config/snort/snort.conf

   1 ###################################################
   2 # IPFire snort.conf
   3 #
   4 # some parts of this file are changed/updated by the webif
   5 ###################################################
   6 # VERSIONS : 2.9.1.1
   7
   8 include /etc/snort/vars
   9
  10 ###################################################
  11 # Step #1: Set the network variables.  For more information, see README.variables
  12 ###################################################
  13
  14 # taken from /etc/snort vars
  15 #ipvar HOME_NET any
  16
  17 # Set up the external network addresses. Leave as "any" in most situations
  18 ipvar EXTERNAL_NET any
  19
  20 # List of DNS servers on your network
  21 #ipvar DNS_SERVERS $HOME_NET
  22
  23 # List of SMTP servers on your network
  24 ipvar SMTP_SERVERS $HOME_NET
  25
  26 # List of web servers on your network
  27 ipvar HTTP_SERVERS $HOME_NET
  28
  29 # List of sql servers on your network
  30 ipvar SQL_SERVERS $HOME_NET
  31
  32 # List of telnet servers on your network
  33 ipvar TELNET_SERVERS $HOME_NET
  34
  35 # List of ssh servers on your network
  36 ipvar SSH_SERVERS $HOME_NET
  37
  38 # List of ftp servers on your network
  39 ipvar FTP_SERVERS $HOME_NET
  40
  41 # List of sip servers on your network
  42 ipvar SIP_SERVERS $HOME_NET
  43
  44 # List of ports you run web servers on
  45 portvar HTTP_PORTS [80,81,311,444,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8181,8243,8280,8888,9090,9091,9443,9999,11371]
  46
  47 # List of ports you want to look for SHELLCODE on.
  48 portvar SHELLCODE_PORTS !80
  49
  50 # List of ports you might see oracle attacks on
  51 portvar ORACLE_PORTS 1024:
  52
  53 # List of ports you want to look for SSH connections on:
  54 portvar SSH_PORTS [22,222]
  55
  56 # List of ports you run ftp servers on
  57 portvar FTP_PORTS [21,2100,3535]
  58
  59 # List of ports you run SIP servers on
  60 portvar SIP_PORTS [5060,5061,5600]
  61
  62 # other variables, these should not be modified
  63 ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
  64
  65 # Path to your rules files (this can be a relative path)
  66 # Note for Windows users:  You are advised to make this an absolute path,
  67 # such as:  c:\snort\rules
  68 var RULE_PATH /etc/snort/rules
  69 var SO_RULE_PATH /etc/snort/so_rules
  70 var PREPROC_RULE_PATH /etc/snort/preproc_rules
  71
  72
  73 ###################################################
  74 # Step #2: Configure the decoder.  For more information, see README.decode
  75 ###################################################
  76
  77 # Stop generic decode events:
  78 config disable_decode_alerts
  79
  80 # Stop Alerts on experimental TCP options
  81 config disable_tcpopt_experimental_alerts
  82
  83 # Stop Alerts on obsolete TCP options
  84 config disable_tcpopt_obsolete_alerts
  85
  86 # Stop Alerts on T/TCP alerts
  87 # config disable_tcpopt_ttcp_alerts
  88
  89 # Stop Alerts on all other TCPOption type events:
  90 config disable_tcpopt_alerts
  91
  92 # Stop Alerts on invalid ip options
  93 # config disable_ipopt_alerts
  94
  95 # Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
  96 # config enable_decode_oversized_alerts
  97
  98 # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
  99 # config enable_decode_oversized_drops
 100
 101 # Configure IP / TCP checksum mode
 102 config checksum_mode: all
 103
 104 # Configure maximum number of flowbit references.  For more information, see README.flowbits
 105 # config flowbits_size: 64
 106
 107 # Configure ports to ignore
 108 # config ignore_ports: tcp 21 6667:6671 1356
 109 # config ignore_ports: udp 1:17 53
 110
 111 # Configure active response for non inline operation. For more information, see REAMDE.active
 112 # config response: eth0 attempts 2
 113
 114 # Configure DAQ related options for inline operation. For more information, see README.daq
 115 #
 116 # config daq: <type>
 117 # config daq_dir: <dir>
 118 # config daq_mode: <mode>
 119 # config daq_var: <var>
 120 #
 121 # <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
 122 # <mode> ::= read-file | passive | inline
 123 # <var> ::= arbitrary <name>=<value passed to DAQ
 124 # <dir> ::= path as to where to look for DAQ module so's
 125
 126 # Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
 127 #
 128 # config set_gid:
 129 # config set_uid:
 130
 131 # Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
 132 #
 133 # config snaplen:
 134 #
 135
 136 # Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
 137 #
 138 # config bpf_file:
 139 #
 140
 141 # Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
 142 #
 143 # config logdir:
 144
 145
 146 ###################################################
 147 # Step #3: Configure the base detection engine.  For more information, see  README.decode
 148 ###################################################
 149
 150 # Configure PCRE match limitations
 151 config pcre_match_limit: 3500
 152 config pcre_match_limit_recursion: 1500
 153
 154 # Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
 155 config detection: search-method ac-split search-optimize max-pattern-len 20
 156
 157 # Configure the event queue.  For more information, see README.event_queue
 158 config event_queue: max_queue 8 log 3 order_events content_length
 159
 160 ###################################################
 161 # Per packet and rule latency enforcement
 162 # For more information see README.ppm
 163 ###################################################
 164
 165 # Per Packet latency configuration
 166 #config ppm: max-pkt-time 250, \
 167 #   fastpath-expensive-packets, \
 168 #   pkt-log
 169
 170 # Per Rule latency configuration
 171 #config ppm: max-rule-time 200, \
 172 #   threshold 3, \
 173 #   suspend-expensive-rules, \
 174 #   suspend-timeout 20, \
 175 #   rule-log alert
 176
 177 ###################################################
 178 # Configure Perf Profiling for debugging
 179 # For more information see README.PerfProfiling
 180 ###################################################
 181
 182 #config profile_rules: print all, sort avg_ticks
 183 #config profile_preprocs: print all, sort avg_ticks
 184
 185 ###################################################
 186 # Step #4: Configure dynamic loaded libraries.
 187 # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
 188 ###################################################
 189
 190 # path to dynamic preprocessor libraries
 191 dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
 192
 193 # path to base preprocessor engine
 194 dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
 195
 196 # path to dynamic rules libraries
 197 # dynamicdetection directory /usr/local/lib/snort_dynamicrules
 198
 199 ###################################################
 200 # Step #5: Configure preprocessors
 201 # For more information, see the Snort Manual, Configuring Snort - Preprocessors
 202 ###################################################
 203
 204 # Inline packet normalization. For more information, see README.normalize
 205 # Does nothing in IDS mode
 206 preprocessor normalize_ip4
 207 preprocessor normalize_tcp: ips ecn stream
 208 preprocessor normalize_icmp4
 209 preprocessor normalize_ip6
 210 preprocessor normalize_icmp6
 211
 212 # Target-based IP defragmentation.  For more inforation, see README.frag3
 213 preprocessor frag3_global: max_frags 65536
 214 preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
 215
 216 # Target-Based stateful inspection/stream reassembly.  For more inforation, see README.stream5
 217 preprocessor stream5_global: track_tcp yes, \
 218    track_udp yes, \
 219    track_icmp no, \
 220    max_tcp 262144, \
 221    max_udp 131072, \
 222    max_active_responses 2, \
 223    min_response_seconds 5
 224 preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
 225    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
 226     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
 227         161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
 228         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
 229     ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 5250 7907 7001 7802 7777 7779 \
 230         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
 231         7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371
 232 preprocessor stream5_udp: timeout 180
 233
 234 # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
 235 # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
 236
 237 # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
 238 preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
 239 preprocessor http_inspect_server: server default \
 240     chunk_length 500000 \
 241     server_flow_depth 0 \
 242     client_flow_depth 0 \
 243     post_depth 65495 \
 244     oversize_dir_length 500 \
 245     max_header_length 750 \
 246     max_headers 100 \
 247     ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 } \
 248     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
 249     enable_cookie \
 250     extended_response_inspection \
 251     inspect_gzip \
 252     normalize_utf \
 253     unlimited_decompress \
 254     apache_whitespace no \
 255     ascii no \
 256     bare_byte no \
 257     directory no \
 258     double_decode no \
 259     iis_backslash no \
 260     iis_delimiter no \
 261     iis_unicode no \
 262     multi_slash no \
 263    utf_8 no \
 264     u_encode yes \
 265     webroot no
 266
 267 # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
 268 preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
 269
 270 # Back Orifice detection.
 271 preprocessor bo
 272
 273 # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
 274 preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no
 275 preprocessor ftp_telnet_protocol: telnet \
 276     ayt_attack_thresh 20 \
 277     normalize ports { 23 } \
 278     detect_anomalies
 279 preprocessor ftp_telnet_protocol: ftp server default \
 280     def_max_param_len 100 \
 281     ports { 21 2100 3535 } \
 282     telnet_cmds yes \
 283     ignore_telnet_erase_cmds yes \
 284     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
 285     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
 286     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
 287     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
 288     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
 289     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
 290     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
 291     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
 292     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
 293     ftp_cmds { XSEN XSHA1 XSHA256 } \
 294     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
 295     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
 296     alt_max_param_len 256 { CWD RNTO } \
 297     alt_max_param_len 400 { PORT } \
 298     alt_max_param_len 512 { SIZE } \
 299     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
 300     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
 301     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
 302     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
 303     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
 304     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
 305     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
 306     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
 307     cmd_validity ALLO < int [ char R int ] > \
 308     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
 309     cmd_validity MACB < string > \
 310     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
 311     cmd_validity MODE < char ASBCZ > \
 312     cmd_validity PORT < host_port > \
 313     cmd_validity PROT < char CSEP > \
 314     cmd_validity STRU < char FRPO [ string ] > \
 315     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
 316 preprocessor ftp_telnet_protocol: ftp client default \
 317     max_resp_len 256 \
 318     bounce yes \
 319     ignore_telnet_erase_cmds yes \
 320     telnet_cmds yes
 321
 322
 323 # SMTP normalization and anomaly detection.  For more information, see README.SMTP
 324 preprocessor smtp: ports { 25 465 587 691 } \
 325     inspection_type stateful \
 326     b64_decode_depth 0 \
 327     qp_decode_depth 0 \
 328     bitenc_decode_depth 0 \
 329     uu_decode_depth 0 \
 330     log_mailfrom \
 331     log_rcptto \
 332     log_filename \
 333     log_email_hdrs \
 334     normalize cmds \
 335     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
 336     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
 337     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
 338     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
 339     max_command_line_len 512 \
 340     max_header_line_len 1000 \
 341     max_response_line_len 512 \
 342     alt_max_command_line_len 260 { MAIL } \
 343     alt_max_command_line_len 300 { RCPT } \
 344     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
 345     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
 346     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
 347     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
 348     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
 349     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
 350     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
 351     xlink2state { enabled }
 352
 353 # Portscan detection.  For more information, see README.sfportscan
 354 preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium }
 355
 356 # ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
 357 # preprocessor arpspoof
 358 # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
 359
 360 # SSH anomaly detection.  For more information, see README.ssh
 361 preprocessor ssh: server_ports { 22,222 } \
 362                   autodetect \
 363                   max_client_bytes 19600 \
 364                   max_encrypted_packets 20 \
 365                   max_server_version_len 100 \
 366                   enable_respoverflow enable_ssh1crc32 \
 367                   enable_srvoverflow enable_protomismatch
 368
 369 # SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
 370 preprocessor dcerpc2: memcap 102400, events [co ]
 371 preprocessor dcerpc2_server: default, policy WinXP, \
 372     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
 373     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
 374     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
 375
 376 # DNS anomaly detection.  For more information, see README.dns
 377 preprocessor dns: ports { 53 } enable_rdata_overflow
 378
 379 # SSL anomaly detection and traffic bypass.  For more information, see README.ssl
 380 preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
 381
 382 # SDF sensitive data preprocessor.  For more information see README.sensitive_data
 383 preprocessor sensitive_data: alert_threshold 25
 384
 385 # SIP Session Initiation Protocol preprocessor.  For more information see README.sip
 386 preprocessor sip: max_sessions 10000, \
 387    ports { 5060 5061 5600 }, \
 388    methods { invite \
 389              cancel \
 390              ack \
 391              bye \
 392              register \
 393              options \
 394              refer \
 395              subscribe \
 396              update \
 397              join \
 398              info \
 399              message \
 400              notify \
 401              benotify \
 402              do \
 403              qauth \
 404              sprack \
 405              publish \
 406              service \
 407              unsubscribe \
 408              prack }, \
 409    max_uri_len 512, \
 410    max_call_id_len 80, \
 411    max_requestName_len 20, \
 412    max_from_len 256, \
 413    max_to_len 256, \
 414    max_via_len 1024, \
 415    max_contact_len 512, \
 416    max_content_len 1024
 417
 418 # IMAP preprocessor.  For more information see README.imap
 419 preprocessor imap: \
 420    ports { 143 } \
 421    b64_decode_depth 0 \
 422    qp_decode_depth 0 \
 423    bitenc_decode_depth 0 \
 424    uu_decode_depth 0
 425
 426 # POP preprocessor. For more information see README.pop
 427 preprocessor pop: \
 428    ports { 110 } \
 429    b64_decode_depth 0 \
 430    qp_decode_depth 0 \
 431    bitenc_decode_depth 0 \
 432    uu_decode_depth 0
 433
 434 ###################################################
 435 # Step #6: Configure output plugins
 436 # For more information, see Snort Manual, Configuring Snort - Output Modules
 437 ###################################################
 438
 439 # unified2
 440 # Recommended for most installs
 441 # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
 442
 443 # Additional configuration for specific types of installs
 444 # output alert_unified2: filename snort.alert, limit 128, nostamp
 445 # output log_unified2: filename snort.log, limit 128, nostamp
 446
 447 # syslog
 448 # output alert_syslog: LOG_AUTH LOG_ALERT
 449
 450 # pcap
 451 # output log_tcpdump: tcpdump.log
 452
 453 # database
 454 # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
 455 # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
 456
 457 # prelude
 458 # output alert_prelude
 459
 460 # metadata reference data.  do not modify these lines
 461 include /etc/snort/rules/classification.config
 462 include /etc/snort/rules/reference.config
 463
 464
 465 ###################################################
 466 # Step #7: Customize your rule set
 467 # For more information, see Snort Manual, Writing Snort Rules
 468 ###################################################
 469
 470 #
 471 # site specific rules
 472 #