# Snort 2.x configuration (Smoothwall-style paths). Directive order matters:
# a var must be defined before it is referenced, and preprocessors are
# applied in the order they are listed.

# Site variables come from this external file. $HOME_NET and $DNS_SERVERS are
# referenced below but are not defined in this file, so they must be set there.
include /etc/snort/vars

# EXTERNAL_NET is "any", so rules written as $EXTERNAL_NET -> $HOME_NET also
# match traffic whose source is inside HOME_NET. NOTE(review): the common
# hardening is "!$HOME_NET"; confirm whether internal-to-internal matching is
# intended before changing it, since it changes which rules can fire.
var EXTERNAL_NET any
# Every server group is the whole of HOME_NET, so server-side rules apply to
# all internal hosts rather than only to the real servers.
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
# Shellcode rules run on every port except 80.
var SHELLCODE_PORTS !80
var SSH_PORTS 22 222
var ORACLE_PORTS 1521
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.25.0/24,64.12.26.0/24,64.12.28.0/23,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
# Base directory for the classification/reference includes at the end of this file.
var RULE_PATH /usr/local/lib/snort

# ---------------------------------------------------------------------------
# Preprocessors
# ---------------------------------------------------------------------------

# flow: per-session tracking; memcap in bytes, stats reporting disabled.
preprocessor flow: memcap 83886080, rows 8198, stats_interval 0 hash 2

# frag2 is the older defragmenter and is left disabled; frag3 below replaces it.
# preprocessor frag2: memcap 33554432
# frag3: target-based IP defragmentation. Each engine applies a reassembly
# policy (how overlapping fragments are resolved) to the subnet it is bound
# to; the unbound "last" engine is the catch-all.
preprocessor frag3_global: memcap 67108864, prealloc_nodes 21676, max_frags 131072
# NOTE(review): "xxx.xxx.x.0/24" and "xxx.xx.x.0/24" are redacted
# placeholders, not valid CIDR blocks. These two engines cannot bind until real
# subnets are filled in, so until then only the "last" engine applies to all
# traffic and per-OS overlap handling is not in effect.
preprocessor frag3_engine: policy linux detect_anomalies bind_to xxx.xxx.x.0/24
preprocessor frag3_engine: policy first detect_anomalies bind_to xxx.xx.x.0/24
preprocessor frag3_engine: policy last detect_anomalies

# stream4: TCP state tracking. detect_scans and detect_state_problems turn on
# the stealth-scan and state-violation alerts; state_protection limits session
# table growth under flood.
# NOTE(review): disable_evasion_alerts suppresses the alerts stream4 raises on
# TCP-level evasion attempts (e.g. retransmitted segments with differing
# data). That is a deliberate noise trade-off; remove the option if those
# evasions should be reported.
preprocessor stream4: detect_scans, detect_state_problems, disable_evasion_alerts, state_protection, memcap 33608864
# Reassemble both directions on all ports. When memory runs short only the
# emergency_ports list keeps being reassembled, so that list is effectively
# the set of protocols whose inspection survives load.
preprocessor stream4_reassemble: both, favor_new, ports: all, emergency_ports 21 23 25 42 53 80 110 111 135 136 137 139 143 222 445 513 1433 1521 3306

# http_inspect: HTTP normalisation, using the IIS unicode map for code page
# 1252. The HOME_NET server profile and the default profile are identical.
# NOTE(review): flow_depth 1460 means only the first 1460 bytes of a server
# response are inspected; rules cannot see response content beyond that. The
# port list includes non-standard HTTP ports (1863, 5050, 13324/13325, 56885);
# keep it in sync with HTTP_PORTS if rules are expected to cover them.
preprocessor http_inspect: global iis_unicode_map /var/smoothwall/snort/unicode.map 1252
preprocessor http_inspect_server: server $HOME_NET profile all ports { 80 1863 3128 5050 8080 8180 13324 13325 32771 56885 } oversize_dir_length 300 flow_depth 1460
preprocessor http_inspect_server: server default profile all ports { 80 1863 3128 5050 8080 8180 13324 13325 32771 56885 } oversize_dir_length 300 flow_depth 1460

# rpc_decode: normalise fragmented RPC on the portmapper ports and alert on
# fragmented RPC records (a classic rule-evasion technique).
preprocessor rpc_decode: 111 32771 alert_fragments
# bo: Back Orifice traffic detection.
# NOTE(review): this preprocessor was the subject of a remote code execution
# advisory in some Snort 2.4.x releases; confirm the installed build is
# patched, or drop it if BO detection is not needed.
preprocessor bo
# telnet_decode: strip telnet option negotiation so telnet/FTP rules match.
preprocessor telnet_decode
# Legacy portscan detector: watch HOME_NET for 4 ports within 3 seconds.
# NOTE(review): "portscan.log" is a relative path; confirm where it is written
# (the other log paths in this file are absolute under /var/log/snort).
preprocessor portscan: $HOME_NET 4 3 portscan.log
# DNS servers legitimately talk to many hosts; keep them out of scan detection.
preprocessor portscan-ignorehosts: $DNS_SERVERS
# perfmonitor: write performance statistics every 60 seconds / 500 packets.
preprocessor perfmonitor: time 60 file /var/log/snort/snort.stats pktcnt 500
# arpspoof: ARP anomaly detection.
# NOTE(review): no arpspoof_detect_host entries are configured, so the
# IP/MAC pairing checks for specific hosts are not active; only the generic
# ARP checks apply.
preprocessor arpspoof
# xlink2state: detect the Exchange X-LINK2STATE overflow on SMTP ports.
preprocessor xlink2state: ports { 25 691 }
# sfportscan: the newer scan detector, all protocols and scan types at the
# highest sensitivity.
# NOTE(review): sense_level high is the noisiest setting, and the legacy
# "portscan" preprocessor above is also enabled, so a single scan may be
# reported by both. Consider keeping only sfportscan.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    memcap { 67108864 } \
    sense_level { high }

# ---------------------------------------------------------------------------
# Output
# ---------------------------------------------------------------------------
# All output plugins are commented out, so alerts go wherever Snort's defaults
# and command-line options send them.
# NOTE(review): the database templates below embed credentials (root/test).
# If one is enabled, use a dedicated low-privilege database user, and keep
# this file readable only by root and the snort user.
# output alert_syslog: LOG_AUTH LOG_ALERT
# output log_tcpdump: tcpdump.log
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# Classification priorities and reference URL prefixes used by the rules.
# NOTE(review): no *.rules files are included in this portion of the config;
# presumably they follow below or are loaded from the command line — confirm.
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config