# $Id: snort.conf,v 1.14 2001/01/05 19:27:33 roesch Exp $ ##################################################################### This file contains a sample snort configuration. You can take the # following steps to create your own custom configuration:##  1) Set the HOME_NET variable for your network#  2) Configure preprocessors#  3) Configure output plugins #  4) Customize your rule set###################################################################### Step #1: Set the HOME_NET variable:##    You must change the HOME_NET variable to reflect your local#    network. The variable is currently setup for an RFC 1918 address#    space.##    You can specify it explicitly as: var HOME_NET 10.1.1.0/24#    or use global variable $<intname>_ADDRESS which will be always #    initialized to IP address and netmask of the network interface #    which you run snort at.##    You can specify lists of IP addresses by separating the IPs with commas #    like this:##    [10.1.1.0/24,192.168.1.0/24]##    MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!###var HOME_NET $eth0_ADDRESSvar HOME_NET 10.1.1.0/24# Set up the external network addresses as well.  A good start may be # "any"...var EXTERNAL_NET any# Define the addresses of DNS servers and other hosts if you want to ignore # portscan false alarms from them...#var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]##################################################################### Step #2: Configure preprocessors## General configuration for preprocessors is of the form# #   preprocessor <name_of_processor>: <configuration_options># minfrag: detect small fragments# -------------------------------# minfrag takes the minimum fragment size (in bytes) threshold as its# argument. Fragmented packets at of below this size will cause an# alert to be generated.  The functionality of this preprocessor is # largely superceded by the defrag plugin below.#preprocessor minfrag: 128# defrag: defragmentation support# -------------------------------# IP defragmentation support from Dragos Ruiu. There are no# configuration options at this time.preprocessor defrag# stream: TCP stream reassembly# -----------------------------# TCP stream reassembly preprocessor from Chris Cramer.  This# preprocessor should always go after the defrag preprocessor, but# before http_decode. The example below monitors ports 23 and 80, has# a timeout after 10 seconds, and will send reassembled packets of max# payload 16384 bytes through the detection engine. See# README.tcpstream for more information and configuration# options. Uncomment the following line and configure appropriately to# enable this preprocessor.## NOTE: This code should still be considered BETA!  It seems to be stable, but# there are still some issues that remain to be resolved, so make sure# you keep an eye on your Snort sensor if you enable this plugin# preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384# http_decode: normalize HTTP requests# ------------------------------------# http_decode normalizes HTTP requests from remote machines by# converting any %XX character substitutions to their ASCII# equivalent. This is very useful for doing things like defeating# hostile attackers trying to stealth themselves from IDSs by mixing# these substitutions in with the request. Specify the port# numbers you want it to analyze as arguments.preprocessor http_decode: 80 8080# portscan: detect a variety of portscans# ---------------------------------------# portscan preprocessor by Patrick Mullen <p_mullen@linuxrc.net># This preprocessor detects UDP packets or TCP SYN packets going to# four different ports in less than three seconds. "Stealth" TCP# packets are always detected, regardless of these settings.preprocessor portscan: $HOME_NET 4 3 portscan.log# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from # specific networks or hosts to reduce false alerts. It is typical# to see many false alerts from DNS servers so you may want to # add your DNS servers here. You can all multiple hosts/networks# in a whitespace-delimited list. ##preprocessor portscan-ignorehosts: $DNS_SERVERS# Spade: the Statistical Packet Anomaly Detection Engine#-------------------------------------------------------## READ the README.Spade file before using this plugin!## See http://www.silicondefense.com/spice/ for more info## Spade is a Snort plugin to report unusual, possibly suspicious, packets.  # Spade will review the packets received by Snort, find those of interest (TCP# SYNs into your homenets, if any), and report those packets that it believes # are anomalous along with an anomaly score.  To enable spp_anomsensor, you # must have a line of this form in your snort configuration file:## preprocessor spade: <anom-report-thresh> <state-file> <log-file> <prob-mode>#                     <checkpoint-freq>## DO NOT ENABLE THIS PLUGIN UNLESS YOU HAVE READ THE README.Spade FILE THAT# COMES IN THIS DISTRIBUTION AND ARE COGENT OF THE PERFORMANCE IMPACT THAT THIS# MODULE MAY HAVE UPON YOUR NORMAL SNORT CONFIGURATION!## set this to a directory Spade can read and write to store its files## var SPADEDIR .## preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000## put a list of the networks you are interested in Spade observing packets # going to here## preprocessor spade-homenet: 0.0.0.0/0## this causes Spade to adjust the reporting threshold automatically# the first argument is the target rate of alerts for normal circumstances # (0.01 = 1% or you can give it an hourly rate) after the first hour (or # however long the period is set to in the second argument), the reporting # threshold given above is ignored you can comment this out to have the# threshold be static, or try one of the other adapt methods below## preprocessor spade-adapt3: 0.01 60 168## other possible Spade config lines:# adapt method #1#preprocessor spade-adapt: 20 2 0.5# adapt method #2#preprocessor spade-adapt2: 0.01 15 4 24 7# offline threshold learning#preprocessor spade-threshlearn: 200 24# periodically report on the anom scores and count of packets seen#preprocessor spade-survey:  $SPADEDIR/survey.txt 60# print out known stats about packet feature#preprocessor spade-stats: entropy uncondprob condprob##################################################################### Step #3: Configure output plugins## Uncomment and configure the output plugins you decide to use.# General configuration for output plugins is of the form:# # output <name_of_plugin>: <configuration_options>## Note that you can optionally define new rule types and associate one# or more output plugins specifically to that type.## This example will create a type that will log to just tcpdump.# ruletype suspicious# {#   type log#   output log_tcpdump: suspicious.log# }## This example will create a rule type that will log to syslog # and a mysql database.# ruletype redalert# {#   type alert#   output alert_syslog: LOG_AUTH LOG_ALERT#   output database: log, mysql, user=snort dbname=snort host=localhost# }# alert_syslog: log alerts to syslog# ----------------------------------# Use one or more syslog facilities as arguments## output alert_syslog: LOG_AUTH LOG_ALERT# log_tcpdump: log packets in binary tcpdump format# -------------------------------------------------# The only argument is the output file name.## output log_tcpdump: snort.log# database: log to a variety of databases# ---------------------------------------# See the README.database file for more information about configuring# and using this plugin.## output database: log, mysql, user=snort dbname=snort host=localhost# output database: log, postgresql, user=snort dbname=snort # output database: log, unixodbc, user=snort dbname=snort# xml: xml logging# ----------------# See the README.xml file for more information about configuring# and using this plugin.# # output xml: log, file=/var/log/snortxml##################################################################### Step #4: Customize your rule set## Up to date snort rules are available at the following web sites:#   http://www.snort.org#   http://www.whitehats.com## The snort web site has documentation about how to write your own# custom snort rules. ## The rules included with this distribution generate alerts based on# on suspicious activity. Depending on your network environment, your# security policies, and what you consider to be suspicious, some of# these rules may either generate false positives ore may be detecting# activity you consider to be acceptable; therefore, you are# encouraged to comment out rules that are not applicable in your# environment.## Note that using all of the rules at the same time may lead to# serious packet loss on slower machines. YMMV, use with caution,# standard disclaimers apply. :)## The following individuals contributed many of rules in this# distribution.## Credits:#   Ron Gula <rgula@securitywizards.com> of Network Security Wizards#   Martin Markgraf <martin@mail.du.gtn.com>  #   CyberPsychotic <fygrave@tigerteam.net>#   Nick Rogness <nick@rapidnet.com>#   Jim Forster <jforster@rapidnet.com>#   Scott McIntyre <scott@whoi.edu>#   Tom Vandepoel <Tom.Vandepoel@ubizen.com>include webcgi-libinclude webcf-libinclude webiis-libinclude webfp-libinclude webmisc-libinclude overflow-libinclude finger-libinclude ftp-libinclude smtp-libinclude telnet-libinclude misc-libinclude netbios-libinclude scan-libinclude ddos-libinclude backdoor-libinclude ping-libinclude rpc-lib