8cce16e5 | 1 | # PLD snort.cond |
2 | # | |
3 | #-------------------------------------------------- | |
4 | # http://www.snort.org Snort 2.0.0 Ruleset | |
5 | # Contact: snort-sigs@lists.sourceforge.net | |
6 | #-------------------------------------------------- | |
7 | # $Id$ | |
8 | # | |
9 | ################################################### | |
10 | # This file contains a sample snort configuration. | |
11 | # You can take the following steps to create your | |
12 | # own custom configuration: | |
13 | # | |
14 | # 1) Set the network variables for your network | |
15 | # 2) Configure preprocessors | |
16 | # 3) Configure output plugins | |
17 | # 4) Customize your rule set | |
18 | # | |
19 | ################################################### | |
20 | # Step #1: Set the network variables: | |
21 | # | |
22 | # You must change the following variables to reflect | |
23 | # your local network. The variable is currently | |
24 | # setup for an RFC 1918 address space. | |
25 | # | |
26 | # You can specify it explicitly as: | |
27 | # | |
28 | # var HOME_NET 10.1.1.0/24 | |
29 | # | |
30 | # or use global variable $<interfacename>_ADDRESS | |
31 | # which will always be initialized to the IP address and | |
32 | # netmask of the network interface on which you run | |
33 | # snort. Under Windows, this must be specified | |
34 | # as $(<interfacename>_ADDRESS), such as: | |
35 | # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) | |
36 | # | |
37 | # var HOME_NET $eth0_ADDRESS | |
38 | # | |
39 | # You can specify lists of IP addresses for HOME_NET | |
40 | # by separating the IPs with commas like this: | |
41 | # | |
42 | # var HOME_NET [10.1.1.0/24,192.168.1.0/24] | |
43 | # | |
44 | # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! | |
45 | # | |
46 | # or you can specify the variable to be any IP address | |
47 | # like this: | |
48 | ||
49 | var HOME_NET any | |
50 | ||
51 | # Set up the external network addresses as well. | |
52 | # A good start may be "any" | |
53 | ||
54 | var EXTERNAL_NET any | |
55 | ||
56 | # Configure your server lists. This allows snort to only look for attacks | |
57 | # to systems that have a service up. Why look for HTTP attacks if you are | |
58 | # not running a web server? This allows quick filtering based on IP addresses | |
59 | # These configurations MUST follow the same configuration scheme as defined | |
60 | # above for $HOME_NET. | |
61 | ||
62 | # List of DNS servers on your network | |
63 | var DNS_SERVERS $HOME_NET | |
64 | ||
65 | # List of SMTP servers on your network | |
66 | var SMTP_SERVERS $HOME_NET | |
67 | ||
68 | # List of web servers on your network | |
69 | var HTTP_SERVERS $HOME_NET | |
70 | ||
71 | # List of sql servers on your network | |
72 | var SQL_SERVERS $HOME_NET | |
73 | ||
74 | # List of telnet servers on your network | |
75 | var TELNET_SERVERS $HOME_NET | |
76 | ||
77 | # Configure your service ports. This allows snort to look for attacks | |
78 | # destined to a specific application only on the ports that application | |
79 | # runs on. For example, if you run a web server on port 8081, set your | |
80 | # HTTP_PORTS variable like this: | |
81 | # | |
82 | # var HTTP_PORTS 8081 | |
83 | # | |
84 | # Port lists must either be continuous [eg 80:8080], or a single port [eg 80]. | |
85 | # We will be adding support for a real list of ports in the future. | |
86 | ||
87 | # Ports you run web servers on | |
88 | var HTTP_PORTS 80 | |
89 | ||
90 | # Ports you want to look for SHELLCODE on. | |
91 | var SHELLCODE_PORTS !80 | |
92 | ||
93 | # Ports you do oracle attacks on | |
94 | var ORACLE_PORTS 1521 | |
95 | ||
96 | # other variables | |
97 | # | |
98 | # AIM servers. AOL has a habit of adding new AIM servers, so instead of | |
99 | # modifying the signatures when they do, we add them to this list of | |
100 | # servers. | |
101 | var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] | |
102 | ||
103 | # Path to your rules files (this can be a relative path) | |
104 | var RULE_PATH /etc/snort/rules | |
105 | ||
106 | # Configure the snort decoder: | |
107 | # ============================ | |
108 | # | |
109 | # Stop generic decode events: | |
110 | # | |
111 | # config disable_decode_alerts | |
112 | # | |
113 | # Stop Alerts on experimental TCP options | |
114 | # | |
115 | # config disable_tcpopt_experimental_alerts | |
116 | # | |
117 | # Stop Alerts on obsolete TCP options | |
118 | # | |
119 | # config disable_tcpopt_obsolete_alerts | |
120 | # | |
121 | # Stop Alerts on T/TCP alerts | |
122 | # | |
123 | # config disable_ttcp_alerts | |
124 | # | |
125 | # Stop Alerts on all other TCPOption type events: | |
126 | # | |
127 | # config disable_tcpopt_alerts | |
128 | # | |
129 | # Stop Alerts on invalid ip options | |
130 | # | |
131 | # config disable_ipopt_alerts | |
132 | ||
133 | ||
134 | # Configure the detection engine | |
135 | # =============================== | |
136 | # | |
137 | # Use a different pattern matcher in case you have a machine with very | |
138 | # limited resources: | |
139 | # | |
140 | # config detection: search-method lowmem | |
141 | ||
142 | ||
143 | ################################################### | |
144 | # Step #2: Configure preprocessors | |
145 | # | |
146 | # General configuration for preprocessors is of | |
147 | # the form | |
148 | # preprocessor <name_of_processor>: <configuration_options> | |
149 | ||
150 | # frag2: IP defragmentation support | |
151 | # ------------------------------- | |
152 | # This preprocessor performs IP defragmentation. This plugin will also detect | |
153 | # people launching fragmentation attacks (usually DoS) against hosts. No | |
154 | # arguments loads the default configuration of the preprocessor, which is a | |
155 | # 60 second timeout and a 4MB fragment buffer. | |
156 | ||
157 | # The following (comma delimited) options are available for frag2 | |
158 | # timeout [seconds] - sets the number of [seconds] that an unfinished | |
159 | # fragment will be kept around waiting for completion, | |
160 | # if this time expires the fragment will be flushed | |
161 | # memcap [bytes] - limit frag2 memory usage to [number] bytes | |
162 | # (default: 4194304) | |
163 | # | |
164 | # min_ttl [number] - minimum ttl to accept | |
165 | # | |
166 | # ttl_limit [number] - difference of ttl to accept without alerting | |
167 | # will cause false positives with router flap | |
168 | # | |
169 | # Frag2 uses Generator ID 113 and uses the following SIDS | |
170 | # for that GID: | |
171 | # SID Event description | |
172 | # ----- ------------------- | |
173 | # 1 Oversized fragment (reassembled frag > 64k bytes) | |
174 | # 2 Teardrop-type attack | |
175 | ||
176 | preprocessor frag2 | |
177 | ||
178 | # stream4: stateful inspection/stream reassembly for Snort | |
179 | #---------------------------------------------------------------------- | |
180 | # Use in concert with the -z [all|est] command line switch to defeat | |
181 | # stick/snot against TCP rules. Also performs full TCP stream | |
182 | # reassembly, stateful inspection of TCP streams, etc. Can statefully | |
183 | # detect various portscan types, fingerprinting, ECN, etc. | |
184 | ||
185 | # stateful inspection directive | |
186 | # no arguments loads the defaults (timeout 30, memcap 8388608) | |
187 | # options (options are comma delimited): | |
188 | # detect_scans - stream4 will detect stealth portscans and generate alerts | |
189 | # when it sees them when this option is set | |
190 | # detect_state_problems - detect TCP state problems, this tends to be very | |
191 | # noisy because there are a lot of crappy ip stack | |
192 | # implementations out there | |
193 | # | |
194 | # disable_evasion_alerts - turn off the possibly noisy mitigation of | |
195 | # overlapping sequences. | |
196 | # | |
197 | # | |
198 | # min_ttl [number] - set a minimum ttl that snort will accept to | |
199 | # stream reassembly | |
200 | # | |
201 | # ttl_limit [number] - differential of the initial ttl on a session versus | |
202 | # the norm, beyond which someone may be playing games. | |
203 | # Routing flap may cause lots of false positives. | |
204 | # | |
205 | # keepstats [machine|binary] - keep session statistics, add "machine" to | |
206 | # get them in a flat format for machine reading, add | |
207 | # "binary" to get them in a unified binary output | |
208 | # format | |
209 | # noinspect - turn off stateful inspection only | |
210 | # timeout [number] - set the session timeout counter to [number] seconds, | |
211 | # default is 30 seconds | |
212 | # memcap [number] - limit stream4 memory usage to [number] bytes | |
213 | # log_flushed_streams - if an event is detected on a stream this option will | |
214 | # cause all packets that are stored in the stream4 | |
215 | # packet buffers to be flushed to disk. This only | |
216 | # works when logging in pcap mode! | |
217 | # | |
218 | # Stream4 uses Generator ID 111 and uses the following SIDS | |
219 | # for that GID: | |
220 | # SID Event description | |
221 | # ----- ------------------- | |
222 | # 1 Stealth activity | |
223 | # 2 Evasive RST packet | |
224 | # 3 Evasive TCP packet retransmission | |
225 | # 4 TCP Window violation | |
226 | # 5 Data on SYN packet | |
227 | # 6 Stealth scan: full XMAS | |
228 | # 7 Stealth scan: SYN-ACK-PSH-URG | |
229 | # 8 Stealth scan: FIN scan | |
230 | # 9 Stealth scan: NULL scan | |
231 | # 10 Stealth scan: NMAP XMAS scan | |
232 | # 11 Stealth scan: Vecna scan | |
233 | # 12 Stealth scan: NMAP fingerprint scan stateful detect | |
234 | # 13 Stealth scan: SYN-FIN scan | |
235 | # 14 TCP forward overlap | |
236 | ||
237 | preprocessor stream4: detect_scans, disable_evasion_alerts | |
238 | ||
239 | # tcp stream reassembly directive | |
240 | # no arguments loads the default configuration | |
241 | # Only reassemble the client, | |
242 | # Only reassemble the default list of ports (See below), | |
243 | # Give alerts for "bad" streams | |
244 | # | |
245 | # Available options (comma delimited): | |
246 | # clientonly - reassemble traffic for the client side of a connection only | |
247 | # serveronly - reassemble traffic for the server side of a connection only | |
248 | # both - reassemble both sides of a session | |
249 | # noalerts - turn off alerts from the stream reassembly stage of stream4 | |
250 | # ports [list] - use the space separated list of ports in [list], "all" | |
251 | # will turn on reassembly for all ports, "default" will turn | |
252 | # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 | |
253 | # and 513 | |
254 | ||
255 | preprocessor stream4_reassemble | |
256 | ||
257 | # http_decode: normalize HTTP requests | |
258 | # ------------------------------------ | |
259 | # http_decode normalizes HTTP requests from remote | |
260 | # machines by converting any %XX character | |
261 | # substitutions to their ASCII equivalent. This is | |
262 | # very useful for doing things like defeating hostile | |
263 | # attackers trying to stealth themselves from IDSs by | |
264 | # mixing these substitutions in with the request. | |
265 | # Specify the port numbers you want it to analyze as arguments. | |
266 | # | |
267 | # Major code cleanups thanks to rfp | |
268 | # | |
269 | # unicode - normalize unicode | |
270 | # iis_alt_unicode - %u encoding from iis | |
271 | # double_encode - alert on possible double encodings | |
272 | # iis_flip_slash - normalize \ as / | |
273 | # full_whitespace - treat \t as whitespace ( for apache ) | |
274 | # | |
275 | # http_decode uses the following SIDS for its GID: | |
276 | # SID Event description | |
277 | # ----- ------------------- | |
278 | # 1 UNICODE attack | |
279 | # 2 NULL byte attack | |
280 | ||
281 | preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace | |
282 | ||
283 | # rpc_decode: normalize RPC traffic | |
284 | # --------------------------------- | |
285 | # RPC may be sent in alternate encodings besides the usual | |
286 | # 4-byte encoding that is used by default. This preprocessor | |
287 | # normalizes RPC traffic in much the same way as the http_decode | |
288 | # preprocessor. This plugin takes the port numbers that RPC | |
289 | # services are running on as arguments. | |
290 | # The RPC decode preprocessor uses generator ID 106 | |
291 | # | |
292 | # arguments: space separated list | |
293 | # alert_fragments - alert on any rpc fragmented TCP data | |
294 | # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet | |
295 | # no_alert_large_fragments - don't alert when the fragmented | |
296 | # sizes exceed the current packet size | |
297 | # no_alert_incomplete - don't alert when a single segment | |
298 | # exceeds the current packet size | |
299 | ||
300 | preprocessor rpc_decode: 111 32771 | |
301 | ||
302 | # bo: Back Orifice detector | |
303 | # ------------------------- | |
304 | # Detects Back Orifice traffic on the network. Takes no arguments in 2.0. | |
305 | # | |
306 | # The Back Orifice detector uses Generator ID 105 and uses the | |
307 | # following SIDS for that GID: | |
308 | # SID Event description | |
309 | # ----- ------------------- | |
310 | # 1 Back Orifice traffic detected | |
311 | ||
312 | preprocessor bo | |
313 | ||
314 | # telnet_decode: Telnet negotiation string normalizer | |
315 | # --------------------------------------------------- | |
316 | # This preprocessor "normalizes" telnet negotiation strings from | |
317 | # telnet and ftp traffic. It works in much the same way as the | |
318 | # http_decode preprocessor, searching for traffic that breaks up | |
319 | # the normal data stream of a protocol and replacing it with | |
320 | # a normalized representation of that traffic so that the "content" | |
321 | # pattern matching keyword can work without requiring modifications. | |
322 | # This preprocessor requires no arguments. | |
323 | # telnet_decode uses Generator ID 109 and does not generate any SID currently. | |
324 | ||
325 | preprocessor telnet_decode | |
326 | ||
327 | # Portscan: detect a variety of portscans | |
328 | # --------------------------------------- | |
329 | # portscan preprocessor by Patrick Mullen <p_mullen@linuxrc.net> | |
330 | # This preprocessor detects UDP packets or TCP SYN packets going to | |
331 | # four different ports in less than three seconds. "Stealth" TCP | |
332 | # packets are always detected, regardless of these settings. | |
333 | # Portscan uses Generator ID 100 and uses the following SIDS for that GID: | |
334 | # SID Event description | |
335 | # ----- ------------------- | |
336 | # 1 Portscan detect | |
337 | # 2 Inter-scan info | |
338 | # 3 Portscan End | |
339 | ||
340 | # preprocessor portscan: $HOME_NET 4 3 portscan.log | |
341 | ||
342 | # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from | |
343 | # specific networks or hosts to reduce false alerts. It is typical | |
344 | # to see many false alerts from DNS servers so you may want to | |
345 | # add your DNS servers here. You can list multiple hosts/networks | |
346 | # in a whitespace-delimited list. | |
347 | # | |
348 | #preprocessor portscan-ignorehosts: 0.0.0.0 | |
349 | ||
350 | # arpspoof | |
351 | #---------------------------------------- | |
352 | # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, | |
353 | # unicast ARP requests, and specific ARP mapping monitoring. To make use | |
354 | # of this preprocessor you must specify the IP and hardware address of hosts on the same layer 2 segment as you. Specify one host IP MAC combo per line. | |
355 | # Also takes a "-unicast" option to turn on unicast ARP request detection. | |
356 | # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: | |
357 | # SID Event description | |
358 | # ----- ------------------- | |
359 | # 1 Unicast ARP request | |
360 | # 2 Etherframe ARP mismatch (src) | |
361 | # 3 Etherframe ARP mismatch (dst) | |
362 | # 4 ARP cache overwrite attack | |
363 | ||
364 | #preprocessor arpspoof | |
365 | #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 | |
366 | ||
367 | # Conversation | |
368 | #------------------------------------------ | |
369 | # This preprocessor tracks conversations for tcp, udp and icmp traffic. It | |
370 | # is a prerequisite for running portscan2. | |
371 | # | |
372 | # allowed_ip_protocols 1 6 17 | |
373 | # list of allowed ip protocols ( defaults to any ) | |
374 | # | |
375 | # timeout [num] | |
376 | # conversation timeout ( defaults to 60 ) | |
377 | # | |
378 | # | |
379 | # max_conversations [num] | |
380 | # number of conversations to support at once (defaults to 65335) | |
381 | # | |
382 | # | |
383 | # alert_odd_protocols | |
384 | # alert on protocols not listed in allowed_ip_protocols | |
385 | # | |
386 | # preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000 | |
387 | # | |
388 | # Portscan2 | |
389 | #------------------------------------------- | |
390 | # Portscan 2, detect portscans in a new and exciting way. You must enable | |
391 | # spp_conversation in order to use this preprocessor. | |
392 | # | |
393 | # Available options: | |
394 | # scanners_max [num] | |
395 | # targets_max [num] | |
396 | # target_limit [num] | |
397 | # port_limit [num] | |
398 | # timeout [num] | |
399 | # log [logdir] | |
400 | # | |
401 | #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60 | |
402 | ||
403 | # Too many false alerts from portscan2? Tone it down with | |
404 | # portscan2-ignorehosts! | |
