From 767cb7374a582183452e6ec65fbd4368f3875088 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 7 Apr 2009 18:45:45 +0200 Subject: [PATCH] Added new config file for snort --- config/snort/snort.conf | 1045 +++++++++++++++++++++++++++++++++++---- 1 file changed, 958 insertions(+), 87 deletions(-) diff --git a/config/snort/snort.conf b/config/snort/snort.conf index 3a498c62ec..55678e833a 100644 --- a/config/snort/snort.conf +++ b/config/snort/snort.conf @@ -1,55 +1,539 @@ +#-------------------------------------------------- +# http://www.snort.org Snort 2.8.3.2 Ruleset +# Contact: snort-sigs@lists.sourceforge.net +#-------------------------------------------------- +# $Id$ +# +################################################### +# This file contains a sample snort configuration. +# You can take the following steps to create your own custom configuration: +# +# 1) Set the variables for your network +# 2) Configure dynamic loaded libraries +# 3) Configure preprocessors +# 4) Configure output plugins +# 5) Add any runtime config directives +# 6) Customize your rule set +# ################################################### +# Step #1: Set the network variables: +# +# You must change the following variables to reflect your local network. The +# variable is currently setup for an RFC 1918 address space. +# +# You can specify it explicitly as: +# +# var HOME_NET 10.1.1.0/24 +# +# or use global variable $_ADDRESS which will be always +# initialized to IP address and netmask of the network interface which you run +# snort at. Under Windows, this must be specified as +# $(_ADDRESS), such as: +# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) +# +# var HOME_NET $eth0_ADDRESS +# +# You can specify lists of IP addresses for HOME_NET +# by separating the IPs with commas like this: +# +# var HOME_NET [10.1.1.0/24,192.168.1.0/24] +# +# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! +# +# or you can specify the variable to be any IP address +# like this: + +var HOME_NET any + +# Set up the external network addresses as well. A good start may be "any" +var EXTERNAL_NET any + +# Configure your server lists. This allows snort to only look for attacks to +# systems that have a service up. Why look for HTTP attacks if you are not +# running a web server? This allows quick filtering based on IP addresses +# These configurations MUST follow the same configuration scheme as defined +# above for $HOME_NET. + +# List of DNS servers on your network +var DNS_SERVERS $HOME_NET + +# List of SMTP servers on your network +var SMTP_SERVERS $HOME_NET + +# List of web servers on your network +var HTTP_SERVERS $HOME_NET + +# List of sql servers on your network +var SQL_SERVERS $HOME_NET + +# List of telnet servers on your network +var TELNET_SERVERS $HOME_NET + +# List of snmp servers on your network +var SNMP_SERVERS $HOME_NET + +# Configure your service ports. This allows snort to look for attacks destined +# to a specific application only on the ports that application runs on. For +# example, if you run a web server on port 8081, set your HTTP_PORTS variable +# like this: +# +# portvar HTTP_PORTS 8081 +# +# Ports you run web servers on +portvar HTTP_PORTS 80 + +# NOTE: If you wish to define multiple HTTP ports, use the portvar +# syntax to represent lists of ports and port ranges. Examples: +## portvar HTTP_PORTS [80,8080] +## portvar HTTP_PORTS [80,8000:8080] +# And only include the rule that uses $HTTP_PORTS once. +# +# The pre-2.8.0 approach of redefining the variable to a different port and +# including the rules file twice is obsolete. See README.variables for more +# details. + +# Ports you want to look for SHELLCODE on. +portvar SHELLCODE_PORTS !80 + +# Ports you might see oracle attacks on +portvar ORACLE_PORTS 1521 + +# other variables +# +# AIM servers. AOL has a habit of adding new AIM servers, so instead of +# modifying the signatures when they do, we add them to this list of servers. +var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] + +# Path to your rules files (this can be a relative path) +# Note for Windows users: You are advised to make this an absolute path, +# such as: c:\snort\rules +var RULE_PATH /etc/snort/rules +var PREPROC_RULE_PATH /etc/snort/preproc_rules + +# Configure the snort decoder +# ============================ +# +# Snort's decoder will alert on lots of things such as header +# truncation or options of unusual length or infrequently used tcp options +# +# +# Stop generic decode events: +# +# config disable_decode_alerts +# +# Stop Alerts on experimental TCP options +# +# config disable_tcpopt_experimental_alerts +# +# Stop Alerts on obsolete TCP options +# +# config disable_tcpopt_obsolete_alerts +# +# Stop Alerts on T/TCP alerts +# +# In snort 2.0.1 and above, this only alerts when a TCP option is detected +# that shows T/TCP being actively used on the network. If this is normal +# behavior for your network, disable the next option. +# +# config disable_tcpopt_ttcp_alerts +# +# Stop Alerts on all other TCPOption type events: +# +# config disable_tcpopt_alerts +# +# Stop Alerts on invalid ip options +# +# config disable_ipopt_alerts +# +# Alert if value in length field (IP, TCP, UDP) is greater than the +# actual length of the captured portion of the packet that the length +# is supposed to represent: +# +# config enable_decode_oversized_alerts +# +# Same as above, but drop packet if in Inline mode - +# enable_decode_oversized_alerts must be enabled for this to work: +# +# config enable_decode_oversized_drops # -# This file contains the default snort configuration. -# for all IPFire Versions -# Unless you are totally happy with this file, please -# only change whats needed -# This file is automatically changed by -# the webinterface, too. + +# Configure the detection engine +# =============================== +# +# Use a different pattern matcher in case you have a machine with very limited +# resources: # -# 1) Set the network variables for your network -# 2) Configure preprocessors -# 3) Configure output plugins -# 4) Customize your rule set +# config detection: search-method lowmem + +# Configure Inline Resets +# ======================== +# +# If running an iptables firewall with snort in InlineMode() we can now +# perform resets via a physical device. We grab the indev from iptables +# and use this for the interface on which to send resets. This config +# option takes an argument for the src mac address you want to use in the +# reset packet. This way the bridge can remain stealthy. If the src mac +# option is not set we use the mac address of the indev device. If we +# don't set this option we will default to sending resets via raw socket, +# which needs an ipaddress to be assigned to the int. # +# config layer2resets: 00:06:76:DD:5F:E3 + ################################################### -# Only area a user needs to edit -include /etc/snort/vars -var EXTERNAL_NET !$HOME_NET -var SMTP_SERVERS $HOME_NET -var HTTP_SERVERS $HOME_NET -var SQL_SERVERS $HOME_NET -var TELNET_SERVERS $HOME_NET -var HTTP_PORTS 80 -var SSH_PORTS 22 222 -var SHELLCODE_PORTS !80 -var ORACLE_PORTS 1521 -var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] -var RULE_PATH /etc/snort/rules -dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so +# Step #2: Configure dynamic loaded libraries +# +# If snort was configured to use dynamically loaded libraries, +# those libraries can be loaded here. +# +# Each of the following configuration options can be done via +# the command line as well. +# +# Load all dynamic preprocessors from the install path +# (same as command line option --dynamic-preprocessor-lib-dir) +# dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/ +# +# Load a specific dynamic preprocessor library from the install path +# (same as command line option --dynamic-preprocessor-lib) +# +# dynamicpreprocessor file /usr/lib/snort_dynamicpreprocessor/libdynamicexample.so +# +# Load a dynamic engine from the install path +# (same as command line option --dynamic-engine-lib) +# +dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so +# +# Load all dynamic rules libraries from the install path +# (same as command line option --dynamic-detection-lib-dir) +# +# dynamicdetection directory /usr/lib/snort_dynamicrule/ +# +# Load a specific dynamic rule library from the install path +# (same as command line option --dynamic-detection-lib) +# +# dynamicdetection file /usr/lib/snort_dynamicrule/libdynamicexamplerule.so +# ################################################### -# Do NOT Edit past this line -################################################### -config detection: search-method lowmem -preprocessor flow: memcap 2097152, stats_interval 0, hash 2 -#preprocessor frag2: memcap 2097152 +# Step #3: Configure preprocessors +# +# General configuration for preprocessors is of +# the form +# preprocessor : + +# Configure Flow tracking module +# ------------------------------- +# +# The Flow tracking module is meant to start unifying the state keeping +# mechanisms of snort into a single place. Right now, only a portscan detector +# is implemented but in the long term, many of the stateful subsystems of +# snort will be migrated over to becoming flow plugins. This must be enabled +# for flow-portscan to work correctly. +# +# See README.flow for additional information +# +#preprocessor flow: stats_interval 0 hash 2 + +# frag3: Target-based IP defragmentation +# -------------------------------------- +# +# Frag3 is a brand new IP defragmentation preprocessor that is capable of +# performing "target-based" processing of IP fragments. Check out the +# README.frag3 file in the doc directory for more background and configuration +# information. +# +# Frag3 configuration is a two step process, a global initialization phase +# followed by the definition of a set of defragmentation engines. +# +# Global configuration defines the number of fragmented packets that Snort can +# track at the same time and gives you options regarding the memory cap for the +# subsystem or, optionally, allows you to preallocate all the memory for the +# entire frag3 system. +# +# frag3_global options: +# max_frags: Maximum number of frag trackers that may be active at once. +# Default value is 8192. +# memcap: Maximum amount of memory that frag3 may access at any given time. +# Default value is 4MB. +# prealloc_frags: Maximum number of individual fragments that may be processed +# at once. This is instead of the memcap system, uses static +# allocation to increase performance. No default value. Each +# preallocated fragment typically eats ~1550 bytes. However, +# the exact amount is determined by the snaplen, and this can +# go as high as 64K so beware! +# +# Target-based behavior is attached to an engine as a "policy" for handling +# overlaps and retransmissions as enumerated in the Paxson paper. There are +# currently five policy types available: "BSD", "BSD-right", "First", "Linux" +# and "Last". Engines can be bound to standard Snort CIDR blocks or +# IP lists. +# +# frag3_engine options: +# timeout: Amount of time a fragmented packet may be active before expiring. +# Default value is 60 seconds. +# ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. +# Based on the initial received fragment TTL. +# min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this +# value will be discarded. Default value is 0. +# detect_anomalies: Activates frag3's anomaly detection mechanisms. +# policy: Target-based policy to assign to this engine. Default is BSD. +# bind_to: IP address set to bind this engine to. Default is all hosts. +# +# Frag3 configuration example: +#preprocessor frag3_global: max_frags 65536, prealloc_frags 65536 +#preprocessor frag3_engine: policy linux \ +# bind_to [10.1.1.12/32,10.1.1.13/32] \ +# detect_anomalies +#preprocessor frag3_engine: policy first \ +# bind_to 10.2.1.0/24 \ +# detect_anomalies +#preprocessor frag3_engine: policy last \ +# bind_to 10.3.1.0/24 +#preprocessor frag3_engine: policy bsd + preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy first detect_anomalies -preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts -preprocessor stream4_reassemble: noalerts -# preprocessor http_inspect: global iis_unicode_map unicode.map 1252 -# preprocessor http_inspect_server: server default profile all ports { 80 8080 } + + +# stream4: stateful inspection/stream reassembly for Snort +#---------------------------------------------------------------------- +# Use in concert with the -z [all|est] command line switch to defeat stick/snot +# against TCP rules. Also performs full TCP stream reassembly, stateful +# inspection of TCP streams, etc. Can statefully detect various portscan +# types, fingerprinting, ECN, etc. + +# stateful inspection directive +# no arguments loads the defaults (timeout 30, memcap 8388608) +# options (options are comma delimited): +# detect_scans - stream4 will detect stealth portscans and generate alerts +# when it sees them when this option is set +# detect_state_problems - detect TCP state problems, this tends to be very +# noisy because there are a lot of crappy ip stack +# implementations out there +# +# disable_evasion_alerts - turn off the possibly noisy mitigation of +# overlapping sequences. +# +# ttl_limit [number] - differential of the initial ttl on a session versus +# the normal that someone may be playing games. +# Routing flap may cause lots of false positives. +# +# keepstats [machine|binary] - keep session statistics, add "machine" to +# get them in a flat format for machine reading, add +# "binary" to get them in a unified binary output +# format +# noinspect - turn off stateful inspection only +# timeout [number] - set the session timeout counter to [number] seconds, +# default is 30 seconds +# max_sessions [number] - limit the number of sessions stream4 keeps +# track of +# memcap [number] - limit stream4 memory usage to [number] bytes (does +# not include session tracking, which is set by the +# max_sessions option) +# log_flushed_streams - if an event is detected on a stream this option will +# cause all packets that are stored in the stream4 +# packet buffers to be flushed to disk. This only +# works when logging in pcap mode! +# server_inspect_limit [bytes] - Byte limit on server side inspection. +# enable_udp_sessions - turn on tracking of "sessions" over UDP. Requires +# configure --enable-stream4udp. UDP sessions are +# only created when there is a rule for the sender or +# responder that has a flow or flowbits keyword. +# max_udp_sessions [number] - limit the number of simultaneous UDP sessions +# to track +# udp_ignore_any - Do not inspect UDP packets unless there is a port specific +# rule for a given port. This is a performance improvement +# and turns off inspection for udp xxx any -> xxx any rules +# cache_clean_sessions [number] - Cleanup the session cache by number sessions +# at a time. The larger the value, the +# more sessions are purged from the cache when +# the session limit or memcap is reached. +# Defaults to 5. +# +# +# +# Stream4 uses Generator ID 111 and uses the following SIDS +# for that GID: +# SID Event description +# ----- ------------------- +# 1 Stealth activity +# 2 Evasive RST packet +# 3 Evasive TCP packet retransmission +# 4 TCP Window violation +# 5 Data on SYN packet +# 6 Stealth