#--------------------------------------------------
# http://www.snort.org Snort 2.0.0 Ruleset
# Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------

###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your
# own custom configuration:
#
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently
# set up for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use the global variable $<interfacename>_ADDRESS,
# which will always be initialized to the IP address and
# netmask of the network interface on which you run
# snort. Under Windows, this must be specified
# as $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
#
# Set up the external network addresses as well.
# A good start may be "any"
#
# Configure your server lists. This allows snort to only look for attacks
# to systems that have a service up. Why look for HTTP attacks if you are
# not running a web server? This allows quick filtering based on IP addresses.
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.
#
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# Configure your service ports. This allows snort to look for attacks
# destined to a specific application only on the ports that application
# runs on. For example, if you run a web server on port 8081, set your
# HTTP_PORTS variable like this:
#
# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
# We will be adding support for a real list of ports in the future.
#
# Ports you run web servers on
#
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
#
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
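The variable grammar described in Step #1 (no spaces inside a bracketed list, `$VAR` references, interface `_ADDRESS` names, and port variables that are either a single port or a continuous `low:high` range, optionally negated with `!`) is easy to get wrong by hand, and snort only tells you at start-up. The following validator is an added example, not part of the shipped snort.conf or of the Snort project; the `SAMPLE_CONF` text is constructed for the demo and the `BROKEN_*`/`ORPHAN` lines are deliberately wrong so that the checks have something to report. The `_PORTS` and `_PATH` name suffixes used to pick a check are an assumption of this example, following the naming convention of the file above.

```python
"""Validator for the Snort 2.0 'var' declarations described in Step #1 above.

Added example; it is not part of the shipped snort.conf. It enforces what the
comments state: an address variable is "any", another $VAR, a single
address/CIDR, or a comma separated [list] with no spaces; a *_PORTS variable
is one port or a continuous range such as 80:8080, optionally negated with
"!"; $<interface>_ADDRESS names are supplied by snort itself at start-up.
"""
import ipaddress
import re

# Constructed sample in the style of the file above (the BROKEN_*/ORPHAN
# lines are deliberately wrong so the checks have something to report).
SAMPLE_CONF = """\
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80:8080
var SHELLCODE_PORTS !80
var RULE_PATH /etc/snort/rules
var BROKEN_NET [10.1.1.0/24, 192.168.1.0/24]
var BROKEN_PORTS 80,8080
var ORPHAN $NOT_DEFINED
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S.*?)\s*$")
PORT_RE = re.compile(r"^!?(\d{1,5})(?::(\d{1,5}))?$")


def parse_vars(text):
    """Map NAME -> raw value for every 'var NAME value' line (comments ignored)."""
    found = {}
    for line in text.splitlines():
        m = VAR_RE.match(line.split("#", 1)[0])
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_ip_value(value, known):
    """Problems with an address variable value; an empty list means it is fine."""
    if value == "any":
        return []
    if value.startswith("$"):
        ref = value[1:].strip("()")          # $(name) is the Windows spelling
        if ref in known or ref.endswith("_ADDRESS"):
            return []
        return [f"reference to undefined variable {value}"]
    problems = []
    if " " in value:
        problems.append("spaces are not allowed inside an address list")
    if value.startswith("[") and value.endswith("]"):
        items = value[1:-1].split(",")
    else:
        items = [value]
    for item in items:
        item = item.strip().lstrip("!")       # a leading '!' negates an entry
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append(f"bad address or network {item!r}")
    return problems


def check_port_value(value):
    """Problems with a port variable value: one port or a low:high range."""
    m = PORT_RE.match(value)
    if not m:
        return [f"port spec {value!r} must be a single port or a range like 80:8080"]
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if high > 65535:
        return [f"port out of range in {value!r}"]
    if low > high:
        return [f"range {value!r} runs backwards"]
    return []


def validate(text):
    """Return {name: [problem, ...]} for every variable that fails its check."""
    variables = parse_vars(text)
    problems = {}
    for name, value in variables.items():
        if name.endswith("_PATH"):
            continue                          # file system paths are not checked here
        if name.endswith("_PORTS"):
            found = check_port_value(value)
        else:
            found = check_ip_value(value, variables)
        if found:
            problems[name] = found
    return problems


if __name__ == "__main__":
    for name, found in validate(SAMPLE_CONF).items():
        print(f"{name}: {'; '.join(found)}")
```

Run it against a real snort.conf by reading the file into `validate()`; a clean file returns an empty dict. The order of declarations matters for the `$VAR` check only in that every referenced name must be defined somewhere in the file, which is the case in the configuration above.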
# Configure the snort decoder:
# ============================
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# config disable_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very
#
# config detection: search-method lowmem
#

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of the form:
#
# preprocessor <name_of_processor>: <configuration_options>
#
# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation. This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts. No
# arguments loads the default configuration of the preprocessor, which is a
# 60 second timeout and a 4MB fragment buffer.
#
# The following (comma delimited) options are available for frag2
# timeout [seconds] - sets the number of [seconds] that an unfinished
#                     fragment will be kept around waiting for completion;
#                     if this time expires the fragment will be flushed
# memcap [bytes] - limit frag2 memory usage to [bytes] bytes
#
# min_ttl [number] - minimum ttl to accept
#
# ttl_limit [number] - difference of ttl to accept without alerting;
#                      will cause false positives with router flap
#
# Frag2 uses Generator ID 113 and uses the following SIDS
#
# SID     Event description
# -----   -------------------
#   1     Oversized fragment (reassembled frag > 64k bytes)
#   2     Teardrop-type attack
#
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules. Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc. Can statefully
# detect various portscan types, fingerprinting, ECN, etc.
#
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
#                when it sees them when this option is set
# detect_state_problems - detect TCP state problems; this tends to be very
#                         noisy because there are a lot of crappy ip stack
#                         implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
#                          overlapping sequences.
#
# min_ttl [number] - set a minimum ttl that snort will accept to
#
# ttl_limit [number] - differential of the initial ttl on a session versus
#                      later packets; a large difference suggests that
#                      someone may be playing games.
#                      Routing flap may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
#                              get them in a flat format for machine reading, add
#                              "binary" to get them in a unified binary output
#
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
#                    default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
# log_flushed_streams - if an event is detected on a stream this option will
#                       cause all packets that are stored in the stream4
#                       packet buffers to be flushed to disk. This only
#                       works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS
#
# SID     Event description
# -----   -------------------
#   2     Evasive RST packet
#   3     Evasive TCP packet retransmission
#   4     TCP Window violation
#   5     Data on SYN packet
#   6     Stealth scan: full XMAS
#   7     Stealth scan: SYN-ACK-PSH-URG
#   8     Stealth scan: FIN scan
#   9     Stealth scan: NULL scan
#  10     Stealth scan: NMAP XMAS scan
#  11     Stealth scan: Vecna scan
#  12     Stealth scan: NMAP fingerprint scan stateful detect
#  13     Stealth scan: SYN-FIN scan
#  14     TCP forward overlap

preprocessor stream4: detect_scans, disable_evasion_alerts

# tcp stream reassembly directive
# no arguments loads the default configuration
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
#                will turn on reassembly for all ports, "default" will turn
#                on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111

preprocessor stream4_reassemble

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote
# machines by converting any %XX character
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request.
# Specify the port numbers you want it to analyze as arguments.
#
# Major code cleanups thanks to rfp
#
# unicode - normalize unicode
# iis_alt_unicode - %u encoding from iis
# double_encode - alert on possible double encodings
# iis_flip_slash - normalize \ as /
# full_whitespace - treat \t as whitespace ( for apache )
#
# SID     Event description
# -----   -------------------

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default. This preprocessor
# normalizes RPC traffic in much the same way as the http_decode
# preprocessor. This plugin takes the port numbers that RPC
# services are running on as arguments.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
#
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID     Event description
# -----   -------------------
#   1     Back Orifice traffic detected
#
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from
# telnet and ftp traffic. It works in much the same way as the
# http_decode preprocessor, searching for traffic that breaks up
# the normal data stream of a protocol and replacing it with
# a normalized representation of that traffic so that the "content"
# pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# telnet_decode uses Generator ID 109 and does not generate any SID currently.

preprocessor telnet_decode

# Portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen@linuxrc.net>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.
# Portscan uses Generator ID 100 and uses the following SIDS for that GID:
# SID     Event description
# -----   -------------------
#
# preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can list multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: 0.0.0.0

#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring. To make use
# of this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you. Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection.
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
# SID     Event description
# -----   -------------------
#   1     Unicast ARP request
#   2     Etherframe ARP mismatch (src)
#   3     Etherframe ARP mismatch (dst)
#   4     ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

#------------------------------------------
# This preprocessor tracks conversations for tcp, udp and icmp traffic. It
# is a prerequisite for running portscan2.
#
# allowed_ip_protocols 1 6 17
#     list of allowed ip protocols ( defaults to any )
#
#     conversation timeout ( defaults to 60 )
#
# max_conversations [num]
#     number of conversations to support at once (defaults to 65335)
#
# alert_odd_protocols
#     alert on protocols not listed in allowed_ip_protocols
#
# preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000

#-------------------------------------------
# Portscan 2, detect portscans in a new and exciting way. You must enable
# spp_conversation in order to use this preprocessor.
#
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60

# Too many false alerts from portscan2? Tone it down with
# portscan2-ignorehosts!
#
# A space delimited list of addresses in CIDR notation to ignore
#
# preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24

# Experimental Perf stats
# -----------------------
# No docs. Highly subject to change.
#
# preprocessor perfmonitor: console flow events time 10
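The preprocessor section above mixes two argument grammars (comma delimited options with defaults for stream4, stream4_reassemble, conversation and portscan2; space separated ports and flags for http_decode and rpc_decode) and states one ordering constraint, that portscan2 needs spp_conversation. The parser below is an added example, not part of the shipped snort.conf or of the Snort project; it reads the directives the way the comments describe them, fills in the defaults the comments give (stream4 timeout 30 and memcap 8388608, conversation timeout 60 and max_conversations 65335) and reports the unmet prerequisite. The `SAMPLE_CONF` text is constructed for the demo, with `conversation` commented out on purpose; the set of preprocessors treated as comma delimited is an assumption of this example based on the comments above.

```python
"""Parser for the Snort 2.0 'preprocessor' directives described in Step #2.

Added example; it is not part of the shipped snort.conf. The grammars and
defaults are taken from the comments above: stream4, stream4_reassemble,
conversation and portscan2 take comma delimited options (stream4 defaults to
timeout 30 / memcap 8388608, conversation to timeout 60 / max_conversations
65335); http_decode and rpc_decode take a space separated list of ports and
flags; portscan2 requires the conversation preprocessor to be enabled.
"""
import re

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([\w-]+)\s*(?::\s*(.*?))?\s*$")

COMMA_DELIMITED = {"stream4", "stream4_reassemble", "conversation", "portscan2"}
DEFAULTS = {
    "stream4": {"timeout": 30, "memcap": 8388608},
    "conversation": {"timeout": 60, "max_conversations": 65335},
}
REQUIRES = {"portscan2": "conversation"}

# Constructed sample: conversation is commented out on purpose so that the
# portscan2 prerequisite check has something to report.
SAMPLE_CONF = """\
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports 21 23 80
preprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
# preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
"""


def _coerce(token):
    """Numbers become ints, everything else stays a string."""
    return int(token) if token.isdigit() else token


def parse_options(name, argstr):
    """Turn the argument string into {option: value}; bare flags map to True."""
    options = {}
    if not argstr:
        return options
    if name in COMMA_DELIMITED:
        for chunk in argstr.split(","):
            parts = chunk.split()
            if not parts:
                continue
            key, values = parts[0], [_coerce(v) for v in parts[1:]]
            # "ports 21 23 80" keeps a list, "timeout 60" a scalar, "both" -> True
            options[key] = True if not values else (values[0] if len(values) == 1 else values)
        return options
    # space separated form: numeric tokens are ports, the rest are flags
    options["ports"] = []
    for token in argstr.split():
        if token.isdigit():
            options["ports"].append(int(token))
        else:
            options[token] = True
    return options


def parse_preprocessors(text):
    """List (name, options) for every active (uncommented) preprocessor line."""
    active = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PREPROC_RE.match(line)
        if m:
            active.append((m.group(1), parse_options(m.group(1), m.group(2) or "")))
    return active


def effective_config(text):
    """Merge documented defaults under the given options and check prerequisites.

    Returns (config, problems): config maps each enabled preprocessor to its
    effective option dict, problems lists unmet prerequisites.
    """
    active = parse_preprocessors(text)
    enabled = {name for name, _ in active}
    config = {}
    for name, options in active:
        merged = dict(DEFAULTS.get(name, {}))
        merged.update(options)
        config[name] = merged
    problems = [f"{name} is enabled but requires the {needed} preprocessor"
                for name, needed in REQUIRES.items()
                if name in enabled and needed not in enabled]
    return config, problems


if __name__ == "__main__":
    config, problems = effective_config(SAMPLE_CONF)
    for name, options in config.items():
        print(name, options)
    for problem in problems:
        print("WARNING:", problem)
```

The effective-configuration view is the useful part when tuning: it shows, for instance, that `preprocessor stream4: detect_scans, disable_evasion_alerts` still runs with the 30 second timeout and 8 MB memcap, which is what matters when a busy sensor starts dropping state.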
####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments. Win32 can also
# optionally specify a particular hostname/port. Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format. The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient. Used
# with barnyard (the new alert/log processor), most of the overhead
# for logging and alerting to various slow storage mechanisms
# such as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
#
#   output log_tcpdump: suspicious.log
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog
# and a mysql database.
#
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \

# Include classification & priority settings

include classification.config

# Include reference systems

include reference.config

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own
# custom snort rules.
#
# The rules included with this distribution generate alerts based
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of the rules in this
#
# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
# Max Vision <vision@whitehats.com>
# Martin Markgraf <martin@mail.du.gtn.com>
# Fyodor Yarochkin <fygrave@tigerteam.net>
# Nick Rogness <nick@rapidnet.com>
# Jim Forster <jforster@rapidnet.com>
# Scott McIntyre <scott@whoi.edu>
# Tom Vandepoel <Tom.Vandepoel@ubizen.com>
# Brian Caswell <bmc@snort.org>
# Zeno <admin@cgisecurity.com>
# Ryan Russell <ryan@securityfocus.com>

#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default. These require tuning and maintenance.
# Please read the included specific file for more information.
#=========================================

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
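The comment block above names five rulesets (shellcode, policy, info, backdoor, virus) as disabled by default because they need tuning, and the include list only makes sense once `$RULE_PATH` has been substituted. The following audit is an added example, not part of the shipped snort.conf or of the Snort project: it resolves `$VAR` references in the active `include` lines using the `var` declarations that precede them, reports includes that still contain an unresolved variable or that are listed twice, and flags any of the five tuning-heavy categories that are enabled. The `SAMPLE_CONF` text is constructed for the demo (the duplicate `exploit.rules` and the undefined `$OLD_PATH` are deliberate); treating the file name without its `.rules` suffix as the category name is an assumption of this example.

```python
"""Audit for the 'include' lines in Step #4 above.

Added example; it is not part of the shipped snort.conf. It resolves
$RULE_PATH in each include, reports includes that reference an undefined
variable or appear twice, and flags the rulesets the comment above says are
disabled by default because they need tuning (shellcode, policy, info,
backdoor and virus). The sample configuration is constructed for the demo.
"""
import re
from os.path import basename

NEEDS_TUNING = {"shellcode", "policy", "info", "backdoor", "virus"}

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")

# Constructed sample: exploit.rules is listed twice and $OLD_PATH is never
# defined, so both checks have something to report.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/exploit.rules
include $OLD_PATH/legacy.rules
# include $RULE_PATH/virus.rules
"""


def resolve_includes(text):
    """Return (resolved_paths, unresolved) for the active include lines.

    Variables defined earlier in the file are substituted, longest name
    first; an include that still contains '$' afterwards is unresolved.
    """
    variables, resolved, unresolved = {}, [], []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        v = VAR_RE.match(line)
        if v:
            variables[v.group(1)] = v.group(2)
            continue
        inc = INCLUDE_RE.match(line)
        if not inc:
            continue
        path = inc.group(1)
        for name, value in sorted(variables.items(), key=lambda kv: -len(kv[0])):
            path = path.replace(f"${name}", value)
        (unresolved if "$" in path else resolved).append(path)
    return resolved, unresolved


def audit_includes(text):
    """Summarise the rulesets, duplicates, unresolved includes and tuning-heavy sets."""
    resolved, unresolved = resolve_includes(text)
    seen, duplicates = set(), []
    for path in resolved:
        if path in seen and path not in duplicates:
            duplicates.append(path)
        seen.add(path)
    categories = [basename(p)[:-len(".rules")] for p in resolved if p.endswith(".rules")]
    return {
        "rulesets": categories,
        "duplicates": duplicates,
        "unresolved": unresolved,
        "needs_tuning": [c for c in categories if c in NEEDS_TUNING],
    }


if __name__ == "__main__":
    for key, value in audit_includes(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Pointing `audit_includes()` at the real file is a quick way to confirm, before the sensor is started, that the rulesets the comment warns about are enabled deliberately rather than by accident, and that no include is silently skipped because its variable was never declared.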