# $Id: snort-lib,v 1.18 2000/03/17 06:28:01 roesch Exp $
# These rules log traffic to "sensitive" ports and alert on truly
# suspicious activity. Note that you must change the addresses to reflect
# your local network; these rules are currently set up for an RFC 1918 address
# space.
# Some of these rules may not be suspicious in your network environment, and
# using all of the rules at the same time may lead to serious packet loss
# on slower machines. YMMV, use with caution, standard disclaimers apply. :)
# If you need help writing a specific rule, feel free to drop me a line!
# -Marty (roesch@clark.net)
# Credits:
# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
# Martin Markgraf <martin@mail.du.gtn.com>
# CyberPsychotic <fygrave@tigerteam.net>
# Nick Rogness <nick@rapidnet.com>
# Jim Forster <jforster@rapidnet.com>
# Scott McIntyre <scott@whoi.edu>
# Tom Vandepoel <Tom.Vandepoel@ubizen.com>
# syslog alert plugin
# format=> plugin_name: syslog_facilities (multiple entries ok)
# output alert_syslog: LOG_AUTH LOG_ALERT
# tcpdump format binary logging plugin
# format => plugin_name: output_file_name
# output log_tcpdump: snort.log
# Database logging plugin. See the documentation in the spo_log_database.c
# file for more information on configuring and using this module. Pick
# your favorite!
# output log_database: postgresql, user=snort dbname=snort
# output log_database: mysql, user=snort dbname=snort host=localhost
# output log_database: unixodbc, user=snort dbname=snort
# Woo hoo! IP defragmentation support from Dragos Ruiu! It doesn't work well
# under Solaris yet (there are some word alignment issues), but most other
# platforms are reported stable right now. The following line activates
# IP defrag; comment it out to disable it.
preprocessor defrag
# http_decode takes the port numbers that it's going to analyze as arguments;
# traffic on these ports will be sent through the http_decode routine for
# normalization (so rules match decoded URLs, not escaped ones).
preprocessor http_decode: 80 8080
# minfrag takes the minimum fragment size (in bytes) threshold as its argument;
# fragments at or below this size will cause an alert to be generated
preprocessor minfrag: 128
# set the HOME_NET variable for your own network
###############################################################################
# SET THIS VARIABLE TO COVER YOUR OWN NETWORK RANGE!!!!
###############################################################################
var HOME_NET 10.1.1.0/24
# set your DNS server IP (or whatever) so you don't show "portscans" from
# that address
###############################################################################
# SET THIS VARIABLE AS IT APPLIES TO YOUR NETWORK!!!!
###############################################################################
var DNS_SERVER 192.168.1.1/32
# portscan plugin by Patrick Mullen <p_mullen@linuxrc.net>
# Arguments: <network to watch> <number of ports> <seconds> <log file>.
# This detects UDP packets or TCP SYN packets from one source going to
# that many different ports in less than that many seconds; as configured
# here, four ports in three seconds. "Stealth" TCP packets (illegal flag
# combinations such as FIN-only, NULL and XMAS probes) are always detected,
# regardless of these settings.
preprocessor portscan: $HOME_NET 4 3 /var/log/portscan.log
# ignorehosts lists sources whose TCP SYN and UDP "scans" are not counted,
# to reduce false alerts (stealth packets are still reported). This file
# ignores only $DNS_SERVER; for maximum benefit it should be tweaked to a
# whitespace-delimited list of only your noisiest servers/hosts.
preprocessor portscan-ignorehosts: $DNS_SERVER
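# The portscan logic described above (N distinct ports within T seconds,
# ignorehosts exempting only SYN/UDP probes, stealth packets always reported),
# written out as a small Python detector so the thresholds can be tried against
# sample traffic. This is an added example, not Snort's code; the packet records,
# the stealth flag set and the "distinct (host, port) pair" counting are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Values copied from the configuration in this file.
HOME_NET = ipaddress.ip_network("10.1.1.0/24")
IGNORE_HOSTS = [ipaddress.ip_network("192.168.1.1/32")]   # portscan-ignorehosts $DNS_SERVER
PORT_THRESHOLD = 4        # second argument to "preprocessor portscan"
WINDOW_SECONDS = 3        # third argument

# Standard TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def is_stealth(pkt):
    """Flag combinations no legitimate stack sends to open a connection
    (assumed stealth set): NULL, FIN-only, XMAS (FIN|PSH|URG), SYN|FIN."""
    if pkt["proto"] != "tcp":
        return False
    return pkt["flags"] in (0, FIN, FIN | PSH | URG, SYN | FIN)


def counts_toward_threshold(pkt):
    """UDP packets and bare TCP SYNs (SYN set, ACK clear) are the probes
    counted against the ports/seconds threshold."""
    if pkt["proto"] == "udp":
        return True
    return pkt["proto"] == "tcp" and bool(pkt["flags"] & SYN) and not pkt["flags"] & ACK


def ignored(src):
    return any(src in net for net in IGNORE_HOSTS)


def detect_portscans(packets):
    """Return alerts as (timestamp, source, reason). packets must be in time order.
    Each source is reported at most once for a threshold scan; stealth packets
    are reported individually, even from ignored hosts."""
    alerts = []
    recent = defaultdict(deque)          # src -> deque of (ts, (dst, dport))
    reported = set()
    for pkt in packets:
        dst = ipaddress.ip_address(pkt["dst"])
        if dst not in HOME_NET:
            continue                     # only the monitored network is watched
        src = ipaddress.ip_address(pkt["src"])
        if is_stealth(pkt):              # checked before ignorehosts on purpose
            alerts.append((pkt["ts"], str(src), "stealth TCP packet"))
            continue
        if ignored(src) or not counts_toward_threshold(pkt):
            continue
        q = recent[src]
        q.append((pkt["ts"], (str(dst), pkt["dport"])))
        while q and pkt["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()                  # slide the window: drop old probes
        distinct = {target for _, target in q}
        if len(distinct) >= PORT_THRESHOLD and src not in reported:
            alerts.append((pkt["ts"], str(src), f"{len(distinct)} ports in {WINDOW_SECONDS}s"))
            reported.add(src)
    return alerts


def tcp(ts, src, dst, dport, flags):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": "tcp", "flags": flags}


def udp(ts, src, dst, dport):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": "udp", "flags": 0}


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    # fast SYN scan from outside: 4 ports in 2 seconds -> alert
    tcp(100.0, "172.16.0.9", "10.1.1.5", 21, SYN),
    tcp(100.5, "172.16.0.9", "10.1.1.5", 22, SYN),
    tcp(101.0, "172.16.0.9", "10.1.1.5", 23, SYN),
    tcp(102.0, "172.16.0.9", "10.1.1.5", 25, SYN),
    # the DNS server replying to 4 ephemeral UDP ports: exempted by ignorehosts
    udp(110.0, "192.168.1.1", "10.1.1.7", 33001),
    udp(110.1, "192.168.1.1", "10.1.1.7", 33002),
    udp(110.2, "192.168.1.1", "10.1.1.7", 33003),
    udp(110.3, "192.168.1.1", "10.1.1.7", 33004),
    # slow SYN scan: 4 ports spread over 12 seconds -> never inside one window
    tcp(120.0, "172.16.0.10", "10.1.1.5", 21, SYN),
    tcp(124.0, "172.16.0.10", "10.1.1.5", 22, SYN),
    tcp(128.0, "172.16.0.10", "10.1.1.5", 23, SYN),
    tcp(132.0, "172.16.0.10", "10.1.1.5", 25, SYN),
    # a NULL-flag probe, even from the ignored DNS server -> stealth alert
    tcp(140.0, "192.168.1.1", "10.1.1.5", 80, 0),
    # established-connection traffic: SYN|ACK and ACK are not probes
    tcp(150.0, "172.16.0.11", "10.1.1.5", 80, SYN | ACK),
    tcp(150.1, "172.16.0.11", "10.1.1.5", 443, ACK),
]

if __name__ == "__main__":
    for ts, src, reason in detect_portscans(SAMPLE_PACKETS):
        print(f"{ts:>7.1f}  {src:<15}  {reason}")
```

# The slow scanner in the sample never trips the 4-in-3s threshold; that is the
# trade-off the ports/seconds arguments encode, and why ignorehosts should name
# only the hosts that are genuinely noisy rather than the whole $HOME_NET.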
include webcgi-lib
include webcf-lib
include webiis-lib
include webfp-lib
include webmisc-lib
include overflow-lib
include finger-lib
include ftp-lib
include smtp-lib
include telnet-lib
include misc-lib
include netbios-lib
include scan-lib
include ddos-lib
include backdoor-lib
include ping-lib
include rpc-lib