From: misi3k Date: Tue, 6 May 2003 07:07:08 +0000 (+0000) Subject: - working version X-Git-Tag: snort_2_0_5_stabel~27 X-Git-Url: http://git.pld-linux.org/?a=commitdiff_plain;h=8cce16e5b78927cc51220b34b5722f3699e85f37;p=packages%2Fsnort.git - working version Changed files: snort.conf -> 1.1
---
diff --git a/snort.conf b/snort.conf
new file mode 100644
index 0000000..531b35f
--- /dev/null
+++ b/snort.conf
@@ -0,0 +1,606 @@
+# PLD snort.cond
+#
+#--------------------------------------------------
+# http://www.snort.org Snort 2.0.0 Ruleset
+# Contact: snort-sigs@lists.sourceforge.net
+#--------------------------------------------------
+# $Id$
+#
+###################################################
+# This file contains a sample snort configuration.
+# You can take the following steps to create your
+# own custom configuration:
+#
+# 1) Set the network variables for your network
+# 2) Configure preprocessors
+# 3) Configure output plugins
+# 4) Customize your rule set
+#
+###################################################
+# Step #1: Set the network variables:
+#
+# You must change the following variables to reflect
+# your local network. The variable is currently
+# setup for an RFC 1918 address space.
+#
+# You can specify it explicitly as:
+#
+# var HOME_NET 10.1.1.0/24
+#
+# or use global variable $_ADDRESS
+# which will be always initialized to IP address and
+# netmask of the network interface which you run
+# snort at. Under Windows, this must be specified
+# as $(_ADDRESS), such as:
+# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
+#
+# var HOME_NET $eth0_ADDRESS
+#
+# You can specify lists of IP addresses for HOME_NET
+# by separating the IPs with commas like this:
+#
+# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
+#
+# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
+#
+# or you can specify the variable to be any IP address
+# like this:
+
+var HOME_NET any
+
+# Set up the external network addresses as well.
+# A good start may be "any"
+
+var EXTERNAL_NET any
+
+# Configure your server lists. This allows snort to only look for attacks
+# to systems that have a service up. Why look for HTTP attacks if you are
+# not running a web server? This allows quick filtering based on IP addresses
+# These configurations MUST follow the same configuration scheme as defined
+# above for $HOME_NET.
+
+# List of DNS servers on your network
+var DNS_SERVERS $HOME_NET
+
+# List of SMTP servers on your network
+var SMTP_SERVERS $HOME_NET
+
+# List of web servers on your network
+var HTTP_SERVERS $HOME_NET
+
+# List of sql servers on your network
+var SQL_SERVERS $HOME_NET
+
+# List of telnet servers on your network
+var TELNET_SERVERS $HOME_NET
+
+# Configure your service ports. This allows snort to look for attacks
+# destined to a specific application only on the ports that application
+# runs on. For example, if you run a web server on port 8081, set your
+# HTTP_PORTS variable like this:
+#
+# var HTTP_PORTS 8081
+#
+# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
+# We will adding support for a real list of ports in the future.
+
+# Ports you run web servers on
+var HTTP_PORTS 80
+
+# Ports you want to look for SHELLCODE on.
+var SHELLCODE_PORTS !80
+
+# Ports you do oracle attacks on
+var ORACLE_PORTS 1521
+
+# other variables
+#
+# AIM servers. AOL has a habit of adding new AIM servers, so instead of
+# modifying the signatures when they do, we add them to this list of
+# servers.
+var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
+
+# Path to your rules files (this can be a relative path)
+var RULE_PATH /etc/snort/rules
+
+# Configure the snort decoder:
+# ============================
+#
+# Stop generic decode events:
+#
+# config disable_decode_alerts
+#
+# Stop Alerts on experimental TCP options
+#
+# config disable_tcpopt_experimental_alerts
+#
+# Stop Alerts on obsolete TCP options
+#
+# config disable_tcpopt_obsolete_alerts
+#
+# Stop Alerts on T/TCP alerts
+#
+# config disable_ttcp_alerts
+#
+# Stop Alerts on all other TCPOption type events:
+#
+# config disable_tcpopt_alerts
+#
+# Stop Alerts on invalid ip options
+#
+# config disable_ipopt_alerts
+
+
+# Configure the detection engine
+# ===============================
+#
+# Use a different pattern matcher in case you have a machine with very
+# limited resources:
+#
+# config detection: search-method lowmem
+
+
+###################################################
+# Step #2: Configure preprocessors
+#
+# General configuration for preprocessors is of
+# the form
+# preprocessor :
+
+# frag2: IP defragmentation support
+# -------------------------------
+# This preprocessor performs IP defragmentation. This plugin will also detect
+# people launching fragmentation attacks (usually DoS) against hosts. No
+# arguments loads the default configuration of the preprocessor, which is a
+# 60 second timeout and a 4MB fragment buffer.
+
+# The following (comma delimited) options are available for frag2
+# timeout [seconds] - sets the number of [seconds] than an unfinished
+# fragment will be kept around waiting for completion,
+# if this time expires the fragment will be flushed
+# memcap [bytes] - limit frag2 memory usage to [number] bytes
+# (default: 4194304)
+#
+# min_ttl [number] - minimum ttl to accept
+#
+# ttl_limit [number] - difference of ttl to accept without alerting
+# will cause false positves with router flap
+#
+# Frag2 uses Generator ID 113 and uses the following SIDS
+# for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Oversized fragment (reassembled frag > 64k bytes)
+# 2 Teardrop-type attack
+
+preprocessor frag2
+
+# stream4: stateful inspection/stream reassembly for Snort
+#----------------------------------------------------------------------
+# Use in concert with the -z [all|est] command line switch to defeat
+# stick/snot against TCP rules. Also performs full TCP stream
+# reassembly, stateful inspection of TCP streams, etc. Can statefully
+# detect various portscan types, fingerprinting, ECN, etc.
+
+# stateful inspection directive
+# no arguments loads the defaults (timeout 30, memcap 8388608)
+# options (options are comma delimited):
+# detect_scans - stream4 will detect stealth portscans and generate alerts
+# when it sees them when this option is set
+# detect_state_problems - detect TCP state problems, this tends to be very
+# noisy because there are a lot of crappy ip stack
+# implementations out there
+#
+# disable_evasion_alerts - turn off the possibly noisy mitigation of
+# overlapping sequences.
+#
+#
+# min_ttl [number] - set a minium ttl that snort will accept to
+# stream reassembly
+#
+# ttl_limit [number] - differential of the initial ttl on a session versus
+# the normal that someone may be playing games.
+# Routing flap may cause lots of false positives.
+#
+# keepstats [machine|binary] - keep session statistics, add "machine" to
+# get them in a flat format for machine reading, add
+# "binary" to get them in a unified binary output
+# format
+# noinspect - turn off stateful inspection only
+# timeout [number] - set the session timeout counter to [number] seconds,
+# default is 30 seconds
+# memcap [number] - limit stream4 memory usage to [number] bytes
+# log_flushed_streams - if an event is detected on a stream this option will
+# cause all packets that are stored in the stream4
+# packet buffers to be flushed to disk. This only
+# works when logging in pcap mode!
+#
+# Stream4 uses Generator ID 111 and uses the following SIDS
+# for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Stealth activity
+# 2 Evasive RST packet
+# 3 Evasive TCP packet retransmission
+# 4 TCP Window violation
+# 5 Data on SYN packet
+# 6 Stealth scan: full XMAS
+# 7 Stealth scan: SYN-ACK-PSH-URG
+# 8 Stealth scan: FIN scan
+# 9 Stealth scan: NULL scan
+# 10 Stealth scan: NMAP XMAS scan
+# 11 Stealth scan: Vecna scan
+# 12 Stealth scan: NMAP fingerprint scan stateful detect
+# 13 Stealth scan: SYN-FIN scan
+# 14 TCP forward overlap
+
+preprocessor stream4: detect_scans, disable_evasion_alerts
+
+# tcp stream reassembly directive
+# no arguments loads the default configuration
+# Only reassemble the client,
+# Only reassemble the default list of ports (See below),
+# Give alerts for "bad" streams
+#
+# Available options (comma delimited):
+# clientonly - reassemble traffic for the client side of a connection only
+# serveronly - reassemble traffic for the server side of a connection only
+# both - reassemble both sides of a session
+# noalerts - turn off alerts from the stream reassembly stage of stream4
+# ports [list] - use the space separated list of ports in [list], "all"
+# will turn on reassembly for all ports, "default" will turn
+# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
+# and 513
+
+preprocessor stream4_reassemble
+
+# http_decode: normalize HTTP requests
+# ------------------------------------
+# http_decode normalizes HTTP requests from remote
+# machines by converting any %XX character
+# substitutions to their ASCII equivalent. This is
+# very useful for doing things like defeating hostile
+# attackers trying to stealth themselves from IDSs by
+# mixing these substitutions in with the request.
+# Specify the port numbers you want it to analyze as arguments.
+#
+# Major code cleanups thanks to rfp
+#
+# unicode - normalize unicode
+# iis_alt_unicode - %u encoding from iis
+# double_encode - alert on possible double encodings
+# iis_flip_slash - normalize \ as /
+# full_whitespace - treat \t as whitespace ( for apache )
+#
+# for that GID:
+# SID Event description
+# ----- -------------------
+# 1 UNICODE attack
+# 2 NULL byte attack
+
+preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
+
+# rpc_decode: normalize RPC traffic
+# ---------------------------------
+# RPC may be sent in alternate encodings besides the usual
+# 4-byte encoding that is used by default. This preprocessor
+# normalized RPC traffic in much the same way as the http_decode
+# preprocessor. This plugin takes the ports numbers that RPC
+# services are running on as arguments.
+# The RPC decode preprocessor uses generator ID 106
+#
+# arguments: space separated list
+# alert_fragments - alert on any rpc fragmented TCP data
+# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
+# no_alert_large_fragments - don't alert when the fragmented
+# sizes exceed the current packet size
+# no_alert_incomplete - don't alert when a single segment
+# exceeds the current packet size
+
+preprocessor rpc_decode: 111 32771
+
+# bo: Back Orifice detector
+# -------------------------
+# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
+#
+# The Back Orifice detector uses Generator ID 105 and uses the
+# following SIDS for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Back Orifice traffic detected
+
+preprocessor bo
+
+# telnet_decode: Telnet negotiation string normalizer
+# ---------------------------------------------------
+# This preprocessor "normalizes" telnet negotiation strings from
+# telnet and ftp traffic. It works in much the same way as the
+# http_decode preprocessor, searching for traffic that breaks up
+# the normal data stream of a protocol and replacing it with
+# a normalized representation of that traffic so that the "content"
+# pattern matching keyword can work without requiring modifications.
+# This preprocessor requires no arguments.
+# Portscan uses Generator ID 109 and does not generate any SID currently.
+
+preprocessor telnet_decode
+
+# Portscan: detect a variety of portscans
+# ---------------------------------------
+# portscan preprocessor by Patrick Mullen
+# This preprocessor detects UDP packets or TCP SYN packets going to
+# four different ports in less than three seconds. "Stealth" TCP
+# packets are always detected, regardless of these settings.
+# Portscan uses Generator ID 100 and uses the following SIDS for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Portscan detect
+# 2 Inter-scan info
+# 3 Portscan End
+
+# preprocessor portscan: $HOME_NET 4 3 portscan.log
+
+# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
+# specific networks or hosts to reduce false alerts. It is typical
+# to see many false alerts from DNS servers so you may want to
+# add your DNS servers here. You can all multiple hosts/networks
+# in a whitespace-delimited list.
+#
+#preprocessor portscan-ignorehosts: 0.0.0.0
+
+# arpspoof
+#----------------------------------------
+# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
+# unicast ARP requests, and specific ARP mapping monitoring.
To make use
+# of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you. Specify one host IP MAC combo per line.
+# Also takes a "-unicast" option to turn on unicast ARP request detection.
+# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
+# SID Event description
+# ----- -------------------
+# 1 Unicast ARP request
+# 2 Etherframe ARP mismatch (src)
+# 3 Etherframe ARP mismatch (dst)
+# 4 ARP cache overwrite attack
+
+#preprocessor arpspoof
+#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
+
+# Conversation
+#------------------------------------------
+# This preprocessor tracks conversations for tcp, udp and icmp traffic. It
+# is a prerequisite for running portscan2.
+#
+# allowed_ip_protcols 1 6 17
+# list of allowed ip protcols ( defaults to any )
+#
+# timeout [num]
+# conversation timeout ( defaults to 60 )
+#
+#
+# max_conversations [num]
+# number of conversations to support at once (defaults to 65335)
+#
+#
+# alert_odd_protocols
+# alert on protocols not listed in allowed_ip_protocols
+#
+# preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
+#
+# Portscan2
+#-------------------------------------------
+# Portscan 2, detect portscans in a new and exciting way. You must enable
+# spp_conversation in order to use this preprocessor.
+#
+# Available options:
+# scanners_max [num]
+# targets_max [num]
+# target_limit [num]
+# port_limit [num]
+# timeout [num]
+# log [logdir]
+#
+#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
+
+# Too many false alerts from portscan2? Tone it down with
+# portscan2-ignorehosts!
+#
+# A space delimited list of addresses in CIDR notation to ignore
+#
+# preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24
+#
+
+# Experimental Perf stats
+# -----------------------
+# No docs. Highly subject to change.
+#
+# preprocessor perfmonitor: console flow events time 10
+
+####################################################################
+# Step #3: Configure output plugins
+#
+# Uncomment and configure the output plugins you decide to use.
+# General configuration for output plugins is of the form:
+#
+# output :
+#
+# alert_syslog: log alerts to syslog
+# ----------------------------------
+# Use one or more syslog facilities as arguments. Win32 can also
+# optionally specify a particular hostname/port. Under Win32, the
+# default hostname is '127.0.0.1', and the default port is 514.
+#
+# [Unix flavours should use this format...]
+# output alert_syslog: LOG_AUTH LOG_ALERT
+#
+# [Win32 can use any of these formats...]
+# output alert_syslog: LOG_AUTH LOG_ALERT
+# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
+# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
+
+# log_tcpdump: log packets in binary tcpdump format
+# -------------------------------------------------
+# The only argument is the output file name.
+#
+# output log_tcpdump: tcpdump.log
+
+# database: log to a variety of databases
+# ---------------------------------------
+# See the README.database file for more information about configuring
+# and using this plugin.
+#
+# output database: log, mysql, user=root password=test dbname=db host=localhost
+# output database: alert, postgresql, user=snort dbname=snort
+# output database: log, unixodbc, user=snort dbname=snort
+# output database: log, mssql, dbname=snort user=snort password=test
+
+# unified: Snort unified binary format alerting and logging
+# -------------------------------------------------------------
+# The unified output plugin provides two new formats for logging
+# and generating alerts from Snort, the "unified" format. The
+# unified format is a straight binary format for logging data
+# out of Snort that is designed to be fast and efficient.
Used
+# with barnyard (the new alert/log processor), most of the overhead
+# for logging and alerting to various slow storage mechanisms
+# such as databases or the network can now be avoided.
+#
+# Check out the spo_unified.h file for the data formats.
+#
+# Two arguments are supported.
+# filename - base filename to write to (current time_t is appended)
+# limit - maximum size of spool file in MB (default: 128)
+#
+# output alert_unified: filename snort.alert, limit 128
+# output log_unified: filename snort.log, limit 128
+
+# You can optionally define new rule types and associate one or
+# more output plugins specifically to that type.
+#
+# This example will create a type that will log to just tcpdump.
+# ruletype suspicious
+# {
+# type log
+# output log_tcpdump: suspicious.log
+# }
+#
+# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
+# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
+#
+# This example will create a rule type that will log to syslog
+# and a mysql database.
+# ruletype redalert
+# {
+# type alert
+# output alert_syslog: LOG_AUTH LOG_ALERT
+# output database: log, mysql, user=snort dbname=snort host=localhost
+# }
+#
+# EXAMPLE RULE FOR REDALERT RULETYPE
+# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
+# flags:A+;)
+
+#
+# Include classification & priority settings
+#
+
+include classification.config
+
+#
+# Include reference systems
+#
+
+include reference.config
+
+####################################################################
+# Step #4: Customize your rule set
+#
+# Up to date snort rules are available at http://www.snort.org
+#
+# The snort web site has documentation about how to write your own
+# custom snort rules.
+#
+# The rules included with this distribution generate alerts based on
+# on suspicious activity.
Depending on your network environment, your
+# security policies, and what you consider to be suspicious, some of
+# these rules may either generate false positives ore may be detecting
+# activity you consider to be acceptable; therefore, you are
+# encouraged to comment out rules that are not applicable in your
+# environment.
+#
+# Note that using all of the rules at the same time may lead to
+# serious packet loss on slower machines. YMMV, use with caution,
+# standard disclaimers apply. :)
+#
+# The following individuals contributed many of rules in this
+# distribution.
+#
+# Credits:
+# Ron Gula of Network Security Wizards
+# Max Vision
+# Martin Markgraf
+# Fyodor Yarochkin
+# Nick Rogness
+# Jim Forster
+# Scott McIntyre
+# Tom Vandepoel
+# Brian Caswell
+# Zeno
+# Ryan Russell
+#
+#=========================================
+# Include all relevant rulesets here
+#
+# shellcode, policy, info, backdoor, and virus rulesets are
+# disabled by default. These require tuning and maintance.
+# Please read the included specific file for more information.
+#=========================================
+
+include $RULE_PATH/bad-traffic.rules
+include $RULE_PATH/exploit.rules
+include $RULE_PATH/scan.rules
+include $RULE_PATH/finger.rules
+include $RULE_PATH/ftp.rules
+include $RULE_PATH/telnet.rules
+include $RULE_PATH/rpc.rules
+include $RULE_PATH/rservices.rules
+include $RULE_PATH/dos.rules
+include $RULE_PATH/ddos.rules
+include $RULE_PATH/dns.rules
+include $RULE_PATH/tftp.rules
+
+include $RULE_PATH/web-cgi.rules
+include $RULE_PATH/web-coldfusion.rules
+include $RULE_PATH/web-iis.rules
+include $RULE_PATH/web-frontpage.rules
+include $RULE_PATH/web-misc.rules
+include $RULE_PATH/web-client.rules
+include $RULE_PATH/web-php.rules
+
+include $RULE_PATH/sql.rules
+include $RULE_PATH/x11.rules
+include $RULE_PATH/icmp.rules
+include $RULE_PATH/netbios.rules
+include $RULE_PATH/misc.rules
+include $RULE_PATH/attack-responses.rules
+include $RULE_PATH/oracle.rules
+include $RULE_PATH/mysql.rules
+include $RULE_PATH/snmp.rules
+
+include $RULE_PATH/smtp.rules
+include $RULE_PATH/imap.rules
+include $RULE_PATH/pop2.rules
+include $RULE_PATH/pop3.rules
+
+include $RULE_PATH/nntp.rules
+include $RULE_PATH/other-ids.rules
+include $RULE_PATH/web-attacks.rules
+include $RULE_PATH/backdoor.rules
+include $RULE_PATH/shellcode.rules
+include $RULE_PATH/policy.rules
+include $RULE_PATH/porn.rules
+include $RULE_PATH/info.rules
+include $RULE_PATH/icmp-info.rules
+include $RULE_PATH/virus.rules
+include $RULE_PATH/chat.rules
+include $RULE_PATH/multimedia.rules
+include $RULE_PATH/p2p.rules
+include $RULE_PATH/experimental.rules
+include $RULE_PATH/local.rules
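Review bot: `include classification.config` and `include reference.config` near the end of the hunk are bare relative paths while `var RULE_PATH /etc/snort/rules` is absolute; if this Snort version resolves relative includes against the process working directory rather than the directory of snort.conf, a daemon started from an init script in another directory will fail to load them, so `include /etc/snort/classification.config` and `include /etc/snort/reference.config` would be the safer form for a packaged config. The shipped defaults `var HOME_NET any` and `var EXTERNAL_NET any` mean every direction-qualified rule matches in both directions and the server lists derived from $HOME_NET cover every host, which the file's own comment says must be changed; a short comment directly above `var HOME_NET any` telling the administrator to set it to the local network before enabling the service would make that visible in the packaged file. The first line's `# PLD snort.cond` should read `# PLD snort.conf`.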