#
# $Id: snort.conf.200,v 1.1 2003/05/02 13:11:30 raptor Exp $
#
# snort.conf 2.0.0 - sample snort 2.0.0 ruleset template
# Copyright (c) 2003 Marco Ivaldi
#
# Sample configuration file for the open-source network intrusion detection
# system (NIDS) snort 2.0.0. This is a slight modification of the snort.conf
# distributed with snort (see http://www.snort.org), with detailed comments.
#
# This file is organized in the following sections:
# 1) Variables
# 2) Snort engine
# 3) Preprocessors
# 4) Output plugins
# 5) Ruleset
#
# Tested on OpenBSD and Linux, change it to fit your local configuration.
#
# Review notes (2003-era template, read before deploying):
# - Several values below are placeholders (x.x.x.0/24, the database
#   credentials, the arpspoof sample host) and must be replaced.
# - This file contains a database password in clear text, so it must be
#   readable only by the user snort runs as (see Section #4).
# - Everything after "include" and RULE_PATH is executed as detection logic:
#   the rules directory must not be writable by untrusted users, otherwise
#   the sensor can be silently blinded.
#

#########################################################
# Section #1 (Variables): HOME_NET is the monitored net
#
# Possible configuration choices:
#
# a) Consider any IP address as HOME_NET.
# var HOME_NET any
#
# b) To reduce false positives, explicit network
#    specification is suggested.
# var HOME_NET x.x.x.0/24
#
# c) You can also specify a list of network addresses.
# var HOME_NET [x.x.x.0/24,y.y.y.0/24]
#
# d) Finally, you can use global variable $<interface>_ADDRESS
#    which will be always initialized to network address
#    and netmask associated to the specified interface.
# var HOME_NET $eth0_ADDRESS
#
# NOTE: x.x.x.0/24 is a placeholder, not an address; snort will not
# start until it is replaced with the real monitored network(s).
#

var HOME_NET x.x.x.0/24

#########################################################
# Section #1 (Variables): EXTERNAL_NET is the external net
#
# Possible configuration choices:
#
# a) Consider any IP address as EXTERNAL_NET.
# var EXTERNAL_NET any
#
# b) To reduce false positives, you can define
#    "not $HOME_NET" as external.
# var EXTERNAL_NET !$HOME_NET
#
# Detection trade-off: with EXTERNAL_NET = !$HOME_NET, any rule written
# as $EXTERNAL_NET -> $HOME_NET will not match traffic whose source is
# itself inside HOME_NET (host-to-host activity within the monitored
# net). Use "any" if you also want to see internal sources, at the cost
# of more alerts.
#

var EXTERNAL_NET !$HOME_NET

#########################################################
# Section #1 (Variables): server list
#
# This allows Snort to only look for attacks to systems
# that have a service up, to improve performance. By
# default, we always specify $HOME_NET as the argument.
#
# Narrowing any of these to the real server addresses reduces load, but
# also means attacks against an unlisted (e.g. unauthorized) server of
# that type are no longer inspected by the corresponding rules.
#

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of Web servers on your network
var HTTP_SERVERS $HOME_NET

# List of SQL servers on your network
var SQL_SERVERS $HOME_NET

# List of Telnet servers on your network
var TELNET_SERVERS $HOME_NET

#########################################################
# Section #1 (Variables): service ports
#
# This allows Snort to look for attacks directed to a
# specific application only on the ports that it runs on.
# This also improves overall performance of Snort.
#

# Ports you run Web servers on
# (the http_decode preprocessor in Section #3 carries its own literal
# port list and is NOT tied to this variable; keep the two in sync)
var HTTP_PORTS 80

# Ports you want to look for shellcode on.
# Excluding the HTTP ports is a performance choice: shellcode carried
# over port 80 is then not checked by the shellcode rules.
var SHELLCODE_PORTS !$HTTP_PORTS

# Ports you run Oracle servers on
var ORACLE_PORTS 1521

#########################################################
# Section #1 (Variables): other variables
#
# Miscellaneous variables. Change RULE_PATH definition
# to reflect your Snort setup.
#

# AOL Instant Messenger servers
# NOTE(review): 64.12.26.14/24 has host bits set in a /24 prefix, which
# looks like a typo for 64.12.26.0/24 (inherited from the stock
# snort.conf) - confirm. The whole list dates from 2003; verify it
# before relying on the chat rules.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files
# This is a relative path, so what gets included depends on the
# directory snort is started from; use an absolute path in a deployed
# install. The directory and the .rules files in it should be owned by
# root and not writable by the user snort runs as.
var RULE_PATH ../rules

#########################################################
# Section #2 (Snort engine): decoder
#
# Snort packet decoder setup (NEW).
#
# All of the "config disable_*" directives below are commented out, so
# every decoder alert stays enabled. Disable a class of alerts only
# after confirming it is pure noise on your network.
#
# Stop all decode alerts:
# config disable_decode_alerts
#
# Stop alerts on experimental TCP options:
# config disable_tcpopt_experimental_alerts
#
# Stop alerts on obsolete TCP options:
# config disable_tcpopt_obsolete_alerts
#
# Stop alerts on T/TCP packets:
# config disable_ttcp_alerts
#
# Stop alerts on all other TCPOption type events:
# config disable_tcpopt_alerts
#
# Stop alerts on invalid ip options:
# config disable_ipopt_alerts

#########################################################
# Section #2 (Snort engine): detection engine
#
# Snort detection engine setup (NEW). Use a different
# pattern matcher in case you have a machine with very
# limited resources.
#
# config detection: search-method lowmem

#########################################################
# Section #3 (Preprocessors): frag2
#
# IP defragmentation support. This preprocessor performs IP
# fragments reassembly and will also detect frag attacks
# (usually DoS) against the monitored network. The suggested
# configuration uses no arguments: this means 60 secs timeout
# and 4MB of fragment buffer (see original snort.conf for
# further details).
#
preprocessor frag2

#########################################################
# Section #3 (Preprocessors): stream4
#
# Stateful inspection and stream reassembly for Snort.
# This preprocessor defeats stick/snot attacks against TCP
# rules and can statefully detect various portscan flavours,
# TCP fingerprinting, and more (see original snort.conf
# for further details). You can safely turn off "detect_scans"
# if you feel it's too noisy.
#
# NOTE(review): "disable_evasion_alerts" presumably silences stream4's
# own evasion alerts (overlapping/retransmitted segments); keep in mind
# that those events are what an attacker trying to slip past stream
# reassembly produces - confirm against the snort 2.0 docs before
# relying on this setting.
#
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble

#########################################################
# Section #3 (Preprocessors): http_decode
#
# HTTP traffic normalizer. This preprocessor normalizes HTTP
# requests by converting any %XX character to his ASCII
# equivalent. Now supports unicode, iis_alt_unicode, double_encode,
# iis_flip_slash and full_whitespace (see original snort.conf
# for further details).
#
# The port list here (80) is a literal and is not derived from
# $HTTP_PORTS; web traffic on any other port is not normalized, so
# encoded URIs on those ports can evade the web rules.
#
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

#########################################################
# Section #3 (Preprocessors): rpc_decode
#
# RPC traffic normalizer. RPC may be sent in alternate encodings
# besides the usual 4-byte encoding. This preprocessor
# normalizes RPC traffic in much the same way as http_decode.
#
# Ports: 111 (portmapper) and 32771.
#
preprocessor rpc_decode: 111 32771

#########################################################
# Section #3 (Preprocessors): bo
#
# Back Orifice detector. This preprocessor detects BO traffic
# on the monitored network. Takes no argument in Snort 2.0.
#
preprocessor bo

#########################################################
# Section #3 (Preprocessors): telnet_decode
#
# Telnet negotiation strings normalizer. This preprocessor
# normalizes Telnet negotiation strings from Telnet and FTP
# traffic. It works in much the same way as http_decode,
# searching for traffic that breaks the normal data stream
# of a protocol and replacing it with a normalized representation.
# This preprocessor requires no arguments.
#
preprocessor telnet_decode

