]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blame - config/snort/snort.conf
projects / people / teissler / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add Turkish translation to core update 69.
[people/teissler/ipfire-2.x.git] / config / snort / snort.conf
CommitLineData
767cb737 1###################################################
89f3d66c 2# IPFire snort.conf
75a786b6 3#
89f3d66c 4# some parts of this file are changed/updated by the webif
cd1a2927 5###################################################
89f3d66c
AF		 6# VERSIONS : 2.9.1.1
7
8include /etc/snort/vars
767cb737 9
75a786b6
CS		 10###################################################
11# Step #1: Set the network variables. For more information, see README.variables
12###################################################
13
8dc25f04 14# taken from /etc/snort vars
89f3d66c 15#ipvar HOME_NET any
767cb737 16
89f3d66c
AF		 17# Set up the external network addresses. Leave as "any" in most situations
18ipvar EXTERNAL_NET any
767cb737 19
767cb737 20# List of DNS servers on your network
89f3d66c 21#ipvar DNS_SERVERS $HOME_NET
767cb737
SS		 22
23# List of SMTP servers on your network
89f3d66c 24ipvar SMTP_SERVERS $HOME_NET
767cb737
SS		 25
26# List of web servers on your network
89f3d66c 27ipvar HTTP_SERVERS $HOME_NET
767cb737
SS		 28
29# List of sql servers on your network
89f3d66c 30ipvar SQL_SERVERS $HOME_NET
767cb737
SS		 31
32# List of telnet servers on your network
89f3d66c 33ipvar TELNET_SERVERS $HOME_NET
767cb737 34
c07e938e 35# List of ssh servers on your network
89f3d66c
AF		 36ipvar SSH_SERVERS $HOME_NET
37
38# List of ftp servers on your network
39ipvar FTP_SERVERS $HOME_NET
40
41# List of sip servers on your network
42ipvar SIP_SERVERS $HOME_NET
767cb737 43
c07e938e 44# List of ports you run web servers on
bc9d59f8 45portvar HTTP_PORTS [80,81,311,444,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8181,8243,8280,8888,9090,9091,9443,9999,11371,50002,55555]
8dc25f04 46
75a786b6 47# List of ports you want to look for SHELLCODE on.
767cb737
SS		 48portvar SHELLCODE_PORTS !80
49
75a786b6 50# List of ports you might see oracle attacks on
c07e938e 51portvar ORACLE_PORTS 1024:
89f3d66c
AF		 52
53# List of ports you want to look for SSH connections on:
54portvar SSH_PORTS [22,222]
55
56# List of ports you run ftp servers on
57portvar FTP_PORTS [21,2100,3535]
58
59# List of ports you run SIP servers on
60portvar SIP_PORTS [5060,5061,5600]
61
bc9d59f8 62# List of file data ports for file inspection
63portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
64
65# List of GTP ports for GTP preprocessor
66portvar GTP_PORTS [2123,2152,3386]
67
75a786b6 68# other variables, these should not be modified
89f3d66c 69ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
767cb737
SS		 70
71# Path to your rules files (this can be a relative path)
72# Note for Windows users: You are advised to make this an absolute path,
73# such as: c:\snort\rules
74var RULE_PATH /etc/snort/rules
75a786b6 75var SO_RULE_PATH /etc/snort/so_rules
767cb737
SS		 76var PREPROC_RULE_PATH /etc/snort/preproc_rules
77
89f3d66c 78
75a786b6
CS		 79###################################################
80# Step #2: Configure the decoder. For more information, see README.decode
81###################################################
82
767cb737 83# Stop generic decode events:
f9866a72 84config disable_decode_alerts
75a786b6 85
767cb737 86# Stop Alerts on experimental TCP options
75a786b6
CS		 87config disable_tcpopt_experimental_alerts
88
767cb737 89# Stop Alerts on obsolete TCP options
75a786b6
CS		 90config disable_tcpopt_obsolete_alerts
91
767cb737 92# Stop Alerts on T/TCP alerts
89f3d66c 93# config disable_tcpopt_ttcp_alerts
75a786b6 94
767cb737 95# Stop Alerts on all other TCPOption type events:
f9866a72 96config disable_tcpopt_alerts
75a786b6 97
767cb737 98# Stop Alerts on invalid ip options
89f3d66c 99# config disable_ipopt_alerts
75a786b6
CS		 100
101# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
767cb737 102# config enable_decode_oversized_alerts
75a786b6
CS		 103
104# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
767cb737 105# config enable_decode_oversized_drops
767cb737 106
75a786b6
CS		 107# Configure IP / TCP checksum mode
108config checksum_mode: all
109
110# Configure maximum number of flowbit references. For more information, see README.flowbits
111# config flowbits_size: 64
112
113# Configure ports to ignore
114# config ignore_ports: tcp 21 6667:6671 1356
115# config ignore_ports: udp 1:17 53
116
c07e938e
CS		 117# Configure active response for non inline operation. For more information, see REAMDE.active
118# config response: eth0 attempts 2
89f3d66c
AF		 119
120# Configure DAQ related options for inline operation. For more information, see README.daq
121#
122# config daq: <type>
123# config daq_dir: <dir>
124# config daq_mode: <mode>
125# config daq_var: <var>
126#
127# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
128# <mode> ::= read-file | passive | inline
129# <var> ::= arbitrary <name>=<value passed to DAQ
130# <dir> ::= path as to where to look for DAQ module so's
131
132# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
133#
134# config set_gid:
135# config set_uid:
136
137# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
138#
139# config snaplen:
140#
141
142# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
143#
144# config bpf_file:
145#
146
147# Configure default log directory for snort to log to. For more information see snort -h command line options (-l)
148#
149# config logdir:
150
151
75a786b6
CS		 152###################################################
153# Step #3: Configure the base detection engine. For more information, see README.decode
154###################################################
155
156# Configure PCRE match limitations
c07e938e 157config pcre_match_limit: 3500
75a786b6
CS		 158config pcre_match_limit_recursion: 1500
159
160# Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config
c07e938e 161config detection: search-method ac-split search-optimize max-pattern-len 20
75a786b6
CS		 162
163# Configure the event queue. For more information, see README.event_queue
164config event_queue: max_queue 8 log 3 order_events content_length
165
bc9d59f8 166###################################################
167## Configure GTP if it is to be used.
168## For more information, see README.GTP
169####################################################
170
171# config enable_gtp
172
c07e938e
CS		 173###################################################
174# Per packet and rule latency enforcement
175# For more information see README.ppm
176###################################################
177
178# Per Packet latency configuration
179#config ppm: max-pkt-time 250, \
180# fastpath-expensive-packets, \
181# pkt-log
182
183# Per Rule latency configuration
184#config ppm: max-rule-time 200, \
185# threshold 3, \
186# suspend-expensive-rules, \
187# suspend-timeout 20, \
188# rule-log alert
767cb737 189
c07e938e
CS		 190###################################################
191# Configure Perf Profiling for debugging
192# For more information see README.PerfProfiling
193###################################################
75a786b6 194
c07e938e
CS		 195#config profile_rules: print all, sort avg_ticks
196#config profile_preprocs: print all, sort avg_ticks
89f3d66c 197
bc9d59f8 198###################################################
199# Configure protocol aware flushing
200# For more information see README.stream5
201###################################################
202config paf_max: 16000
203
cd1a2927 204###################################################
75a786b6
CS		 205# Step #4: Configure dynamic loaded libraries.
206# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
207###################################################
208
209# path to dynamic preprocessor libraries
4fba936c 210dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
75a786b6
CS		 211
212# path to base preprocessor engine
767cb737 213dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
cd1a2927 214
75a786b6 215# path to dynamic rules libraries
89f3d66c 216# dynamicdetection directory /usr/local/lib/snort_dynamicrules
767cb737 217
75a786b6
CS		 218###################################################
219# Step #5: Configure preprocessors
220# For more information, see the Snort Manual, Configuring Snort - Preprocessors
221###################################################
222
bc9d59f8 223# GTP Control Channle Preprocessor. For more information, see README.GTP
224# preprocessor gtp: ports { 2123 3386 2152 }
225
c07e938e
CS		 226# Inline packet normalization. For more information, see README.normalize
227# Does nothing in IDS mode
228preprocessor normalize_ip4
229preprocessor normalize_tcp: ips ecn stream
230preprocessor normalize_icmp4
89f3d66c
AF		 231preprocessor normalize_ip6
232preprocessor normalize_icmp6
c07e938e 233
75a786b6
CS		 234# Target-based IP defragmentation. For more inforation, see README.frag3
235preprocessor frag3_global: max_frags 65536
c07e938e 236preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
767cb737 237
75a786b6 238# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
89f3d66c
AF		 239preprocessor stream5_global: track_tcp yes, \
240 track_udp yes, \
241 track_icmp no, \
242 max_tcp 262144, \
243 max_udp 131072, \
244 max_active_responses 2, \
245 min_response_seconds 5
c07e938e
CS		 246preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
247 overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
248 ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
249 161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
89f3d66c
AF		 250 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
251 ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 5250 7907 7001 7802 7777 7779 \