405 | # | |
406 | # A space delimited list of addresses in CIDR notation to ignore | |
407 | # | |
408 | # preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24 | |
409 | # | |
410 | ||
411 | # Experimental Perf stats | |
412 | # ----------------------- | |
413 | # No docs. Highly subject to change. | |
414 | # | |
415 | # preprocessor perfmonitor: console flow events time 10 | |
416 | ||
417 | #################################################################### | |
418 | # Step #3: Configure output plugins | |
419 | # | |
420 | # Uncomment and configure the output plugins you decide to use. | |
421 | # General configuration for output plugins is of the form: | |
422 | # | |
423 | # output <name_of_plugin>: <configuration_options> | |
424 | # | |
425 | # alert_syslog: log alerts to syslog | |
426 | # ---------------------------------- | |
427 | # Use one or more syslog facilities as arguments. Win32 can also | |
428 | # optionally specify a particular hostname/port. Under Win32, the | |
429 | # default hostname is '127.0.0.1', and the default port is 514. | |
430 | # | |
431 | # [Unix flavours should use this format...] | |
432 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
433 | # | |
434 | # [Win32 can use any of these formats...] | |
435 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
436 | # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT | |
437 | # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT | |
438 | ||
439 | # log_tcpdump: log packets in binary tcpdump format | |
440 | # ------------------------------------------------- | |
441 | # The only argument is the output file name. | |
442 | # | |
443 | # output log_tcpdump: tcpdump.log | |
444 | ||
445 | # database: log to a variety of databases | |
446 | # --------------------------------------- | |
447 | # See the README.database file for more information about configuring | |
448 | # and using this plugin. | |
449 | # | |
450 | # output database: log, mysql, user=root password=test dbname=db host=localhost | |
451 | # output database: alert, postgresql, user=snort dbname=snort | |
452 | # output database: log, unixodbc, user=snort dbname=snort | |
453 | # output database: log, mssql, dbname=snort user=snort password=test | |
454 | ||
455 | # unified: Snort unified binary format alerting and logging | |
456 | # ------------------------------------------------------------- | |
457 | # The unified output plugin provides two new formats for logging | |
458 | # and generating alerts from Snort, the "unified" format. The | |
459 | # unified format is a straight binary format for logging data | |
460 | # out of Snort that is designed to be fast and efficient. Used | |
461 | # with barnyard (the new alert/log processor), most of the overhead | |
462 | # for logging and alerting to various slow storage mechanisms | |
463 | # such as databases or the network can now be avoided. | |
464 | # | |
465 | # Check out the spo_unified.h file for the data formats. | |
466 | # | |
467 | # Two arguments are supported. | |
468 | # filename - base filename to write to (current time_t is appended) | |
469 | # limit - maximum size of spool file in MB (default: 128) | |
470 | # | |
471 | # output alert_unified: filename snort.alert, limit 128 | |
472 | # output log_unified: filename snort.log, limit 128 | |
473 | ||
474 | # You can optionally define new rule types and associate one or | |
475 | # more output plugins specifically to that type. | |
476 | # | |
477 | # This example will create a type that will log to just tcpdump. | |
478 | # ruletype suspicious | |
479 | # { | |
480 | # type log | |
481 | # output log_tcpdump: suspicious.log | |
482 | # } | |
483 | # | |
484 | # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: | |
485 | # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) | |
486 | # | |
487 | # This example will create a rule type that will log to syslog | |
488 | # and a mysql database. | |
489 | # ruletype redalert | |
490 | # { | |
491 | # type alert | |
492 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
493 | # output database: log, mysql, user=snort dbname=snort host=localhost | |
494 | # } | |
495 | # | |
496 | # EXAMPLE RULE FOR REDALERT RULETYPE | |
497 | # redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \ | |
498 | # flags:A+;) | |
499 | ||
500 | # | |
