Commit | Line | Data |
---|---|---|
8cce16e5 | 1 | #-------------------------------------------------- |
6f723b29 | 2 | # http://www.snort.org Snort 2.1.0 Ruleset |
8cce16e5 | 3 | # Contact: snort-sigs@lists.sourceforge.net |
4 | #-------------------------------------------------- | |
5 | # $Id$ | |
6 | # | |
7 | ################################################### | |
8 | # This file contains a sample snort configuration. | |
6f723b29 | 9 | # You can take the following steps to create your own custom configuration: |
8cce16e5 | 10 | # |
11 | # 1) Set the network variables for your network | |
12 | # 2) Configure preprocessors | |
13 | # 3) Configure output plugins | |
14 | # 4) Customize your rule set | |
15 | # | |
16 | ################################################### | |
17 | # Step #1: Set the network variables: | |
18 | # | |
6f723b29 AM |
19 | # You must change the following variables to reflect your local network. The |
20 | # variable is currently set to "any" (see below), which matches all traffic; the examples use RFC 1918 address space. | |
8cce16e5 | 21 | # |
22 | # You can specify it explicitly as: | |
23 | # | |
24 | # var HOME_NET 10.1.1.0/24 | |
25 | # | |
6f723b29 AM |
26 | # or use the global variable $<interfacename>_ADDRESS, which is always |
27 | # initialized to the IP address and netmask of the network interface that you run | |
28 | # snort on. Under Windows, this must be specified as | |
29 | # $(<interfacename>_ADDRESS), such as: | |
8cce16e5 | 30 | # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) |
31 | # | |
32 | # var HOME_NET $eth0_ADDRESS | |
33 | # | |
34 | # You can specify lists of IP addresses for HOME_NET | |
35 | # by separating the IPs with commas like this: | |
36 | # | |
37 | # var HOME_NET [10.1.1.0/24,192.168.1.0/24] | |
38 | # | |
39 | # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! | |
40 | # | |
41 | # or you can specify the variable to be any IP address | |
42 | # like this: | |
43 | ||
44 | var HOME_NET any | |
45 | ||
6f723b29 | 46 | # Set up the external network addresses as well. A good start may be "any", |
 | # but with both HOME_NET and EXTERNAL_NET set to "any", direction-sensitive rules | |
 | # cannot tell inbound from outbound traffic. Once HOME_NET is set to your real | |
 | # address space, consider "var EXTERNAL_NET !$HOME_NET". | |
8cce16e5 | 47 | var EXTERNAL_NET any |
48 | ||
6f723b29 AM |
49 | # Configure your server lists. This allows snort to only look for attacks to |
50 | # systems that have a service up. Why look for HTTP attacks if you are not | |
51 | # running a web server? This allows quick filtering based on IP addresses | |
8cce16e5 | 52 | # These configurations MUST follow the same configuration scheme as defined |
53 | # above for $HOME_NET. | |
54 | ||
55 | # List of DNS servers on your network | |
56 | var DNS_SERVERS $HOME_NET | |
57 | ||
58 | # List of SMTP servers on your network | |
59 | var SMTP_SERVERS $HOME_NET | |
60 | ||
61 | # List of web servers on your network | |
62 | var HTTP_SERVERS $HOME_NET | |
63 | ||
64 | # List of sql servers on your network | |
65 | var SQL_SERVERS $HOME_NET | |
66 | ||
67 | # List of telnet servers on your network | |
68 | var TELNET_SERVERS $HOME_NET | |
69 | ||
6f723b29 AM |
70 | # List of snmp servers on your network |
71 | var SNMP_SERVERS $HOME_NET | |
72 | ||
73 | # Configure your service ports. This allows snort to look for attacks destined | |
74 | # to a specific application only on the ports that application runs on. For | |
75 | # example, if you run a web server on port 8081, set your HTTP_PORTS variable | |
76 | # like this: | |
8cce16e5 | 77 | # |
78 | # var HTTP_PORTS 8081 | |
79 | # | |
80 | # Port lists must either be a contiguous range [eg 80:8080], or a single port [eg 80]. | |
81 | # We will be adding support for a real list of ports in the future. | |
82 | ||
83 | # Ports you run web servers on | |
6f723b29 AM |
84 | # |
85 | # Please note: [80,8080] does not work. | |
86 | # If you wish to define multiple HTTP ports, use the include trick below. Keep this | |
 | # variable in sync with the http_inspect_server "ports" list further down (80 8080 by | |
 | # default): traffic on a port that http_inspect normalizes but $HTTP_PORTS omits is | |
 | # never matched by the web rules. | |
87 | # | |
88 | ## var HTTP_PORTS 80 | |
89 | ## include somefile.rules | |
90 | ## var HTTP_PORTS 8080 | |
91 | ## include somefile.rules | |
8cce16e5 | 92 | var HTTP_PORTS 80 |
93 | ||
94 | # Ports you want to look for SHELLCODE on. | |
95 | var SHELLCODE_PORTS !80 | |
96 | ||
97 | # Ports you do oracle attacks on | |
98 | var ORACLE_PORTS 1521 | |
99 | ||
100 | # other variables | |
101 | # | |
6f723b29 AM |
102 | # AIM servers. AOL has a habit of adding new AIM servers, so instead of |
103 | # modifying the signatures when they do, we add them to this list of servers. | |
8cce16e5 | 104 | var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] |
105 | ||
106 | # Path to your rules files (this can be a relative path) | |
107 | var RULE_PATH /etc/snort/rules | |
108 | ||
6f723b29 | 109 | # Configure the snort decoder |
8cce16e5 | 110 | # ============================ |
111 | # | |
6f723b29 AM |
112 | # Snort's decoder will alert on lots of things such as header |
113 | # truncation or options of unusual length or infrequently used tcp options | |
114 | # | |
115 | # | |
8cce16e5 | 116 | # Stop generic decode events: |
117 | # | |
118 | # config disable_decode_alerts | |
119 | # | |
120 | # Stop Alerts on experimental TCP options | |
121 | # | |
122 | # config disable_tcpopt_experimental_alerts | |
123 | # | |
124 | # Stop Alerts on obsolete TCP options | |
125 | # | |
126 | # config disable_tcpopt_obsolete_alerts | |
127 | # | |
128 | # Stop Alerts on T/TCP alerts | |
129 | # | |
6f723b29 AM |
130 | # In snort 2.0.1 and above, this only alerts when a TCP option is detected |
131 | # that shows T/TCP being actively used on the network. If this is normal | |
132 | # behavior for your network, disable the next option. | |
133 | # | |
134 | # config disable_tcpopt_ttcp_alerts | |
8cce16e5 | 135 | # |
136 | # Stop Alerts on all other TCPOption type events: | |
137 | # | |
138 | # config disable_tcpopt_alerts | |
139 | # | |
140 | # Stop Alerts on invalid ip options | |
141 | # | |
142 | # config disable_ipopt_alerts | |
143 | ||
8cce16e5 | 144 | # Configure the detection engine |
145 | # =============================== | |
146 | # | |
6f723b29 AM |
147 | # Use a different pattern matcher in case you have a machine with very limited |
148 | # resources: | |
8cce16e5 | 149 | # |
150 | # config detection: search-method lowmem | |
151 | ||
8cce16e5 | 152 | ################################################### |
153 | # Step #2: Configure preprocessors | |
154 | # | |
155 | # General configuration for preprocessors is of | |
156 | # the form | |
157 | # preprocessor <name_of_processor>: <configuration_options> | |
158 | ||
6f723b29 AM |
159 | # Configure Flow tracking module |
160 | # ------------------------------- | |
161 | # | |
162 | # The Flow tracking module is meant to start unifying the state keeping | |
163 | # mechanisms of snort into a single place. Right now, only a portscan detector | |
164 | # is implemented but in the long term, many of the stateful subsystems of | |
165 | # snort will be migrated over to becoming flow plugins. This must be enabled | |
166 | # for flow-portscan to work correctly. | |
167 | # | |
168 | # See README.flow for additional information | |
169 | # | |
170 | # preprocessor flow: stats_interval 0 hash 2 | |
171 | ||
8cce16e5 | 172 | # frag2: IP defragmentation support |
173 | # ------------------------------- | |
174 | # This preprocessor performs IP defragmentation. This plugin will also detect | |
175 | # people launching fragmentation attacks (usually DoS) against hosts. No | |
6f723b29 AM |
176 | # arguments loads the default configuration of the preprocessor, which is a 60 |
177 | # second timeout and a 4MB fragment buffer. | |
8cce16e5 | 178 | |
179 | # The following (comma delimited) options are available for frag2 | |
180 | # timeout [seconds] - sets the number of [seconds] that an unfinished | |
181 | # fragment will be kept around waiting for completion; | |
182 | # if this time expires the fragment will be flushed | |
183 | # memcap [bytes] - limit frag2 memory usage to [bytes] bytes | |
184 | # (default: 4194304) | |
185 | # | |
186 | # min_ttl [number] - minimum ttl to accept | |
187 | # | |
188 | # ttl_limit [number] - difference of ttl to accept without alerting | |
189 | # will cause false positives with router flap | |
190 | # | |
191 | # Frag2 uses Generator ID 113 and uses the following SIDS | |
192 | # for that GID: | |
193 | # SID Event description | |
194 | # ----- ------------------- | |
195 | # 1 Oversized fragment (reassembled frag > 64k bytes) | |
196 | # 2 Teardrop-type attack | |
197 | ||
198 | preprocessor frag2 | |
199 | ||
200 | # stream4: stateful inspection/stream reassembly for Snort | |
201 | #---------------------------------------------------------------------- | |
6f723b29 AM |
202 | # Use in concert with the -z [all|est] command line switch to defeat stick/snot |
203 | # against TCP rules. Also performs full TCP stream reassembly, stateful | |
204 | # inspection of TCP streams, etc. Can statefully detect various portscan | |
205 | # types, fingerprinting, ECN, etc. | |
8cce16e5 | 206 | |
207 | # stateful inspection directive | |
208 | # no arguments loads the defaults (timeout 30, memcap 8388608) | |
209 | # options (options are comma delimited): | |
210 | # detect_scans - stream4 will detect stealth portscans and generate alerts | |
211 | # when it sees them when this option is set | |
212 | # detect_state_problems - detect TCP state problems, this tends to be very | |
213 | # noisy because there are a lot of crappy ip stack | |
214 | # implementations out there | |
215 | # | |
216 | # disable_evasion_alerts - turn off the possibly noisy mitigation of | |
217 | # overlapping sequences. | |
218 | # | |
219 | # | |
220 | # min_ttl [number] - set a minimum ttl that snort will accept for | |
221 | # stream reassembly | |
222 | # | |
223 | # ttl_limit [number] - maximum difference between a packet's ttl and the | |
224 | # session's initial ttl before snort alerts that someone may be playing games. | |
225 | # Routing flap may cause lots of false positives. | |
226 | # | |
227 | # keepstats [machine|binary] - keep session statistics, add "machine" to | |
228 | # get them in a flat format for machine reading, add | |
229 | # "binary" to get them in a unified binary output | |
230 | # format | |
231 | # noinspect - turn off stateful inspection only | |
232 | # timeout [number] - set the session timeout counter to [number] seconds, | |
233 | # default is 30 seconds | |
234 | # memcap [number] - limit stream4 memory usage to [number] bytes | |
235 | # log_flushed_streams - if an event is detected on a stream this option will | |
236 | # cause all packets that are stored in the stream4 | |
237 | # packet buffers to be flushed to disk. This only | |
238 | # works when logging in pcap mode! | |
239 | # | |
240 | # Stream4 uses Generator ID 111 and uses the following SIDS | |
241 | # for that GID: | |
242 | # SID Event description | |
243 | # ----- ------------------- | |
244 | # 1 Stealth activity | |
245 | # 2 Evasive RST packet | |
246 | # 3 Evasive TCP packet retransmission | |
247 | # 4 TCP Window violation | |
248 | # 5 Data on SYN packet | |
249 | # 6 Stealth scan: full XMAS | |
250 | # 7 Stealth scan: SYN-ACK-PSH-URG | |
251 | # 8 Stealth scan: FIN scan | |
252 | # 9 Stealth scan: NULL scan | |
253 | # 10 Stealth scan: NMAP XMAS scan | |
254 | # 11 Stealth scan: Vecna scan | |
255 | # 12 Stealth scan: NMAP fingerprint scan stateful detect | |
256 | # 13 Stealth scan: SYN-FIN scan | |
257 | # 14 TCP forward overlap | |
258 | # NOTE: disable_evasion_alerts below turns off stream4's overlapping-sequence | |
 | # evasion alerting (documented above); remove it if you want those events | |
 | # reported rather than silently handled. ||
6f723b29 | 259 | preprocessor stream4: disable_evasion_alerts |
8cce16e5 | 260 | |
261 | # tcp stream reassembly directive | |
262 | # no arguments loads the default configuration | |
263 | # Only reassemble the client, | |
264 | # Only reassemble the default list of ports (See below), | |
265 | # Give alerts for "bad" streams | |
266 | # | |
267 | # Available options (comma delimited): | |
268 | # clientonly - reassemble traffic for the client side of a connection only | |
269 | # serveronly - reassemble traffic for the server side of a connection only | |
270 | # both - reassemble both sides of a session | |
271 | # noalerts - turn off alerts from the stream reassembly stage of stream4 | |
272 | # ports [list] - use the space separated list of ports in [list], "all" | |
273 | # will turn on reassembly for all ports, "default" will turn | |
274 | # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 | |
275 | # and 513 | |
276 | ||
277 | preprocessor stream4_reassemble | |
278 | ||
6f723b29 | 279 | # http_inspect: normalize and detect HTTP traffic and protocol anomalies |
8cce16e5 | 280 | # |
6f723b29 AM |
281 | # lots of options available here. See doc/README.http_inspect. |
282 | # unicode.map should be wherever your snort.conf lives, or given | |
283 | # a full path to where snort can find it. | |
284 | preprocessor http_inspect: global \ | |
285 | iis_unicode_map unicode.map 1252 | |
286 | ||
287 | preprocessor http_inspect_server: server default \ | |
288 | profile all \ | |
289 | ports { 80 8080 } | |
8cce16e5 | 290 | # |
6f723b29 | 291 | # Example unique server configuration |
8cce16e5 | 292 | # |
6f723b29 AM |
293 | #preprocessor http_inspect_server: server 1.1.1.1 \ |
294 | # ports { 80 3128 8080 } \ | |
295 | # flow_depth 0 \ | |
296 | # ascii no \ | |
297 | # double_decode yes \ | |
298 | # non_rfc_char { 0x00 } \ | |
299 | # chunk_length 500000 \ | |
300 | # non_strict \ | |
301 | # no_alerts | |
8cce16e5 | 302 | |
8cce16e5 | 303 | |
304 | # rpc_decode: normalize RPC traffic | |
305 | # --------------------------------- | |
6f723b29 AM |
306 | # RPC may be sent in alternate encodings besides the usual 4-byte encoding |
307 | # that is used by default. This plugin takes the port numbers that RPC | |
308 | # services are running on as arguments - it is assumed that the given ports | |
309 | # are actually running this type of service. If not, change the ports or turn | |
310 | # it off. | |
8cce16e5 | 311 | # The RPC decode preprocessor uses generator ID 106 |
312 | # | |
313 | # arguments: space separated list | |
314 | # alert_fragments - alert on any rpc fragmented TCP data | |
315 | # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet | |
316 | # no_alert_large_fragments - don't alert when the fragmented | |
317 | # sizes exceed the current packet size | |
318 | # no_alert_incomplete - don't alert when a single segment | |
319 | # exceeds the current packet size | |
320 | ||
321 | preprocessor rpc_decode: 111 32771 | |
322 | ||
323 | # bo: Back Orifice detector | |
324 | # ------------------------- | |
325 | # Detects Back Orifice traffic on the network. Takes no arguments in 2.0. | |
326 | # | |
327 | # The Back Orifice detector uses Generator ID 105 and uses the | |
328 | # following SIDS for that GID: | |
329 | # SID Event description | |
330 | # ----- ------------------- | |
331 | # 1 Back Orifice traffic detected | |
332 | ||
333 | preprocessor bo | |
334 | ||
335 | # telnet_decode: Telnet negotiation string normalizer | |
336 | # --------------------------------------------------- | |
6f723b29 AM |
337 | # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp |
338 | # traffic. It works in much the same way as the http_inspect preprocessor, | |
339 | # searching for traffic that breaks up the normal data stream of a protocol and | |
340 | # replacing it with a normalized representation of that traffic so that the | |
341 | # "content" pattern matching keyword can work without requiring modifications. | |
8cce16e5 | 342 | # This preprocessor requires no arguments. |
343 | # telnet_decode uses Generator ID 109 and does not generate any SID currently. | |
344 | ||
345 | preprocessor telnet_decode | |
346 | ||
6f723b29 | 347 | # Flow-Portscan: detect a variety of portscans |
8cce16e5 | 348 | # --------------------------------------- |
6f723b29 AM |
349 | # Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to |
350 | # work. | |
351 | # | |
352 | # This module detects portscans based off of flow creation in the flow | |
353 | # preprocessors. The goal is to catch one->many hosts and one->many | |
354 | # ports scans. | |
355 | # | |
356 | # Flow-Portscan has numerous options available, please read | |
357 | # README.flow-portscan for help configuring this option. | |
358 | ||
359 | # Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID: | |
8cce16e5 | 360 | # SID Event description |
361 | # ----- ------------------- | |
6f723b29 AM |
362 | # 1 flow-portscan: Fixed Scale Scanner Limit Exceeded |
363 | # 2 flow-portscan: Sliding Scale Scanner Limit Exceeded | |
364 | # 3 flow-portscan: Fixed Scale Talker Limit Exceeded | |
365 | # 4 flow-portscan: Sliding Scale Talker Limit Exceeded | |
366 | ||
367 | # preprocessor flow-portscan: \ | |
368 | # talker-sliding-scale-factor 0.50 \ | |
369 | # talker-fixed-threshold 30 \ | |
370 | # talker-sliding-threshold 30 \ | |
371 | # talker-sliding-window 20 \ | |
372 | # talker-fixed-window 30 \ | |
373 | # scoreboard-rows-talker 30000 \ | |
374 | # server-watchnet [10.2.0.0/30] \ | |
375 | # server-ignore-limit 200 \ | |
376 | # server-rows 65535 \ | |
377 | # server-learning-time 14400 \ | |
378 | # server-scanner-limit 4 \ | |
379 | # scanner-sliding-window 20 \ | |
380 | # scanner-sliding-scale-factor 0.50 \ | |
381 | # scanner-fixed-threshold 15 \ | |
382 | # scanner-sliding-threshold 40 \ | |
383 | # scanner-fixed-window 15 \ | |
384 | # scoreboard-rows-scanner 30000 \ | |
385 | # src-ignore-net [192.168.1.1/32,192.168.0.0/24] \ | |
386 | # dst-ignore-net [10.0.0.0/30] \ | |
387 | # alert-mode once \ | |
388 | # output-mode msg \ | |
389 | # tcp-penalties on | |
8cce16e5 | 390 | |
391 | # arpspoof | |
392 | #---------------------------------------- | |
6f723b29 AM |
393 | # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, |
394 | # unicast ARP requests, and specific ARP mapping monitoring. To make use of | |
395 | # this preprocessor you must specify the IP and hardware address of hosts on | |
396 | # the same layer 2 segment as you. Specify one host IP MAC combo per line. | |
8cce16e5 | 397 | # Also takes a "-unicast" option to turn on unicast ARP request detection. |
398 | # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: | |
6f723b29 | 399 | |
8cce16e5 | 400 | # SID Event description |
401 | # ----- ------------------- | |
402 | # 1 Unicast ARP request | |
403 | # 2 Etherframe ARP mismatch (src) | |
404 | # 3 Etherframe ARP mismatch (dst) | |
405 | # 4 ARP cache overwrite attack | |
406 | ||
407 | #preprocessor arpspoof | |
408 | #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 | |
409 | ||
8cce16e5 | 410 | |
6f723b29 AM |
411 | # Performance Statistics |
412 | # ---------------------- | |
413 | # Documentation for this is provided in the Snort Manual. You should read it. | |
414 | # It is included in the release distribution as doc/snort_manual.pdf | |
8cce16e5 | 415 | # |
416 | # preprocessor perfmonitor: console flow events time 10 | |
417 | ||
418 | #################################################################### | |
419 | # Step #3: Configure output plugins | |
420 | # | |
6f723b29 AM |
421 | # Uncomment and configure the output plugins you decide to use. General |
422 | # configuration for output plugins is of the form: | |
8cce16e5 | 423 | # |
424 | # output <name_of_plugin>: <configuration_options> | |
425 | # | |
426 | # alert_syslog: log alerts to syslog | |
427 | # ---------------------------------- | |
6f723b29 AM |
428 | # Use one or more syslog facilities as arguments. Win32 can also optionally |
429 | # specify a particular hostname/port. Under Win32, the default hostname is | |
430 | # '127.0.0.1', and the default port is 514. Remote syslog is plain UDP, | |
 | # unencrypted and unauthenticated, so send alerts only across a trusted | |
 | # management network. | |
8cce16e5 | 431 | # |
432 | # [Unix flavours should use this format...] | |
433 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
434 | # | |
435 | # [Win32 can use any of these formats...] | |
436 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
437 | # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT | |
438 | # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT | |
439 | ||
440 | # log_tcpdump: log packets in binary tcpdump format | |
441 | # ------------------------------------------------- | |
442 | # The only argument is the output file name. | |
443 | # | |
444 | # output log_tcpdump: tcpdump.log | |
445 | ||
446 | # database: log to a variety of databases | |
447 | # --------------------------------------- | |
448 | # See the README.database file for more information about configuring | |
449 | # and using this plugin. Note that the database password is stored in | |
 | # cleartext in this file: restrict read access to snort.conf and use a | |
 | # dedicated low-privilege database account (as in the examples that use | |
 | # user=snort) rather than root. | |
450 | # | |
451 | # output database: log, mysql, user=root password=test dbname=db host=localhost | |
452 | # output database: alert, postgresql, user=snort dbname=snort | |
453 | # output database: log, unixodbc, user=snort dbname=snort | |
454 | # output database: log, mssql, dbname=snort user=snort password=test | |
455 | ||
456 | # unified: Snort unified binary format alerting and logging | |
457 | # ------------------------------------------------------------- | |
6f723b29 AM |
458 | # The unified output plugin provides two new formats for logging and generating |
459 | # alerts from Snort, the "unified" format. The unified format is a straight | |
460 | # binary format for logging data out of Snort that is designed to be fast and | |
461 | # efficient. Used with barnyard (the new alert/log processor), most of the | |
462 | # overhead for logging and alerting to various slow storage mechanisms such as | |
463 | # databases or the network can now be avoided. | |
8cce16e5 | 464 | # |
465 | # Check out the spo_unified.h file for the data formats. | |
466 | # | |
467 | # Two arguments are supported. | |
468 | # filename - base filename to write to (current time_t is appended) | |
469 | # limit - maximum size of spool file in MB (default: 128) | |
470 | # | |
471 | # output alert_unified: filename snort.alert, limit 128 | |
472 | # output log_unified: filename snort.log, limit 128 | |
473 | ||
6f723b29 AM |
474 | # You can optionally define new rule types and associate one or more output |
475 | # plugins specifically to that type. | |
8cce16e5 | 476 | # |
477 | # This example will create a type that will log to just tcpdump. | |
478 | # ruletype suspicious | |
479 | # { | |
480 | # type log | |
481 | # output log_tcpdump: suspicious.log | |
482 | # } | |
483 | # | |
484 | # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: | |
485 | # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) | |
486 | # | |
6f723b29 AM |
487 | # This example will create a rule type that will log to syslog and a mysql |
488 | # database: | |
8cce16e5 | 489 | # ruletype redalert |
490 | # { | |
491 | # type alert | |
492 | # output alert_syslog: LOG_AUTH LOG_ALERT | |
493 | # output database: log, mysql, user=snort dbname=snort host=localhost | |
494 | # } | |
495 | # | |
6f723b29 AM |
496 | # EXAMPLE RULE FOR REDALERT RULETYPE: |
497 | # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ | |
498 | # (msg:"Someone is being LEET"; flags:A+;) | |
8cce16e5 | 499 | |
500 | # | |
501 | # Include classification & priority settings | |
502 | # | |
503 | ||
504 | include classification.config | |
505 | ||
506 | # | |
507 | # Include reference systems | |
508 | # | |
509 | ||
510 | include reference.config | |
511 | ||
512 | #################################################################### | |
513 | # Step #4: Customize your rule set | |
514 | # | |
515 | # Up to date snort rules are available at http://www.snort.org | |
516 | # | |
6f723b29 AM |
517 | # The snort web site has documentation about how to write your own custom snort |
518 | # rules. | |
8cce16e5 | 519 | # |
6f723b29 AM |
520 | # The rules included with this distribution generate alerts based on |
521 | # suspicious activity. Depending on your network environment, your security | |
522 | # policies, and what you consider to be suspicious, some of these rules may | |
523 | # either generate false positives or may be detecting activity you consider to | |
524 | # be acceptable; therefore, you are encouraged to comment out rules that are | |
525 | # not applicable in your environment. | |
8cce16e5 | 526 | # |
6f723b29 | 527 | # The following individuals contributed many of rules in this distribution. |
8cce16e5 | 528 | # |
529 | # Credits: | |
530 | # Ron Gula <rgula@securitywizards.com> of Network Security Wizards | |
531 | # Max Vision <vision@whitehats.com> | |
532 | # Martin Markgraf <martin@mail.du.gtn.com> | |
533 | # Fyodor Yarochkin <fygrave@tigerteam.net> | |
534 | # Nick Rogness <nick@rapidnet.com> | |
535 | # Jim Forster <jforster@rapidnet.com> | |
536 | # Scott McIntyre <scott@whoi.edu> | |
537 | # Tom Vandepoel <Tom.Vandepoel@ubizen.com> | |
538 | # Brian Caswell <bmc@snort.org> | |
539 | # Zeno <admin@cgisecurity.com> | |
540 | # Ryan Russell <ryan@securityfocus.com> | |
6f723b29 AM |
541 | |
542 | ||
543 | ||
8cce16e5 | 544 | #========================================= |
545 | # Include all relevant rulesets here | |
546 | # | |
6f723b29 AM |
547 | # The following rulesets are disabled by default: |
548 | # | |
549 | # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus, | |
550 | # chat, multimedia, and p2p | |
551 | # | |
552 | # These rules are either site policy specific or require tuning in order to not | |
553 | # generate false positive alerts in most environments. | |
554 | # | |
555 | # Please read the specific include file for more information and | |
556 | # README.alert_order for how rule ordering affects how alerts are triggered. | |
8cce16e5 | 557 | #========================================= |
558 | ||
6f723b29 | 559 | include $RULE_PATH/local.rules |
8cce16e5 | 560 | include $RULE_PATH/bad-traffic.rules |
561 | include $RULE_PATH/exploit.rules | |
562 | include $RULE_PATH/scan.rules | |
563 | include $RULE_PATH/finger.rules | |
564 | include $RULE_PATH/ftp.rules | |
565 | include $RULE_PATH/telnet.rules | |
566 | include $RULE_PATH/rpc.rules | |
567 | include $RULE_PATH/rservices.rules | |
568 | include $RULE_PATH/dos.rules | |
569 | include $RULE_PATH/ddos.rules | |
570 | include $RULE_PATH/dns.rules | |
571 | include $RULE_PATH/tftp.rules | |
572 | ||
573 | include $RULE_PATH/web-cgi.rules | |
574 | include $RULE_PATH/web-coldfusion.rules | |
575 | include $RULE_PATH/web-iis.rules | |
576 | include $RULE_PATH/web-frontpage.rules | |
577 | include $RULE_PATH/web-misc.rules | |
578 | include $RULE_PATH/web-client.rules | |
579 | include $RULE_PATH/web-php.rules | |
580 | ||
581 | include $RULE_PATH/sql.rules | |
582 | include $RULE_PATH/x11.rules | |
583 | include $RULE_PATH/icmp.rules | |
584 | include $RULE_PATH/netbios.rules | |
585 | include $RULE_PATH/misc.rules | |
586 | include $RULE_PATH/attack-responses.rules | |
587 | include $RULE_PATH/oracle.rules | |
588 | include $RULE_PATH/mysql.rules | |
589 | include $RULE_PATH/snmp.rules | |
590 | ||
591 | include $RULE_PATH/smtp.rules | |
592 | include $RULE_PATH/imap.rules | |
593 | include $RULE_PATH/pop2.rules | |
594 | include $RULE_PATH/pop3.rules | |
595 | ||
596 | include $RULE_PATH/nntp.rules | |
597 | include $RULE_PATH/other-ids.rules | |
6f723b29 AM |
598 | # include $RULE_PATH/web-attacks.rules |
599 | # include $RULE_PATH/backdoor.rules | |
600 | # include $RULE_PATH/shellcode.rules | |
601 | # include $RULE_PATH/policy.rules | |
602 | # include $RULE_PATH/porn.rules | |
603 | # include $RULE_PATH/info.rules | |
604 | # include $RULE_PATH/icmp-info.rules | |
605 | # include $RULE_PATH/virus.rules | |
606 | # include $RULE_PATH/chat.rules | |
607 | # include $RULE_PATH/multimedia.rules | |
608 | # include $RULE_PATH/p2p.rules | |
8cce16e5 | 609 | include $RULE_PATH/experimental.rules |
6f723b29 AM |
610 | |
611 | # Include any thresholding or suppression commands | |
043fd876 | 612 | #include threshold.conf |