# $Id: snort.conf-medium.txt,v 1.4 2005/06/18 06:30:03 jonkman Exp $ # # # # This is a sample snort.conf for the following type of situation # # Medium level of traffic, sustained under 30meg/second, peaks no higher than 80meg/second. # Running the Bleeding Snort Signatures # Output to Mysql and syslog var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] var HTTP_PORTS 80 #CHANGE THIS IF USING A PROXY SERVER, etc var SHELLCODE_PORTS !$HTTP_PORTS var ORACLE_PORTS 1521 var HOME_NET 192.168.1.0/24 #CHANGE THIS var TELNET_SERVERS $HOME_NET #CHANGE THIS var SQL_SERVERS $HOME_NET #CHANGE THIS var HTTP_SERVERS $HOME_NET #CHANGE THIS var SMTP_SERVERS $HOME_NET #CHANGE THIS var DNS_SERVERS $HOME_NET #CHANGE THIS var RULE_PATH . var EXTERNAL_NET !$HOME_NET var SSH_PORTS 22 #CHANGE IF YOU RUN SSH ON AN UNUSUAL PORT #To get anything new from Bleeding Snort include $RULE_PATH/bleeding.conf #Output plugins output database: alert, mysql, user=sensors password= dbname= host= sensor_name= detail=full output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID #Flow and stream preprocessor flow: stats_interval 0 hash 2 preprocessor frag2 preprocessor stream4: disable_evasion_alerts,detect_scans preprocessor stream4_reassemble: both, ports all #XLink2State mini proc preprocessor xlink2state: ports { 25 691 } #HTTP Inspect preprocessor http_inspect: global iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default \ ports { 80 8080 3128 } \ no_alerts \ non_strict \ non_rfc_char { 0x00 } \ flow_depth 0 \ apache_whitespace yes \ directory no \ iis_backslash no \ u_encode yes \ ascii no \ chunk_length 500000 \ bare_byte yes \ double_decode yes \ iis_unicode yes \ iis_delimiter yes \ multi_slash no #Other preprocs preprocessor rpc_decode: 111 32771 preprocessor bo preprocessor telnet_decode #Flow Portscan preprocessor flow-portscan: \ talker-sliding-scale-factor 0.50 \ talker-fixed-threshold 30 \ talker-sliding-threshold 30 \ talker-sliding-window 20 \ talker-fixed-window 30 \ scoreboard-rows-talker 30000 \ server-watchnet $HOME_NET \ server-ignore-limit 200 \ server-rows 65535 \ server-learning-time 14400 \ server-scanner-limit 4 \ scanner-sliding-window 20 \ scanner-sliding-scale-factor 0.50 \ scanner-fixed-threshold 15 \ scanner-sliding-threshold 40 \ scanner-fixed-window 15 \ scoreboard-rows-scanner 30000 \ # src-ignore-net [192.168.1.1/32,192.168.0.0/24] \ # dst-ignore-net [10.0.0.0/30] \ alert-mode once \ output-mode msg \ tcp-penalties on #Required files include classification.config include reference.config #Rulesets, all optional #General include $RULE_PATH/bleeding.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/x11.rules include $RULE_PATH/misc.rules include $RULE_PATH/nntp.rules include $RULE_PATH/other-ids.rules # include $RULE_PATH/shellcode.rules include $RULE_PATH/community-ftp.rules include $RULE_PATH/community-misc.rules #Mostly Spyware include $RULE_PATH/bleeding-malware.rules #Network issues include $RULE_PATH/bad-traffic.rules include $RULE_PATH/snmp.rules #Exploits and direct attacks include $RULE_PATH/exploit.rules include $RULE_PATH/bleeding-exploit.rules include $RULE_PATH/community-exploit.rules #Scans and recon include $RULE_PATH/scan.rules include $RULE_PATH/bleeding-scan.rules #Unusual stuff include $RULE_PATH/finger.rules #R-services, etc include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules #DOS include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/bleeding-dos.rules #Web issues include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/bleeding-web.rules include $RULE_PATH/community-web-cgi.rules include $RULE_PATH/community-web-client.rules include $RULE_PATH/community-web-dos.rules include $RULE_PATH/community-web-misc.rules #SQL and DB sigs include $RULE_PATH/sql.rules include $RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include $RULE_PATH/community-sql-injection.rules #Informational stuff #include $RULE_PATH/icmp.rules include $RULE_PATH/info.rules # include $RULE_PATH/icmp-info.rules #Windows stuff include $RULE_PATH/netbios.rules #Compromise responses include $RULE_PATH/attack-responses.rules include $RULE_PATH/bleeding-attack_response.rules #Mail sigs include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules include $RULE_PATH/community-mail-client.rules #Trojans, Viruses, and spyware include $RULE_PATH/backdoor.rules include $RULE_PATH/virus.rules include $RULE_PATH/bleeding-virus.rules include $RULE_PATH/community-virus.rules #Policy Sigs include $RULE_PATH/policy.rules include $RULE_PATH/porn.rules include $RULE_PATH/chat.rules include $RULE_PATH/p2p.rules include $RULE_PATH/multimedia.rules include $RULE_PATH/bleeding-policy.rules include $RULE_PATH/bleeding-p2p.rules include $RULE_PATH/bleeding-inappropriate.rules include $RULE_PATH/community-game.rules include $RULE_PATH/community-inappropriate.rules #Experimental include $RULE_PATH/experimental.rules