1 #--------------------------------------------------
2 # http://www.snort.org Snort 2.1.0 Ruleset
3 # Contact: snort-sigs@lists.sourceforge.net
4 #--------------------------------------------------
7 ###################################################
8 # This file contains a sample snort configuration.
9 # You can take the following steps to create your own custom configuration:
11 # 1) Set the network variables for your network
12 # 2) Configure preprocessors
13 # 3) Configure output plugins
14 # 4) Customize your rule set
16 ###################################################
17 # Step #1: Set the network variables:
19 # You must change the following variables to reflect your local network. The
20 # variable is currently setup for an RFC 1918 address space.
22 # You can specify it explicitly as:
24 # var HOME_NET 10.1.1.0/24
26 # or use global variable $<interfacename>_ADDRESS which will be always
27 # initialized to IP address and netmask of the network interface which you run
28 # snort at. Under Windows, this must be specified as
29 # $(<interfacename>_ADDRESS), such as:
30 # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
32 # var HOME_NET $eth0_ADDRESS
34 # You can specify lists of IP addresses for HOME_NET
35 # by separating the IPs with commas like this:
37 # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
39 # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
41 # or you can specify the variable to be any IP address
46 # Set up the external network addresses as well. A good start may be "any"
49 # Configure your server lists. This allows snort to only look for attacks to
50 # systems that have a service up. Why look for HTTP attacks if you are not
51 # running a web server? This allows quick filtering based on IP addresses
52 # These configurations MUST follow the same configuration scheme as defined
53 # above for $HOME_NET.
55 # List of DNS servers on your network
56 var DNS_SERVERS $HOME_NET
58 # List of SMTP servers on your network
59 var SMTP_SERVERS $HOME_NET
61 # List of web servers on your network
62 var HTTP_SERVERS $HOME_NET
64 # List of sql servers on your network
65 var SQL_SERVERS $HOME_NET
67 # List of telnet servers on your network
68 var TELNET_SERVERS $HOME_NET
70 # List of snmp servers on your network
71 var SNMP_SERVERS $HOME_NET
73 # Configure your service ports. This allows snort to look for attacks destined
74 # to a specific application only on the ports that application runs on. For
75 # example, if you run a web server on port 8081, set your HTTP_PORTS variable
80 # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
81 # We will adding support for a real list of ports in the future.
83 # Ports you run web servers on
85 # Please note: [80,8080] does not work.
86 # If you wish to define multiple HTTP ports,
89 ## include somefile.rules
90 ## var HTTP_PORTS 8080
91 ## include somefile.rules
94 # Ports you want to look for SHELLCODE on.
95 var SHELLCODE_PORTS !80
97 # Ports you do oracle attacks on
102 # AIM servers. AOL has a habit of adding new AIM servers, so instead of
103 # modifying the signatures when they do, we add them to this list of servers.
104 var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
106 # Path to your rules files (this can be a relative path)
107 var RULE_PATH /etc/snort/rules
109 # Configure the snort decoder
110 # ============================
112 # Snort's decoder will alert on lots of things such as header
113 # truncation or options of unusual length or infrequently used tcp options
116 # Stop generic decode events:
118 # config disable_decode_alerts
120 # Stop Alerts on experimental TCP options
122 # config disable_tcpopt_experimental_alerts
124 # Stop Alerts on obsolete TCP options
126 # config disable_tcpopt_obsolete_alerts
128 # Stop Alerts on T/TCP alerts
130 # In snort 2.0.1 and above, this only alerts when the a TCP option is detected
131 # that shows T/TCP being actively used on the network. If this is normal
132 # behavior for your network, disable the next option.
134 # config disable_tcpopt_ttcp_alerts
136 # Stop Alerts on all other TCPOption type events:
138 # config disable_tcpopt_alerts
140 # Stop Alerts on invalid ip options
142 # config disable_ipopt_alerts
144 # Configure the detection engine
145 # ===============================
147 # Use a different pattern matcher in case you have a machine with very limited
150 # config detection: search-method lowmem
152 ###################################################
153 # Step #2: Configure preprocessors
155 # General configuration for preprocessors is of
157 # preprocessor <name_of_processor>: <configuration_options>
159 # Configure Flow tracking module
160 # -------------------------------
162 # The Flow tracking module is meant to start unifying the state keeping
163 # mechanisms of snort into a single place. Right now, only a portscan detector
164 # is implemented but in the long term, many of the stateful subsystems of
165 # snort will be migrated over to becoming flow plugins. This must be enabled
166 # for flow-portscan to work correctly.
168 # See README.flow for additional information
170 # preprocessor flow: stats_interval 0 hash 2
172 # frag2: IP defragmentation support
173 # -------------------------------
174 # This preprocessor performs IP defragmentation. This plugin will also detect
175 # people launching fragmentation attacks (usually DoS) against hosts. No
176 # arguments loads the default configuration of the preprocessor, which is a 60
177 # second timeout and a 4MB fragment buffer.
179 # The following (comma delimited) options are available for frag2
180 # timeout [seconds] - sets the number of [seconds] than an unfinished
181 # fragment will be kept around waiting for completion,
182 # if this time expires the fragment will be flushed
183 # memcap [bytes] - limit frag2 memory usage to [number] bytes
186 # min_ttl [number] - minimum ttl to accept
188 # ttl_limit [number] - difference of ttl to accept without alerting
189 # will cause false positves with router flap
191 # Frag2 uses Generator ID 113 and uses the following SIDS
193 # SID Event description
194 # ----- -------------------
195 # 1 Oversized fragment (reassembled frag > 64k bytes)
196 # 2 Teardrop-type attack
200 # stream4: stateful inspection/stream reassembly for Snort
201 #----------------------------------------------------------------------
202 # Use in concert with the -z [all|est] command line switch to defeat stick/snot
203 # against TCP rules. Also performs full TCP stream reassembly, stateful
204 # inspection of TCP streams, etc. Can statefully detect various portscan
205 # types, fingerprinting, ECN, etc.
207 # stateful inspection directive
208 # no arguments loads the defaults (timeout 30, memcap 8388608)
209 # options (options are comma delimited):
210 # detect_scans - stream4 will detect stealth portscans and generate alerts
211 # when it sees them when this option is set
212 # detect_state_problems - detect TCP state problems, this tends to be very
213 # noisy because there are a lot of crappy ip stack
214 # implementations out there
216 # disable_evasion_alerts - turn off the possibly noisy mitigation of
217 # overlapping sequences.
220 # min_ttl [number] - set a minium ttl that snort will accept to
223 # ttl_limit [number] - differential of the initial ttl on a session versus
224 # the normal that someone may be playing games.
225 # Routing flap may cause lots of false positives.
227 # keepstats [machine|binary] - keep session statistics, add "machine" to
228 # get them in a flat format for machine reading, add
229 # "binary" to get them in a unified binary output
231 # noinspect - turn off stateful inspection only
232 # timeout [number] - set the session timeout counter to [number] seconds,
233 # default is 30 seconds
234 # memcap [number] - limit stream4 memory usage to [number] bytes
235 # log_flushed_streams - if an event is detected on a stream this option will
236 # cause all packets that are stored in the stream4
237 # packet buffers to be flushed to disk. This only
238 # works when logging in pcap mode!
240 # Stream4 uses Generator ID 111 and uses the following SIDS
242 # SID Event description
243 # ----- -------------------
245 # 2 Evasive RST packet
246 # 3 Evasive TCP packet retransmission
247 # 4 TCP Window violation
248 # 5 Data on SYN packet
249 # 6 Stealth scan: full XMAS
250 # 7 Stealth scan: SYN-ACK-PSH-URG
251 # 8 Stealth scan: FIN scan
252 # 9 Stealth scan: NULL scan
253 # 10 Stealth scan: NMAP XMAS scan
254 # 11 Stealth scan: Vecna scan
255 # 12 Stealth scan: NMAP fingerprint scan stateful detect
256 # 13 Stealth scan: SYN-FIN scan
257 # 14 TCP forward overlap
259 preprocessor stream4: disable_evasion_alerts
261 # tcp stream reassembly directive
262 # no arguments loads the default configuration
263 # Only reassemble the client,
264 # Only reassemble the default list of ports (See below),
265 # Give alerts for "bad" streams
267 # Available options (comma delimited):
268 # clientonly - reassemble traffic for the client side of a connection only
269 # serveronly - reassemble traffic for the server side of a connection only
270 # both - reassemble both sides of a session
271 # noalerts - turn off alerts from the stream reassembly stage of stream4
272 # ports [list] - use the space separated list of ports in [list], "all"
273 # will turn on reassembly for all ports, "default" will turn
274 # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
277 preprocessor stream4_reassemble
279 # http_inspect: normalize and detect HTTP traffic and protocol anomalies
281 # lots of options available here. See doc/README.http_inspect.
282 # unicode.map should be wherever your snort.conf lives, or given
283 # a full path to where snort can find it.
284 preprocessor http_inspect: global \
285 iis_unicode_map unicode.map 1252
287 preprocessor http_inspect_server: server default \
291 # Example unqiue server configuration
293 #preprocessor http_inspect_server: server 1.1.1.1 \
294 # ports { 80 3128 8080 } \
297 # double_decode yes \
298 # non_rfc_char { 0x00 } \
299 # chunk_length 500000 \
304 # rpc_decode: normalize RPC traffic
305 # ---------------------------------
306 # RPC may be sent in alternate encodings besides the usual 4-byte encoding
307 # that is used by default. This plugin takes the port numbers that RPC
308 # services are running on as arguments - it is assumed that the given ports
309 # are actually running this type of service. If not, change the ports or turn
311 # The RPC decode preprocessor uses generator ID 106
313 # arguments: space separated list
314 # alert_fragments - alert on any rpc fragmented TCP data
315 # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
316 # no_alert_large_fragments - don't alert when the fragmented
317 # sizes exceed the current packet size
318 # no_alert_incomplete - don't alert when a single segment
319 # exceeds the current packet size
321 preprocessor rpc_decode: 111 32771
323 # bo: Back Orifice detector
324 # -------------------------
325 # Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
327 # The Back Orifice detector uses Generator ID 105 and uses the
328 # following SIDS for that GID:
329 # SID Event description
330 # ----- -------------------
331 # 1 Back Orifice traffic detected
335 # telnet_decode: Telnet negotiation string normalizer
336 # ---------------------------------------------------
337 # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
338 # traffic. It works in much the same way as the http_decode preprocessor,
339 # searching for traffic that breaks up the normal data stream of a protocol and
340 # replacing it with a normalized representation of that traffic so that the
341 # "content" pattern matching keyword can work without requiring modifications.
342 # This preprocessor requires no arguments.
343 # Portscan uses Generator ID 109 and does not generate any SID currently.
345 preprocessor telnet_decode
347 # Flow-Portscan: detect a variety of portscans
348 # ---------------------------------------
349 # Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to
352 # This module detects portscans based off of flow creation in the flow
353 # preprocessors. The goal is to catch catch one->many hosts and one->many
356 # Flow-Portscan has numerous options available, please read
357 # README.flow-portscan for help configuring this option.
359 # Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
360 # SID Event description
361 # ----- -------------------
362 # 1 flow-portscan: Fixed Scale Scanner Limit Exceeded
363 # 2 flow-portscan: Sliding Scale Scanner Limit Exceeded
364 # 3 flow-portscan: Fixed Scale Talker Limit Exceeded
365 # 4 flow-portscan: Sliding Scale Talker Limit Exceeded
367 # preprocessor flow-portscan: \
368 # talker-sliding-scale-factor 0.50 \
369 # talker-fixed-threshold 30 \
370 # talker-sliding-threshold 30 \
371 # talker-sliding-window 20 \
372 # talker-fixed-window 30 \
373 # scoreboard-rows-talker 30000 \
374 # server-watchnet [10.2.0.0/30] \
375 # server-ignore-limit 200 \
376 # server-rows 65535 \
377 # server-learning-time 14400 \
378 # server-scanner-limit 4 \
379 # scanner-sliding-window 20 \
380 # scanner-sliding-scale-factor 0.50 \
381 # scanner-fixed-threshold 15 \
382 # scanner-sliding-threshold 40 \
383 # scanner-fixed-window 15 \
384 # scoreboard-rows-scanner 30000 \
385 # src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
386 # dst-ignore-net [10.0.0.0/30] \
392 #----------------------------------------
393 # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
394 # unicast ARP requests, and specific ARP mapping monitoring. To make use of
395 # this preprocessor you must specify the IP and hardware address of hosts on
396 # the same layer 2 segment as you. Specify one host IP MAC combo per line.
397 # Also takes a "-unicast" option to turn on unicast ARP request detection.
398 # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
400 # SID Event description
401 # ----- -------------------
402 # 1 Unicast ARP request
403 # 2 Etherframe ARP mismatch (src)
404 # 3 Etherframe ARP mismatch (dst)
405 # 4 ARP cache overwrite attack
407 #preprocessor arpspoof
408 #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
411 # Performance Statistics
412 # ----------------------
413 # Documentation for this is provided in the Snort Manual. You should read it.
414 # It is included in the release distribution as doc/snort_manual.pdf
416 # preprocessor perfmonitor: console flow events time 10
418 ####################################################################
419 # Step #3: Configure output plugins
421 # Uncomment and configure the output plugins you decide to use. General
422 # configuration for output plugins is of the form:
424 # output <name_of_plugin>: <configuration_options>
426 # alert_syslog: log alerts to syslog
427 # ----------------------------------
428 # Use one or more syslog facilities as arguments. Win32 can also optionally
429 # specify a particular hostname/port. Under Win32, the default hostname is
430 # '127.0.0.1', and the default port is 514.
432 # [Unix flavours should use this format...]
433 # output alert_syslog: LOG_AUTH LOG_ALERT
435 # [Win32 can use any of these formats...]
436 # output alert_syslog: LOG_AUTH LOG_ALERT
437 # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
438 # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
440 # log_tcpdump: log packets in binary tcpdump format
441 # -------------------------------------------------
442 # The only argument is the output file name.
444 # output log_tcpdump: tcpdump.log
446 # database: log to a variety of databases
447 # ---------------------------------------
448 # See the README.database file for more information about configuring
449 # and using this plugin.
451 # output database: log, mysql, user=root password=test dbname=db host=localhost
452 # output database: alert, postgresql, user=snort dbname=snort
453 # output database: log, unixodbc, user=snort dbname=snort
454 # output database: log, mssql, dbname=snort user=snort password=test
456 # unified: Snort unified binary format alerting and logging
457 # -------------------------------------------------------------
458 # The unified output plugin provides two new formats for logging and generating
459 # alerts from Snort, the "unified" format. The unified format is a straight
460 # binary format for logging data out of Snort that is designed to be fast and
461 # efficient. Used with barnyard (the new alert/log processor), most of the
462 # overhead for logging and alerting to various slow storage mechanisms such as
463 # databases or the network can now be avoided.
465 # Check out the spo_unified.h file for the data formats.
467 # Two arguments are supported.
468 # filename - base filename to write to (current time_t is appended)
469 # limit - maximum size of spool file in MB (default: 128)
471 # output alert_unified: filename snort.alert, limit 128
472 # output log_unified: filename snort.log, limit 128
474 # You can optionally define new rule types and associate one or more output
475 # plugins specifically to that type.
477 # This example will create a type that will log to just tcpdump.
