# Honeynet snort_inline configuration file
# Version 0.5
# Last modified 01 January, 2004
#
# Standard Snort configuration file modified for inline
# use. Most preprocessors currently do not work in inline
# mode, as such they are not included.
#
### Network variables
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
# Ports you run web servers on
#
# Please note: [80,8080] does not work.
# If you wish to define multiple HTTP ports, set the
# variable and include the rules file once per port:
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80
# Ports to inspect for Oracle attacks
var ORACLE_PORTS 1521
### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
config checksum_mode: all
# Path to your rules files (this can be a relative path)
var RULE_PATH /usr/src/snort_inline-2.3.0-RC1/rules
# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop generic decode drops:
#
# config disable_decode_drops
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop drops on experimental TCP options
#
# config disable_tcpopt_experimental_drops
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop drops on obsolete TCP options
#
# config disable_tcpopt_obsolete_drops
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network. If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop drops on T/TCP alerts
#
# config disable_ttcp_drops
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop drops on all other TCPOption type events:
#
# config disable_tcpopt_drops
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Stop drops on invalid ip options
#
# config disable_ipopt_drops
# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem
# Configure Inline Resets
# ========================
#
# If running an iptables firewall with snort_inline, resets can now be sent
# via a physical device: the indev is taken from iptables and used as the
# interface on which to send resets. This config option takes the src mac
# address you want to use in the reset packet, so the bridge can remain
# stealthy. If the src mac option is not set, the mac address of the indev
# device is used. If this option is not set at all, resets are sent via a
# raw socket, which needs an ip address assigned to the interface.
#
# config layer2resets: 00:06:76:DD:5F:E3
### Preprocessors
# usage guidelines: if a plugin only normalizes the packet so that the
# detection engine can better interpret the data, it can be used safely
# with snort_inline. If the plugin itself makes the alert decisions, it
# has to be modified to drop packets.
# sticky-drop: drop all packets from the source of an attack for x number of seconds
# ----------------------------------------------------------------------------------
# Used by the sticky-drop rule keyword and by the portscan2, clamav and
# sfportscan preprocessors to drop packets from attackers for x seconds
# because we don't like them messing with our stuff. Right now we only drop
# by source, so when using the sticky-drop keyword make sure the source of
# the attack is something you actually want to block (a spoofed source
# address would get an innocent host blocked).
#
# In the example below, the first line sets the maximum number of entries
# stickydrop will allocate memory for, and tells it to log dropped packets
# to stickyd.log in the snort log dir.
#
# The second line specifies timeouts for the two currently supported
# portscan preprocessors and clamav.
#
# The third line lists sources that are never dropped. It is very, very
# important to add your home net and your dns servers to this list.
#
#example:
#preprocessor stickydrop: max_entries 3000,log
#preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
#preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13
# Fragment reassembly is done by iptables: with connection tracking in use,
# iptables reassembles fragments before they reach snort_inline, so frag2 is
# not needed.
# preprocessor frag2
# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
#preprocessor flow: stats_interval 5 hash 2
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules. Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc. Can statefully detect various portscan
# types, fingerprinting, ECN, etc.
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
# when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
# noisy because there are a lot of crappy ip stack
# implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
# overlapping sequences.
#
#
# min_ttl [number] - set a minimum ttl that snort will accept for
# stream reassembly
#
# ttl_limit [number] - maximum allowed difference between a packet's ttl
# and the session's initial ttl; a larger difference suggests
# someone may be playing games (ttl-based insertion/evasion).
# Routing flaps may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
# get them in a flat format for machine reading, add
# "binary" to get them in a unified binary output
# format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
# default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
# log_flushed_streams - if an event is detected on a stream this option will
# cause all packets that are stored in the stream4
# packet buffers to be flushed to disk. This only
# works when logging in pcap mode!
#
# stream4inline - This forces stream4 to do packet reassembly on a sliding window, meaning
# reassembly happens in real time rather than as the post-mortem "uberpacket", which can
# alert but cannot drop. Be careful though: we are performing session drops, so this
# option has to be used in conjunction with enforce_state to be effective, otherwise
# there is no point. We are pretty sure this breaks the replace keyword, so be careful.
#
# Stream4inline options:
# truncate: truncates a stream instead of flushing it. Use this for the sliding window.
# truncate_percentage: set the percentage to cut off of the stream when we truncate (default 33).
# window_size: size in bytes of the sliding window (default: 7000).
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap
preprocessor stream4: disable_evasion_alerts
#Stream4 with inline support example
#
#preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
#
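# Added example, not part of snort_inline or this config: a small Python lint
# that checks a snort.conf for three pitfalls documented above (a bracketed
# HTTP_PORTS list, stream4inline without enforce_state, and a
# stickydrop-ignorehosts list that omits HOME_NET). The sample config is constructed.

```python
"""Lint a snort_inline snort.conf for the pitfalls the comments above describe.
Added example, not part of snort_inline; the sample config is constructed."""
import re

# Constructed sample: every line trips a documented pitfall except stream4_reassemble.
SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/24
var HTTP_PORTS [80,8080]
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-ignorehosts: 192.168.1.12 192.168.1.13
preprocessor stream4: disable_evasion_alerts, stream4inline, \\
    memcap 134217728, timeout 3600
preprocessor stream4_reassemble: both
"""

def parse_conf(text):
    """Join backslash continuations, drop comments, return (kind, name, args)."""
    joined = re.sub(r"\\\n\s*", " ", text)
    entries = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(var|preprocessor|config|include)\s+([^\s:]+):?\s*(.*)", line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries

def lint(text):
    """Return one finding string per pitfall, prefixed with the directive name."""
    findings = []
    home_nets = []  # HOME_NET as a list of CIDRs/hosts, empty when 'any'
    for kind, name, args in parse_conf(text):
        if kind == "var" and name == "HOME_NET" and args != "any":
            home_nets = [n for n in args.strip("[]").split(",") if n]
        elif kind == "var" and name == "HTTP_PORTS" and args.startswith("["):
            # [80,8080] does not work; the file says to include the rules once per port
            findings.append("HTTP_PORTS: bracketed port lists do not work; "
                            "set the variable and include the rules once per port")
        elif kind == "preprocessor" and name == "stickydrop-ignorehosts":
            missing = [n for n in home_nets if n not in args.split()]
            if missing:
                findings.append("stickydrop-ignorehosts: HOME_NET entries not in the "
                                "never-drop list: " + " ".join(missing))
        elif kind == "preprocessor" and name == "stream4":
            # first token of each comma-separated option, e.g. 'memcap 134217728' -> 'memcap'
            opts = {o.split()[0] for o in args.split(",") if o.strip()}
            if "stream4inline" in opts and "enforce_state" not in opts:
                findings.append("stream4: stream4inline must be combined with "
                                "enforce_state for session drops to take effect")
    return findings
```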
# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513
preprocessor stream4_reassemble: both
# ClamAV virusscanning preprocessor
#
# This preprocessor will scan the data in the packets for viruses.
# See README.clamav for details and limitations.
#
# Available options (comma delimited):
#
# ports: a space delimited list of ports that will be scanned.
# all: all ports
# n : single port to be scanned
# !n : do not scan port n (to be used with 'all')
#
# toclientonly: scan only the traffic to the client (tcp only)
# toserveronly: scan only the traffic to the server (tcp only)
#
# action-drop : drop the infected packet (snort_inline only)
# action-reset: reset the connection (snort_inline only)
#
# dbdir: path to the clamav definitions directory.
#
# dbreload-time: time in seconds between re-reads of the AV signature database
#
# Example:
# preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200
#
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000