scan: full XMAS +# 7 Stealth scan: SYN-ACK-PSH-URG +# 8 Stealth scan: FIN scan +# 9 Stealth scan: NULL scan +# 10 Stealth scan: NMAP XMAS scan +# 11 Stealth scan: Vecna scan +# 12 Stealth scan: NMAP fingerprint scan stateful detect +# 13 Stealth scan: SYN-FIN scan +# 14 TCP forward overlap + +#preprocessor stream4: disable_evasion_alerts + +# tcp stream reassembly directive +# no arguments loads the default configuration +# Only reassemble the client, +# Only reassemble the default list of ports (See below), +# Give alerts for "bad" streams +# +# Available options (comma delimited): +# clientonly - reassemble traffic for the client side of a connection only +# serveronly - reassemble traffic for the server side of a connection only +# both - reassemble both sides of a session +# noalerts - turn off alerts from the stream reassembly stage of stream4 +# ports [list] - use the space separated list of ports in [list], "all" +# will turn on reassembly for all ports, "default" will turn +# on reassembly for ports 21, 23, 25, 42, 53, 80, 110, +# 111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521, +# 2401, and 3306 +# favor_old - favor an old segment (based on sequence number) over a new one. +# This is the default. +# favor_new - favor an new segment (based on sequence number) over an old one. +# overlap_limit [number] - limit on overlaping segments for a session. +# flush_on_alert - flushes stream when an alert is generated for a session. +# flush_behavior [mode] - +# default - use old static flushpoints (default) +# large_window - use new larger static flushpoints +# random - use random flushpoints defined by flush_base, +# flush_seed and flush_range +# flush_base [number] - lowest allowed random flushpoint (512 by default) +# flush_range [number] - number is the space within which random flushpoints +# are generated (default 1213) +# flush_seed [number] - seed for the random number generator, defaults to +# Snort PID + time +# +# Using the default random flushpoints, the smallest flushpoint is 512, +# and the largest is 1725 bytes. +#preprocessor stream4_reassemble + +# stream5: Target Based stateful inspection/stream reassembly for Snort +# --------------------------------------------------------------------- +# Stream5 is a target-based stream engine for Snort. Its functionality +# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5 +# cannot be used simultaneously. Comment out the stream4 configurations +# above to use Stream5. +# +# See README.stream5 for details on the configuration options. +# +# Example config (that emulates Stream4 with UDP support compiled in) +preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ + track_udp no +preprocessor stream5_tcp: policy first, use_static_footprint_sizes +# preprocessor stream5_udp: ignore_any_rules + + +# Performance Statistics +# ---------------------- +# Documentation for this is provided in the Snort Manual. You should read it. +# It is included in the release distribution as doc/snort_manual.pdf +# +# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 + +# http_inspect: normalize and detect HTTP traffic and protocol anomalies +# +# lots of options available here. See doc/README.http_inspect. +# unicode.map should be wherever your snort.conf lives, or given +# a full path to where snort can find it. +preprocessor http_inspect: global \ + iis_unicode_map unicode.map 1252 + +preprocessor http_inspect_server: server default \ + profile all ports { 80 8080 8180 } oversize_dir_length 500 + +# +# Example unique server configuration +# +#preprocessor http_inspect_server: server 1.1.1.1 \ +# ports { 80 3128 8080 } \ +# server_flow_depth 0 \ +# ascii no \ +# double_decode yes \ +# non_rfc_char { 0x00 } \ +# chunk_length 500000 \ +# non_strict \ +# oversize_dir_length 300 \ +# no_alerts + + +# rpc_decode: normalize RPC traffic +# --------------------------------- +# RPC may be sent in alternate encodings besides the usual 4-byte encoding +# that is used by default. This plugin takes the port numbers that RPC +# services are running on as arguments - it is assumed that the given ports +# are actually running this type of service. If not, change the ports or turn +# it off. +# The RPC decode preprocessor uses generator ID 106 +# +# arguments: space separated list +# alert_fragments - alert on any rpc fragmented TCP data +# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet +# no_alert_large_fragments - don't alert when the fragmented +# sizes exceed the current packet size +# no_alert_incomplete - don't alert when a single segment +# exceeds the current packet size + preprocessor rpc_decode: 111 32771 + +# bo: Back Orifice detector +# ------------------------- +# Detects Back Orifice traffic on the network. +# +# arguments: +# syntax: +# preprocessor bo: noalert { client | server | general | snort_attack } \ +# drop { client | server | general | snort_attack } +# example: +# preprocessor bo: noalert { general server } drop { snort_attack } +# +# +# The Back Orifice detector uses Generator ID 105 and uses the +# following SIDS for that GID: +# SID Event description +# ----- ------------------- +# 1 Back Orifice traffic detected +# 2 Back Orifice Client Traffic Detected +# 3 Back Orifice Server Traffic Detected +# 4 Back Orifice Snort Buffer Attack + preprocessor bo -#preprocessor telnet_decode + +# ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow +# --------------------------------------------------------------------------- +# This preprocessor normalizes telnet negotiation strings from telnet and +# ftp traffic. It looks for traffic that breaks the normal data stream +# of the protocol, replacing it with a normalized representation of that +# traffic so that the "content" pattern matching keyword can work without +# requiring modifications. +# +# It also performs protocol correctness checks for the FTP command channel, +# and identifies open FTP data transfers. +# +# FTPTelnet has numerous options available, please read +# README.ftptelnet for help configuring the options for the global +# telnet, ftp server, and ftp client sections for the protocol. + +##### +# Per Step #2, set the following to load the ftptelnet preprocessor +# dynamicpreprocessor file +# or use commandline option +# --dynamic-preprocessor-lib + preprocessor ftp_telnet: global \ encrypted_traffic yes \ inspection_type stateful + preprocessor ftp_telnet_protocol: telnet \ normalize \ ayt_attack_thresh 200 + +# This is consistent with the FTP rules as of 18 Sept 2004. +# CWD can have param length of 200 +# MODE has an additional mode of Z (compressed) +# Check for string formats in USER & PASS commands +# Check nDTM commands that set modification time on the file. preprocessor ftp_telnet_protocol: ftp server default \ def_max_param_len 100 \ alt_max_param_len 200 { CWD } \ @@ -58,62 +542,449 @@ preprocessor ftp_telnet_protocol: ftp server default \ chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ telnet_cmds yes \ data_chan + preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ telnet_cmds yes -preprocessor flow-portscan: \ - scoreboard-memcap-talker 1048576 \ - scoreboard-rows-talker 10000 \ - talker-sliding-scale-factor 0.50 \ - talker-fixed-threshold 30 \ - talker-sliding-threshold 30 \ - talker-sliding-window 20 \ - talker-fixed-window 30 \ - scoreboard-memcap-scanner 1048576 \ - scoreboard-rows-scanner 10000 \ - scanner-sliding-window 20 \ - scanner-sliding-scale-factor 0.50 \ - scanner-fixed-threshold 15 \ - scanner-sliding-threshold 40 \ - scanner-fixed-window 15 \ - unique-memcap 1048576 \ - unique-rows 10000 \ - server-memcap 1048576 \ - server-rows 10000 \ - server-watchnet $HOME_NET \ - server-ignore-limit 100 \ - server-learning-time 3600 \ - server-scanner-limit 4 \ - alert-mode once \ - output-mode msg \ - tcp-penalties on + +# smtp: SMTP normalizer, protocol enforcement and buffer overflow +# --------------------------------------------------------------------------- +# This preprocessor normalizes SMTP commands by removing extraneous spaces. +# It looks for overly long command lines, response lines, and data header lines. +# It can alert on invalid commands, or specific valid commands. It can optionally +# ignore mail data, and can ignore TLS encrypted data. +# +# SMTP has numerous options available, please read README.SMTP for help +# configuring options. + +##### +# Per Step #2, set the following to load the smtp preprocessor +# dynamicpreprocessor file +# or use commandline option +# --dynamic-preprocessor-lib + +preprocessor smtp: \ + ports { 25 587 691 } \ + inspection_type stateful \ + normalize cmds \ + normalize_cmds { EXPN VRFY RCPT } \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN } \ + alt_max_command_line_len 255 { EXPN VRFY } + +# sfPortscan +# ---------- +# Portscan detection module. Detects various types of portscans and +# portsweeps. For more information on detection philosophy, alert types, +# and detailed portscan information, please refer to the README.sfportscan. +# +# -configuration options- +# proto { tcp udp icmp ip all } +# The arguments to the proto option are the types of protocol scans that +# the user wants to detect. Arguments should be separated by spaces and +# not commas. +# scan_type { portscan portsweep decoy_portscan distributed_portscan all } +# The arguments to the scan_type option are the scan types that the +# user wants to detect. Arguments should be separated by spaces and not +# commas. +# sense_level { low|medium|high } +# There is only one argument to this option and it is the level of +# sensitivity in which to detect portscans. The 'low' sensitivity +# detects scans by the common method of looking for response errors, such +# as TCP RSTs or ICMP unreachables. This level requires the least +# tuning. The 'medium' sensitivity level detects portscans and +# filtered portscans (portscans that receive no response). This +# sensitivity level usually requires tuning out scan events from NATed +# IPs, DNS cache servers, etc. The 'high' sensitivity level has +# lower thresholds for portscan detection and a longer time window than +# the 'medium' sensitivity level. Requires more tuning and may be noisy +# on very active networks. However, this sensitivity levels catches the +# most scans. +# memcap { positive integer } +# The maximum number of bytes to allocate for portscan detection. The +# higher this number the more nodes that can be tracked. +# logfile { filename } +# This option specifies the file to log portscan and detailed portscan +# values to. If there is not a leading /, then snort logs to the +# configured log directory. Refer to README.sfportscan for details on +# the logged values in the logfile. +# watch_ip { Snort IP List } +# ignore_scanners { Snort IP List } +# ignore_scanned { Snort IP List } +# These options take a snort IP list as the argument. The 'watch_ip' +# option specifies the IP(s) to watch for portscan. The +# 'ignore_scanners' option specifies the IP(s) to ignore as scanners. +# Note that these hosts are still watched as scanned hosts. The +# 'ignore_scanners' option is used to tune alerts from very active +# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option +# specifies the IP(s) to ignore as scanned hosts. Note that these hosts +# are still watched as scanner hosts. The 'ignore_scanned' option is +# used to tune alerts from very active hosts such as syslog servers, etc. +# detect_ack_scans +# This option will include sessions picked up in midstream by the stream +# module, which is necessary to detect ACK scans. However, this can lead to +# false alerts, especially under heavy load with dropped packets; which is why +# the option is off by default. +# +preprocessor sfportscan: proto { all } \ + memcap { 10000000 } \ + sense_level { medium } + +# arpspoof +#---------------------------------------- +# Experimental ARP detection code from Jeff Nathan, detects ARP attacks, +# unicast ARP requests, and specific ARP mapping monitoring. To make use of +# this preprocessor you must specify the IP and hardware address of hosts on +# the same layer 2 segment as you. Specify one host IP MAC combo per line. +# Also takes a "-unicast" option to turn on unicast ARP request detection. +# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: + +# SID Event description +# ----- ------------------- +# 1 Unicast ARP request +# 2 Etherframe ARP mismatch (src) +# 3 Etherframe ARP mismatch (dst) +# 4 ARP cache overwrite attack + +#preprocessor arpspoof +#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 + +# ssh +#---------------------------------------- +# EXPERIMENTAL CODE!!! +# +# THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE! +# USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS. +# YOU HAVE BEEN WARNED. +# +# The SSH preprocessor detects the following exploits: Gobbles, CRC 32, +# Secure CRT, and the Protocol Mismatch exploit. +# +# Both Gobbles and CRC 32 attacks occur after the key exchange, and are +# therefore encrypted. Both attacks involve sending a large payload +# (20kb+) to the server immediately after the authentication challenge. +# To detect the attacks, the SSH preprocessor counts the number of bytes +# transmitted to the server. If those bytes exceed a pre-defined limit +# within a pre-define number of packets, an alert is generated. Since +# Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH +# version string exchange is used to distinguish the attacks. +# +# The Secure CRT and protocol mismatch exploits are observable before +# the key exchange. +# +# SSH has numerous options available, please read README.ssh for help +# configuring options. + +##### +# Per Step #2, set the following to load the ssh preprocessor +# dynamicpreprocessor file +# or use commandline option +# --dynamic-preprocessor-lib +# +#preprocessor ssh: server_ports { 22 } \ +# max_client_bytes 19600 \ +# max_encrypted_packets 20 + +# DCE/RPC +#---------------------------------------- +# +# The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic. +# It is primarily interested in DCE/RPC data, and only decodes SMB +# to get at the DCE/RPC data carried by the SMB layer. +# +# Currently, the preprocessor only handles reassembly of fragmentation +# at both the SMB and DCE/RPC layer. Snort rules can be evaded by +# using both types of fragmentation; with the preprocessor enabled +# the rules are given a buffer with a reassembled SMB or DCE/RPC +# packet to examine. +# +# At the SMB layer, only fragmentation using WriteAndX is currently +# reassembled. Other methods will be handled in future versions of +# the preprocessor. +# +# Autodetection of SMB is done by looking for "\xFFSMB" at the start of +# the SMB data, as well as checking the NetBIOS header (which is always +# present for SMB) for the type "SMB Session". +# +# Autodetection of DCE/RPC is not as reliable. Currently, two bytes are +# checked in the packet. Assuming that the data is a DCE/RPC header, +# one byte is checked for DCE/RPC version (5) and another for the type +# "DCE/RPC Request". If both match, the preprocessor proceeds with that +# assumption that it is looking at DCE/RPC data. If subsequent checks +# are nonsensical, it ends processing. +# +# DCERPC has numerous options available, please read README.dcerpc for help +# configuring options. + +##### +# Per Step #2, set the following to load the dcerpc preprocessor +# dynamicpreprocessor file +# or use commandline option +# --dynamic-preprocessor-lib + +preprocessor dcerpc: \ + autodetect \ + max_frag_size 3000 \ + memcap 100000 + +# DNS +#---------------------------------------- +# The dns preprocessor (currently) decodes DNS Response traffic +# and detects a few vulnerabilities. +# +# DNS has a few options available, please read README.dns for +# help configuring options. + +##### +# Per Step #2, set the following to load the dns preprocessor +# dynamicpreprocessor file +# or use commandline option +# --dynamic-preprocessor-lib + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +# SSL +#---------------------------------------- +# Encrypted traffic should be ignored by Snort for both performance reasons +# and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP) +# inspects SSL traffic and optionally determines if and when to stop +# inspection of it. +# +# Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to +# inspect port 443, only the SSL handshake of each connection will be +# inspected. Once the traffic is determined to be encrypted, no further +# inspection of the data on the connection is made. +# +# Important note: Stream4 or Stream5 should be explicitly told to reassemble +# traffic on the ports that you intend to inspect SSL +# encrypted traffic on. +# +# To add reassembly on port 443 to Stream5, use 'port both 443' in the +# Stream5 configuration. + +preprocessor ssl: noinspect_encrypted + + +#################################################################### +# Step #4: Configure output plugins +# +# Uncomment and configure the output plugins you decide to use. General +# configuration for output plugins is of the form: +# +# output : +# +# alert_syslog: log alerts to syslog +# ---------------------------------- +# Use one or more syslog facilities as arguments. Win32 can also optionally +# specify a particular hostname/port. Under Win32, the default hostname is +# '127.0.0.1', and the default port is 514. +# +# [Unix flavours should use this format...] +# output alert_syslog: LOG_AUTH LOG_ALERT +# +# [Win32 can use any of these formats...] +# output alert_syslog: LOG_AUTH LOG_ALERT +# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT +# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT + +# log_tcpdump: log packets in binary tcpdump format +# ------------------------------------------------- +# The only argument is the output file name. +# +# output log_tcpdump: tcpdump.log + +# database: log to a variety of databases +# --------------------------------------- +# See the README.database file for more information about configuring +# and using this plugin. +# +# output database: log, mysql, user=root password=test dbname=db host=localhost +# output database: alert, postgresql, user=snort dbname=snort +# output database: log, odbc, user=snort dbname=snort +# output database: log, mssql, dbname=snort user=snort password=test +# output database: log, oracle, dbname=snort user=snort password=test + +# unified: Snort unified binary format alerting and logging +# ------------------------------------------------------------- +# The unified output plugin provides two new formats for logging and generating +# alerts from Snort, the "unified" format. The unified format is a straight +# binary format for logging data out of Snort that is designed to be fast and +# efficient. Used with barnyard (the new alert/log processor), most of the +# overhead for logging and alerting to various slow storage mechanisms such as +# databases or the network can now be avoided. +# +# Check out the spo_unified.h file for the data formats. +# +# Two arguments are supported. +# filename - base filename to write to (current time_t is appended) +# limit - maximum size of spool file in MB (default: 128) +# +# output alert_unified: filename snort.alert, limit 128 +# output log_unified: filename snort.log, limit 128 + + +# prelude: log to the Prelude Hybrid IDS system +# --------------------------------------------- +# +# profile = Name of the Prelude profile to use (default is snort). +# +# Snort priority to IDMEF severity mappings: +# high < medium < low < info +# +# These are the default mapped from classification.config: +# info = 4 +# low = 3 +# medium = 2 +# high = anything below medium +# +# output alert_prelude +# output alert_prelude: profile=snort-profile-name + + +# You can optionally define new rule types and associate one or more output +# plugins specifically to that type. +# +# This example will create a type that will log to just tcpdump. +# ruletype suspicious +# { +# type log +# output log_tcpdump: suspicious.log +# } +# +# EXAMPLE RULE FOR SUSPICIOUS RULETYPE: +# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) +# +# This example will create a rule type that will log to syslog and a mysql +# database: +# ruletype redalert +# { +# type alert +# output alert_syslog: LOG_AUTH LOG_ALERT +# output database: log, mysql, user=snort dbname=snort host=localhost +# } +# +# EXAMPLE RULE FOR REDALERT RULETYPE: +# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ +# (msg:"Someone is being LEET"; flags:A+;) + +# +# Include classification & priority settings +# Note for Windows users: You are advised to make this an absolute path, +# such as: c:\snort\etc\classification.config +# + +include /etc/snort/rules/classification.config + +# +# Include reference systems +# Note for Windows users: You are advised to make this an absolute path, +# such as: c:\snort\etc\reference.config +# + +include /etc/snort/rules/reference.config + +#################################################################### +# Step #5: Configure snort with config statements +# +# See the snort manual for a full set of configuration references +# +# config flowbits_size: 64 +# +# New global ignore_ports config option from Andy Mullican +# +# config ignore_ports: +# config ignore_ports: tcp 21 6667:6671 1356 +# config ignore_ports: udp 1:17 53 + + +#################################################################### +# Step #6: Customize your rule set +# +# Up to date snort rules are available at http://www.snort.org +# +# The snort web site has documentation about how to write your own custom snort +# rules. + #========================================= -include $RULE_PATH/classification.config -include $RULE_PATH/reference.config +# Include all relevant rulesets here +# +# The following rulesets are disabled by default: +# +# web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus, +# chat, multimedia, and p2p +# +# These rules are either site policy specific or require tuning in order to not +# generate false positive alerts in most enviornments. +# +# Please read the specific include file for more information and +# README.alert_order for how rule ordering affects how alerts are triggered. #========================================= -include $RULE_PATH/community-bot.rules -include $RULE_PATH/community-deleted.rules -include $RULE_PATH/community-dos.rules -include $RULE_PATH/community-exploit.rules -include $RULE_PATH/community-ftp.rules -include $RULE_PATH/community-game.rules -include $RULE_PATH/community-icmp.rules -include $RULE_PATH/community-imap.rules -include $RULE_PATH/community-inappropriate.rules -include $RULE_PATH/community-mail-client.rules -include $RULE_PATH/community-misc.rules -include $RULE_PATH/community-nntp.rules -include $RULE_PATH/community-oracle.rules -include $RULE_PATH/community-policy.rules -include $RULE_PATH/community-sip.rules -include $RULE_PATH/community-smtp.rules -include $RULE_PATH/community-sql-injection.rules -include $RULE_PATH/community-virus.rules -include $RULE_PATH/community-web-attacks.rules -include $RULE_PATH/community-web-cgi.rules -include $RULE_PATH/community-web-client.rules -include $RULE_PATH/community-web-dos.rules -include $RULE_PATH/community-web-iis.rules -include $RULE_PATH/community-web-misc.rules -include $RULE_PATH/community-web-php.rules + +#include $RULE_PATH/local.rules +#include $RULE_PATH/bad-traffic.rules +#include $RULE_PATH/exploit.rules +#include $RULE_PATH/scan.rules +#include $RULE_PATH/finger.rules +#include $RULE_PATH/ftp.rules +#include $RULE_PATH/telnet.rules +#include $RULE_PATH/rpc.rules +#include $RULE_PATH/rservices.rules +#include $RULE_PATH/dos.rules +#include $RULE_PATH/ddos.rules +#include $RULE_PATH/dns.rules +#include $RULE_PATH/tftp.rules + +#include $RULE_PATH/web-cgi.rules +#include $RULE_PATH/web-coldfusion.rules +#include $RULE_PATH/web-iis.rules +#include $RULE_PATH/web-frontpage.rules +#include $RULE_PATH/web-misc.rules +#include $RULE_PATH/web-client.rules +#include $RULE_PATH/web-php.rules + +#include $RULE_PATH/sql.rules +#include $RULE_PATH/x11.rules +#include $RULE_PATH/icmp.rules +#include $RULE_PATH/netbios.rules +#include $RULE_PATH/misc.rules +#include $RULE_PATH/attack-responses.rules +#include $RULE_PATH/oracle.rules +#include $RULE_PATH/mysql.rules +#include $RULE_PATH/snmp.rules + +#include $RULE_PATH/smtp.rules +#include $RULE_PATH/imap.rules +#include $RULE_PATH/pop2.rules +#include $RULE_PATH/pop3.rules + +#include $RULE_PATH/nntp.rules +#include $RULE_PATH/other-ids.rules +# include $RULE_PATH/web-attacks.rules +# include $RULE_PATH/backdoor.rules +# include $RULE_PATH/shellcode.rules +# include $RULE_PATH/policy.rules +# include $RULE_PATH/porn.rules +# include $RULE_PATH/info.rules +# include $RULE_PATH/icmp-info.rules +# include $RULE_PATH/virus.rules +# include $RULE_PATH/chat.rules +# include $RULE_PATH/multimedia.rules +# include $RULE_PATH/p2p.rules +# include $RULE_PATH/spyware-put.rules +# include $RULE_PATH/specific-threats.rules +#include $RULE_PATH/experimental.rules + +# include $PREPROC_RULE_PATH/preprocessor.rules +# include $PREPROC_RULE_PATH/decoder.rules + +# Include any thresholding or suppression commands. See threshold.conf in the +# /etc directory for details. Commands don't necessarily need to be +# contained in this conf, but a separate conf makes it easier to maintain them. +# Note for Windows users: You are advised to make this an absolute path, +# such as: c:\snort\etc\threshold.conf +# Uncomment if needed. +# include threshold.conf -- 2.39.2