478 # ruletype suspicious
481 # output log_tcpdump: suspicious.log
484 # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
485 # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
487 # This example will create a rule type that will log to syslog and a mysql
492 # output alert_syslog: LOG_AUTH LOG_ALERT
493 # output database: log, mysql, user=snort dbname=snort host=localhost
496 # EXAMPLE RULE FOR REDALERT RULETYPE:
497 # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
498 # (msg:"Someone is being LEET"; flags:A+;)
501 # Include classification & priority settings
504 include classification.config
507 # Include reference systems
510 include reference.config
512 ####################################################################
513 # Step #4: Customize your rule set
515 # Up to date snort rules are available at http://www.snort.org
517 # The snort web site has documentation about how to write your own custom snort
520 # The rules included with this distribution generate alerts based on on
521 # suspicious activity. Depending on your network environment, your security
522 # policies, and what you consider to be suspicious, some of these rules may
523 # either generate false positives ore may be detecting activity you consider to
524 # be acceptable; therefore, you are encouraged to comment out rules that are
525 # not applicable in your environment.
527 # The following individuals contributed many of rules in this distribution.
530 # Ron Gula <rgula@securitywizards.com> of Network Security Wizards
531 # Max Vision <vision@whitehats.com>
532 # Martin Markgraf <martin@mail.du.gtn.com>
533 # Fyodor Yarochkin <fygrave@tigerteam.net>
534 # Nick Rogness <nick@rapidnet.com>
535 # Jim Forster <jforster@rapidnet.com>
536 # Scott McIntyre <scott@whoi.edu>
537 # Tom Vandepoel <Tom.Vandepoel@ubizen.com>
538 # Brian Caswell <bmc@snort.org>
539 # Zeno <admin@cgisecurity.com>
540 # Ryan Russell <ryan@securityfocus.com>
544 #=========================================
545 # Include all relevant rulesets here
547 # The following rulesets are disabled by default:
549 # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
550 # chat, multimedia, and p2p
552 # These rules are either site policy specific or require tuning in order to not
553 # generate false positive alerts in most enviornments.
555 # Please read the specific include file for more information and
556 # README.alert_order for how rule ordering affects how alerts are triggered.
557 #=========================================
559 include $RULE_PATH/local.rules
560 include $RULE_PATH/bad-traffic.rules
561 include $RULE_PATH/exploit.rules
562 include $RULE_PATH/scan.rules
563 include $RULE_PATH/finger.rules
564 include $RULE_PATH/ftp.rules
565 include $RULE_PATH/telnet.rules
566 include $RULE_PATH/rpc.rules
567 include $RULE_PATH/rservices.rules
568 include $RULE_PATH/dos.rules
569 include $RULE_PATH/ddos.rules
570 include $RULE_PATH/dns.rules
571 include $RULE_PATH/tftp.rules
573 include $RULE_PATH/web-cgi.rules
574 include $RULE_PATH/web-coldfusion.rules
575 include $RULE_PATH/web-iis.rules
576 include $RULE_PATH/web-frontpage.rules
577 include $RULE_PATH/web-misc.rules
578 include $RULE_PATH/web-client.rules
579 include $RULE_PATH/web-php.rules
581 include $RULE_PATH/sql.rules
582 include $RULE_PATH/x11.rules
583 include $RULE_PATH/icmp.rules
584 include $RULE_PATH/netbios.rules
585 include $RULE_PATH/misc.rules
586 include $RULE_PATH/attack-responses.rules
587 include $RULE_PATH/oracle.rules
588 include $RULE_PATH/mysql.rules
589 include $RULE_PATH/snmp.rules
591 include $RULE_PATH/smtp.rules
592 include $RULE_PATH/imap.rules
593 include $RULE_PATH/pop2.rules
594 include $RULE_PATH/pop3.rules
596 include $RULE_PATH/nntp.rules
597 include $RULE_PATH/other-ids.rules
598 # include $RULE_PATH/web-attacks.rules
599 # include $RULE_PATH/backdoor.rules
600 # include $RULE_PATH/shellcode.rules
601 # include $RULE_PATH/policy.rules
602 # include $RULE_PATH/porn.rules
603 # include $RULE_PATH/info.rules
604 # include $RULE_PATH/icmp-info.rules
605 # include $RULE_PATH/virus.rules
606 # include $RULE_PATH/chat.rules
607 # include $RULE_PATH/multimedia.rules
608 # include $RULE_PATH/p2p.rules
609 include $RULE_PATH/experimental.rules
611 # Include any thresholding or suppression commands
612 #include threshold.conf