bpfire/config/snort/snort.conf

###################################################
#
# This file contains the default snort configuration.
# for all IPCop Versions
# Unless you are totally happy with this file,please
# only change whats needed
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
# $Id: snort.conf,v 1.6.2.1 2005/04/28 18:38:49 gespinasse Exp $
#
###################################################
# Only area a user needs to edit
include /etc/snort/vars
var EXTERNAL_NET    !$HOME_NET
var SMTP_SERVERS    $HOME_NET
var HTTP_SERVERS    $HOME_NET
var SQL_SERVERS     $HOME_NET
var TELNET_SERVERS  $HOME_NET
var HTTP_PORTS      80
var SHELLCODE_PORTS !80
var ORACLE_PORTS    1521
var AIM_SERVERS     [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH       /etc/snort

###################################################
# Do NOT Edit past this line
###################################################
config detection: search-method lowmem
preprocessor flow: memcap 2097152, stats_interval 0, hash 2
preprocessor frag2: memcap 2097152
preprocessor stream4: memcap 2097152, detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: noalerts
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
	scoreboard-memcap-talker 1048576 \
	scoreboard-rows-talker 10000 \
	talker-sliding-scale-factor 0.50 \
	talker-fixed-threshold 30 \
	talker-sliding-threshold 30 \
	talker-sliding-window 20 \
	talker-fixed-window 30 \
	scoreboard-memcap-scanner 1048576 \
	scoreboard-rows-scanner 10000 \
	scanner-sliding-window 20 \
	scanner-sliding-scale-factor 0.50 \
	scanner-fixed-threshold 15 \
	scanner-sliding-threshold 40 \
	scanner-fixed-window 15 \
	unique-memcap 1048576 \
	unique-rows 10000 \
	server-memcap 1048576 \
	server-rows 10000 \
	server-watchnet $HOME_NET \
	server-ignore-limit 100 \
	server-learning-time 3600 \
	server-scanner-limit 4 \
	alert-mode once \
	output-mode msg \
	tcp-penalties on
preprocessor xlink2state: ports { 25 691 }
#=========================================
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
#=========================================
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules