8cce16e5 1# PLD snort.conf
2#
3#--------------------------------------------------
4# http://www.snort.org Snort 2.0.0 Ruleset
5# Contact: snort-sigs@lists.sourceforge.net
6#--------------------------------------------------
7# $Id$
8#
9###################################################
10# This file contains a sample snort configuration.
11# You can take the following steps to create your
12# own custom configuration:
13#
14# 1) Set the network variables for your network
15# 2) Configure preprocessors
16# 3) Configure output plugins
17# 4) Customize your rule set
18#
19###################################################
20# Step #1: Set the network variables:
21#
22# You must change the following variables to reflect
23# your local network. The variable is currently
24# setup for an RFC 1918 address space.
25#
26# You can specify it explicitly as:
27#
28# var HOME_NET 10.1.1.0/24
29#
30# or use the global variable $<interfacename>_ADDRESS,
31# which is always initialized to the IP address and
32# netmask of the network interface that you run
33# snort on. Under Windows, this must be specified
34# as $(<interfacename>_ADDRESS), such as:
35# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
36#
37# var HOME_NET $eth0_ADDRESS
38#
39# You can specify lists of IP addresses for HOME_NET
40# by separating the IPs with commas like this:
41#
42# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
43#
44# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
45#
46# or you can set the variable to match any IP address,
47# like this:
48
49var HOME_NET any
50
51# Set up the external network addresses as well.
52# A good start may be "any"
53
54var EXTERNAL_NET any
55
56# Configure your server lists. This allows snort to only look for attacks
57# to systems that have a service up. Why look for HTTP attacks if you are
58# not running a web server? This allows quick filtering based on IP addresses.
59# These configurations MUST follow the same configuration scheme as defined
60# above for $HOME_NET.
61
62# List of DNS servers on your network
63var DNS_SERVERS $HOME_NET
64
65# List of SMTP servers on your network
66var SMTP_SERVERS $HOME_NET
67
68# List of web servers on your network
69var HTTP_SERVERS $HOME_NET
70
71# List of sql servers on your network
72var SQL_SERVERS $HOME_NET
73
74# List of telnet servers on your network
75var TELNET_SERVERS $HOME_NET
76
77# Configure your service ports. This allows snort to look for attacks
78# destined to a specific application only on the ports that application
79# runs on. For example, if you run a web server on port 8081, set your
80# HTTP_PORTS variable like this:
81#
82# var HTTP_PORTS 8081
83#
84# Port lists must either be a contiguous range [eg 80:8080] or a single port [eg 80].
85# We will be adding support for a real list of ports in the future.
86
87# Ports you run web servers on
88var HTTP_PORTS 80
89
90# Ports you want to look for SHELLCODE on.
91var SHELLCODE_PORTS !80
92
93# Ports you want to look for Oracle attacks on
94var ORACLE_PORTS 1521
95
96# other variables
97#
98# AIM servers. AOL has a habit of adding new AIM servers, so instead of
99# modifying the signatures when they do, we add them to this list of
100# servers.
101var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
102
103# Path to your rules files (this can be a relative path)
104var RULE_PATH /etc/snort/rules
105
106# Configure the snort decoder:
107# ============================
108#
109# Stop generic decode events:
110#
111# config disable_decode_alerts
112#
113# Stop Alerts on experimental TCP options
114#
115# config disable_tcpopt_experimental_alerts
116#
117# Stop Alerts on obsolete TCP options
118#
119# config disable_tcpopt_obsolete_alerts
120#
121# Stop Alerts on T/TCP alerts
122#
123# config disable_ttcp_alerts
124#
125# Stop Alerts on all other TCPOption type events:
126#
127# config disable_tcpopt_alerts
128#
129# Stop Alerts on invalid ip options
130#
131# config disable_ipopt_alerts
132
133
134# Configure the detection engine
135# ===============================
136#
137# Use a different pattern matcher in case you have a machine with very
138# limited resources:
139#
140# config detection: search-method lowmem
141
142
143###################################################
144# Step #2: Configure preprocessors
145#
146# General configuration for preprocessors is of
147# the form
148# preprocessor <name_of_processor>: <configuration_options>
149
150# frag2: IP defragmentation support
151# -------------------------------
152# This preprocessor performs IP defragmentation. This plugin will also detect
153# people launching fragmentation attacks (usually DoS) against hosts. No
154# arguments loads the default configuration of the preprocessor, which is a
155# 60 second timeout and a 4MB fragment buffer.
156
157# The following (comma delimited) options are available for frag2
158# timeout [seconds] - sets the number of [seconds] that an unfinished
159# fragment will be kept around waiting for completion,
160# if this time expires the fragment will be flushed
161# memcap [bytes] - limit frag2 memory usage to [bytes] bytes
162# (default: 4194304)
163#
164# min_ttl [number] - minimum ttl to accept
165#
166# ttl_limit [number] - difference of ttl to accept without alerting
167# will cause false positives with router flap
168#
169# Frag2 uses Generator ID 113 and uses the following SIDS
170# for that GID:
171# SID Event description
172# ----- -------------------
173# 1 Oversized fragment (reassembled frag > 64k bytes)
174# 2 Teardrop-type attack
175
176preprocessor frag2
177
178# stream4: stateful inspection/stream reassembly for Snort
179#----------------------------------------------------------------------
180# Use in concert with the -z [all|est] command line switch to defeat
181# stick/snot against TCP rules. Also performs full TCP stream
182# reassembly, stateful inspection of TCP streams, etc. Can statefully
183# detect various portscan types, fingerprinting, ECN, etc.
184
185# stateful inspection directive
186# no arguments loads the defaults (timeout 30, memcap 8388608)
187# options (options are comma delimited):
188# detect_scans - stream4 will detect stealth portscans and generate alerts
189# when it sees them when this option is set
190# detect_state_problems - detect TCP state problems, this tends to be very
191# noisy because there are a lot of crappy ip stack
192# implementations out there
193#
194# disable_evasion_alerts - turn off the possibly noisy mitigation of
195# overlapping sequences.
196#
197#
198# min_ttl [number] - set a minimum ttl that snort will accept for
199# stream reassembly
200#
201# ttl_limit [number] - how far a packet's ttl may differ from the session's
202# initial ttl before snort assumes someone may be playing games.
203# Routing flap may cause lots of false positives.
204#
205# keepstats [machine|binary] - keep session statistics, add "machine" to
206# get them in a flat format for machine reading, add
207# "binary" to get them in a unified binary output
208# format
209# noinspect - turn off stateful inspection only
210# timeout [number] - set the session timeout counter to [number] seconds,
211# default is 30 seconds
212# memcap [number] - limit stream4 memory usage to [number] bytes
213# log_flushed_streams - if an event is detected on a stream this option will
214# cause all packets that are stored in the stream4
215# packet buffers to be flushed to disk. This only
216# works when logging in pcap mode!
217#
218# Stream4 uses Generator ID 111 and uses the following SIDS
219# for that GID:
220# SID Event description
221# ----- -------------------
222# 1 Stealth activity
223# 2 Evasive RST packet
224# 3 Evasive TCP packet retransmission
225# 4 TCP Window violation
226# 5 Data on SYN packet
227# 6 Stealth scan: full XMAS
228# 7 Stealth scan: SYN-ACK-PSH-URG
229# 8 Stealth scan: FIN scan
230# 9 Stealth scan: NULL scan
231# 10 Stealth scan: NMAP XMAS scan
232# 11 Stealth scan: Vecna scan
233# 12 Stealth scan: NMAP fingerprint scan stateful detect
234# 13 Stealth scan: SYN-FIN scan
235# 14 TCP forward overlap
236
237preprocessor stream4: detect_scans, disable_evasion_alerts
238
239# tcp stream reassembly directive
240# no arguments loads the default configuration
241# Only reassemble the client,
242# Only reassemble the default list of ports (See below),
243# Give alerts for "bad" streams
244#
245# Available options (comma delimited):
246# clientonly - reassemble traffic for the client side of a connection only
247# serveronly - reassemble traffic for the server side of a connection only
248# both - reassemble both sides of a session
249# noalerts - turn off alerts from the stream reassembly stage of stream4
250# ports [list] - use the space separated list of ports in [list], "all"
251# will turn on reassembly for all ports, "default" will turn
252# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
253# and 513
254
255preprocessor stream4_reassemble
256
257# http_decode: normalize HTTP requests
258# ------------------------------------
259# http_decode normalizes HTTP requests from remote
260# machines by converting any %XX character
261# substitutions to their ASCII equivalent. This is
262# very useful for doing things like defeating hostile
263# attackers trying to stealth themselves from IDSs by
264# mixing these substitutions in with the request.
265# Specify the port numbers you want it to analyze as arguments.
266#
267# Major code cleanups thanks to rfp
268#
269# unicode - normalize unicode
270# iis_alt_unicode - %u encoding from iis
271# double_encode - alert on possible double encodings
272# iis_flip_slash - normalize \ as /
273# full_whitespace - treat \t as whitespace ( for apache )
274#
275# http_decode uses the following SIDs for its Generator ID:
276# SID Event description
277# ----- -------------------
278# 1 UNICODE attack
279# 2 NULL byte attack
280
281preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
282
283# rpc_decode: normalize RPC traffic
284# ---------------------------------
285# RPC may be sent in alternate encodings besides the usual
286# 4-byte encoding that is used by default. This preprocessor
287# normalizes RPC traffic in much the same way as the http_decode
288# preprocessor. This plugin takes the port numbers that RPC
289# services are running on as arguments.
290# The RPC decode preprocessor uses generator ID 106
291#
292# arguments: space separated list
293# alert_fragments - alert on any rpc fragmented TCP data
294# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
295# no_alert_large_fragments - don't alert when the fragmented
296# sizes exceed the current packet size
297# no_alert_incomplete - don't alert when a single segment
298# exceeds the current packet size
299
300preprocessor rpc_decode: 111 32771
301
302# bo: Back Orifice detector
303# -------------------------
304# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
305#
306# The Back Orifice detector uses Generator ID 105 and uses the
307# following SIDS for that GID:
308# SID Event description
309# ----- -------------------
310# 1 Back Orifice traffic detected
311
312preprocessor bo
313
314# telnet_decode: Telnet negotiation string normalizer
315# ---------------------------------------------------
316# This preprocessor "normalizes" telnet negotiation strings from
317# telnet and ftp traffic. It works in much the same way as the
318# http_decode preprocessor, searching for traffic that breaks up
319# the normal data stream of a protocol and replacing it with
320# a normalized representation of that traffic so that the "content"
321# pattern matching keyword can work without requiring modifications.
322# This preprocessor requires no arguments.
323# telnet_decode uses Generator ID 109 and does not generate any SID currently.
324
325preprocessor telnet_decode
326
327# Portscan: detect a variety of portscans
328# ---------------------------------------
329# portscan preprocessor by Patrick Mullen <p_mullen@linuxrc.net>
330# This preprocessor detects UDP packets or TCP SYN packets going to
331# four different ports in less than three seconds. "Stealth" TCP
332# packets are always detected, regardless of these settings.
333# Portscan uses Generator ID 100 and uses the following SIDS for that GID:
334# SID Event description
335# ----- -------------------
336# 1 Portscan detect
337# 2 Inter-scan info
338# 3 Portscan End
339
340# preprocessor portscan: $HOME_NET 4 3 portscan.log
341
342# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
343# specific networks or hosts to reduce false alerts. It is typical
344# to see many false alerts from DNS servers so you may want to
345# add your DNS servers here. You can list multiple hosts/networks
346# in a whitespace-delimited list.
347#
348#preprocessor portscan-ignorehosts: 0.0.0.0
349
350# arpspoof
351#----------------------------------------
352# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
353# unicast ARP requests, and specific ARP mapping monitoring. To make use
354# of this preprocessor you must specify the IP and hardware address of hosts on the same layer 2 segment as you. Specify one host IP MAC combo per line.
355# Also takes a "-unicast" option to turn on unicast ARP request detection.
356# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
357# SID Event description
358# ----- -------------------
359# 1 Unicast ARP request
360# 2 Etherframe ARP mismatch (src)
361# 3 Etherframe ARP mismatch (dst)
362# 4 ARP cache overwrite attack
363
364#preprocessor arpspoof
365#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
366
367# Conversation
368#------------------------------------------
369# This preprocessor tracks conversations for tcp, udp and icmp traffic. It
370# is a prerequisite for running portscan2.
371#
372# allowed_ip_protocols 1 6 17
373# list of allowed ip protocols ( defaults to any )
374#
375# timeout [num]
376# conversation timeout ( defaults to 60 )
377#
378#
379# max_conversations [num]
380# number of conversations to support at once (defaults to 65335)
381#
382#
383# alert_odd_protocols
384# alert on protocols not listed in allowed_ip_protocols
385#
386# preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
387#
388# Portscan2
389#-------------------------------------------
390# Portscan 2, detect portscans in a new and exciting way. You must enable
391# spp_conversation in order to use this preprocessor.
392#
393# Available options:
394# scanners_max [num]
395# targets_max [num]
396# target_limit [num]
397# port_limit [num]
398# timeout [num]
399# log [logdir]
400#
401#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
402
403# Too many false alerts from portscan2? Tone it down with
404# portscan2-ignorehosts!
405#
406# A space delimited list of addresses in CIDR notation to ignore
407#
408# preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24
409#
410
411# Experimental Perf stats
412# -----------------------
413# No docs. Highly subject to change.
414#
415# preprocessor perfmonitor: console flow events time 10
416
417####################################################################
418# Step #3: Configure output plugins
419#
420# Uncomment and configure the output plugins you decide to use.
421# General configuration for output plugins is of the form:
422#
423# output <name_of_plugin>: <configuration_options>
424#
425# alert_syslog: log alerts to syslog
426# ----------------------------------
427# Use one or more syslog facilities as arguments. Win32 can also
428# optionally specify a particular hostname/port. Under Win32, the
429# default hostname is '127.0.0.1', and the default port is 514.
430#
431# [Unix flavours should use this format...]
432# output alert_syslog: LOG_AUTH LOG_ALERT
433#
434# [Win32 can use any of these formats...]
435# output alert_syslog: LOG_AUTH LOG_ALERT
436# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
437# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
438
439# log_tcpdump: log packets in binary tcpdump format
440# -------------------------------------------------
441# The only argument is the output file name.
442#
443# output log_tcpdump: tcpdump.log
444
445# database: log to a variety of databases
446# ---------------------------------------
447# See the README.database file for more information about configuring
448# and using this plugin.
449#
450# output database: log, mysql, user=root password=test dbname=db host=localhost
451# output database: alert, postgresql, user=snort dbname=snort
452# output database: log, unixodbc, user=snort dbname=snort
453# output database: log, mssql, dbname=snort user=snort password=test
454
455# unified: Snort unified binary format alerting and logging
456# -------------------------------------------------------------
457# The unified output plugin provides two new formats for logging
458# and generating alerts from Snort, the "unified" format. The
459# unified format is a straight binary format for logging data
460# out of Snort that is designed to be fast and efficient. Used
461# with barnyard (the new alert/log processor), most of the overhead
462# for logging and alerting to various slow storage mechanisms
463# such as databases or the network can now be avoided.
464#
465# Check out the spo_unified.h file for the data formats.
466#
467# Two arguments are supported.
468# filename - base filename to write to (current time_t is appended)
469# limit - maximum size of spool file in MB (default: 128)
470#
471# output alert_unified: filename snort.alert, limit 128
472# output log_unified: filename snort.log, limit 128
473
474# You can optionally define new rule types and associate one or
475# more output plugins specifically to that type.
476#
477# This example will create a type that will log to just tcpdump.
478# ruletype suspicious
479# {
480# type log
481# output log_tcpdump: suspicious.log
482# }
483#
484# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
485# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
486#
487# This example will create a rule type that will log to syslog
488# and a mysql database.
489# ruletype redalert
490# {
491# type alert
492# output alert_syslog: LOG_AUTH LOG_ALERT
493# output database: log, mysql, user=snort dbname=snort host=localhost
494# }
495#
496# EXAMPLE RULE FOR REDALERT RULETYPE
497# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
498# flags:A+;)
499
500#
501# Include classification & priority settings
502#
503
504include classification.config
505
506#
507# Include reference systems
508#
509
510include reference.config
511
512####################################################################
513# Step #4: Customize your rule set
514#
515# Up to date snort rules are available at http://www.snort.org
516#
517# The snort web site has documentation about how to write your own
518# custom snort rules.
519#
520# The rules included with this distribution generate alerts based on
521# suspicious activity. Depending on your network environment, your
522# security policies, and what you consider to be suspicious, some of
523# these rules may either generate false positives or may be detecting
524# activity you consider to be acceptable; therefore, you are
525# encouraged to comment out rules that are not applicable in your
526# environment.
527#
528# Note that using all of the rules at the same time may lead to
529# serious packet loss on slower machines. YMMV, use with caution,
530# standard disclaimers apply. :)
531#
532# The following individuals contributed many of rules in this
533# distribution.
534#
535# Credits:
536# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
537# Max Vision <vision@whitehats.com>
538# Martin Markgraf <martin@mail.du.gtn.com>
539# Fyodor Yarochkin <fygrave@tigerteam.net>
540# Nick Rogness <nick@rapidnet.com>
541# Jim Forster <jforster@rapidnet.com>
542# Scott McIntyre <scott@whoi.edu>
543# Tom Vandepoel <Tom.Vandepoel@ubizen.com>
544# Brian Caswell <bmc@snort.org>
545# Zeno <admin@cgisecurity.com>
546# Ryan Russell <ryan@securityfocus.com>
547#
548#=========================================
549# Include all relevant rulesets here
550#
551# shellcode, policy, info, backdoor, and virus rulesets are
552# disabled by default. These require tuning and maintenance.
553# Please read the specific included file for more information.
554#=========================================
555
556include $RULE_PATH/bad-traffic.rules
557include $RULE_PATH/exploit.rules
558include $RULE_PATH/scan.rules
559include $RULE_PATH/finger.rules
560include $RULE_PATH/ftp.rules
561include $RULE_PATH/telnet.rules
562include $RULE_PATH/rpc.rules
563include $RULE_PATH/rservices.rules
564include $RULE_PATH/dos.rules
565include $RULE_PATH/ddos.rules
566include $RULE_PATH/dns.rules
567include $RULE_PATH/tftp.rules
568
569include $RULE_PATH/web-cgi.rules
570include $RULE_PATH/web-coldfusion.rules
571include $RULE_PATH/web-iis.rules
572include $RULE_PATH/web-frontpage.rules
573include $RULE_PATH/web-misc.rules
574include $RULE_PATH/web-client.rules
575include $RULE_PATH/web-php.rules
576
577include $RULE_PATH/sql.rules
578include $RULE_PATH/x11.rules
579include $RULE_PATH/icmp.rules
580include $RULE_PATH/netbios.rules
581include $RULE_PATH/misc.rules
582include $RULE_PATH/attack-responses.rules
583include $RULE_PATH/oracle.rules
584include $RULE_PATH/mysql.rules
585include $RULE_PATH/snmp.rules
586
587include $RULE_PATH/smtp.rules
588include $RULE_PATH/imap.rules
589include $RULE_PATH/pop2.rules
590include $RULE_PATH/pop3.rules
591
592include $RULE_PATH/nntp.rules
593include $RULE_PATH/other-ids.rules
594include $RULE_PATH/web-attacks.rules
595include $RULE_PATH/backdoor.rules
596include $RULE_PATH/shellcode.rules
597include $RULE_PATH/policy.rules
598include $RULE_PATH/porn.rules
599include $RULE_PATH/info.rules
600include $RULE_PATH/icmp-info.rules
601include $RULE_PATH/virus.rules
602include $RULE_PATH/chat.rules
603include $RULE_PATH/multimedia.rules
604include $RULE_PATH/p2p.rules
605include $RULE_PATH/experimental.rules
606include $RULE_PATH/local.rules