic on. # # To add reassembly on port 443 to Stream5, use 'port both 443' in the # Stream5 configuration. -preprocessor ssl: noinspect_encrypted +preprocessor ssl: noinspect_encrypted, trustservers #################################################################### @@ -937,7 +820,6 @@ include /etc/snort/rules/reference.config #include $RULE_PATH/ddos.rules #include $RULE_PATH/dns.rules #include $RULE_PATH/tftp.rules - #include $RULE_PATH/web-cgi.rules #include $RULE_PATH/web-coldfusion.rules #include $RULE_PATH/web-iis.rules @@ -945,7 +827,6 @@ include /etc/snort/rules/reference.config #include $RULE_PATH/web-misc.rules #include $RULE_PATH/web-client.rules #include $RULE_PATH/web-php.rules - #include $RULE_PATH/sql.rules #include $RULE_PATH/x11.rules #include $RULE_PATH/icmp.rules 
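Review bot: The bare `preprocessor dcerpc2` line drops the explicit resource bounds the replaced dcerpc block carried (`memcap 100000`, `max_frag_size 3000`), so the new preprocessor runs with whatever defaults README.dcerpc2 specifies; dcerpc2 has equivalent global options, so something like `preprocessor dcerpc2: memcap 102400, max_frag_len 3000` keeps the limit deliberate (check the unit the README gives for memcap before picking the number). Relying on the default may be fine, but on a firewall appliance it should be a conscious choice rather than a side effect of the migration. `preprocessor dcerpc2_server: default` with no `detect` list inspects the README's default port set on all traffic; if SMB/DCE-RPC is presumably only expected towards internal hosts, a `net` restriction on a second server line would avoid spending effort on the rest.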
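Review bot: Adding `trustservers` to the ssl preprocessor relaxes the check that application data must be seen from both sides before the session is marked encrypted and, with `noinspect_encrypted`, inspection stops; the new comment itself says this is only appropriate when every SSL-capable server is trusted, and on a perimeter IDS the servers on the far side are exactly the untrusted ones. The safer shipped default is the previous `preprocessor ssl: noinspect_encrypted`, leaving `trustservers` as an administrator opt-in documented in the comment. The retained note above also says Stream5 must be told to reassemble the SSL ports (`port both 443`), but the stream5_tcp line earlier in this diff specifies no ports, so unless 443 is in the default list the preprocessor is handed unreassembled 443 traffic.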
@@ -955,12 +836,10 @@ include /etc/snort/rules/reference.config #include $RULE_PATH/oracle.rules #include $RULE_PATH/mysql.rules #include $RULE_PATH/snmp.rules - #include $RULE_PATH/smtp.rules #include $RULE_PATH/imap.rules #include $RULE_PATH/pop2.rules #include $RULE_PATH/pop3.rules - #include $RULE_PATH/nntp.rules #include $RULE_PATH/other-ids.rules # include $RULE_PATH/web-attacks.rules @@ -977,7 +856,6 @@ include /etc/snort/rules/reference.config # include $RULE_PATH/spyware-put.rules # include $RULE_PATH/specific-threats.rules #include $RULE_PATH/experimental.rules - # include $PREPROC_RULE_PATH/preprocessor.rules # include $PREPROC_RULE_PATH/decoder.rules