
📄 snortrules.txt

📁 Program for sending forged IPv4 packets
💻 TXT
📖 Page 1 of 5
#--------------------------------------------------
#   http://www.snort.org     Snort 1.7.0 Ruleset
#      Current Database Updated -- 03/15/2001
#  Contact:  Jim Forster - jforster@rapidnet.com
#--------------------------------------------------
# NOTE:This ruleset only works for 1.7.0 and later
#--------------------------------------------------
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your 
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently
# set up for an RFC 1918 address space.
#
# You can specify it explicitly as: 
# var HOME_NET 10.1.1.0/24
# or use the global variable $<intname>_ADDRESS, which
# is always initialized to the IP address and netmask
# of the network interface Snort is running on.
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
#
#var HOME_NET $eth0_ADDRESS

var HOME_NET 10.1.1.0/24

# Set up the external network addresses as well.  
# A good start may be "any"...

var EXTERNAL_NET any

# Set up your SMTP servers, or simply configure them 
# to HOME_NET 

var SMTP $HOME_NET

# Set up your web servers, or simply configure them 
# to HOME_NET
var HTTP_SERVERS $HOME_NET
 
# Set up your SQL servers, or simply configure them
# to HOME_NET
var SQL_SERVERS $HOME_NET

# Define the addresses of DNS servers and other hosts 
# if you want to ignore portscan false alarms from them...

#var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# minfrag: detect small fragments
# -------------------------------
# minfrag takes the minimum fragment size (in bytes)
# threshold as its argument. Fragmented packets at or
# below this size will cause an alert to be generated.
# The functionality of this preprocessor is largely
# superseded by the defrag plugin below.

#preprocessor minfrag: 128

# defrag: defragmentation support
# -------------------------------
# IP defragmentation support from Dragos Ruiu. There
# are no configuration options at this time.

preprocessor defrag

# stream: TCP stream reassembly
# -----------------------------
# TCP stream reassembly preprocessor from Chris Cramer.  
# This preprocessor should always go after the defrag 
# preprocessor, but before http_decode. The example 
# below monitors ports 21, 23 and 80, has a timeout after
# 10 seconds, and will send reassembled packets of max
# payload 16384 bytes through the detection engine. See
# README.tcpstream for more information and configuration
# options. Uncomment the following line and configure 
# appropriately to enable this preprocessor.
#
# NOTE: This code should still be considered BETA!
# It seems to be stable, but there are still some
# issues that remain to be resolved, so make sure you
# keep an eye on your Snort sensor if you enable this plugin

# preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote 
# machines by converting any %XX character 
# substitutions to their ASCII equivalent. This is
# very useful for defeating attackers who try to hide
# from IDSs by mixing these substitutions into the
# request.
# Specify the port numbers you want it to analyze as arguments.

preprocessor http_decode: 80 8080
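
The effect of the http_decode line above on a content match, as an added Python example (not Snort's code and not part of the original ruleset). The signature string, the sample requests and the function names are constructed for illustration; only the port list 80 and 8080 comes from this file.

```python
import re

HTTP_PORTS = {80, 8080}                 # from "preprocessor http_decode: 80 8080"
SIGNATURE = b"/cgi-bin/example.cgi"     # constructed content pattern, not a real rule
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def http_decode(payload: bytes) -> bytes:
    """Replace each well-formed %XX with the byte it encodes (one pass)."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), payload)

def signature_hits(payload: bytes, dport: int, normalize: bool = True) -> bool:
    """Content match on the payload, normalized first only on listed ports."""
    if normalize and dport in HTTP_PORTS:
        payload = http_decode(payload)
    return SIGNATURE in payload

# Constructed requests: (destination port, raw payload)
SAMPLE = [
    (80,   b"GET /cgi-bin/example.cgi HTTP/1.0\r\n\r\n"),
    (80,   b"GET /cgi-bin/ex%61mple%2Ecgi HTTP/1.0\r\n\r\n"),
    (8000, b"GET /cgi-bin/ex%61mple%2Ecgi HTTP/1.0\r\n\r\n"),
]

def audit(requests):
    """Return (port, hit_without_decode, hit_with_decode) per request."""
    return [(port, signature_hits(p, port, False), signature_hits(p, port, True))
            for port, p in requests]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The last sample goes to port 8000, which is not among the http_decode arguments, so it is never normalized and the match is missed; every port your web servers listen on belongs in that argument list.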

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen@linuxrc.net>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can add multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS
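
The threshold test described above (four different ports in less than three seconds, with ignored hosts excluded), sketched in Python as an added example; it is not Snort's portscan code and does not cover the always-on "stealth" packet detection. The DNS server address, the sample packets, the function name and the choice to count ports per source across all HOME_NET hosts are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

HOME_NET = ipaddress.ip_network("10.1.1.0/24")   # var HOME_NET in this file
IGNORE = [ipaddress.ip_network("10.1.1.1/32")]   # assumed DNS_SERVERS value

# Constructed sample: (timestamp, src, dst, dst_port) of TCP SYN / UDP packets.
SAMPLE = (
    [(t * 0.5, "203.0.113.7", "10.1.1.5", p) for t, p in enumerate((21, 22, 23, 80))]
    + [(t * 2.0, "198.51.100.9", "10.1.1.5", p) for t, p in enumerate((21, 22, 23, 80))]
    + [(10 + t * 0.25, "10.1.1.1", "10.1.1.20", 1024 + t) for t in range(4)]
    + [(20 + t * 0.25, "203.0.113.8", "192.0.2.1", 100 + t) for t in range(4)]
)

def detect_portscans(packets, ports=4, seconds=3, ignore=IGNORE):
    """Return [(timestamp, src)] for each source that reaches `ports` distinct
    destination ports inside HOME_NET in less than `seconds` (one alert per source)."""
    recent = defaultdict(deque)    # src -> (timestamp, port) pairs still in the window
    alerted, alerts = set(), []
    for ts, src, dst, dport in sorted(packets):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d not in HOME_NET or any(s in net for net in ignore):
            continue               # outside the monitored net, or an ignored host
        window = recent[src]
        window.append((ts, dport))
        while ts - window[0][0] >= seconds:   # keep only "less than N seconds"
            window.popleft()
        if src not in alerted and len({p for _, p in window}) >= ports:
            alerted.add(src)
            alerts.append((ts, src))
    return alerts

if __name__ == "__main__":
    print("default 4 ports / 3 s:", detect_portscans(SAMPLE))
    print("without ignorehosts:  ", detect_portscans(SAMPLE, ignore=[]))
```

With the ignore list emptied, the constructed DNS server traffic also crosses the threshold, which is the false alert portscan-ignorehosts is meant to suppress; the source that spreads its four ports over six seconds stays below the threshold in both runs.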

# Spade: the Statistical Packet Anomaly Detection Engine
#-------------------------------------------------------
#
# READ the README.Spade file before using this plugin!
#
# See http://www.silicondefense.com/spice/ for more info
#
# Spade is a Snort plugin to report unusual, possibly 
# suspicious, packets. Spade will review the packets 
# received by Snort, find those of interest (TCP SYNs 
# into your homenets, if any), and report those packets
# that it believes are anomalous along with an anomaly 
# score.  To enable spp_anomsensor, you must have a