#########################################################
# Section #3 (Preprocessors): portscan
#
# Portscan detector. This preprocessor detects UDP packets or
# TCP SYN packets going to 4 different ports in less than 3
# seconds. "Stealth" TCP packets are always detected, regardless
# of these settings. You can also use the "portscan-ignorehosts"
# directive to ignore specific IP addresses (like $HOME_NET).
#
# Arguments: monitored net, port threshold (4), time window in
# seconds (3), log file. "portscan.log" is a relative path - presumably
# placed under snort's log directory; confirm where it lands.
# Ignoring all of $HOME_NET means scans originating from inside the
# monitored net are never reported by this preprocessor.
#
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET

#########################################################
# Section #3 (Preprocessors): arpspoof (EXPERIMENTAL)
#
# ARP spoofing detector. Experimental ARP detection code, detects
# ARP attacks, unicast ARP requests, and specific ARP mapping
# monitoring. To make use of this preprocessor you must specify
# the IP and MAC address for each host. Specify one IP/MAC combo
# per line (see original snort.conf for further details).
#
# The IP/MAC pair below is a sample value from the stock snort.conf,
# not a real host.
#
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

#########################################################
# Section #3 (Preprocessors): conversation (EXPERIMENTAL)
#
# This preprocessor tracks conversations for TCP, UDP, and ICMP
# traffic. It is a prerequisite for running portscan2 below
# (see original snort.conf for further details).
#
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000

#########################################################
# Section #3 (Preprocessors): portscan2 (EXPERIMENTAL)
#
# Portscan2 detects portscans in a new and exciting way, but
# for now we prefer to comment it out :) However, check the
# original snort.conf for further details.
#
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
#preprocessor portscan2-ignorehosts: $HOME_NET

#########################################################
# Section #3 (Preprocessors): perfmonitor (EXPERIMENTAL)
#
# Experimental performance statistics. No docs, highly subject
# to change: it's better to comment it out.
#
#preprocessor perfmonitor: console flow events time 10

#########################################################
# Section #4 (Output plugins)
#
# Snort comes with a number of different output plugins. Here
# we are configuring only "alert_syslog" and "database". See
# http://aenigma.mediaservice.net to learn more about an advanced
# output plugin for database logging and a full-featured real-time
# alerting system (@Aenigma Project).
#
# alert_syslog: syslog facility LOG_AUTH, priority LOG_ALERT. If syslog
# is forwarded to a central host, that forwarding is what preserves the
# alerts if the sensor itself is compromised.
#
# database: the user/password/dbname below are SAMPLE values and must be
# changed. The password is stored in clear text in this file, so:
#  - make this file owned by the snort user with mode 0600 (or
#    equivalent) so no other local user can read the credential;
#  - grant the database account only the privileges the plugin needs
#    (inserting into the snort tables), never administrative rights;
#  - do not reuse this password anywhere else.
# host=localhost keeps the database connection on the local machine.
#
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort password=l33t dbname=db host=localhost

#########################################################
# Section #5 (Ruleset): classification and priority
#
# Include classification and priority settings (default
# configuration is fine).
#
# Relative path: resolved from where snort is started, like RULE_PATH.
#
include classification.config

#########################################################
# Section #5 (Ruleset): reference systems
#
# Include reference systems (default configuration is fine).
#
include reference.config

#########################################################
# Section #5 (Ruleset): the actual rules!
#
# The Snort official website (http://www.snort.org) has
# documentation about how to write your own custom rules.
#
# The rules included with the distribution generate alerts
# based on suspicious activity. Depending on your network
# environment and your security policies, some of these rules
# may either generate false positives or may be detecting
# activity you consider to be acceptable: therefore, you are
# encouraged to comment out rules that are not applicable to
# your environment and security policies.
#
# NOTE: using all of the rules at the same time may lead to
# serious packet loss on slower machines.
#
# Coverage note: the commented-out categories further down
# (web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,
# virus, chat, multimedia, p2p) are NOT loaded. In particular
# backdoor.rules and shellcode.rules cover post-compromise and exploit
# payload activity; re-enable them if the sensor has the capacity.
# experimental.rules is loaded and is likely to be noisier than the
# stable categories; local.rules is the place for site-specific rules.
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules