#
# $Id: snort.conf.190,v 1.2 2002/11/30 15:44:29 raptor Exp $
#
# snort.conf 1.9.0 - Sample Snort 1.9.0 Ruleset
# Copyright (c) 2002 Raptor
#
# Sample configuration file for the Network
# Intrusion Detection System (NIDS) Snort 1.9.0.
# This is a slight modification of the snort.conf
# distributed with Snort (see http://www.snort.org
# for further information), with detailed comments.
#
# This file is organized in the following sections:
# 1) Variables
# 2) Preprocessors
# 3) Output plugins
# 4) Ruleset
#
# Change it to fit your local configuration.
#
# NOTE: this ruleset only works for 1.9.0 and later.
#
# Directive order matters: variables must be defined before
# the preprocessors, output plugins and includes that
# reference them, so keep the four sections in this order.
#

#########################################################
# Section #1 (Variables): HOME_NET is the monitored net
#
# Possible configuration choices:
# a) Consider any IP address as HOME_NET.
#    var HOME_NET any
# b) To reduce false positives, explicit network
#    specification is suggested.
#    var HOME_NET x.x.x.0/24
# c) You can also specify a list of network addresses.
#    var HOME_NET [x.x.x.0/24,y.y.y.0/24]
# d) Finally, you can use global variable $_ADDRESS
#    which will be always initialized to network address
#    and netmask associated to the specified interface.
#    var HOME_NET $eth0_ADDRESS
#
# "x.x.x.0/24" below is a placeholder, not a valid CIDR:
# Snort will not accept it as written, so replace it with
# your real network(s) before starting.
# Everything that follows ($EXTERNAL_NET, the server
# lists, the portscan ignore list) is derived from this
# value, so getting it right is what makes the rest of
# the file meaningful.
#
var HOME_NET x.x.x.0/24

#########################################################
# Section #1 (Variables): EXTERNAL_NET is the external net
#
# a) Consider any IP address as EXTERNAL_NET.
#    var EXTERNAL_NET any
# b) To reduce false positives, you can define
#    "not $HOME_NET" as external.
#    var EXTERNAL_NET !$HOME_NET
#
# Choice b) is used here. Note that with this setting
# traffic between two $HOME_NET hosts does not match
# rules written as $EXTERNAL_NET -> $HOME_NET, i.e.
# purely internal attacks are not covered by those rules.
#
var EXTERNAL_NET !$HOME_NET

#########################################################
# Section #1 (Variables): Server list
#
# This allows Snort to only look for attacks to systems
# that have a service up, to improve performance. By
# default, we always specify $HOME_NET as the argument.
# Narrowing these to the real server addresses both
# speeds Snort up and reduces false positives.
#

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of Web servers on your network
var HTTP_SERVERS $HOME_NET

# List of SQL servers on your network
var SQL_SERVERS $HOME_NET

# List of Telnet servers on your network
var TELNET_SERVERS $HOME_NET

#########################################################
# Section #1 (Variables): Service ports
#
# This allows Snort to look for attacks directed to a
# specific application only on the ports that it runs on.
# This also improves overall performance of Snort.
#

# Ports you run Web servers on.
# NOTE: the http_decode preprocessor in Section #2 has
# its own literal port list (80); if you change this
# value, update that line as well or web traffic on the
# new port will not be normalized.
var HTTP_PORTS 80

# Ports you want to look for shellcode on.
var SHELLCODE_PORTS !$HTTP_PORTS

# Ports you run Oracle servers on
var ORACLE_PORTS 1521

#########################################################
# Section #1 (Variables): Other variables
#
# Miscellaneous variables. Change RULE_PATH definition
# to reflect your Snort setup.
#

# AOL Instant Messenger servers (address list as shipped
# with the stock snort.conf of this version; verify it
# still matches before relying on the chat rules).
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files.
# This is a relative path, presumably resolved from the
# directory Snort is started in — confirm, or use an
# absolute path so the rules loaded do not depend on the
# working directory. Rule files are executed as trusted
# input: keep them writable only by an administrative
# account.
var RULE_PATH ../rules

#########################################################
# Section #2 (Preprocessors): frag2
#
# IP defragmentation support. This preprocessor performs
# IP fragments reassembly and will also detect frag
# attacks (usually DoS) against the monitored network.
# The suggested configuration uses no arguments: this
# means 60 secs timeout and 4MB of fragment buffer
# (see original snort.conf for further details).
#
preprocessor frag2

#########################################################
# Section #2 (Preprocessors): stream4
#
# Stateful inspection and stream reassembly for Snort.
# This preprocessor defeats stick/snot attacks against
# TCP rules and can statefully detect various portscan
# flavours, TCP fingerprinting, and more (see original
# snort.conf for further details). You can safely turn
# off "detect_scans" if you feel it's too noisy.
#
# NOTE(review): "disable_evasion_alerts" silences the
# alerts stream4 raises when it sees TCP stream evasion
# attempts. That removes a noisy class of alerts but also
# means an attacker evading inspection goes unreported;
# consider tuning those alerts instead of disabling them.
#
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble

#########################################################
# Section #2 (Preprocessors): http_decode
#
# HTTP traffic normalizer. This preprocessor normalizes
# HTTP requests by converting any %XX character to its
# ASCII equivalent. Now supports unicode, iis_alt_unicode,
# double_encode, iis_flip_slash and full_whitespace
# (see original snort.conf for further details).
#
# The leading "80" is a literal port list, independent of
# $HTTP_PORTS above — keep the two in sync.
#
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

#########################################################
# Section #2 (Preprocessors): rpc_decode
#
# RPC traffic normalizer. RPC may be sent in alternate
# encodings besides the usual 4-byte encoding. This
# preprocessor normalizes RPC traffic in much the same
# way as http_decode. The arguments are the ports to
# normalize (111 = portmapper, 32771 = the usual Solaris
# alternate portmapper port).
#
preprocessor rpc_decode: 111 32771

#########################################################
# Section #2 (Preprocessors): bo
#
# Back Orifice detector. This preprocessor detects
# BO traffic on the monitored network. It can also
# brute force the key space of the protocol to
# find Back Orifice traffic (this impacts on the
# overall performance of Snort, so we disable it).
#
preprocessor bo: -nobrute

#########################################################
# Section #2 (Preprocessors): telnet_decode
#
# Telnet negotiation strings normalizer. This preprocessor
# normalizes Telnet negotiation strings from Telnet and
# FTP traffic. It works in much the same way as
# http_decode, searching for traffic that breaks the
# normal data stream of a protocol and replacing it with
# a normalized representation. This preprocessor requires
# no arguments.
#
preprocessor telnet_decode

#########################################################
# Section #2 (Preprocessors): portscan
#
# Portscan detector. This preprocessor detects UDP packets
# or TCP SYN packets going to 4 different ports in less
# than 3 seconds. "Stealth" TCP packets are always detected,
# regardless of these settings. You can also use the
# "portscan-ignorehosts" directive to ignore specific IP
# addresses (like $HOME_NET).
#
# Arguments: monitored network, number of ports, time
# window in seconds, log file. "portscan.log" is a
# relative path, presumably written under Snort's log
# directory — confirm where it lands on your install.
# NOTE(review): ignoring all of $HOME_NET means scans
# launched from an already-compromised internal host are
# not reported; narrow the ignore list if that matters
# in your environment.
#
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET

#########################################################
# Section #2 (Preprocessors): arpspoof (EXPERIMENTAL)
#
# ARP spoofing detector. Experimental ARP detection code,
# detects ARP attacks, unicast ARP requests, and specific
# ARP mapping monitoring. To make use of this preprocessor
# you must specify the IP and MAC address for each host.
# Specify one IP/MAC combo per line (see original
# snort.conf for further details). The address pair below
# is only an example of the syntax.
#
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

#########################################################
# Section #2 (Preprocessors): asn1_decode (EXPERIMENTAL)
#
# ASN1 decoder. Another experimental preprocessor, detects
# abuses of the ASN.1 protocol that higher level protocols
# (like SSL, SNMP, x.509, etc) rely on.
#
#preprocessor asn1_decode

#########################################################
# Section #2 (Preprocessors): fnord (EXPERIMENTAL)
#
# Polymorphic shellcode analyzer. Another experimental
# preprocessor, will watch traffic for polymorphic
# NOP-type sleds to defeat tools like ADMutate.
#
#preprocessor fnord

#########################################################
# Section #2 (Preprocessors): conversation (EXPERIMENTAL)
#
# This preprocessor tracks conversations for TCP, UDP,
# and ICMP traffic. It is a prerequisite for running
# portscan2 below (see original snort.conf for further
# details).
#
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000

#########################################################
# Section #2 (Preprocessors): portscan2 (EXPERIMENTAL)
#
# Portscan2 is a newer portscan detector built on the
# conversation preprocessor above. It is left disabled
# here; check the original snort.conf for further details
# before enabling it (it needs "conversation" enabled too).
#
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

#########################################################
# Section #2 (Preprocessors): perfmonitor (EXPERIMENTAL)
#
# Experimental performance statistics. No docs, highly
# subject to change: it's better to comment it out.
#
#preprocessor perfmonitor: console flow events time 10

#########################################################
# Section #3 (Output plugins)
#
# Snort comes with a number of different output plugins.
# Here we are configuring only "alert_syslog" and
# "database". See http://aenigma.mediaservice.net to
# learn of an advanced output plugin for database logging
# and a full-featured real-time alerting system
# (@AENIGMA Project).
#
# alert_syslog: facility LOG_AUTH, priority LOG_ALERT.
# Forwarding alerts to a remote syslog collector keeps a
# copy of the evidence off the sensor itself.
#
output alert_syslog: LOG_AUTH LOG_ALERT

# database: the database credentials are stored in clear
# text on this line. "user=snort password=l33t dbname=db"
# are sample values — never reuse them. Keep this file
# readable only by the account Snort runs as, and use a
# dedicated database account restricted to the privileges
# the plugin needs for writing alerts (not a DBA account).
#
output database: log, mysql, user=snort password=l33t dbname=db host=localhost

#########################################################
# Section #4 (Ruleset): classification and priority
#
# Include classification and priority settings (default
# configuration is fine).
#
include classification.config

#########################################################
# Section #4 (Ruleset): reference systems
#
# Include reference systems (default configuration is
# fine).
#
include reference.config

#########################################################
# Section #4 (Ruleset): the actual rules!
#
# The Snort official website (http://www.snort.org) has
# documentation about how to write your own custom rules.
#
# The rules included with the distribution generate
# alerts based on suspicious activity. Depending on your
# network environment and your security policies, some
# of these rules may either generate false positives or
# may be detecting activity you consider to be acceptable:
# therefore, you are encouraged to comment out rules that
# are not applicable in your environment.
#
# NOTE: using all of the rules at the same time may lead
# to serious packet loss on slower machines.
#
# NOTE(review): the commented-out families below include
# web-attacks, backdoor, shellcode and virus. They are
# disabled here for noise/performance reasons, not because
# they are unimportant — review whether your environment
# needs them before deploying. local.rules is the place
# for site-specific rules and is loaded last.
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules