#--------------------------------------------------
-# http://www.snort.org Snort 2.8.3.2 Ruleset
+# http://www.snort.org Snort 2.8.4 Ruleset
# Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
# the form
# preprocessor <name_of_processor>: <configuration_options>
-# Configure Flow tracking module
-# -------------------------------
-#
-# The Flow tracking module is meant to start unifying the state keeping
-# mechanisms of snort into a single place. Right now, only a portscan detector
-# is implemented but in the long term, many of the stateful subsystems of
-# snort will be migrated over to becoming flow plugins. This must be enabled
-# for flow-portscan to work correctly.
-#
-# See README.flow for additional information
-#
-#preprocessor flow: stats_interval 0 hash 2
-
# frag3: Target-based IP defragmentation
# --------------------------------------
#
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
-
-# stream4: stateful inspection/stream reassembly for Snort
-#----------------------------------------------------------------------
-# Use in concert with the -z [all|est] command line switch to defeat stick/snot
-# against TCP rules. Also performs full TCP stream reassembly, stateful
-# inspection of TCP streams, etc. Can statefully detect various portscan
-# types, fingerprinting, ECN, etc.
-
-# stateful inspection directive
-# no arguments loads the defaults (timeout 30, memcap 8388608)
-# options (options are comma delimited):
-# detect_scans - stream4 will detect stealth portscans and generate alerts
-# when it sees them when this option is set
-# detect_state_problems - detect TCP state problems, this tends to be very
-# noisy because there are a lot of crappy ip stack
-# implementations out there
-#
-# disable_evasion_alerts - turn off the possibly noisy mitigation of
-# overlapping sequences.
-#
-# ttl_limit [number] - differential of the initial ttl on a session versus
-# the normal that someone may be playing games.
-# Routing flap may cause lots of false positives.
-#
-# keepstats [machine|binary] - keep session statistics, add "machine" to
-# get them in a flat format for machine reading, add
-# "binary" to get them in a unified binary output
-# format
-# noinspect - turn off stateful inspection only
-# timeout [number] - set the session timeout counter to [number] seconds,
-# default is 30 seconds
-# max_sessions [number] - limit the number of sessions stream4 keeps
-# track of
-# memcap [number] - limit stream4 memory usage to [number] bytes (does
-# not include session tracking, which is set by the
-# max_sessions option)
-# log_flushed_streams - if an event is detected on a stream this option will
-# cause all packets that are stored in the stream4
-# packet buffers to be flushed to disk. This only
-# works when logging in pcap mode!
-# server_inspect_limit [bytes] - Byte limit on server side inspection.
-# enable_udp_sessions - turn on tracking of "sessions" over UDP. Requires
-# configure --enable-stream4udp. UDP sessions are
-# only created when there is a rule for the sender or
-# responder that has a flow or flowbits keyword.
-# max_udp_sessions [number] - limit the number of simultaneous UDP sessions
-# to track
-# udp_ignore_any - Do not inspect UDP packets unless there is a port specific
-# rule for a given port. This is a performance improvement
-# and turns off inspection for udp xxx any -> xxx any rules
-# cache_clean_sessions [number] - Cleanup the session cache by number sessions
-# at a time. The larger the value, the
-# more sessions are purged from the cache when
-# the session limit or memcap is reached.
-# Defaults to 5.
-#
-#
-#
-# Stream4 uses Generator ID 111 and uses the following SIDS
-# for that GID:
-# SID Event description
-# ----- -------------------
-# 1 Stealth activity
-# 2 Evasive RST packet
-# 3 Evasive TCP packet retransmission
-# 4 TCP Window violation
-# 5 Data on SYN packet
-# 6 Stealth scan: full XMAS
-# 7 Stealth scan: SYN-ACK-PSH-URG
-# 8 Stealth scan: FIN scan
-# 9 Stealth scan: NULL scan
-# 10 Stealth scan: NMAP XMAS scan
-# 11 Stealth scan: Vecna scan
-# 12 Stealth scan: NMAP fingerprint scan stateful detect
-# 13 Stealth scan: SYN-FIN scan
-# 14 TCP forward overlap
-
-#preprocessor stream4: disable_evasion_alerts
-
-# tcp stream reassembly directive
-# no arguments loads the default configuration
-# Only reassemble the client,
-# Only reassemble the default list of ports (See below),
-# Give alerts for "bad" streams
-#
-# Available options (comma delimited):
-# clientonly - reassemble traffic for the client side of a connection only
-# serveronly - reassemble traffic for the server side of a connection only
-# both - reassemble both sides of a session
-# noalerts - turn off alerts from the stream reassembly stage of stream4
-# ports [list] - use the space separated list of ports in [list], "all"
-# will turn on reassembly for all ports, "default" will turn
-# on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
-# 111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521,
-# 2401, and 3306
-# favor_old - favor an old segment (based on sequence number) over a new one.
-# This is the default.
-# favor_new - favor an new segment (based on sequence number) over an old one.
-# overlap_limit [number] - limit on overlaping segments for a session.
-# flush_on_alert - flushes stream when an alert is generated for a session.
-# flush_behavior [mode] -
-# default - use old static flushpoints (default)
-# large_window - use new larger static flushpoints
-# random - use random flushpoints defined by flush_base,
-# flush_seed and flush_range
-# flush_base [number] - lowest allowed random flushpoint (512 by default)
-# flush_range [number] - number is the space within which random flushpoints
-# are generated (default 1213)
-# flush_seed [number] - seed for the random number generator, defaults to
-# Snort PID + time
-#
-# Using the default random flushpoints, the smallest flushpoint is 512,
-# and the largest is 1725 bytes.
-#preprocessor stream4_reassemble
-
# stream5: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
-# Stream5 is a target-based stream engine for Snort. Its functionality
-# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
-# cannot be used simultaneously. Comment out the stream4 configurations
-# above to use Stream5.
+# Stream5 is a target-based stream engine for Snort. It handles both
+# TCP and UDP connection tracking as well as TCP reassembly.
#
# See README.stream5 for details on the configuration options.
#
-# Example config (that emulates Stream4 with UDP support compiled in)
+# Example config
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
+#
+#preprocessor dcerpc: \
+# autodetect \
+# max_frag_size 3000 \
+# memcap 100000
+
+
+# DCE/RPC 2
+#----------------------------------------
+# See doc/README.dcerpc2 for explanations of what the
+# preprocessor does and how to configure it.
+#
+preprocessor dcerpc2
+preprocessor dcerpc2_server: default
-preprocessor dcerpc: \
- autodetect \
- max_frag_size 3000 \
- memcap 100000
# DNS
#----------------------------------------
# inspected. Once the traffic is determined to be encrypted, no further
# inspection of the data on the connection is made.
#
-# Important note: Stream4 or Stream5 should be explicitly told to reassemble
+# If you don't necessarily trust all of the SSL capable servers on your
+# network, you should remove the "trustservers" option from the configuration.
+#
+# Important note: Stream5 should be explicitly told to reassemble
# traffic on the ports that you intend to inspect SSL
# encrypted traffic on.
#
# To add reassembly on port 443 to Stream5, use 'port both 443' in the
# Stream5 configuration.
-preprocessor ssl: noinspect_encrypted
+preprocessor ssl: noinspect_encrypted, trustservers
####################################################################
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
-
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-php.rules
-
#include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
-
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
-
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/experimental.rules
-
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
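Review bot: The new comment above `preprocessor ssl: noinspect_encrypted, trustservers` tells the reader to add `port both 443` to the Stream5 configuration, but the only Stream5 line visible in this file, `preprocessor stream5_tcp: policy first, use_static_footprint_sizes`, carries no `ports` option, so reassembly on 443 relies on Stream5's default port list, which may not include it, unless another stream5_tcp line exists outside this diff. Either extend that line to `preprocessor stream5_tcp: policy first, use_static_footprint_sizes, ports both 443` or state in the ssl comment that the defaults are being relied on. The hunk boundaries for this file are not visible here, so the stream5 line may sit in a different hunk than the ssl change.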
CHANNEL="05"
TXPOWER="auto"
INTERFACE="blue0"
+MACMODE="0"
+DRIVER="MADWIFI"
+
eval $(/usr/local/bin/readhash /var/ipfire/wlanap/settings)
case "${1}" in
start)
mkdir -p /var/run/hostapd
- if [ "$(/usr/sbin/iwconfig $INTERFACE | /bin/grep "Mode:Master")" == "" ]; then
-
- boot_mesg "Setting wlan $INTERFACE to Master mode... "
- # Set Atheros Cards to master mode
- if [ -d /proc/net/madwifi/ath0/ ]; then
- /usr/bin/wlanconfig ath0 destroy > /dev/null
+ if [ "$DRIVER" == "MADWIFI" ]; then
+ if [ "$(/usr/sbin/iwconfig $INTERFACE | /bin/grep "Mode:Master")" == "" ]; then
+ boot_mesg "Setting MADWIFI wlan $INTERFACE to Master mode... "
+ # Set Atheros Cards to master mode
+ /usr/bin/wlanconfig $INTERFACE destroy > /dev/null
+ /usr/bin/wlanconfig $INTERFACE create wlandev wifi0 wlanmode ap > /dev/null
+ fi
fi
- /usr/bin/wlanconfig $INTERFACE destroy > /dev/null
- /usr/bin/wlanconfig $INTERFACE create wlandev wifi0 wlanmode ap > /dev/null
+ boot_mesg "Starting hostapd... "
+ /usr/sbin/iwconfig $INTERFACE channel $CHANNEL
+ /usr/sbin/iwconfig $INTERFACE txpower $TXPOWER
+ /usr/bin/hostapd -P /var/run/hostapd /etc/hostapd.conf </dev/tty12 >/dev/tty12 2>&1 &
+
+ if [ $DRIVER == "MADWIFI" ]; then
+
+ iwpriv $INTERFACE maccmd 3
+ if [ $MACMODE != 0 ]; then
+ FILE="/var/ipfire/wlanap/macfile"
+ exec < $FILE
+ while read LINE
+ do
+ iwpriv $INTERFACE addmac $LINE
+ done
- # Set other cards to master mode
- #/usr/sbin/iwconfig blue0 mode master
+ iwpriv $INTERFACE maccmd $MACMODE
+ fi
+ # Disable background scann
+ iwpriv $INTERFACE bgscan 0
+ # Set beacon interval to 500
+ iwpriv $INTERFACE bintval 500
fi
if [ "$(/usr/sbin/iwconfig $INTERFACE | /bin/grep "Mode:Master")" == "" ]; then
boot_mesg "Error! Can't set wlan master mode"
echo_failure;
- exit 1;
+ exit 0;
else
# enable wlan module of collectd
sed -i -e "s|#LoadPlugin wireless|LoadPlugin wireless|g" /etc/collectd.conf
-
- boot_mesg "Starting hostapd... "
- /usr/sbin/iwconfig $INTERFACE channel $CHANNEL
- /usr/sbin/iwconfig $INTERFACE txpower $TXPOWER
- /usr/bin/hostapd -P /var/run/hostapd /etc/hostapd.conf </dev/tty12 >/dev/tty12 2>&1 &
- evaluate_retval
- fi
-
- iwpriv $INTERFACE maccmd 3
- if [ $MACMODE != 0 ]; then
- FILE="/var/ipfire/wlanap/macfile"
- exec < $FILE
- while read LINE
- do
- iwpriv $INTERFACE addmac $LINE
- done
-
- iwpriv $INTERFACE maccmd $MACMODE
+ echo_ok
fi
;;
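Review bot: Changing `exit 1` to `exit 0` on the `Error! Can't set wlan master mode` branch makes the script report success to its caller even though `echo_failure` is printed and master mode was never reached; if the intent is to keep boot from stopping, say so in a comment (`# exit 0: do not abort boot when the AP cannot be brought up`), otherwise keep `exit 1`. The MAC-filter block under `if [ $MACMODE != 0 ]` redirects the script's whole stdin with `exec < $FILE` and never checks that the file exists; in non-interactive bash a failed `exec` redirection terminates the script, which here would happen after hostapd has already been started in the background. I would replace it with a guarded loop, `[ -r "$FILE" ] && while IFS= read -r LINE; do iwpriv "$INTERFACE" addmac "$LINE"; done < "$FILE"`, which also stops the unquoted `$LINE` from word-splitting. The second driver test, `if [ $DRIVER == "MADWIFI" ]`, is unquoted while the first one quotes `"$DRIVER"`; quote it for consistency. The `case` statement enclosing this `start)` arm continues outside the hunk.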