snort.conf

网络安全入侵检测系统原码

# $Id: snort.conf,v 1.14 2001/01/05 19:27:33 roesch Exp $ 
####################################################################
# This file contains a sample snort configuration. You can take the 
# following steps to create your own custom configuration:
#
#  1) Set the HOME_NET variable for your network
#  2) Configure preprocessors
#  3) Configure output plugins 
#  4) Customize your rule set
#
####################################################################
# Step #1: Set the HOME_NET variable:
#
#    You must change the HOME_NET variable to reflect your local
#    network. The variable is currently setup for an RFC 1918 address
#    space.
#
#    You can specify it explicitly as: var HOME_NET 10.1.1.0/24
#    or use global variable $<intname>_ADDRESS which will be always 
#    initialized to IP address and netmask of the network interface 
#    which you run snort at.
#
#    You can specify lists of IP addresses by separating the IPs with commas 
#    like this:
#
#    [10.1.1.0/24,192.168.1.0/24]
#
#    MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
#
#var HOME_NET $eth0_ADDRESS

var HOME_NET 10.1.1.0/24

# Set up the external network addresses as well.  A good start may be 
# "any"...

var EXTERNAL_NET any

# Define the addresses of DNS servers and other hosts if you want to ignore 
# portscan false alarms from them...

#var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]

####################################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of the form
# 
#   preprocessor <name_of_processor>: <configuration_options>

# minfrag: detect small fragments
# -------------------------------
# minfrag takes the minimum fragment size (in bytes) threshold as its
# argument. Fragmented packets at of below this size will cause an
# alert to be generated.  The functionality of this preprocessor is 
# largely superceded by the defrag plugin below.

#preprocessor minfrag: 128

# defrag: defragmentation support
# -------------------------------
# IP defragmentation support from Dragos Ruiu. There are no
# configuration options at this time.

preprocessor defrag

# stream: TCP stream reassembly
# -----------------------------
# TCP stream reassembly preprocessor from Chris Cramer.  This
# preprocessor should always go after the defrag preprocessor, but
# before http_decode. The example below monitors ports 23 and 80, has
# a timeout after 10 seconds, and will send reassembled packets of max
# payload 16384 bytes through the detection engine. See
# README.tcpstream for more information and configuration
# options. Uncomment the following line and configure appropriately to
# enable this preprocessor.
#
# NOTE: This code should still be considered BETA!  It seems to be stable, but
# there are still some issues that remain to be resolved, so make sure
# you keep an eye on your Snort sensor if you enable this plugin

# preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote machines by
# converting any %XX character substitutions to their ASCII
# equivalent. This is very useful for doing things like defeating
# hostile attackers trying to stealth themselves from IDSs by mixing
# these substitutions in with the request. Specify the port
# numbers you want it to analyze as arguments.

preprocessor http_decode: 80 8080

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen@linuxrc.net>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from 
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to 
# add your DNS servers here. You can all multiple hosts/networks
# in a whitespace-delimited list. 
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS

# Spade: the Statistical Packet Anomaly Detection Engine
#-------------------------------------------------------
#
# READ the README.Spade file before using this plugin!
#
# See http://www.silicondefense.com/spice/ for more info
#
# Spade is a Snort plugin to report unusual, possibly suspicious, packets.  
# Spade will review the packets received by Snort, find those of interest (TCP
# SYNs into your homenets, if any), and report those packets that it believes 
# are anomalous along with an anomaly score.  To enable spp_anomsensor, you 
# must have a line of this form in your snort configuration file:
#
# preprocessor spade: <anom-report-thresh> <state-file> <log-file> <prob-mode>
#                     <checkpoint-freq>
#
# DO NOT ENABLE THIS PLUGIN UNLESS YOU HAVE READ THE README.Spade FILE THAT
# COMES IN THIS DISTRIBUTION AND ARE COGENT OF THE PERFORMANCE IMPACT THAT THIS
# MODULE MAY HAVE UPON YOUR NORMAL SNORT CONFIGURATION!
#
# set this to a directory Spade can read and write to store its files
#
# var SPADEDIR .
#
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
#
# put a list of the networks you are interested in Spade observing packets 
# going to here
#
# preprocessor spade-homenet: 0.0.0.0/0
#
# this causes Spade to adjust the reporting threshold automatically
# the first argument is the target rate of alerts for normal circumstances 
# (0.01 = 1% or you can give it an hourly rate) after the first hour (or 
# however long the period is set to in the second argument), the reporting 
# threshold given above is ignored you can comment this out to have the
# threshold be static, or try one of the other adapt methods below
#
# preprocessor spade-adapt3: 0.01 60 168
#
# other possible Spade config lines:
# adapt method #1
#preprocessor spade-adapt: 20 2 0.5
# adapt method #2
#preprocessor spade-adapt2: 0.01 15 4 24 7
# offline threshold learning
#preprocessor spade-threshlearn: 200 24
# periodically report on the anom scores and count of packets seen
#preprocessor spade-survey:  $SPADEDIR/survey.txt 60
# print out known stats about packet feature
#preprocessor spade-stats: entropy uncondprob condprob


####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
# 
# output <name_of_plugin>: <configuration_options>
#
# Note that you can optionally define new rule types and associate one
# or more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# This example will create a rule type that will log to syslog 
# and a mysql database.
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }

# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
# output alert_syslog: LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: snort.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=snort dbname=snort host=localhost
# output database: log, postgresql, user=snort dbname=snort 
# output database: log, unixodbc, user=snort dbname=snort

# xml: xml logging
# ----------------
# See the README.xml file for more information about configuring
# and using this plugin.
# 
# output xml: log, file=/var/log/snortxml


####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at the following web sites:
#   http://www.snort.org
#   http://www.whitehats.com
#
# The snort web site has documentation about how to write your own
# custom snort rules. 
#
# The rules included with this distribution generate alerts based on
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives ore may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of rules in this
# distribution.
#
# Credits:
#   Ron Gula <rgula@securitywizards.com> of Network Security Wizards
#   Martin Markgraf <martin@mail.du.gtn.com>  
#   CyberPsychotic <fygrave@tigerteam.net>
#   Nick Rogness <nick@rapidnet.com>
#   Jim Forster <jforster@rapidnet.com>
#   Scott McIntyre <scott@whoi.edu>
#   Tom Vandepoel <Tom.Vandepoel@ubizen.com>

include webcgi-lib
include webcf-lib
include webiis-lib
include webfp-lib
include webmisc-lib
include overflow-lib
include finger-lib
include ftp-lib
include smtp-lib
include telnet-lib
include misc-lib
include netbios-lib
include scan-lib
include ddos-lib
include backdoor-lib
include ping-lib
include rpc-lib