Updated snort to Version 2.8.4

This commit is contained in:
Stefan Schantl
2009-04-24 12:01:17 +02:00
parent 4fafa702e8
commit 8581d1ef9e
5 changed files with 712 additions and 148 deletions


@@ -1,5 +1,5 @@
#--------------------------------------------------
# http://www.snort.org Snort 2.8.3.2 Ruleset
# http://www.snort.org Snort 2.8.4 Ruleset
# Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
@@ -221,19 +221,6 @@ dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
# the form
# preprocessor <name_of_processor>: <configuration_options>
# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
#preprocessor flow: stats_interval 0 hash 2
# frag3: Target-based IP defragmentation
# --------------------------------------
#
@@ -294,131 +281,14 @@ dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules. Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc. Can statefully detect various portscan
# types, fingerprinting, ECN, etc.
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
# when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
# noisy because there are a lot of crappy ip stack
# implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
# overlapping sequences.
#
# ttl_limit [number] - differential of the initial ttl on a session versus
# the normal that someone may be playing games.
# Routing flap may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
# get them in a flat format for machine reading, add
# "binary" to get them in a unified binary output
# format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
# default is 30 seconds
# max_sessions [number] - limit the number of sessions stream4 keeps
# track of
# memcap [number] - limit stream4 memory usage to [number] bytes (does
# not include session tracking, which is set by the
# max_sessions option)
# log_flushed_streams - if an event is detected on a stream this option will
# cause all packets that are stored in the stream4
# packet buffers to be flushed to disk. This only
# works when logging in pcap mode!
# server_inspect_limit [bytes] - Byte limit on server side inspection.
# enable_udp_sessions - turn on tracking of "sessions" over UDP. Requires
# configure --enable-stream4udp. UDP sessions are
# only created when there is a rule for the sender or
# responder that has a flow or flowbits keyword.
# max_udp_sessions [number] - limit the number of simultaneous UDP sessions
# to track
# udp_ignore_any - Do not inspect UDP packets unless there is a port specific
# rule for a given port. This is a performance improvement
# and turns off inspection for udp xxx any -> xxx any rules
# cache_clean_sessions [number] - Cleanup the session cache by number sessions
# at a time. The larger the value, the
# more sessions are purged from the cache when
# the session limit or memcap is reached.
# Defaults to 5.
#
#
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap
#preprocessor stream4: disable_evasion_alerts
# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
# 111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521,
# 2401, and 3306
# favor_old - favor an old segment (based on sequence number) over a new one.
# This is the default.
# favor_new - favor an new segment (based on sequence number) over an old one.
# overlap_limit [number] - limit on overlaping segments for a session.
# flush_on_alert - flushes stream when an alert is generated for a session.
# flush_behavior [mode] -
# default - use old static flushpoints (default)
# large_window - use new larger static flushpoints
# random - use random flushpoints defined by flush_base,
# flush_seed and flush_range
# flush_base [number] - lowest allowed random flushpoint (512 by default)
# flush_range [number] - number is the space within which random flushpoints
# are generated (default 1213)
# flush_seed [number] - seed for the random number generator, defaults to
# Snort PID + time
#
# Using the default random flushpoints, the smallest flushpoint is 512,
# and the largest is 1725 bytes.
#preprocessor stream4_reassemble
# stream5: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
# Stream5 is a target-based stream engine for Snort. Its functionality
# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
# cannot be used simultaneously. Comment out the stream4 configurations
# above to use Stream5.
# Stream5 is a target-based stream engine for Snort. It handles both
# TCP and UDP connection tracking as well as TCP reassembly.
#
# See README.stream5 for details on the configuration options.
#
# Example config (that emulates Stream4 with UDP support compiled in)
# Example config
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
@@ -723,11 +593,21 @@ preprocessor sfportscan: proto { all } \
# dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
#
#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000
# DCE/RPC 2
#----------------------------------------
# See doc/README.dcerpc2 for explanations of what the
# preprocessor does and how to configure it.
#
preprocessor dcerpc2
preprocessor dcerpc2_server: default
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
# DNS
#----------------------------------------
@@ -759,14 +639,17 @@ preprocessor dns: \
# inspected. Once the traffic is determined to be encrypted, no further
# inspection of the data on the connection is made.
#
# Important note: Stream4 or Stream5 should be explicitly told to reassemble
# If you don't necessarily trust all of the SSL capable servers on your
# network, you should remove the "trustservers" option from the configuration.
#
# Important note: Stream5 should be explicitly told to reassemble
# traffic on the ports that you intend to inspect SSL
# encrypted traffic on.
#
# To add reassembly on port 443 to Stream5, use 'port both 443' in the
# Stream5 configuration.
preprocessor ssl: noinspect_encrypted
preprocessor ssl: noinspect_encrypted, trustservers
####################################################################
@@ -937,7 +820,6 @@ include /etc/snort/rules/reference.config
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
@@ -945,7 +827,6 @@ include /etc/snort/rules/reference.config
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
@@ -955,12 +836,10 @@ include /etc/snort/rules/reference.config
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
@@ -977,7 +856,6 @@ include /etc/snort/rules/reference.config
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/experimental.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules