# # snort.conf # # Zoidial, Inc. # Eric Thern # # Default setup # # March, 2002 -- initial # January, 2003 -- updated for 1.9.x # May, 2003 -- updated for 2.0.x # # set these up for your network # # multiple IP's can be done like this: # [10.0.0.1,10.0.0.2,127.0.0.1] # netblocks: # [10.0.0.0/24,192.168.0.0/24,127.0.0.0/8] # single host: # 10.0.0.1 # # you can keep all of these like they are, although I highly suggest # you update $HOME_NET, otherwise you get a lot of garbage. # var HOME_NET any var EXTERNAL_NET any # List of DNS servers on your network var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET # List of web servers on your network var HTTP_SERVERS $HOME_NET # List of sql servers on your network var SQL_SERVERS $HOME_NET # List of telnet servers on your network var TELNET_SERVERS $HOME_NET # Configure your service ports. This allows snort to look for attacks # destined to a specific application only on the ports that application # runs on. For example, if you run a web server on port 8081, set your # HTTP_PORTS variable like this: # # var HTTP_PORTS 8081 # # Port lists must either be continuous [eg 80:8080], or a single port [eg 80]. # We will adding support for a real list of ports in the future. # Ports you run web servers on var HTTP_PORTS 80 # Ports you want to look for SHELLCODE on. var SHELLCODE_PORTS !80 # Ports you do oracle attacks on var ORACLE_PORTS 1521 # AIM servers. AOL has a habit of adding new AIM servers, so instead of # modifying the signatures when they do, we add them to this list of # servers. var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] # Path to your rules files (this can be a relative path) var RULE_PATH rules ### ### PREPROCESSORS ### preprocessor frag2 preprocessor stream4: detect_scans, disable_evasion_alerts preprocessor stream4_reassemble preprocessor rpc_decode: 111 32771 preprocessor telnet_decode preprocessor portscan: $HOME_NET 6 3 portscan.log preprocessor portscan-ignorehosts: $DNS_SERVERS # arpspoof #---------------------------------------- # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, # unicast ARP requests, and specific ARP mapping monitoring. To make use # of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you. Specify one host IP MAC combo per line. # Also takes a "-unicast" option to turn on unicast ARP request detection. #preprocessor arpspoof #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 ### ### Output Plugins ### ### ### the log adding script uses log_local6 and log_info ### don't edit this unless you change things by hand. ### output alert_syslog: LOG_LOCAL6 LOG_INFO # xml: xml logging # ---------------- # See the README.xml file for more information about configuring # and using this plugin. # #output xml: log, file=/var/log/snortxml/snortxml #output alert_unified: filename snort.alert, limit 128 #output log_unified: filename snort.log, limit 128 include rules/classification.config include rules/reference.config ### ### Rulesets ### include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules #include $RULE_PATH/web-coldfusion.rules #include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules #include $RULE_PATH/icmp.rules #include $RULE_PATH/netbios.rules include $RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules #include $RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include $RULE_PATH/snmp.rules include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules include $RULE_PATH/pop3.rules #include $RULE_PATH/pop2.rules include $RULE_PATH/nntp.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/backdoor.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/policy.rules #include $RULE_PATH/porn.rules include $RULE_PATH/info.rules #include $RULE_PATH/icmp-info.rules include $RULE_PATH/virus.rules #include $RULE_PATH/chat.rules #include $RULE_PATH/multimedia.rules #include $RULE_PATH/p2p.rules include $RULE_PATH/experimental.rules include $RULE_PATH/local.rules