# Snort 2.x sensor configuration (Smoothwall layout: unicode map under
# /var/smoothwall/snort, rules under /usr/local/lib/snort).
# Laid out one directive per line; the directives themselves are unchanged.

# --- Site variables ---------------------------------------------------------
# HOME_NET and DNS_SERVERS are referenced below but not defined in this
# file -- presumably /etc/snort/vars supplies both; verify, because the
# portscan-ignorehosts line and every rule using $HOME_NET fail to load
# without them.
include /etc/snort/vars

# "any" means EXTERNAL_NET also matches sources inside HOME_NET, so rules
# written EXTERNAL_NET -> HOME_NET fire on internal-to-internal traffic too.
# The stricter, quieter alternative is !$HOME_NET; changing it changes coverage.
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
# NOTE(review): only port 80 here, while http_inspect_server below also
# normalises 3128, 8080, 8180, ...  Rules keyed on $HTTP_PORTS will not see
# those ports even though the preprocessor decodes them -- confirm intended.
var HTTP_PORTS 80
# Every port except 80 (shellcode rules are costly and 80 is the noisiest).
var SHELLCODE_PORTS !80
# NOTE(review): "var" is plain text substitution; "22 222" dropped into a
# rule's port field is not a valid port spec. If this Snort build supports
# portvar, "portvar SSH_PORTS [22,222]" is the form that works -- verify
# against the rules that reference $SSH_PORTS.
var SSH_PORTS 22 222
var ORACLE_PORTS 1521
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.25.0/24,64.12.26.0/24,64.12.28.0/23,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /usr/local/lib/snort

# --- Preprocessors ----------------------------------------------------------
# Flow tracker: 80 MiB memcap, fixed hash table size, stats output disabled.
preprocessor flow: memcap 83886080, rows 8198, stats_interval 0 hash 2
# Legacy frag2 defragmenter kept for reference; frag3 below replaces it.
# preprocessor frag2: memcap 33554432
# frag3: 64 MiB memcap. Per-engine reassembly policy must match the target
# OS, otherwise overlapping-fragment traffic is reassembled differently from
# how the host sees it and evasion becomes possible.
preprocessor frag3_global: memcap 67108864, prealloc_nodes 21676, max_frags 131072
# NOTE(review): the bind_to values are placeholders as written (this copy looks
# redacted); Snort will not parse "xxx.xxx.x.0/24" -- fill in the real
# subnets for the linux-policy and first-policy segments before deploying.
preprocessor frag3_engine: policy linux detect_anomalies bind_to xxx.xxx.x.0/24
preprocessor frag3_engine: policy first detect_anomalies bind_to xxx.xx.x.0/24
# Default engine for everything not bound above.
preprocessor frag3_engine: policy last detect_anomalies
# stream4 TCP state tracking.
# NOTE(review): disable_evasion_alerts turns off the alerts stream4 raises for
# TCP overlap / retransmission anomalies, i.e. the very traffic an attacker
# uses to slip past reassembly. Unless these were measured as false positives
# on this link, consider removing that option.
# NOTE(review): 33608864 is not 32 MiB (33554432) -- looks like a typo; confirm.
preprocessor stream4: detect_scans, detect_state_problems, disable_evasion_alerts, state_protection, memcap 33608864
# Reassemble both directions on all ports; on overlap keep the newer data.
# emergency_ports is presumably the reduced port set used once memcap is hit
# -- verify against the stream4 docs for this version.
preprocessor stream4_reassemble: both, favor_new, ports: all, emergency_ports 21 23 25 42 53 80 110 111 135 136 137 139 143 222 445 513 1433 1521 3306
# HTTP normalisation. IIS unicode map + codepage 1252 for %u / multibyte decoding.
preprocessor http_inspect: global iis_unicode_map /var/smoothwall/snort/unicode.map 1252
# Two identical server stanzas: one bound to $HOME_NET, one default.
# flow_depth 1460: only the first 1460 bytes of each server response are
# inspected by HTTP rules. NOTE(review): not every 2.x release accepts a
# variable in the "server" field -- confirm $HOME_NET parses here, otherwise
# only the default profile is in effect (which is identical, so detection
# would not change but the warning at startup would be misleading).
preprocessor http_inspect_server: server $HOME_NET profile all ports { 80 1863 3128 5050 8080 8180 13324 13325 32771 56885 } oversize_dir_length 300 flow_depth 1460
preprocessor http_inspect_server: server default profile all ports { 80 1863 3128 5050 8080 8180 13324 13325 32771 56885 } oversize_dir_length 300 flow_depth 1460
# RPC record normalisation on portmapper + the Solaris high port; alert on
# fragmented RPC records (a classic rule-evasion technique).
preprocessor rpc_decode: 111 32771 alert_fragments
# Back Orifice traffic detection.
preprocessor bo
# Strips telnet negotiation so telnet/ftp rules match the clean stream.
preprocessor telnet_decode
# Legacy portscan detector: alert when one source hits 4 ports within 3
# seconds, logging to portscan.log. NOTE(review): sfportscan below covers the
# same ground and is the supported detector -- running both produces duplicate
# alerts for every scan; consider dropping these two lines.
preprocessor portscan: $HOME_NET 4 3 portscan.log
# $DNS_SERVERS is not defined in this file (see include at top).
preprocessor portscan-ignorehosts: $DNS_SERVERS
# Performance stats every 60 s to the stats file; pktcnt is the packet
# interval between time checks (per the perfmonitor docs -- verify).
preprocessor perfmonitor: time 60 file /var/log/snort/snort.stats pktcnt 500
# ARP anomaly detection. With no arpspoof_detect_host entries only the
# generic checks (unicast ARP requests, mismatched source MACs) apply --
# presumably; add host/MAC pairs for the gateway if spoofing alerts are wanted.
preprocessor arpspoof
# Exchange X-LINK2STATE command inspection on SMTP and LSA ports.
preprocessor xlink2state: ports { 25 691 }
# sfportscan: all protocols and scan types, 64 MiB memcap.
# sense_level high is the most aggressive setting and the noisiest; if this
# sensor sees NAT'd or busy hosts, "medium" plus ignore_scanners / watch_ip
# tuning usually cuts false positives without losing real sweeps.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    memcap { 67108864 } \
    sense_level { high }

# --- Output -----------------------------------------------------------------
# Every output plugin is commented out, so alerts go to Snort's default
# alert file in the -l log directory (presumably; confirm on the command line).
# The database lines are the stock template examples, credentials included.
# If one is ever enabled, keep this file readable by root only rather than
# leaving the password inline.
# output alert_syslog: LOG_AUTH LOG_ALERT
# output log_tcpdump: tcpdump.log
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# --- Rule sets --------------------------------------------------------------
# classification/reference must precede any rule that uses classtype/reference.
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
# Stock VRT rule categories.
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/local.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-dns.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/user-agent.rules
include $RULE_PATH/virus.rules
# web-attacks.rules left disabled (it is the noisiest stock web category).
# include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
# Bleeding Edge Threats rules. The -BLOCK variants are the "drop" versions
# for inline mode and stay disabled; the alert-only bleeding-botcc /
# bleeding-drop sets below are used instead (presumably a passive sensor).
# include $RULE_PATH/bleeding-botcc-BLOCK.rules
# include $RULE_PATH/bleeding-drop-BLOCK.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-spyware-dns.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
# Snort community rules.
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/community-policy.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-cgi.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules