--- /dev/null
+# PLD snort.cond
+#
+#--------------------------------------------------
+# http://www.snort.org Snort 2.0.0 Ruleset
+# Contact: snort-sigs@lists.sourceforge.net
+#--------------------------------------------------
+# $Id$
+#
+###################################################
+# This file contains a sample snort configuration.
+# You can take the following steps to create your
+# own custom configuration:
+#
+# 1) Set the network variables for your network
+# 2) Configure preprocessors
+# 3) Configure output plugins
+# 4) Customize your rule set
+#
+###################################################
+# Step #1: Set the network variables:
+#
+# You must change the following variables to reflect
+# your local network. The variable is currently
+# setup for an RFC 1918 address space.
+#
+# You can specify it explicitly as:
+#
+# var HOME_NET 10.1.1.0/24
+#
+# or use global variable $<interfacename>_ADDRESS
+# which will be always initialized to IP address and
+# netmask of the network interface which you run
+# snort at. Under Windows, this must be specified
+# as $(<interfacename>_ADDRESS), such as:
+# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
+#
+# var HOME_NET $eth0_ADDRESS
+#
+# You can specify lists of IP addresses for HOME_NET
+# by separating the IPs with commas like this:
+#
+# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
+#
+# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
+#
+# or you can specify the variable to be any IP address
+# like this:
+
+var HOME_NET any
+
+# Set up the external network addresses as well.
+# A good start may be "any"
+
+var EXTERNAL_NET any
+
+# Configure your server lists. This allows snort to only look for attacks
+# to systems that have a service up. Why look for HTTP attacks if you are
+# not running a web server? This allows quick filtering based on IP addresses
+# These configurations MUST follow the same configuration scheme as defined
+# above for $HOME_NET.
+
+# List of DNS servers on your network
+var DNS_SERVERS $HOME_NET
+
+# List of SMTP servers on your network
+var SMTP_SERVERS $HOME_NET
+
+# List of web servers on your network
+var HTTP_SERVERS $HOME_NET
+
+# List of sql servers on your network
+var SQL_SERVERS $HOME_NET
+
+# List of telnet servers on your network
+var TELNET_SERVERS $HOME_NET
+
+# Configure your service ports. This allows snort to look for attacks
+# destined to a specific application only on the ports that application
+# runs on. For example, if you run a web server on port 8081, set your
+# HTTP_PORTS variable like this:
+#
+# var HTTP_PORTS 8081
+#
+# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
+# We will adding support for a real list of ports in the future.
+
+# Ports you run web servers on
+var HTTP_PORTS 80
+
+# Ports you want to look for SHELLCODE on.
+var SHELLCODE_PORTS !80
+
+# Ports you do oracle attacks on
+var ORACLE_PORTS 1521
+
+# other variables
+#
+# AIM servers. AOL has a habit of adding new AIM servers, so instead of
+# modifying the signatures when they do, we add them to this list of
+# servers.
+var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
+
+# Path to your rules files (this can be a relative path)
+var RULE_PATH /etc/snort/rules
+
+# Configure the snort decoder:
+# ============================
+#
+# Stop generic decode events:
+#
+# config disable_decode_alerts
+#
+# Stop Alerts on experimental TCP options
+#
+# config disable_tcpopt_experimental_alerts
+#
+# Stop Alerts on obsolete TCP options
+#
+# config disable_tcpopt_obsolete_alerts
+#
+# Stop Alerts on T/TCP alerts
+#
+# config disable_ttcp_alerts
+#
+# Stop Alerts on all other TCPOption type events:
+#
+# config disable_tcpopt_alerts
+#
+# Stop Alerts on invalid ip options
+#
+# config disable_ipopt_alerts
+
+
+# Configure the detection engine
+# ===============================
+#
+# Use a different pattern matcher in case you have a machine with very
+# limited resources:
+#
+# config detection: search-method lowmem
+
+
+###################################################
+# Step #2: Configure preprocessors
+#
+# General configuration for preprocessors is of
+# the form
+# preprocessor <name_of_processor>: <configuration_options>
+
+# frag2: IP defragmentation support
+# -------------------------------
+# This preprocessor performs IP defragmentation. This plugin will also detect
+# people launching fragmentation attacks (usually DoS) against hosts. No
+# arguments loads the default configuration of the preprocessor, which is a
+# 60 second timeout and a 4MB fragment buffer.
+
+# The following (comma delimited) options are available for frag2
+# timeout [seconds] - sets the number of [seconds] than an unfinished
+# fragment will be kept around waiting for completion,
+# if this time expires the fragment will be flushed
+# memcap [bytes] - limit frag2 memory usage to [number] bytes
+# (default: 4194304)
+#
+# min_ttl [number] - minimum ttl to accept
+#
+# ttl_limit [number] - difference of ttl to accept without alerting
+# will cause false positves with router flap
+#
+# Frag2 uses Generator ID 113 and uses the following SIDS
+# for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Oversized fragment (reassembled frag > 64k bytes)
+# 2 Teardrop-type attack
+
+preprocessor frag2
+
+# stream4: stateful inspection/stream reassembly for Snort
+#----------------------------------------------------------------------
+# Use in concert with the -z [all|est] command line switch to defeat
+# stick/snot against TCP rules. Also performs full TCP stream
+# reassembly, stateful inspection of TCP streams, etc. Can statefully
+# detect various portscan types, fingerprinting, ECN, etc.
+
+# stateful inspection directive
+# no arguments loads the defaults (timeout 30, memcap 8388608)
+# options (options are comma delimited):
+# detect_scans - stream4 will detect stealth portscans and generate alerts
+# when it sees them when this option is set
+# detect_state_problems - detect TCP state problems, this tends to be very
+# noisy because there are a lot of crappy ip stack
+# implementations out there
+#
+# disable_evasion_alerts - turn off the possibly noisy mitigation of
+# overlapping sequences.
+#
+#
+# min_ttl [number] - set a minium ttl that snort will accept to
+# stream reassembly
+#
+# ttl_limit [number] - differential of the initial ttl on a session versus
+# the normal that someone may be playing games.
+# Routing flap may cause lots of false positives.
+#
+# keepstats [machine|binary] - keep session statistics, add "machine" to
+# get them in a flat format for machine reading, add
+# "binary" to get them in a unified binary output
+# format
+# noinspect - turn off stateful inspection only
+# timeout [number] - set the session timeout counter to [number] seconds,
+# default is 30 seconds
+# memcap [number] - limit stream4 memory usage to [number] bytes
+# log_flushed_streams - if an event is detected on a stream this option will
+# cause all packets that are stored in the stream4
+# packet buffers to be flushed to disk. This only
+# works when logging in pcap mode!
+#
+# Stream4 uses Generator ID 111 and uses the following SIDS
+# for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Stealth activity
+# 2 Evasive RST packet
+# 3 Evasive TCP packet retransmission
+# 4 TCP Window violation
+# 5 Data on SYN packet
+# 6 Stealth scan: full XMAS
+# 7 Stealth scan: SYN-ACK-PSH-URG
+# 8 Stealth scan: FIN scan
+# 9 Stealth scan: NULL scan
+# 10 Stealth scan: NMAP XMAS scan
+# 11 Stealth scan: Vecna scan
+# 12 Stealth scan: NMAP fingerprint scan stateful detect
+# 13 Stealth scan: SYN-FIN scan
+# 14 TCP forward overlap
+
+preprocessor stream4: detect_scans, disable_evasion_alerts
+
+# tcp stream reassembly directive
+# no arguments loads the default configuration
+# Only reassemble the client,
+# Only reassemble the default list of ports (See below),
+# Give alerts for "bad" streams
+#
+# Available options (comma delimited):
+# clientonly - reassemble traffic for the client side of a connection only
+# serveronly - reassemble traffic for the server side of a connection only
+# both - reassemble both sides of a session
+# noalerts - turn off alerts from the stream reassembly stage of stream4
+# ports [list] - use the space separated list of ports in [list], "all"
+# will turn on reassembly for all ports, "default" will turn
+# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
+# and 513
+
+preprocessor stream4_reassemble
+
+# http_decode: normalize HTTP requests
+# ------------------------------------
+# http_decode normalizes HTTP requests from remote
+# machines by converting any %XX character
+# substitutions to their ASCII equivalent. This is
+# very useful for doing things like defeating hostile
+# attackers trying to stealth themselves from IDSs by
+# mixing these substitutions in with the request.
+# Specify the port numbers you want it to analyze as arguments.
+#
+# Major code cleanups thanks to rfp
+#
+# unicode - normalize unicode
+# iis_alt_unicode - %u encoding from iis
+# double_encode - alert on possible double encodings
+# iis_flip_slash - normalize \ as /
+# full_whitespace - treat \t as whitespace ( for apache )
+#
+# for that GID:
+# SID Event description
+# ----- -------------------
+# 1 UNICODE attack
+# 2 NULL byte attack
+
+preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
+
+# rpc_decode: normalize RPC traffic
+# ---------------------------------
+# RPC may be sent in alternate encodings besides the usual
+# 4-byte encoding that is used by default. This preprocessor
+# normalized RPC traffic in much the same way as the http_decode
+# preprocessor. This plugin takes the ports numbers that RPC
+# services are running on as arguments.
+# The RPC decode preprocessor uses generator ID 106
+#
+# arguments: space separated list
+# alert_fragments - alert on any rpc fragmented TCP data
+# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
+# no_alert_large_fragments - don't alert when the fragmented
+# sizes exceed the current packet size
+# no_alert_incomplete - don't alert when a single segment
+# exceeds the current packet size
+
+preprocessor rpc_decode: 111 32771
+
+# bo: Back Orifice detector
+# -------------------------
+# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
+#
+# The Back Orifice detector uses Generator ID 105 and uses the
+# following SIDS for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Back Orifice traffic detected
+
+preprocessor bo
+
+# telnet_decode: Telnet negotiation string normalizer
+# ---------------------------------------------------
+# This preprocessor "normalizes" telnet negotiation strings from
+# telnet and ftp traffic. It works in much the same way as the
+# http_decode preprocessor, searching for traffic that breaks up
+# the normal data stream of a protocol and replacing it with
+# a normalized representation of that traffic so that the "content"
+# pattern matching keyword can work without requiring modifications.
+# This preprocessor requires no arguments.
+# Portscan uses Generator ID 109 and does not generate any SID currently.
+
+preprocessor telnet_decode
+
+# Portscan: detect a variety of portscans
+# ---------------------------------------
+# portscan preprocessor by Patrick Mullen <p_mullen@linuxrc.net>
+# This preprocessor detects UDP packets or TCP SYN packets going to
+# four different ports in less than three seconds. "Stealth" TCP
+# packets are always detected, regardless of these settings.
+# Portscan uses Generator ID 100 and uses the following SIDS for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Portscan detect
+# 2 Inter-scan info
+# 3 Portscan End
+
+# preprocessor portscan: $HOME_NET 4 3 portscan.log
+
+# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
+# specific networks or hosts to reduce false alerts. It is typical
+# to see many false alerts from DNS servers so you may want to
+# add your DNS servers here. You can all multiple hosts/networks
+# in a whitespace-delimited list.
+#
+#preprocessor portscan-ignorehosts: 0.0.0.0
+
+# arpspoof
+#----------------------------------------
+# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
+# unicast ARP requests, and specific ARP mapping monitoring. To make use
+# of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you. Specify one host IP MAC combo per line.
+# Also takes a "-unicast" option to turn on unicast ARP request detection.
+# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Unicast ARP request
+# 2 Etherframe ARP mismatch (src)
+# 3 Etherframe ARP mismatch (dst)
+# 4 ARP cache overwrite attack
+
+#preprocessor arpspoof
+#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
+
+# Conversation
+#------------------------------------------
+# This preprocessor tracks conversations for tcp, udp and icmp traffic. It
+# is a prerequisite for running portscan2.
+#
+# allowed_ip_protcols 1 6 17
+# list of allowed ip protcols ( defaults to any )
+#
+# timeout [num]
+# conversation timeout ( defaults to 60 )
+#
+#
+# max_conversations [num]
+# number of conversations to support at once (defaults to 65335)
+#
+#
+# alert_odd_protocols
+# alert on protocols not listed in allowed_ip_protocols
+#
+# preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
+#
+# Portscan2
+#-------------------------------------------
+# Portscan 2, detect portscans in a new and exciting way. You must enable
+# spp_conversation in order to use this preprocessor.
+#
+# Available options:
+# scanners_max [num]
+# targets_max [num]
+# target_limit [num]
+# port_limit [num]
+# timeout [num]
+# log [logdir]
+#
+#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
+
+# Too many false alerts from portscan2? Tone it down with
+# portscan2-ignorehosts!
+#
+# A space delimited list of addresses in CIDR notation to ignore
+#
+# preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24
+#
+
+# Experimental Perf stats
+# -----------------------
+# No docs. Highly subject to change.
+#
+# preprocessor perfmonitor: console flow events time 10
+
+####################################################################
+# Step #3: Configure output plugins
+#
+# Uncomment and configure the output plugins you decide to use.
+# General configuration for output plugins is of the form:
+#
+# output <name_of_plugin>: <configuration_options>
+#
+# alert_syslog: log alerts to syslog
+# ----------------------------------
+# Use one or more syslog facilities as arguments. Win32 can also
+# optionally specify a particular hostname/port. Under Win32, the
+# default hostname is '127.0.0.1', and the default port is 514.
+#
+# [Unix flavours should use this format...]
+# output alert_syslog: LOG_AUTH LOG_ALERT
+#
+# [Win32 can use any of these formats...]
+# output alert_syslog: LOG_AUTH LOG_ALERT
+# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
+# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
+
+# log_tcpdump: log packets in binary tcpdump format
+# -------------------------------------------------
+# The only argument is the output file name.
+#
+# output log_tcpdump: tcpdump.log
+
+# database: log to a variety of databases
+# ---------------------------------------
+# See the README.database file for more information about configuring
+# and using this plugin.
+#
+# output database: log, mysql, user=root password=test dbname=db host=localhost
+# output database: alert, postgresql, user=snort dbname=snort
+# output database: log, unixodbc, user=snort dbname=snort
+# output database: log, mssql, dbname=snort user=snort password=test
+
+# unified: Snort unified binary format alerting and logging
+# -------------------------------------------------------------
+# The unified output plugin provides two new formats for logging
+# and generating alerts from Snort, the "unified" format. The
+# unified format is a straight binary format for logging data
+# out of Snort that is designed to be fast and efficient. Used
+# with barnyard (the new alert/log processor), most of the overhead
+# for logging and alerting to various slow storage mechanisms
+# such as databases or the network can now be avoided.
+#
+# Check out the spo_unified.h file for the data formats.
+#
+# Two arguments are supported.
+# filename - base filename to write to (current time_t is appended)
+# limit - maximum size of spool file in MB (default: 128)
+#
+# output alert_unified: filename snort.alert, limit 128
+# output log_unified: filename snort.log, limit 128
+
+# You can optionally define new rule types and associate one or
+# more output plugins specifically to that type.
+#
+# This example will create a type that will log to just tcpdump.
+# ruletype suspicious
+# {
+# type log
+# output log_tcpdump: suspicious.log
+# }
+#
+# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
+# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
+#
+# This example will create a rule type that will log to syslog
+# and a mysql database.
+# ruletype redalert
+# {
+# type alert
+# output alert_syslog: LOG_AUTH LOG_ALERT
+# output database: log, mysql, user=snort dbname=snort host=localhost
+# }
+#
+# EXAMPLE RULE FOR REDALERT RULETYPE
+# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
+# flags:A+;)
+
+#
+# Include classification & priority settings
+#
+
+include classification.config
+
+#
+# Include reference systems
+#
+
+include reference.config
+
+####################################################################
+# Step #4: Customize your rule set
+#
+# Up to date snort rules are available at http://www.snort.org
+#
+# The snort web site has documentation about how to write your own
+# custom snort rules.
+#
+# The rules included with this distribution generate alerts based on
+# on suspicious activity. Depending on your network environment, your
+# security policies, and what you consider to be suspicious, some of
+# these rules may either generate false positives ore may be detecting
+# activity you consider to be acceptable; therefore, you are
+# encouraged to comment out rules that are not applicable in your
+# environment.
+#
+# Note that using all of the rules at the same time may lead to
+# serious packet loss on slower machines. YMMV, use with caution,
+# standard disclaimers apply. :)
+#
+# The following individuals contributed many of rules in this
+# distribution.
+#
+# Credits:
+# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
+# Max Vision <vision@whitehats.com>
+# Martin Markgraf <martin@mail.du.gtn.com>
+# Fyodor Yarochkin <fygrave@tigerteam.net>
+# Nick Rogness <nick@rapidnet.com>
+# Jim Forster <jforster@rapidnet.com>
+# Scott McIntyre <scott@whoi.edu>
+# Tom Vandepoel <Tom.Vandepoel@ubizen.com>
+# Brian Caswell <bmc@snort.org>
+# Zeno <admin@cgisecurity.com>
+# Ryan Russell <ryan@securityfocus.com>
+#
+#=========================================
+# Include all relevant rulesets here
+#
+# shellcode, policy, info, backdoor, and virus rulesets are
+# disabled by default. These require tuning and maintance.
+# Please read the included specific file for more information.
+#=========================================
+
+include $RULE_PATH/bad-traffic.rules
+include $RULE_PATH/exploit.rules
+include $RULE_PATH/scan.rules
+include $RULE_PATH/finger.rules
+include $RULE_PATH/ftp.rules
+include $RULE_PATH/telnet.rules
+include $RULE_PATH/rpc.rules
+include $RULE_PATH/rservices.rules
+include $RULE_PATH/dos.rules
+include $RULE_PATH/ddos.rules
+include $RULE_PATH/dns.rules
+include $RULE_PATH/tftp.rules
+
+include $RULE_PATH/web-cgi.rules
+include $RULE_PATH/web-coldfusion.rules
+include $RULE_PATH/web-iis.rules
+include $RULE_PATH/web-frontpage.rules
+include $RULE_PATH/web-misc.rules
+include $RULE_PATH/web-client.rules
+include $RULE_PATH/web-php.rules
+
+include $RULE_PATH/sql.rules
+include $RULE_PATH/x11.rules
+include $RULE_PATH/icmp.rules
+include $RULE_PATH/netbios.rules
+include $RULE_PATH/misc.rules
+include $RULE_PATH/attack-responses.rules
+include $RULE_PATH/oracle.rules
+include $RULE_PATH/mysql.rules
+include $RULE_PATH/snmp.rules
+
+include $RULE_PATH/smtp.rules
+include $RULE_PATH/imap.rules
+include $RULE_PATH/pop2.rules
+include $RULE_PATH/pop3.rules
+
+include $RULE_PATH/nntp.rules
+include $RULE_PATH/other-ids.rules
+include $RULE_PATH/web-attacks.rules
+include $RULE_PATH/backdoor.rules
+include $RULE_PATH/shellcode.rules
+include $RULE_PATH/policy.rules
+include $RULE_PATH/porn.rules
+include $RULE_PATH/info.rules
+include $RULE_PATH/icmp-info.rules
+include $RULE_PATH/virus.rules
+include $RULE_PATH/chat.rules
+include $RULE_PATH/multimedia.rules
+include $RULE_PATH/p2p.rules
+include $RULE_PATH/experimental.rules
+include $RULE_PATH/local.rules
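Review bot: `HOME_NET` and `EXTERNAL_NET` are both left at `any` (the `var HOME_NET any` / `var EXTERNAL_NET any` lines near the top), so every `$EXTERNAL_NET any -> $HOME_NET` rule matches traffic in both directions, and the `DNS_SERVERS`/`SMTP_SERVERS`/`HTTP_SERVERS`/`SQL_SERVERS`/`TELNET_SERVERS` lists, all defined as `$HOME_NET`, inherit `any` too, so the scoping the comment above them promises ("only look for attacks to systems that have a service up") never takes effect. Since this is a packaged default that will run as shipped, a short note at the head of the network-variable section would save operators from a silently over-broad deployment, e.g. `# PACKAGING NOTE: HOME_NET and EXTERNAL_NET default to "any"; set HOME_NET to your own address space (constructed example: [10.0.0.0/8]) and EXTERNAL_NET to match before relying on direction- or server-scoped rules.` Related, `preprocessor http_decode: 80 unicode ...` hard-codes port 80 instead of referring to `$HTTP_PORTS`, so an operator who follows the instructions and changes `var HTTP_PORTS` still gets no HTTP normalization on the new port; if variable expansion applies to preprocessor lines in this Snort release, `preprocessor http_decode: $HTTP_PORTS unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace` keeps the two in step. The arpspoof comment block also has one line where a wrapped comment lost its newline (`... hosts on # the same layer 2 segment ...`), which reads as a paste glitch rather than intent.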