# Honeynet snort_inline configuration file
# Version 0.5
# Last modified 01 January, 2004
#
# Standard Snort configuration file modified for inline
# use. Most preprocessors currently do not work in inline
# mode, as such they are not included.
#
### Network variables
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
# Ports you run web servers on
#
# Please note: [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80
# Ports you do oracle attacks on
var ORACLE_PORTS 1521
### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
config checksum_mode: all
# Path to your rules files (this can be a relative path)
var RULE_PATH /usr/src/snort_inline-2.3.0-RC1/rules
# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop generic decode drops:
#
# config disable_decode_drops
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop drops on experimental TCP options
#
# config disable_tcpopt_experimental_drops
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop drops on obsolete TCP options
#
# config disable_tcpopt_obsolete_drops
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network. If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop drops on T/TCP alerts
#
# config disable_ttcp_drops
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop drops on all other TCPOption type events:
#
# config disable_tcpopt_drops
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Stop drops on invalid ip options
#
# config disable_ipopt_drops
# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem
# Configure Inline Resets
# ========================
#
# If running an iptables firewall with snort_inline we can now perform resets
# via a physical device we grab the indev from iptables and use this for the
# interface on which to send resets. This config option takes an argument for
# the src mac address you want to use in the reset packet. This way the bridge
# can remain stealthy. If the src mac option is not set we use the mac address
# of the indev device. If we don't set this option we will default to sending
# resets via raw socket, which needs an ipaddress to be assigned to the int.
#
# config layer2resets: 00:06:76:DD:5F:E3
### Preprocessors
# usage guidelines: if the plugin normalizes the packet so that the
# detection engine can better interpret the data, the plugin can be
# used with the snort_inline safely. If the plugin itself makes
# the alert decisions, then we have to modify it to drop packets.
# sticky-drop: drop all packets from the source of an attack for x number of seconds
# ----------------------------------------------------------------------------------
# For use in rule language and by the portscan2, clamav, and the sfportscan preprocessor to drop
# packets from attackers for x number of seconds because we don't like them messing with
# our stuff. Right now we only drop from source so if using the sticky-drop keyword make sure
# that the source of the attack is something you actually want to block.
#
# In the example below the first line tells stickydrop a max amount of entries for memory allocation
# In addition the first line tells stickydrop to log droped packets to the snort log dir stickyd.log
#
# The second line specifies timeouts for the two currently supported portscan preprocs and clamav
#
# The third line tells which sources to never drop, it is very, very important to add your home net
# and you dns servers to this list.
#
#example:
#preprocessor stickydrop: max_entries 3000,log
#preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
#preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13
# Done by IPTables. Iptables assembles fragments when we use connection
# tracking; therefore, we don't have to use frag2
# preprocessor frag2
# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 5 hash 2
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules. Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc. Can statefully detect various portscan