c07e938e 252 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
bc9d59f8 253 7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 50002 55555
c07e938e 254preprocessor stream5_udp: timeout 180
75a786b6
CS		 255
256# performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
257# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
767cb737 258
75a786b6 259# HTTP normalization and anomaly detection. For more information, see README.http_inspect
89f3d66c 260preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
75a786b6 261preprocessor http_inspect_server: server default \
bc9d59f8 262 http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
c07e938e
CS		 263 chunk_length 500000 \
264 server_flow_depth 0 \
265 client_flow_depth 0 \
266 post_depth 65495 \
267 oversize_dir_length 500 \
268 max_header_length 750 \
269 max_headers 100 \
bc9d59f8 270 max_spaces 200 \
271 small_chunk_length { 10 5 } \
272 ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 50002 55555 } \
c07e938e
CS		 273 non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
274 enable_cookie \
275 extended_response_inspection \
276 inspect_gzip \
277 normalize_utf \
278 unlimited_decompress \
bc9d59f8 279 normalize_javascript \
75a786b6
CS		 280 apache_whitespace no \
281 ascii no \
c07e938e 282 bare_byte no \
c07e938e
CS		 283 directory no \
284 double_decode no \
285 iis_backslash no \
286 iis_delimiter no \
287 iis_unicode no \
288 multi_slash no \
89f3d66c 289 utf_8 no \
c07e938e
CS		 290 u_encode yes \
291 webroot no
75a786b6
CS		 292
293# ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
294preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
295
296# Back Orifice detection.
297preprocessor bo
298
299# FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet
bc9d59f8 300preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
4fba936c 301preprocessor ftp_telnet_protocol: telnet \
75a786b6
CS		 302 ayt_attack_thresh 20 \
303 normalize ports { 23 } \
304 detect_anomalies
4fba936c 305preprocessor ftp_telnet_protocol: ftp server default \
75a786b6 306 def_max_param_len 100 \
c07e938e
CS		 307 ports { 21 2100 3535 } \
308 telnet_cmds yes \
309 ignore_telnet_erase_cmds yes \
310 ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
311 ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
312 ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
313 ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
314 ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
315 ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
316 ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
317 ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
318 ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
319 ftp_cmds { XSEN XSHA1 XSHA256 } \
320 alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
321 alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
322 alt_max_param_len 256 { CWD RNTO } \
75a786b6
CS		 323 alt_max_param_len 400 { PORT } \
324 alt_max_param_len 512 { SIZE } \
c07e938e
CS		 325 chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
326 chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
327 chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
328 chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
329 chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
330 chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
331 chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
332 chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
333 cmd_validity ALLO < int [ char R int ] > \
334 cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
335 cmd_validity MACB < string > \
75a786b6 336 cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
c07e938e
CS		 337 cmd_validity MODE < char ASBCZ > \
338 cmd_validity PORT < host_port > \
339 cmd_validity PROT < char CSEP > \
340 cmd_validity STRU < char FRPO [ string ] > \
341 cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
4fba936c 342preprocessor ftp_telnet_protocol: ftp client default \
75a786b6
CS		 343 max_resp_len 256 \
344 bounce yes \
c07e938e
CS		 345 ignore_telnet_erase_cmds yes \
346 telnet_cmds yes
767cb737 347
89f3d66c 348
75a786b6 349# SMTP normalization and anomaly detection. For more information, see README.SMTP
14820894 350preprocessor smtp: ports { 25 465 587 691 } \
c07e938e 351 inspection_type stateful \
89f3d66c
AF		 352 b64_decode_depth 0 \
353 qp_decode_depth 0 \
354 bitenc_decode_depth 0 \
355 uu_decode_depth 0 \
356 log_mailfrom \
357 log_rcptto \
358 log_filename \
359 log_email_hdrs \
c07e938e
CS		 360 normalize cmds \
361 normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
362 normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
363 normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
364 normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
365 max_command_line_len 512 \
366 max_header_line_len 1000 \
367 max_response_line_len 512 \
368 alt_max_command_line_len 260 { MAIL } \
369 alt_max_command_line_len 300 { RCPT } \
370 alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
371 alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
372 alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
373 valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
374 valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
375 valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
376 valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
377 xlink2state { enabled }
767cb737 378
75a786b6 379# Portscan detection. For more information, see README.sfportscan
14820894 380preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium }
767cb737 381
75a786b6
CS		 382# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
383# preprocessor arpspoof
384# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
8581d1ef 385
75a786b6 386# SSH anomaly detection. For more information, see README.ssh
89f3d66c 387preprocessor ssh: server_ports { 22,222 } \
c07e938e 388 autodetect \
75a786b6
CS		 389 max_client_bytes 19600 \
390 max_encrypted_packets 20 \
c07e938e 391 max_server_version_len 100 \
75a786b6
CS		 392 enable_respoverflow enable_ssh1crc32 \
393 enable_srvoverflow enable_protomismatch
8581d1ef 394
75a786b6
CS		 395# SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2
396preprocessor dcerpc2: memcap 102400, events [co ]
397preprocessor dcerpc2_server: default, policy WinXP, \
398 detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
399 autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
89f3d66c 400 smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
767cb737 401
75a786b6
CS		 402# DNS anomaly detection. For more information, see README.dns
403preprocessor dns: ports { 53 } enable_rdata_overflow
767cb737 404
75a786b6 405# SSL anomaly detection and traffic bypass. For more information, see README.ssl
89f3d66c 406preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
767cb737 407
c07e938e
CS		 408# SDF sensitive data preprocessor. For more information see README.sensitive_data
409preprocessor sensitive_data: alert_threshold 25
767cb737 410
89f3d66c
AF		 411# SIP Session Initiation Protocol preprocessor. For more information see README.sip
412preprocessor sip: max_sessions 10000, \
413 ports { 5060 5061 5600 }, \
414 methods { invite \
415 cancel \
416 ack \
417 bye \
418 register \
419 options \
420 refer \
421 subscribe \
422 update \
423 join \
424 info \
425 message \
426 notify \
427 benotify \
428 do \
429 qauth \
430 sprack \
431 publish \
432 service \
433 unsubscribe \
434 prack }, \
435 max_uri_len 512, \
436 max_call_id_len 80, \
437 max_requestName_len 20, \
438 max_from_len 256, \
439 max_to_len 256, \
440 max_via_len 1024, \
441 max_contact_len 512, \
442 max_content_len 1024
443
444# IMAP preprocessor. For more information see README.imap
445preprocessor imap: \
446 ports { 143 } \
447 b64_decode_depth 0 \
448 qp_decode_depth 0 \
449 bitenc_decode_depth 0 \
450 uu_decode_depth 0
451
452# POP preprocessor. For more information see README.pop
453preprocessor pop: \
454 ports { 110 } \
455 b64_decode_depth 0 \
456 qp_decode_depth 0 \
457 bitenc_decode_depth 0 \
458 uu_decode_depth 0
459
bc9d59f8 460# Modbus preprocessor. For more information see README.modbus
461preprocessor modbus: ports { 502 }
462
463# DNP3 preprocessor. For more information see README.dnp3
464preprocessor dnp3: ports { 20000 } \
465 memcap 262144 \
466 check_crc
467
75a786b6
CS		 468###################################################
469# Step #6: Configure output plugins
470# For more information, see Snort Manual, Configuring Snort - Output Modules
471###################################################
767cb737 472
c07e938e
CS		 473# unified2
474# Recommended for most installs
475# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
476
477# Additional configuration for specific types of installs
478# output alert_unified2: filename snort.alert, limit 128, nostamp
479# output log_unified2: filename snort.log, limit 128, nostamp
89f3d66c 480
75a786b6 481# syslog
767cb737 482# output alert_syslog: LOG_AUTH LOG_ALERT
767cb737 483
75a786b6 484# pcap
767cb737
SS		 485# output log_tcpdump: tcpdump.log
486
75a786b6
CS		 487# database
488# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
489# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
490
75a786b6 491# prelude
767cb737 492# output alert_prelude
767cb737 493
75a786b6 494# metadata reference data. do not modify these lines
767cb737 495include /etc/snort/rules/classification.config
767cb737
SS		 496include /etc/snort/rules/reference.config
497
767cb737 498
75a786b6
CS		 499###################################################
500# Step #7: Customize your rule set
501# For more information, see Snort Manual, Writing Snort Rules
502###################################################
767cb737 503
89f3d66c 504#
75a786b6 505# site specific rules
89f3d66c 506#
Timo's tree of IPFire 2.x