Re: Looking for POM for Inline

[Will Metcalf <william.metcalf () gmail com>]

pitch the -i br0 you don't need it.  What do your iptables rules look like?

Regards,

Will


On Fri, 28 Jan 2005 15:04:54 -0500, Bill Warren <bwarren () optivel com> wrote:
> $SNORT -QDc /etc/snort/etc/snort_inline.conf -Q -l $DIR/$DATE -i br0
>
> I have also tried 2 different snort.conf files and I still can't drop
> anything!  I am missing something simple.
>
> Bill
>
>
> Will Metcalf wrote:
>
> > how are you starting snort?
> >
> > Regards,
> >
> > Will
> >
> >
> > On Fri, 28 Jan 2005 12:02:49 -0500, Bill Warren <bwarren () optivel com> wrote:
> >
> >
> > > I am trying to get Snort 2.3 up and inline running.  I am running Debian
> > > Sarge with kernel 2.6.8-2-686.  The bridge is up and running and so is
> > > Snort.  I think I need the POM files for the kernel.  Does somebody have
> > > a link to where I can get the patch.
> > >
> > > Thanks,
> > > Bill
> > > --
> > >
> > > **********************************
> > > Bill Warren
> > > Optivel, Inc.
> > > E-mail: bwarren () optivel com
> > > Voice:  317.275.2305
> > > Fax:    317.275.2301
> > > Web:    http://www.optivel.com
> > > **********************************
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
> > > Tool for open source databases. Create drag-&-drop reports. Save time
> > > by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
> > > Download a FREE copy at http://www.intelliview.com/go/osdn_nl
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> --
>
> **********************************
> Bill Warren
> Optivel, Inc.
> E-mail: bwarren () optivel com
> Voice:  317.275.2305
> Fax:    317.275.2301
> Web:    http://www.optivel.com
> **********************************
>
>
> #--------------------------------------------------
> #   http://www.snort.org     Snort 2.3.0 Ruleset
> #     Contact: snort-sigs () lists sourceforge net
> #--------------------------------------------------
> # $Id: snort.conf,v 1.144.2.6 2005/01/13 20:36:20 jhewlett Exp $
> #
> ###################################################
> # This file contains a sample snort configuration.
> # You can take the following steps to create your own custom configuration:
> #
> #  1) Set the network variables for your network
> #  2) Configure preprocessors
> #  3) Configure output plugins
> #  4) Customize your rule set
> #
> ###################################################
> # Step #1: Set the network variables:
> #
> # You must change the following variables to reflect your local network. The
> # variable is currently setup for an RFC 1918 address space.
> #
> # You can specify it explicitly as:
> #
> # var HOME_NET 10.1.1.0/24
> #
> # or use global variable $<interfacename>_ADDRESS which will be always
> # initialized to IP address and netmask of the network interface which you run
> # snort at.  Under Windows, this must be specified as
> # $(<interfacename>_ADDRESS), such as:
> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> #
> # var HOME_NET $eth0_ADDRESS
> #
> # You can specify lists of IP addresses for HOME_NET
> # by separating the IPs with commas like this:
> #
> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> #
> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> #
> # or you can specify the variable to be any IP address
> # like this:
>
> var HOME_NET any
> var HOMENET any
>
> # Set up the external network addresses as well.  A good start may be "any"
> var EXTERNAL_NET any
>
> # Configure your server lists.  This allows snort to only look for attacks to
> # systems that have a service up.  Why look for HTTP attacks if you are not
> # running a web server?  This allows quick filtering based on IP addresses
> # These configurations MUST follow the same configuration scheme as defined
> # above for $HOME_NET.
>
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
>
> # List of snmp servers on your network
> var SNMP_SERVERS $HOME_NET
>
> # Configure your service ports.  This allows snort to look for attacks destined
> # to a specific application only on the ports that application runs on.  For
> # example, if you run a web server on port 8081, set your HTTP_PORTS variable
> # like this:
> #
> # var HTTP_PORTS 8081
> #
> # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
> # We will adding support for a real list of ports in the future.
>
> # Ports you run web servers on
> #
> # Please note:  [80,8080] does not work.
> # If you wish to define multiple HTTP ports,
> #
> ## var HTTP_PORTS 80
> ## include somefile.rules
> ## var HTTP_PORTS 8080
> ## include somefile.rules
> var HTTP_PORTS 80
>
> # Ports you want to look for SHELLCODE on.
> var SHELLCODE_PORTS !80
>
> # Ports you do oracle attacks on
> var ORACLE_PORTS 1521
>
> # other variables
> #
> # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
> # modifying the signatures when they do, we add them to this list of servers.
> var AIM_SERVERS 
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
> # Path to your rules files (this can be a relative path)
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\rules
> var RULE_PATH /etc/snort/rules
>
> # Configure the snort decoder
> # ============================
> #
> # Snort's decoder will alert on lots of things such as header
> # truncation or options of unusual length or infrequently used tcp options
> #
> #
> # Stop generic decode events:
> #
> # config disable_decode_alerts
> #
> # Stop Alerts on experimental TCP options
> #
> # config disable_tcpopt_experimental_alerts
> #
> # Stop Alerts on obsolete TCP options
> #
> # config disable_tcpopt_obsolete_alerts
> #
> # Stop Alerts on T/TCP alerts
> #
> # In snort 2.0.1 and above, this only alerts when a TCP option is detected
> # that shows T/TCP being actively used on the network.  If this is normal
> # behavior for your network, disable the next option.
> #
> # config disable_tcpopt_ttcp_alerts
> #
> # Stop Alerts on all other TCPOption type events:
> #
> # config disable_tcpopt_alerts
> #
> # Stop Alerts on invalid ip options
> #
> # config disable_ipopt_alerts
>
> # Configure the detection engine
> # ===============================
> #
> # Use a different pattern matcher in case you have a machine with very limited
> # resources:
> #
> # config detection: search-method lowmem
>
> # Configure Inline Resets
> # ========================
> #
> # If running an iptables firewall with snort in InlineMode() we can now
> # perform resets via a physical device. We grab the indev from iptables
> # and use this for the interface on which to send resets. This config
> # option takes an argument for the src mac address you want to use in the
> # reset packet.  This way the bridge can remain stealthy. If the src mac
> # option is not set we use the mac address of the indev device. If we
> # don't set this option we will default to sending resets via raw socket,
> # which needs an ipaddress to be assigned to the int.
> #
> # config layer2resets: 00:06:76:DD:5F:E3
>
> ###################################################
> # Step #2: Configure preprocessors
> #
> # General configuration for preprocessors is of
> # the form
> # preprocessor <name_of_processor>: <configuration_options>
>
> # Configure Flow tracking module
> # -------------------------------
> #
> # The Flow tracking module is meant to start unifying the state keeping
> # mechanisms of snort into a single place. Right now, only a portscan detector
> # is implemented but in the long term,  many of the stateful subsystems of
> # snort will be migrated over to becoming flow plugins. This must be enabled
> # for flow-portscan to work correctly.
> #
> # See README.flow for additional information
> #
> preprocessor flow: stats_interval 0 hash 2
>
> # frag2: IP defragmentation support
> # -------------------------------
> # This preprocessor performs IP defragmentation.  This plugin will also detect
> # people launching fragmentation attacks (usually DoS) against hosts.  No
> # arguments loads the default configuration of the preprocessor, which is a 60
> # second timeout and a 4MB fragment buffer.
>
> # The following (comma delimited) options are available for frag2
> #    timeout [seconds] - sets the number of [seconds] that an unfinished
> #                        fragment will be kept around waiting for completion,
> #                        if this time expires the fragment will be flushed
> #    memcap [bytes] - limit frag2 memory usage to [number] bytes
> #                      (default:  4194304)
> #
> #    min_ttl [number] - minimum ttl to accept
> #
> #    ttl_limit [number] - difference of ttl to accept without alerting
> #                         will cause false positves with router flap
> #
> # Frag2 uses Generator ID 113 and uses the following SIDS
> # for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Oversized fragment (reassembled frag > 64k bytes)
> #   2       Teardrop-type attack
>
> preprocessor frag2
>
> # stream4: stateful inspection/stream reassembly for Snort
> #----------------------------------------------------------------------
> # Use in concert with the -z [all|est] command line switch to defeat stick/snot
> # against TCP rules.  Also performs full TCP stream reassembly, stateful
> # inspection of TCP streams, etc.  Can statefully detect various portscan
> # types, fingerprinting, ECN, etc.
>
> # stateful inspection directive
> # no arguments loads the defaults (timeout 30, memcap 8388608)
> # options (options are comma delimited):
> #   detect_scans - stream4 will detect stealth portscans and generate alerts
> #                  when it sees them when this option is set
> #   detect_state_problems - detect TCP state problems, this tends to be very
> #                           noisy because there are a lot of crappy ip stack
> #                           implementations out there
> #
> #   disable_evasion_alerts - turn off the possibly noisy mitigation of
> #                            overlapping sequences.
> #
> #
> #   min_ttl [number]       - set a minium ttl that snort will accept to
> #                            stream reassembly
> #
> #   ttl_limit [number]     - differential of the initial ttl on a session versus
> #                             the normal that someone may be playing games.
> #                             Routing flap may cause lots of false positives.
> #
> #   keepstats [machine|binary] - keep session statistics, add "machine" to
> #                         get them in a flat format for machine reading, add
> #                         "binary" to get them in a unified binary output
> #                         format
> #   noinspect - turn off stateful inspection only
> #   timeout [number] - set the session timeout counter to [number] seconds,
> #                      default is 30 seconds
> #   memcap [number] - limit stream4 memory usage to [number] bytes
> #   log_flushed_streams - if an event is detected on a stream this option will
> #                         cause all packets that are stored in the stream4
> #                         packet buffers to be flushed to disk.  This only
> #                         works when logging in pcap mode!
> #
> # Stream4 uses Generator ID 111 and uses the following SIDS
> # for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Stealth activity
> #   2       Evasive RST packet
> #   3       Evasive TCP packet retransmission
> #   4       TCP Window violation
> #   5       Data on SYN packet
> #   6       Stealth scan: full XMAS
> #   7       Stealth scan: SYN-ACK-PSH-URG
> #   8       Stealth scan: FIN scan
> #   9       Stealth scan: NULL scan
> #   10      Stealth scan: NMAP XMAS scan
> #   11      Stealth scan: Vecna scan
> #   12      Stealth scan: NMAP fingerprint scan stateful detect
> #   13      Stealth scan: SYN-FIN scan
> #   14      TCP forward overlap
>
> preprocessor stream4: disable_evasion_alerts
>
> # tcp stream reassembly directive
> # no arguments loads the default configuration
> #   Only reassemble the client,
> #   Only reassemble the default list of ports (See below),
> #   Give alerts for "bad" streams
> #
> # Available options (comma delimited):
> #   clientonly - reassemble traffic for the client side of a connection only
> #   serveronly - reassemble traffic for the server side of a connection only
> #   both - reassemble both sides of a session
> #   noalerts - turn off alerts from the stream reassembly stage of stream4
> #   ports [list] - use the space separated list of ports in [list], "all"
> #                  will turn on reassembly for all ports, "default" will turn
> #                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
> #                  and 513
>
> preprocessor stream4_reassemble
>
> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
> #
> # lots of options available here. See doc/README.http_inspect.
> # unicode.map should be wherever your snort.conf lives, or given
> # a full path to where snort can find it.
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> #
> #  Example unique server configuration
> #
> #preprocessor http_inspect_server: server 1.1.1.1 \
> #    ports { 80 3128 8080 } \
> #    flow_depth 0 \
> #    ascii no \
> #    double_decode yes \
> #    non_rfc_char { 0x00 } \
> #    chunk_length 500000 \
> #    non_strict \
> #    oversize_dir_length 300 \
> #    no_alerts
>
> # rpc_decode: normalize RPC traffic
> # ---------------------------------
> # RPC may be sent in alternate encodings besides the usual 4-byte encoding
> # that is used by default. This plugin takes the port numbers that RPC
> # services are running on as arguments - it is assumed that the given ports
> # are actually running this type of service. If not, change the ports or turn
> # it off.
> # The RPC decode preprocessor uses generator ID 106
> #
> # arguments: space separated list
> # alert_fragments - alert on any rpc fragmented TCP data
> # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
> # no_alert_large_fragments - don't alert when the fragmented
> #                            sizes exceed the current packet size
> # no_alert_incomplete - don't alert when a single segment
> #                       exceeds the current packet size
>
> preprocessor rpc_decode: 111 32771
>
> # bo: Back Orifice detector
> # -------------------------
> # Detects Back Orifice traffic on the network.  Takes no arguments in 2.0.
> #
> # The Back Orifice detector uses Generator ID 105 and uses the
> # following SIDS for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Back Orifice traffic detected
>
> preprocessor bo
>
> # telnet_decode: Telnet negotiation string normalizer
> # ---------------------------------------------------
> # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
> # traffic.  It works in much the same way as the http_decode preprocessor,
> # searching for traffic that breaks up the normal data stream of a protocol and
> # replacing it with a normalized representation of that traffic so that the
> # "content" pattern matching keyword can work without requiring modifications.
> # This preprocessor requires no arguments.
> # Portscan uses Generator ID 109 and does not generate any SID currently.
>
> preprocessor telnet_decode
>
> # Flow-Portscan: detect a variety of portscans
> # ---------------------------------------
> # Note:  The Flow preprocessor (above) must first be enabled for Flow-Portscan to
> # work.
> #
> # This module detects portscans based off of flow creation in the flow
> # preprocessors.  The goal is to catch one->many hosts and one->many
> # ports scans.
> #
> # Flow-Portscan has numerous options available, please read
> # README.flow-portscan for help configuring this option.
>
> # Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
> #   2       flow-portscan: Sliding Scale Scanner Limit Exceeded
> #   3       flow-portscan: Fixed Scale Talker Limit Exceeded
> #   4       flow-portscan: Sliding Scale Talker Limit Exceeded
>
> # preprocessor flow-portscan: \
> #       talker-sliding-scale-factor 0.50 \
> #       talker-fixed-threshold 30 \
> #       talker-sliding-threshold 30 \
> #       talker-sliding-window 20 \
> #       talker-fixed-window 30 \
> #       scoreboard-rows-talker 30000 \
> #       server-watchnet [10.2.0.0/30] \
> #       server-ignore-limit 200 \
> #       server-rows 65535 \
> #       server-learning-time 14400 \
> #       server-scanner-limit 4 \
> #       scanner-sliding-window 20 \
> #       scanner-sliding-scale-factor 0.50 \
> #       scanner-fixed-threshold 15 \
> #       scanner-sliding-threshold 40 \
> #       scanner-fixed-window 15 \
> #       scoreboard-rows-scanner 30000 \
> #       src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
> #       dst-ignore-net [10.0.0.0/30] \
> #       alert-mode once \
> #       output-mode msg \
> #       tcp-penalties on
>
> # sfPortscan
> # ----------
> # Author: Dan Roelker
> # Portscan detection module.  Detects various types of portscans and
> # portsweeps.  For more information on detection philosophy, alert types,
> # and detailed portscan information, please refer to the README.sfportscan.
> #
> # -configuration options-
> #     proto { tcp udp icmp ip_proto all }
> #       The arguments to the proto option are the types of protocol scans that
> #       the user wants to detect.  Arguments should be separated by spaces and
> #       not commas.
> #     scan_type { portscan portsweep decoy_portscan distributed_portscan all }
> #       The arguments to the scan_type option are the scan types that the
> #       user wants to detect.  Arguments should be separated by spaces and not
> #       commas.
> #     sense_level { low|medium|high }
> #       There is only one argument to this option and it is the level of
> #       sensitivity in which to detect portscans.  The 'low' sensitivity
> #       detects scans by the common method of looking for response errors, such
> #       as TCP RSTs or ICMP unreachables.  This level requires the least
> #       tuning.  The 'medium' sensitivity level detects portscans and
> #       filtered portscans (portscans that receive no response).  This
> #       sensitivity level usually requires tuning out scan events from NATed
> #       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
> #       lower thresholds for portscan detection and a longer time window than
> #       the 'medium' sensitivity level.  Requires more tuning and may be noisy
> #       on very active networks.  However, this sensitivity levels catches the
> #       most scans.
> #     memcap { positive integer }
> #       The maximum number of bytes to allocate for portscan detection.  The
> #       higher this number the more nodes that can be tracked.
> #     logfile { filename }
> #       This option specifies the file to log portscan and detailed portscan
> #       values to.  If there is not a leading /, then snort logs to the
> #       configured log directory.  Refer to README.sfportscan for details on
> #       the logged values in the logfile.
> #     watch_ip { Snort IP List }
> #     ignore_scanners { Snort IP List }
> #     ignore_scanned { Snort IP List }
> #       These options take a snort IP list as the argument.  The 'watch_ip'
> #       option specifies the IP(s) to watch for portscan.  The
> #       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
> #       Note that these hosts are still watched as scanned hosts.  The
> #       'ignore_scanners' option is used to tune alerts from very active
> #       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option
> #       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
> #       are still watched as scanner hosts.  The 'ignore_scanned' option is
> #       used to tune alerts from very active hosts such as syslog servers, etc.
> #
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          sense_level { low }
>
> # arpspoof
> #----------------------------------------
> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
> # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
> # this preprocessor you must specify the IP and hardware address of hosts on
> # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
> # Also takes a "-unicast" option to turn on unicast ARP request detection.
> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
>
> #  SID     Event description
> # -----   -------------------
> #   1       Unicast ARP request
> #   2       Etherframe ARP mismatch (src)
> #   3       Etherframe ARP mismatch (dst)
> #   4       ARP cache overwrite attack
>
> #preprocessor arpspoof
> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
> # Performance Statistics
> # ----------------------
> # Documentation for this is provided in the Snort Manual.  You should read it.
> # It is included in the release distribution as doc/snort_manual.pdf
> #
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>
> ####################################################################
> # Step #3: Configure output plugins
> #
> # Uncomment and configure the output plugins you decide to use.  General
> # configuration for output plugins is of the form:
> #
> # output <name_of_plugin>: <configuration_options>
> #
> # alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments.  Win32 can also optionally
> # specify a particular hostname/port.  Under Win32, the default hostname is
> # '127.0.0.1', and the default port is 514.
> #
> # [Unix flavours should use this format...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> #
> # [Win32 can use any of these formats...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>
> # log_tcpdump: log packets in binary tcpdump format
> # -------------------------------------------------
> # The only argument is the output file name.
> #
> # output log_tcpdump: tcpdump.log
>
> # database: log to a variety of databases
> # ---------------------------------------
> # See the README.database file for more information about configuring
> # and using this plugin.
> #
> # output database: log, mysql, user=root password=test dbname=db host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, odbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
> # output database: log, oracle, dbname=snort user=snort password=test
>
> # unified: Snort unified binary format alerting and logging
> # -------------------------------------------------------------
> # The unified output plugin provides two new formats for logging and generating
> # alerts from Snort, the "unified" format.  The unified format is a straight
> # binary format for logging data out of Snort that is designed to be fast and
> # efficient.  Used with barnyard (the new alert/log processor), most of the
> # overhead for logging and alerting to various slow storage mechanisms such as
> # databases or the network can now be avoided.
> #
> # Check out the spo_unified.h file for the data formats.
> #
> # Two arguments are supported.
> #    filename - base filename to write to (current time_t is appended)
> #    limit    - maximum size of spool file in MB (default: 128)
> #
> # output alert_unified: filename snort.alert, limit 128
> # output log_unified: filename snort.log, limit 128
>
> # You can optionally define new rule types and associate one or more output
> # plugins specifically to that type.
> #
> # This example will create a type that will log to just tcpdump.
> # ruletype suspicious
> # {
> #   type log
> #   output log_tcpdump: suspicious.log
> # }
> #
> # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
> #
> # This example will create a rule type that will log to syslog and a mysql
> # database:
> # ruletype redalert
> # {
> #   type alert
> #   output alert_syslog: LOG_AUTH LOG_ALERT
> #   output database: log, mysql, user=snort dbname=snort host=localhost
> # }
> #
> # EXAMPLE RULE FOR REDALERT RULETYPE:
> # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
> #   (msg:"Someone is being LEET"; flags:A+;)
>
> #
> # Include classification & priority settings
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\etc\classification.config
> #
>
> include classification.config
>
> #
> # Include reference systems
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\etc\reference.config
> #
>
> include reference.config
>
> ####################################################################
> # Step #4: Customize your rule set
> #
> # Up to date snort rules are available at http://www.snort.org
> #
> # The snort web site has documentation about how to write your own custom snort
> # rules.
> #
> # The rules included with this distribution generate alerts based on on
> # suspicious activity. Depending on your network environment, your security
> # policies, and what you consider to be suspicious, some of these rules may
> # either generate false positives ore may be detecting activity you consider to
> # be acceptable; therefore, you are encouraged to comment out rules that are
> # not applicable in your environment.
> #
> # The following individuals contributed many of rules in this distribution.
> #
> # Credits:
> #   Ron Gula <rgula () securitywizards com> of Network Security Wizards
> #   Max Vision <vision () whitehats com>
> #   Martin Markgraf <martin () mail du gtn com>
> #   Fyodor Yarochkin <fygrave () tigerteam net>
> #   Nick Rogness <nick () rapidnet com>
> #   Jim Forster <jforster () rapidnet com>
> #   Scott McIntyre <scott () whoi edu>
> #   Tom Vandepoel <Tom.Vandepoel () ubizen com>
> #   Brian Caswell <bmc () snort org>
> #   Zeno <admin () cgisecurity com>
> #   Ryan Russell <ryan () securityfocus com>
>
> #=========================================
> # Include all relevant rulesets here
> #
> # The following rulesets are disabled by default:
> #
> #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
> #   chat, multimedia, and p2p
> #
> # These rules are either site policy specific or require tuning in order to not
> # generate false positive alerts in most enviornments.
> #
> # Please read the specific include file for more information and
> # README.alert_order for how rule ordering affects how alerts are triggered.
> #=========================================
>
> #include $RULE_PATH/local.rules
> #include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> #include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
>
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
>
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> #include $RULE_PATH/misc.rules
> #include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
>
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/virus.rules
> # include $RULE_PATH/chat.rules
> # include $RULE_PATH/multimedia.rules
> include $RULE_PATH/p2p.rules
> # include $RULE_PATH/experimental.rules
>
> # Include any thresholding or suppression commands. See threshold.conf in the
> # <snort src>/etc directory for details. Commands don't necessarily need to be
> # contained in this conf, but a separate conf makes it easier to maintain them.
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\etc\threshold.conf
> # Uncomment if needed.
> # include threshold.conf
>
>
> #
> # Honeynet snort_inline configuration file
> # Version 0.5
> # Last modified 27 April, 2003
> #
> # Standard Snort configuration file modified for inline
> # use.
> #
>
> ### Network variables
> var HOME_NET any
> var EXTERNAL_NET any
>
> ### Ports variables
> var SHELLCODE_PORTS !80
> var HTTP_PORTS 80
> var ORACLE_PORTS 1521
>
> ### Preprocessors
> # Usage guidelines:  If the plugin normalizes the packet so that the
> # detection engine can better interpret the data, the plugin can be
> # used with the snort_inline safely.  If the plugin itself makes
> # the alert decisions, then we have to modify the plugin to drop
> # packets.
>
> # Many false positives
> # preprocessor fnord
> # preprocessor asn1_decode
>
> # Done by IPTables
> # preprocessor frag2
> # preprocessor portscan
>
> # Not yet modified for snort_inline
> # preprocessor stream4: detect_scans, disable_evasion_alerts
> # preprocessor stream4_reassemble
>
> # Enabled
> #preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
> preprocessor rpc_decode: 111 32771
> preprocessor telnet_decode
> preprocessor bo: -nobrute
>
> ### Logging alerts of outbound attacks
> output alert_full: snort_inline-full
> output alert_fast: snort_inline-fast
>
> ### Rules found in local directory
> var RULE_PATH /etc/snort/rules
>
> ### Include classification & reference
> include $RULE_PATH/classification.config
> include $RULE_PATH/reference.config
>
> ### The Drop Rules
> # Enabled
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> #include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/nntp.rules
>
> ### Disabled
>
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> # include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> # include $RULE_PATH/chat.rules
> # include $RULE_PATH/multimedia.rules
> # include $RULE_PATH/p2p.rules
> # include $RULE_PATH/experimental.rules
> # include $RULE_PATH/local.rules
> # include $RULE_PATH/bad-traffic.rules
> # include $RULE_PATH/attack-responses.rules
> # include $RULE_PATH/scan.rules
> # include $RULE_PATH/misc.rules
>
> #include $RULE_PATH/spyware/parasites.rules


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users