2 # Taken and modified from "vision.conf", part of Max Vision's
3 # ArachNIDs work. See /usr/doc/snort-stuff/README.snort-stuff for more
4 # information on how to use this file.
# Site-specific address variables. The values below are the author's sample
# ranges; replace them with the networks this sensor actually watches.
# NOTE(review): presumably the included rule files reference $INTERNAL and
# $EXTERNAL, so a wrong range here would make those rules miss traffic
# without any error - confirm against the ruleset.
6 var INTERNAL 192.168.1.0/24
# EXTERNAL is one /24 here, not "everything outside INTERNAL".
7 var EXTERNAL 63.87.101.0/24
# Both hosts lie inside the EXTERNAL /24 above; this variable is consumed by
# the portscan-ignorehosts preprocessor further down.
8 var DNSSERVERS 63.87.101.90/32 63.87.101.92/32
# Preprocessors run on packets before the rules are evaluated.
#
# http_decode: decode HTTP requests on the listed ports so rules match the
# decoded URI. Port 443 normally carries TLS, which the decoder cannot read,
# so listing it adds no visibility into HTTPS traffic. Web servers on ports
# not listed here are not decoded.
10 preprocessor http_decode: 80 443 8080
# minfrag: flag IP fragments smaller than the given size (128 bytes here).
# Tiny fragments are a common IDS-evasion signal; tune the value if
# legitimate traffic on this network triggers it.
11 preprocessor minfrag: 128
# portscan arguments: monitored network, port count, time window in seconds,
# log file. With "3 5" a source touching 3 ports within 5 seconds is
# reported, a low threshold that can be noisy on busy networks.
# The log path must be writable by the snort process; keep it readable only
# by administrators and include it in log rotation.
12 preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log
# Suppress portscan reports for the listed hosts (DNS servers open many
# connections and would otherwise trip the detector). This is a deliberate
# blind spot: scanning that originates from an ignored host is not reported
# by this preprocessor, so keep the list minimal and monitor those hosts
# by other means.
13 preprocessor portscan-ignorehosts: $DNSSERVERS
15 # Ruleset, available (updated hourly) from:
17 # http://dev.whitehats.com/ids/vision.rules
# The URL above is plain HTTP, so a downloaded copy has no transport-level
# integrity protection. A modified rules file can silently disable
# detection; if updates are automated, verify the file (checksum or
# signature, if the publisher offers one) before installing it, and keep
# /etc/snort writable only by root.
19 # Include the latest copy of Max Vision's ruleset
# The include is read with the variable values defined above in this file.
20 include /etc/snort/vision.rules
22 # Uncomment the next line if you wish to include the latest
23 # copy of the snort.org ruleset. Be sure to download the latest
24 # one from http://www.snort.org/snort-files.htm#Rules
26 # include /etc/snort/06082k.rules
29 # If you wish to monitor multiple INTERNAL networks, you can include
30 # another variable that defines the additional network, then include
31 # the snort ruleset again. Uncomment the two following lines.
33 # var INTERNAL 192.168.2.0/24
34 # include /etc/snort/vision.rules
36 # include other rules here if you wish.