501 | # Include classification & priority settings | |
502 | # | |
503 | ||
504 | include classification.config | |
505 | ||
506 | # | |
507 | # Include reference systems | |
508 | # | |
509 | ||
510 | include reference.config | |
511 | ||
512 | #################################################################### | |
513 | # Step #4: Customize your rule set | |
514 | # | |
515 | # Up to date snort rules are available at http://www.snort.org | |
516 | # | |
517 | # The snort web site has documentation about how to write your own | |
518 | # custom snort rules. | |
519 | # | |
520 | # The rules included with this distribution generate alerts based on | |
521 | # suspicious activity. Depending on your network environment, your | |
522 | # security policies, and what you consider to be suspicious, some of | |
523 | # these rules may either generate false positives or may be detecting | |
524 | # activity you consider to be acceptable; therefore, you are | |
525 | # encouraged to comment out rules that are not applicable in your | |
526 | # environment. | |
527 | # | |
528 | # Note that using all of the rules at the same time may lead to | |
529 | # serious packet loss on slower machines. YMMV, use with caution, | |
530 | # standard disclaimers apply. :) | |
531 | # | |
532 | # The following individuals contributed many of rules in this | |
533 | # distribution. | |
534 | # | |
535 | # Credits: | |
536 | # Ron Gula <rgula@securitywizards.com> of Network Security Wizards | |
537 | # Max Vision <vision@whitehats.com> | |
538 | # Martin Markgraf <martin@mail.du.gtn.com> | |
539 | # Fyodor Yarochkin <fygrave@tigerteam.net> | |
540 | # Nick Rogness <nick@rapidnet.com> | |
541 | # Jim Forster <jforster@rapidnet.com> | |
542 | # Scott McIntyre <scott@whoi.edu> | |
543 | # Tom Vandepoel <Tom.Vandepoel@ubizen.com> | |
544 | # Brian Caswell <bmc@snort.org> | |
545 | # Zeno <admin@cgisecurity.com> | |
546 | # Ryan Russell <ryan@securityfocus.com> | |
547 | # | |
548 | #========================================= | |
549 | # Include all relevant rulesets here | |
550 | # | |
551 | # shellcode, policy, info, backdoor, and virus rulesets are | |
552 | # disabled by default. These require tuning and maintenance. | |
553 | # Please read the included specific file for more information. | |
554 | #========================================= | |
555 | ||
556 | include $RULE_PATH/bad-traffic.rules | |
557 | include $RULE_PATH/exploit.rules | |
558 | include $RULE_PATH/scan.rules | |
559 | include $RULE_PATH/finger.rules | |
560 | include $RULE_PATH/ftp.rules | |
561 | include $RULE_PATH/telnet.rules | |
562 | include $RULE_PATH/rpc.rules | |
563 | include $RULE_PATH/rservices.rules | |
564 | include $RULE_PATH/dos.rules | |
565 | include $RULE_PATH/ddos.rules | |
566 | include $RULE_PATH/dns.rules | |
567 | include $RULE_PATH/tftp.rules | |
568 | ||
569 | include $RULE_PATH/web-cgi.rules | |
570 | include $RULE_PATH/web-coldfusion.rules | |
571 | include $RULE_PATH/web-iis.rules | |
572 | include $RULE_PATH/web-frontpage.rules | |
573 | include $RULE_PATH/web-misc.rules | |
574 | include $RULE_PATH/web-client.rules | |
575 | include $RULE_PATH/web-php.rules | |
576 | ||
577 | include $RULE_PATH/sql.rules | |
578 | include $RULE_PATH/x11.rules | |
579 | include $RULE_PATH/icmp.rules | |
580 | include $RULE_PATH/netbios.rules | |
581 | include $RULE_PATH/misc.rules | |
582 | include $RULE_PATH/attack-responses.rules | |
583 | include $RULE_PATH/oracle.rules | |
584 | include $RULE_PATH/mysql.rules | |
585 | include $RULE_PATH/snmp.rules | |
586 | ||
587 | include $RULE_PATH/smtp.rules | |
588 | include $RULE_PATH/imap.rules | |
589 | include $RULE_PATH/pop2.rules | |
590 | include $RULE_PATH/pop3.rules | |
591 | ||
592 | include $RULE_PATH/nntp.rules | |
593 | include $RULE_PATH/other-ids.rules | |
594 | include $RULE_PATH/web-attacks.rules | |
595 | include $RULE_PATH/backdoor.rules | |
596 | include $RULE_PATH/shellcode.rules | |
597 | include $RULE_PATH/policy.rules | |
598 | include $RULE_PATH/porn.rules | |
599 | include $RULE_PATH/info.rules | |
600 | include $RULE_PATH/icmp-info.rules | |
601 | include $RULE_PATH/virus.rules | |
602 | include $RULE_PATH/chat.rules | |
603 | include $RULE_PATH/multimedia.rules | |
604 | include $RULE_PATH/p2p.rules | |
605 | include $RULE_PATH/experimental.rules | |
606 | include $RULE_PATH/local.rules |