snort.conf

入侵检测系统.linux下与MySql连用的例子

#--------------------------------------------------
#   http://www.snort.org     Snort 1.8.0 Ruleset
#     Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.62 2001/08/12 04:31:01 roesch Exp $
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your 
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently 
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS 
# which will be always initialized to IP address and 
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.  
# A good start may be "any"

var EXTERNAL_NET any

# Set up your SMTP servers, or simply configure them 
# to HOME_NET 

var SMTP $HOME_NET

# Set up your web servers, or simply configure them 
# to HOME_NET

var HTTP_SERVERS $HOME_NET

# Set up your sql servers, or simply configure them
# to HOME_NET

var SQL_SERVERS $HOME_NET
 
# Define the addresses of DNS servers and other hosts 
# if you want to ignore portscan false alarms from them...

var DNS_SERVERS $HOME_NET

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# minfrag: detect small fragments
# -------------------------------
# minfrag has been deprecated as of build 26

# defrag: defragmentation support
# -------------------------------
# IP defragmentation support from Dragos Ruiu. There
# are no configuration options at this time.

#preprocessor defrag
preprocessor frag2

# stream2: TCP stream reassembly
# -------------------------------------
# TCP stream reassembly preprocessor from Chris Cramer.  
# This preprocessor should always go after the defrag 
# preprocessor, but before application layer decoders. 
# The example below monitors ports 23 and 80, has a 
# timeout after 10 seconds, and will send reassembled 
# packets of max payload 16384 bytes through the 
# detection engine. See README.tcpstream for more 
# information and configuration options. Uncomment 
# the following line and configure appropriately to 
# enable this preprocessor.
#
# NOTE: This code should still be considered BETA!
# It seems to be stable, but there are still some
# issues that remain to be resolved, so make sure you
# keep an eye on your Snort sensor if you enable this plugin
# The older version which definitely had issues w/ packet
# loss is still in the code base, to use it in place of the
# new version, use "preprocessor stream: ..."

#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat 
# stick/snot against TCP rules.  Also performs full TCP stream 
# reassembly, stateful inspection of TCP streams, etc.  Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8MB)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#                           noisy because there are a lot of crappy ip stack
#                           implementations out there
#   keepstats [machine] - keep session statistics, add "machine" to get them in
#                         a flat format for machine reading
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes

preprocessor stream4: detect_scans

# tcp stream reassembly directive
# no arguments loads the default configuration (clientonly, ports default, 
# alerts on) 
# options (still comma delimited):
#   clientonly - reassemble traffic for the client side of a connection only
#   serveronly - reassemble traffic for the server side of a connection only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of stream4
#   ports [list] - use the space separated list of ports in [list], "all" 
#                  will turn on reassembly for all ports, "default" will turn
#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
#                  and 513

preprocessor stream4_reassemble

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote 
# machines by converting any %XX character 
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request. 
# Specify the port numbers you want it to analyze as arguments.
# You may also specify -unicode to turn off detection of 
# UNICODE directory traversal, etc attacks.  Use -cginull to
# turn off detection of CGI NULL code attacks.

preprocessor http_decode: 80 -unicode -cginull


# unidecode: normalize HTTP/detect UNICODE attacks 
# ------------------------------------------------
# Works much the same as http_decode, but does a better
# job of categorizing and identifying UNICODE attacks,
# recommended as a potential replacement for http_decode.

# preprocessor unidecode: 80 -unicode -cginull


# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default.  This preprocessor
# normalized RPC traffic in much the same way as the http_decode
# preprocessor.  This plugin takes the ports numbers that RPC 
# services are running on as arguments.

preprocessor rpc_decode: 111 

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  This preprocessor
# uses the Back Orifice "encryption" algorithm to search for 
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments.  The first is "-nobrute"
# which turns off the plugin's brute forcing routine (brute forces 
# the key space of the protocol to find BO traffic).  The second
# argument that can be passed to the routine is a number to use
# as the default key when trying to decrypt the traffic.  The 
# default value is 31337 (just like BO).  Be aware that turning on
# the brute forcing option runs the risk of impacting the overall
# performance of Snort, you've been warned...

preprocessor bo: -nobrute

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from
# telnet and ftp traffic.  It works in much the same way as the 
# http_decode preprocessor, searching for traffic that breaks up
# the normal data stream of a protocol and replacing it with 
# a normalized representation of that traffic so that the "content"
# pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.

preprocessor telnet_decode

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen@linuxrc.net>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can all multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS

# Spade: the Statistical Packet Anomaly Detection Engine
#-------------------------------------------------------
# READ the README.Spade file before using this plugin!
#
# See http://www.silicondefense.com/spice/ for more info
#
# Spade is a Snort plugin to report unusual, possibly