-# sfPortscan
-# ----------
-# Portscan detection module. Detects various types of portscans and
-# portsweeps. For more information on detection philosophy, alert types,
-# and detailed portscan information, please refer to the README.sfportscan.
-#
-# -configuration options-
-# proto { tcp udp icmp ip all }
-# The arguments to the proto option are the types of protocol scans that
-# the user wants to detect. Arguments should be separated by spaces and
-# not commas.
-# scan_type { portscan portsweep decoy_portscan distributed_portscan all }
-# The arguments to the scan_type option are the scan types that the
-# user wants to detect. Arguments should be separated by spaces and not
-# commas.
-# sense_level { low|medium|high }
-# There is only one argument to this option and it is the level of
-# sensitivity in which to detect portscans. The 'low' sensitivity
-# detects scans by the common method of looking for response errors, such
-# as TCP RSTs or ICMP unreachables. This level requires the least
-# tuning. The 'medium' sensitivity level detects portscans and
-# filtered portscans (portscans that receive no response). This
-# sensitivity level usually requires tuning out scan events from NATed
-# IPs, DNS cache servers, etc. The 'high' sensitivity level has
-# lower thresholds for portscan detection and a longer time window than
-# the 'medium' sensitivity level. Requires more tuning and may be noisy
-# on very active networks. However, this sensitivity levels catches the
-# most scans.
-# memcap { positive integer }
-# The maximum number of bytes to allocate for portscan detection. The
-# higher this number the more nodes that can be tracked.
-# logfile { filename }
-# This option specifies the file to log portscan and detailed portscan
-# values to. If there is not a leading /, then snort logs to the
-# configured log directory. Refer to README.sfportscan for details on
-# the logged values in the logfile.
-# watch_ip { Snort IP List }
-# ignore_scanners { Snort IP List }
-# ignore_scanned { Snort IP List }
-# These options take a snort IP list as the argument. The 'watch_ip'
-# option specifies the IP(s) to watch for portscan. The
-# 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
-# Note that these hosts are still watched as scanned hosts. The
-# 'ignore_scanners' option is used to tune alerts from very active
-# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
-# specifies the IP(s) to ignore as scanned hosts. Note that these hosts
-# are still watched as scanner hosts. The 'ignore_scanned' option is
-# used to tune alerts from very active hosts such as syslog servers, etc.
-# detect_ack_scans
-# This option will include sessions picked up in midstream by the stream
-# module, which is necessary to detect ACK scans. However, this can lead to
-# false alerts, especially under heavy load with dropped packets; which is why
-# the option is off by default.
-#
-preprocessor sfportscan: proto { all } \
- memcap { 10000000 } \
- sense_level { medium }
-
-# arpspoof
-#----------------------------------------
-# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
-# unicast ARP requests, and specific ARP mapping monitoring. To make use of
-# this preprocessor you must specify the IP and hardware address of hosts on
-# the same layer 2 segment as you. Specify one host IP MAC combo per line.
-# Also takes a "-unicast" option to turn on unicast ARP request detection.
-# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
-
-# SID Event description
-# ----- -------------------
-# 1 Unicast ARP request
-# 2 Etherframe ARP mismatch (src)
-# 3 Etherframe ARP mismatch (dst)
-# 4 ARP cache overwrite attack
-
-#preprocessor arpspoof
-#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
-
-# ssh
-#----------------------------------------
-# EXPERIMENTAL CODE!!!
-#
-# THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
-# USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS.
-# YOU HAVE BEEN WARNED.
-#
-# The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
-# Secure CRT, and the Protocol Mismatch exploit.
-#
-# Both Gobbles and CRC 32 attacks occur after the key exchange, and are
-# therefore encrypted. Both attacks involve sending a large payload
-# (20kb+) to the server immediately after the authentication challenge.
-# To detect the attacks, the SSH preprocessor counts the number of bytes
-# transmitted to the server. If those bytes exceed a pre-defined limit
-# within a pre-define number of packets, an alert is generated. Since
-# Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH
-# version string exchange is used to distinguish the attacks.
-#
-# The Secure CRT and protocol mismatch exploits are observable before
-# the key exchange.
-#
-# SSH has numerous options available, please read README.ssh for help
-# configuring options.
-
-#####
-# Per Step #2, set the following to load the ssh preprocessor
-# dynamicpreprocessor file <full path to libsf_ssh_preproc.so>
-# or use commandline option
-# --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
-#
-#preprocessor ssh: server_ports { 22 } \
-# max_client_bytes 19600 \
-# max_encrypted_packets 20
projects / people / pmueller / ipfire-2.x.git / commitdiff
