Linux 4 All: snort.conf

You can use this config as a starting point for your Snort configuration. Note that you will need to change the MySql variable… You should see it if you scroll down some. Also comment out or add any rules that you may or may not have. A good source for rules would be http://www.snort.org, or google for bleeding-edge rules. I personally use a combination of the two rulesets.

#--------------------------------------------------

#   http://www.snort.org     Snort 2.8.2 Ruleset

#     Contact: snort-sigs@lists.sourceforge.net

#--------------------------------------------------

# $Id$

#

# Step #1: Set the network variables:

#

# You must change the following variables

# to reflect your local network. The variable

# is currently setup for an RFC 1918 address space.

#

# You can specify it explicitly as:

#

# var HOME_NET 10.1.1.0/24

#

#

# var HOME_NET $eth0_ADDRESS

#

# You can specify lists of IP addresses for HOME_NET

# by separating the IPs with commas like this:

#

# var HOME_NET [10.1.1.0/24,192.168.1.0/24]

#

# MAKE SURE YOU DON’T PLACE ANY SPACES IN YOUR LIST!

#

# or you can specify the variable to be any IP address

# like this:



var HOME_NET any



# Set up the external network addresses as well.

var EXTERNAL_NET any



# List of DNS servers on your network

var DNS_SERVERS $HOME_NET



# List of SMTP servers on your network

var SMTP_SERVERS $HOME_NET



# List of web servers on your network

var HTTP_SERVERS $HOME_NET



# List of sql servers on your network

var SQL_SERVERS $HOME_NET



# List of telnet servers on your network

var TELNET_SERVERS $HOME_NET



# List of snmp servers on your network

var SNMP_SERVERS $HOME_NET



# Ports you run web servers on

portvar HTTP_PORTS 80



# Ports you want to look for SHELLCODE on.

portvar SHELLCODE_PORTS !80



# Ports you might see oracle attacks on

portvar ORACLE_PORTS 1521



# Path to your rules files (this can be a relative path)

var RULE_PATH /etc/snort/rules



# frag3: Target-based IP defragmentation

preprocessor frag3_global: max_frags 65536

preprocessor frag3_engine: policy first detect_anomalies



# Target Based stateful inspection/stream reassembly for Snort

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \

track_udp no

preprocessor stream5_tcp: policy first, use_static_footprint_sizes



# http_inspect

preprocessor http_inspect: global \

iis_unicode_map unicode.map 1252



preprocessor http_inspect_server: server default \

profile all ports { 80 8080 8180 } oversize_dir_length 500



# rpc_decode: normalize RPC traffic

preprocessor rpc_decode: 111 32771



# bo: Back Orifice detector

preprocessor bo



# sfPortScan

preprocessor sfportscan: proto  { all } \

memcap { 10000000 } \

sense_level { low }

# database: log to a variety of databases



#######################################

#CHANGE THESE VALUES TO MATCH YOUR SETUP!!!!     #

#######################################



output database: alert, mysql, user=snort password=snort dbname=snort host=snort



# Include classification & priority settings

include classification.config



# Include reference systems

include reference.config



# Customize your rule set

include $RULE_PATH/local.rules

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

include $RULE_PATH/web-client.rules

include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules

include $RULE_PATH/x11.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack-responses.rules

include $RULE_PATH/oracle.rules

include $RULE_PATH/mysql.rules

include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules

include $RULE_PATH/imap.rules

include $RULE_PATH/pop2.rules

include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules

include $RULE_PATH/other-ids.rules

include $RULE_PATH/web-attacks.rules

include $RULE_PATH/backdoor.rules

include $RULE_PATH/shellcode.rules

include $RULE_PATH/policy.rules

include $RULE_PATH/porn.rules

include $RULE_PATH/info.rules

include $RULE_PATH/icmp-info.rules

include $RULE_PATH/virus.rules

include $RULE_PATH/chat.rules

include $RULE_PATH/multimedia.rules

include $RULE_PATH/p2p.rules

Linux 4 All

Latest Posts

snort.conf

No comments:

Post a Comment