# types, fingerprinting, ECN, etc.
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
# when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
# noisy because there are a lot of crappy ip stack
# implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
# overlapping sequences.
#
#
# min_ttl [number] - set a minium ttl that snort will accept to
# stream reassembly
#
# ttl_limit [number] - differential of the initial ttl on a session versus
# the normal that someone may be playing games.
# Routing flap may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
# get them in a flat format for machine reading, add
# "binary" to get them in a unified binary output
# format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
# default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
# log_flushed_streams - if an event is detected on a stream this option will
# cause all packets that are stored in the stream4
# packet buffers to be flushed to disk. This only
# works when logging in pcap mode!
#
# stream4inline - This forces stream4 to do packet reassembly on a sliding window, what this means
# is that we are doing reassembly in real-time, and no more of this postmortem uberpacket
# creation alert but can't drop non-sense. Be careful though we are performing
# session drops so this means that this option has to be used in conjunction with enforce_state
# to be effective otherwise what is the point. We are pretty sure we break the replace keyword
# with this one, so be careful.
#
# Stream4inline options:
# truncate: truncates a stream instead of flushing it. Use this for the sliding window.
# truncate_percentage: set the percentage to cut off of the stream when we truncate (default 33).
# window_size: size in bytes of the sliding window (default: 7000).
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap
preprocessor stream4: disable_evasion_alerts
#Stream4 with inline support example
#
#preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
#
# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513
preprocessor stream4_reassemble: both
# ClamAV virusscanning preprocessor
#
# This preprocessor will scan the data in the packets for virusses.
# See README.clamav for details and limitations.
#
# Available options (comma delimited):
#
# ports: a space delimited list of ports that will be scanned.
# all: all ports
# n : single port to be scanned
# !n : not scan port n (to be used with 'all'
#
# toclientonly: scan only the traffic to the client (tcp only)
# toserveronly: scan only the traffic to the server (tcp only)
#
# action-drop : drop the infected packet (snort_inline only)
# action-reset: reset the connection (snort_inline only)
#
# dbdir: path to the clamav definitions directory.
#
# dbreload-time: time in seconds to refresh the read of the AV signatures
#
# Example:
# preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200
#
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
preprocessor rpc_decode: 111 32771
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
#
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected
preprocessor bo
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic. It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.
preprocessor telnet_decode
# sfPortscan
# ----------
# Author: Dan Roelker
# Portscan detection module. Detects various types of portscans and
# portsweeps. For more information on detection philosophy, alert types,
# and detailed portscan information, please refer to the README.sfportscan.
#
# -configuration options-
# proto { tcp udp icmp ip_proto all }
# The arguments to the proto option are the types of protocol scans that
# the user wants to detect. Arguments should be separated by spaces and
# not commas.
# scan_type { portscan portsweep decoy_portscan distributed_portscan all }
# The arguments to the scan_type option are the scan types that the
# user wants to detect. Arguments should be separated by spaces and not
# commas.
# sense_level { low|medium|high }
# There is only one argument to this option and it is the level of
# sensitivity in which to detect portscans. The 'low' sensitivity
# detects scans by the common method of looking for response errors, such
# as TCP RSTs or ICMP unreachables. This level requires the least
# tuning. The 'medium' sensitivity level detects portscans and
# filtered portscans (portscans that receive no response). This
# sensitivity level usually requires tuning out scan events from NATed
# IPs, DNS cache servers, etc. The 'high' sensitivity level has
# lower thresholds for portscan detection and a longer time window than
# the 'medium' sensitivity level. Requires more tuning and may be noisy
# on very active networks. However, this sensitivity levels catches the
# most scans.
# memcap { positive integer }
# The maximum number of bytes to allocate for portscan detection. The
# higher this number the more nodes that can be tracked.
# logfile { filename }
# This option specifies the file to log portscan and detailed portscan
# values to. If there is not a leading /, then snort logs to the
# configured log directory. Refer to README.sfportscan for details on
# the logged values in the logfile.
# watch_ip { Snort IP List }
# ignore_scanners { Snort IP List }
# ignore_scanned { Snort IP List }
# These options take a snort IP list as the argument. The 'watch_ip'
# option specifies the IP(s) to watch for portscan. The
# 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
# Note that these hosts are still watched as scanned hosts. The
# 'ignore_scanners' option is used to tune alerts from very active
# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
# specifies the IP(s) to ignore as scanned hosts. Note that these hosts
# are still watched as scanner hosts. The 'ignore_scanned' option is
# used to tune alerts from very active hosts such as syslog servers, etc.
#
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual. You should read it.
# It is included in the release distribution as doc/snort_manual.pdf
#
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
### Logging alerts of outbound attacks
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast
### If you want to log the contents of the dropped packets, remove comment
#output log_tcpdump: tcpdump.log
# Include classification & priority settings
#var RULE_PATH /usr/src/snort_inline-2.3.0-RC1/rules
include /usr/src/snort_inline-2.3.0-RC1/etc/classification.config
include /usr/src/snort_inline-2.3.0-RC1/etc/reference.config
### The Drop Rules
# Enabled
#include $RULE_PATH/exploit.rules ( mostly not web stuff )
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/nntp.rules
### Disabled
# include $RULE_PATH/other-ids.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules