"Fossies" - the Fresh Open Source Software Archive

Member "snort-2.9.17/etc/snort.conf" (30 Oct 2020, 26798 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Generic config files source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "snort.conf": 2.9.16.1_vs_2.9.17.

    1 #--------------------------------------------------
    2 #   VRT Rule Packages Snort.conf
    3 #
    4 #   For more information visit us at:
    5 #     http://www.snort.org                   Snort Website
    6 #     http://vrt-blog.snort.org/    Sourcefire VRT Blog
    7 #
    8 #     Mailing list Contact:      snort-users@lists.snort.org
    9 #     False Positive reports:    fp@sourcefire.com
   10 #     Snort bugs:                bugs@snort.org
   11 #
   12 #     Compatible with Snort Versions:
   13 #     VERSIONS : 2.9.17
   14 #
   15 #     Snort build options:
   16 #     OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
   17 #
   18 #     Additional information:
   19 #     This configuration file enables active response, to run snort in
   20 #     test mode -T you are required to supply an interface -i <interface>
   21 #     or test mode will fail to fully validate the configuration and
   22 #     exit with a FATAL error
   23 #--------------------------------------------------
   24 
   25 ###################################################
   26 # This file contains a sample snort configuration. 
   27 # You should take the following steps to create your own custom configuration:
   28 #
   29 #  1) Set the network variables.
   30 #  2) Configure the decoder
   31 #  3) Configure the base detection engine
   32 #  4) Configure dynamic loaded libraries
   33 #  5) Configure preprocessors
   34 #  6) Configure output plugins
   35 #  7) Customize your rule set
   36 #  8) Customize preprocessor and decoder rule set
   37 #  9) Customize shared object rule set
   38 ###################################################
   39 
   40 ###################################################
   41 # Step #1: Set the network variables.  For more information, see README.variables
   42 ###################################################
   43 
   44 # Setup the network addresses you are protecting
   45 ipvar HOME_NET any
   46 
   47 # Set up the external network addresses. Leave as "any" in most situations
   48 ipvar EXTERNAL_NET any
   49 
   50 # List of DNS servers on your network 
   51 ipvar DNS_SERVERS $HOME_NET
   52 
   53 # List of SMTP servers on your network
   54 ipvar SMTP_SERVERS $HOME_NET
   55 
   56 # List of web servers on your network
   57 ipvar HTTP_SERVERS $HOME_NET
   58 
   59 # List of sql servers on your network 
   60 ipvar SQL_SERVERS $HOME_NET
   61 
   62 # List of telnet servers on your network
   63 ipvar TELNET_SERVERS $HOME_NET
   64 
   65 # List of ssh servers on your network
   66 ipvar SSH_SERVERS $HOME_NET
   67 
   68 # List of ftp servers on your network
   69 ipvar FTP_SERVERS $HOME_NET
   70 
   71 # List of sip servers on your network
   72 ipvar SIP_SERVERS $HOME_NET
   73 
   74 # List of ports you run web servers on
   75 portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
   76 
   77 # List of ports you want to look for SHELLCODE on.
   78 portvar SHELLCODE_PORTS !80
   79 
   80 # List of ports you might see oracle attacks on
   81 portvar ORACLE_PORTS 1024:
   82 
   83 # List of ports you want to look for SSH connections on:
   84 portvar SSH_PORTS 22
   85 
   86 # List of ports you run ftp servers on
   87 portvar FTP_PORTS [21,2100,3535]
   88 
   89 # List of ports you run SIP servers on
   90 portvar SIP_PORTS [5060,5061,5600]
   91 
   92 # List of file data ports for file inspection
   93 portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
   94 
   95 # List of GTP ports for GTP preprocessor
   96 portvar GTP_PORTS [2123,2152,3386]
   97 
   98 # other variables, these should not be modified
   99 ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
  100 
  101 # Path to your rules files (this can be a relative path)
  102 # Note for Windows users:  You are advised to make this an absolute path,
  103 # such as:  c:\snort\rules
  104 var RULE_PATH ../rules
  105 var SO_RULE_PATH ../so_rules
  106 var PREPROC_RULE_PATH ../preproc_rules
  107 
  108 # If you are using reputation preprocessor set these
  109 # Currently there is a bug with relative paths, they are relative to where snort is
  110 # not relative to snort.conf like the above variables
  111 # This is completely inconsistent with how other vars work, BUG 89986
  112 # Set the absolute path appropriately
  113 var WHITE_LIST_PATH ../rules
  114 var BLACK_LIST_PATH ../rules
  115 
  116 ###################################################
  117 # Step #2: Configure the decoder.  For more information, see README.decode
  118 ###################################################
  119 
  120 # Stop generic decode events:
  121 config disable_decode_alerts
  122 
  123 # Stop Alerts on experimental TCP options
  124 config disable_tcpopt_experimental_alerts
  125 
  126 # Stop Alerts on obsolete TCP options
  127 config disable_tcpopt_obsolete_alerts
  128 
  129 # Stop Alerts on T/TCP alerts
  130 config disable_tcpopt_ttcp_alerts
  131 
  132 # Stop Alerts on all other TCPOption type events:
  133 config disable_tcpopt_alerts
  134 
  135 # Stop Alerts on invalid ip options
  136 config disable_ipopt_alerts
  137 
  138 # Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
  139 # config enable_decode_oversized_alerts
  140 
  141 # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
  142 # config enable_decode_oversized_drops
  143 
  144 # Configure IP / TCP checksum mode
  145 config checksum_mode: all
  146 
  147 # Configure maximum number of flowbit references.  For more information, see README.flowbits
  148 # config flowbits_size: 64
  149 
  150 # Configure ports to ignore 
  151 # config ignore_ports: tcp 21 6667:6671 1356
  152 # config ignore_ports: udp 1:17 53
  153 
  154 # Configure active response for non inline operation. For more information, see REAMDE.active
  155 # config response: eth0 attempts 2
  156 
  157 # Configure DAQ related options for inline operation. For more information, see README.daq
  158 #
  159 # config daq: <type>
  160 # config daq_dir: <dir>
  161 # config daq_mode: <mode>
  162 # config daq_var: <var>
  163 #
  164 # <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
  165 # <mode> ::= read-file | passive | inline
  166 # <var> ::= arbitrary <name>=<value passed to DAQ
  167 # <dir> ::= path as to where to look for DAQ module so's
  168 
  169 # Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
  170 #
  171 # config set_gid:
  172 # config set_uid:
  173 
  174 # Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
  175 #
  176 # config snaplen:
  177 #
  178 
  179 # Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
  180 #
  181 # config bpf_file:
  182 #
  183 
  184 # Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
  185 #
  186 # config logdir:
  187 
  188 
  189 ###################################################
  190 # Step #3: Configure the base detection engine.  For more information, see  README.decode
  191 ###################################################
  192 
  193 # Configure PCRE match limitations
  194 config pcre_match_limit: 3500
  195 config pcre_match_limit_recursion: 1500
  196 
  197 # Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
  198 config detection: search-method ac-split search-optimize max-pattern-len 20
  199 
  200 # Configure the event queue.  For more information, see README.event_queue
  201 config event_queue: max_queue 8 log 5 order_events content_length
  202 
  203 ###################################################
  204 ## Configure GTP if it is to be used.
  205 ## For more information, see README.GTP
  206 ####################################################
  207 
  208 # config enable_gtp
  209 
  210 ###################################################
  211 # Per packet and rule latency enforcement
  212 # For more information see README.ppm
  213 ###################################################
  214 
  215 # Per Packet latency configuration
  216 #config ppm: max-pkt-time 250, \
  217 #   fastpath-expensive-packets, \
  218 #   pkt-log
  219 
  220 # Per Rule latency configuration
  221 #config ppm: max-rule-time 200, \
  222 #   threshold 3, \
  223 #   suspend-expensive-rules, \
  224 #   suspend-timeout 20, \
  225 #   rule-log alert
  226 
  227 ###################################################
  228 # Configure Perf Profiling for debugging
  229 # For more information see README.PerfProfiling
  230 ###################################################
  231 
  232 #config profile_rules: print all, sort avg_ticks
  233 #config profile_preprocs: print all, sort avg_ticks
  234 
  235 ###################################################
  236 # Configure protocol aware flushing
  237 # For more information see README.stream5
  238 ###################################################
  239 config paf_max: 16000
  240 
  241 ###################################################
  242 # Step #4: Configure dynamic loaded libraries.  
  243 # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
  244 ###################################################
  245 
  246 # path to dynamic preprocessor libraries
  247 dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
  248 
  249 # path to base preprocessor engine
  250 dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
  251 
  252 # path to dynamic rules libraries
  253 dynamicdetection directory /usr/local/lib/snort_dynamicrules
  254 
  255 ###################################################
  256 # Step #5: Configure preprocessors
  257 # For more information, see the Snort Manual, Configuring Snort - Preprocessors
  258 ###################################################
  259 
  260 # GTP Control Channle Preprocessor. For more information, see README.GTP
  261 # preprocessor gtp: ports { 2123 3386 2152 }
  262 
  263 # Inline packet normalization. For more information, see README.normalize
  264 # Does nothing in IDS mode
  265 preprocessor normalize_ip4
  266 preprocessor normalize_tcp: ips ecn stream
  267 preprocessor normalize_icmp4
  268 preprocessor normalize_ip6
  269 preprocessor normalize_icmp6
  270 
  271 # Target-based IP defragmentation.  For more inforation, see README.frag3
  272 preprocessor frag3_global: max_frags 65536
  273 preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
  274 
  275 # Target-Based stateful inspection/stream reassembly.  For more inforation, see README.stream5
  276 preprocessor stream5_global: track_tcp yes, \
  277    track_udp yes, \
  278    track_icmp no, \ 
  279    max_tcp 262144, \
  280    max_udp 131072, \
  281    max_active_responses 2, \
  282    min_response_seconds 5
  283 preprocessor stream5_tcp: log_asymmetric_traffic no, policy windows, \
  284    detect_anomalies, require_3whs 180, \
  285    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
  286     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
  287         161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
  288         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
  289     ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
  290         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
  291         7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
  292 preprocessor stream5_udp: timeout 180
  293 
  294 # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
  295 # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
  296 
  297 # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
  298 preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
  299 preprocessor http_inspect_server: server default \
  300     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
  301     chunk_length 500000 \
  302     server_flow_depth 0 \
  303     client_flow_depth 0 \
  304     post_depth 65495 \
  305     oversize_dir_length 500 \
  306     max_header_length 750 \
  307     max_headers 100 \
  308     max_spaces 200 \
  309     small_chunk_length { 10 5 } \
  310     ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
  311     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
  312     enable_cookie \
  313     extended_response_inspection \
  314     inspect_gzip \
  315     normalize_utf \
  316     unlimited_decompress \
  317     normalize_javascript \
  318     apache_whitespace no \
  319     ascii no \
  320     bare_byte no \
  321     directory no \
  322     double_decode no \
  323     iis_backslash no \
  324     iis_delimiter no \
  325     iis_unicode no \
  326     multi_slash no \
  327     utf_8 no \
  328     u_encode yes \
  329     webroot no
  330 
  331 # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
  332 preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
  333 
  334 # Back Orifice detection.
  335 preprocessor bo
  336 
  337 # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
  338 preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
  339 preprocessor ftp_telnet_protocol: telnet \
  340     ayt_attack_thresh 20 \
  341     normalize ports { 23 } \
  342     detect_anomalies
  343 preprocessor ftp_telnet_protocol: ftp server default \
  344     def_max_param_len 100 \
  345     ports { 21 2100 3535 } \
  346     telnet_cmds yes \
  347     ignore_telnet_erase_cmds yes \
  348     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
  349     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
  350     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
  351     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
  352     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
  353     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
  354     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
  355     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
  356     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
  357     ftp_cmds { XSEN XSHA1 XSHA256 } \
  358     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
  359     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
  360     alt_max_param_len 256 { CWD RNTO } \
  361     alt_max_param_len 400 { PORT } \
  362     alt_max_param_len 512 { SIZE } \
  363     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
  364     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
  365     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
  366     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
  367     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
  368     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
  369     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ 
  370     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
  371     cmd_validity ALLO < int [ char R int ] > \    
  372     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
  373     cmd_validity MACB < string > \
  374     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
  375     cmd_validity MODE < char ASBCZ > \
  376     cmd_validity PORT < host_port > \
  377     cmd_validity PROT < char CSEP > \
  378     cmd_validity STRU < char FRPO [ string ] > \    
  379     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
  380 preprocessor ftp_telnet_protocol: ftp client default \
  381     max_resp_len 256 \
  382     bounce yes \
  383     ignore_telnet_erase_cmds yes \
  384     telnet_cmds yes
  385 
  386 
  387 # SMTP normalization and anomaly detection.  For more information, see README.SMTP
  388 preprocessor smtp: ports { 25 465 587 691 } \
  389     inspection_type stateful \
  390     b64_decode_depth 0 \
  391     qp_decode_depth 0 \
  392     bitenc_decode_depth 0 \
  393     uu_decode_depth 0 \
  394     log_mailfrom \
  395     log_rcptto \
  396     log_filename \
  397     log_email_hdrs \
  398     normalize cmds \
  399     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
  400     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
  401     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
  402     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
  403     max_command_line_len 512 \
  404     max_header_line_len 1000 \
  405     max_response_line_len 512 \
  406     alt_max_command_line_len 260 { MAIL } \
  407     alt_max_command_line_len 300 { RCPT } \
  408     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
  409     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
  410     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
  411     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ 
  412     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
  413     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
  414     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
  415     xlink2state { enabled }
  416 
  417 # Portscan detection.  For more information, see README.sfportscan
  418 # preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
  419 
  420 # ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
  421 # preprocessor arpspoof
  422 # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
  423 
  424 # SSH anomaly detection.  For more information, see README.ssh
  425 preprocessor ssh: server_ports { 22 } \
  426                   autodetect \
  427                   max_client_bytes 19600 \
  428                   max_encrypted_packets 20 \
  429                   max_server_version_len 100 \
  430                   enable_respoverflow enable_ssh1crc32 \
  431                   enable_srvoverflow enable_protomismatch
  432 
  433 # SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
  434 preprocessor dcerpc2: memcap 102400, events [co ]
  435 preprocessor dcerpc2_server: default, policy WinXP, \
  436     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
  437     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
  438     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
  439 
  440 # DNS anomaly detection.  For more information, see README.dns
  441 preprocessor dns: ports { 53 } enable_rdata_overflow
  442 
  443 # SSL anomaly detection and traffic bypass.  For more information, see README.ssl
  444 preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
  445 
  446 # SDF sensitive data preprocessor.  For more information see README.sensitive_data
  447 preprocessor sensitive_data: alert_threshold 25
  448 
  449 # SIP Session Initiation Protocol preprocessor.  For more information see README.sip
  450 preprocessor sip: max_sessions 40000, \
  451    ports { 5060 5061 5600 }, \
  452    methods { invite \
  453              cancel \
  454              ack \
  455              bye \
  456              register \
  457              options \
  458              refer \
  459              subscribe \
  460              update \
  461              join \
  462              info \
  463              message \
  464              notify \
  465              benotify \
  466              do \
  467              qauth \
  468              sprack \
  469              publish \
  470              service \
  471              unsubscribe \
  472              prack }, \
  473    max_uri_len 512, \
  474    max_call_id_len 80, \
  475    max_requestName_len 20, \
  476    max_from_len 256, \
  477    max_to_len 256, \
  478    max_via_len 1024, \
  479    max_contact_len 512, \
  480    max_content_len 2048 
  481 
  482 # IMAP preprocessor.  For more information see README.imap
  483 preprocessor imap: \
  484    ports { 143 } \
  485    b64_decode_depth 0 \
  486    qp_decode_depth 0 \
  487    bitenc_decode_depth 0 \
  488    uu_decode_depth 0
  489 
  490 # POP preprocessor. For more information see README.pop
  491 preprocessor pop: \
  492    ports { 110 } \
  493    b64_decode_depth 0 \
  494    qp_decode_depth 0 \
  495    bitenc_decode_depth 0 \
  496    uu_decode_depth 0
  497 
  498 # Modbus preprocessor. For more information see README.modbus
  499 preprocessor modbus: ports { 502 }
  500 
  501 # DNP3 preprocessor. For more information see README.dnp3
  502 preprocessor dnp3: ports { 20000 } \
  503    memcap 262144 \
  504    check_crc
  505 
  506 # Reputation preprocessor. For more information see README.reputation
  507 preprocessor reputation: \
  508    memcap 500, \
  509    priority whitelist, \
  510    nested_ip inner, \
  511    whitelist $WHITE_LIST_PATH/white_list.rules, \
  512    blacklist $BLACK_LIST_PATH/black_list.rules 
  513 
  514 ###################################################
  515 # Step #6: Configure output plugins
  516 # For more information, see Snort Manual, Configuring Snort - Output Modules
  517 ###################################################
  518 
  519 # unified2 
  520 # Recommended for most installs
  521 # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
  522 
  523 # Additional configuration for specific types of installs
  524 # output alert_unified2: filename snort.alert, limit 128, nostamp
  525 # output log_unified2: filename snort.log, limit 128, nostamp 
  526 
  527 # syslog
  528 # output alert_syslog: LOG_AUTH LOG_ALERT
  529 
  530 # pcap
  531 # output log_tcpdump: tcpdump.log
  532 
  533 # metadata reference data.  do not modify these lines
  534 include classification.config
  535 include reference.config
  536 
  537 
  538 ###################################################
  539 # Step #7: Customize your rule set
  540 # For more information, see Snort Manual, Writing Snort Rules
  541 #
  542 # NOTE: All categories are enabled in this conf file
  543 ###################################################
  544 
  545 # site specific rules
  546 include $RULE_PATH/local.rules
  547 
  548 include $RULE_PATH/app-detect.rules
  549 include $RULE_PATH/attack-responses.rules
  550 include $RULE_PATH/backdoor.rules
  551 include $RULE_PATH/bad-traffic.rules
  552 include $RULE_PATH/blacklist.rules
  553 include $RULE_PATH/botnet-cnc.rules
  554 include $RULE_PATH/browser-chrome.rules
  555 include $RULE_PATH/browser-firefox.rules
  556 include $RULE_PATH/browser-ie.rules
  557 include $RULE_PATH/browser-other.rules
  558 include $RULE_PATH/browser-plugins.rules
  559 include $RULE_PATH/browser-webkit.rules
  560 include $RULE_PATH/chat.rules
  561 include $RULE_PATH/content-replace.rules
  562 include $RULE_PATH/ddos.rules
  563 include $RULE_PATH/dns.rules
  564 include $RULE_PATH/dos.rules
  565 include $RULE_PATH/experimental.rules
  566 include $RULE_PATH/exploit-kit.rules
  567 include $RULE_PATH/exploit.rules
  568 include $RULE_PATH/file-executable.rules
  569 include $RULE_PATH/file-flash.rules
  570 include $RULE_PATH/file-identify.rules
  571 include $RULE_PATH/file-image.rules
  572 include $RULE_PATH/file-multimedia.rules
  573 include $RULE_PATH/file-office.rules
  574 include $RULE_PATH/file-other.rules
  575 include $RULE_PATH/file-pdf.rules
  576 include $RULE_PATH/finger.rules
  577 include $RULE_PATH/ftp.rules
  578 include $RULE_PATH/icmp-info.rules
  579 include $RULE_PATH/icmp.rules
  580 include $RULE_PATH/imap.rules
  581 include $RULE_PATH/indicator-compromise.rules
  582 include $RULE_PATH/indicator-obfuscation.rules
  583 include $RULE_PATH/indicator-shellcode.rules
  584 include $RULE_PATH/info.rules
  585 include $RULE_PATH/malware-backdoor.rules
  586 include $RULE_PATH/malware-cnc.rules
  587 include $RULE_PATH/malware-other.rules
  588 include $RULE_PATH/malware-tools.rules
  589 include $RULE_PATH/misc.rules
  590 include $RULE_PATH/multimedia.rules
  591 include $RULE_PATH/mysql.rules
  592 include $RULE_PATH/netbios.rules
  593 include $RULE_PATH/nntp.rules
  594 include $RULE_PATH/oracle.rules
  595 include $RULE_PATH/os-linux.rules
  596 include $RULE_PATH/os-other.rules
  597 include $RULE_PATH/os-solaris.rules
  598 include $RULE_PATH/os-windows.rules
  599 include $RULE_PATH/other-ids.rules
  600 include $RULE_PATH/p2p.rules
  601 include $RULE_PATH/phishing-spam.rules
  602 include $RULE_PATH/policy-multimedia.rules
  603 include $RULE_PATH/policy-other.rules
  604 include $RULE_PATH/policy.rules
  605 include $RULE_PATH/policy-social.rules
  606 include $RULE_PATH/policy-spam.rules
  607 include $RULE_PATH/pop2.rules
  608 include $RULE_PATH/pop3.rules
  609 include $RULE_PATH/protocol-finger.rules
  610 include $RULE_PATH/protocol-ftp.rules
  611 include $RULE_PATH/protocol-icmp.rules
  612 include $RULE_PATH/protocol-imap.rules
  613 include $RULE_PATH/protocol-pop.rules
  614 include $RULE_PATH/protocol-services.rules
  615 include $RULE_PATH/protocol-voip.rules
  616 include $RULE_PATH/pua-adware.rules
  617 include $RULE_PATH/pua-other.rules
  618 include $RULE_PATH/pua-p2p.rules
  619 include $RULE_PATH/pua-toolbars.rules
  620 include $RULE_PATH/rpc.rules
  621 include $RULE_PATH/rservices.rules
  622 include $RULE_PATH/scada.rules
  623 include $RULE_PATH/scan.rules
  624 include $RULE_PATH/server-apache.rules
  625 include $RULE_PATH/server-iis.rules
  626 include $RULE_PATH/server-mail.rules
  627 include $RULE_PATH/server-mssql.rules
  628 include $RULE_PATH/server-mysql.rules
  629 include $RULE_PATH/server-oracle.rules
  630 include $RULE_PATH/server-other.rules
  631 include $RULE_PATH/server-webapp.rules
  632 include $RULE_PATH/shellcode.rules
  633 include $RULE_PATH/smtp.rules
  634 include $RULE_PATH/snmp.rules
  635 include $RULE_PATH/specific-threats.rules
  636 include $RULE_PATH/spyware-put.rules
  637 include $RULE_PATH/sql.rules
  638 include $RULE_PATH/telnet.rules
  639 include $RULE_PATH/tftp.rules
  640 include $RULE_PATH/virus.rules
  641 include $RULE_PATH/voip.rules
  642 include $RULE_PATH/web-activex.rules
  643 include $RULE_PATH/web-attacks.rules
  644 include $RULE_PATH/web-cgi.rules
  645 include $RULE_PATH/web-client.rules
  646 include $RULE_PATH/web-coldfusion.rules
  647 include $RULE_PATH/web-frontpage.rules
  648 include $RULE_PATH/web-iis.rules
  649 include $RULE_PATH/web-misc.rules
  650 include $RULE_PATH/web-php.rules
  651 include $RULE_PATH/x11.rules
  652 
  653 ###################################################
  654 # Step #8: Customize your preprocessor and decoder alerts
  655 # For more information, see README.decoder_preproc_rules
  656 ###################################################
  657 
  658 # decoder and preprocessor event rules
  659 # include $PREPROC_RULE_PATH/preprocessor.rules
  660 # include $PREPROC_RULE_PATH/decoder.rules
  661 # include $PREPROC_RULE_PATH/sensitive-data.rules
  662 
  663 ###################################################
  664 # Step #9: Customize your Shared Object Snort Rules
  665 # For more information, see http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html
  666 ###################################################
  667 
  668 # dynamic library rules
  669 # include $SO_RULE_PATH/bad-traffic.rules
  670 # include $SO_RULE_PATH/chat.rules
  671 # include $SO_RULE_PATH/dos.rules
  672 # include $SO_RULE_PATH/exploit.rules
  673 # include $SO_RULE_PATH/icmp.rules
  674 # include $SO_RULE_PATH/imap.rules
  675 # include $SO_RULE_PATH/misc.rules
  676 # include $SO_RULE_PATH/multimedia.rules
  677 # include $SO_RULE_PATH/netbios.rules
  678 # include $SO_RULE_PATH/nntp.rules
  679 # include $SO_RULE_PATH/p2p.rules
  680 # include $SO_RULE_PATH/smtp.rules
  681 # include $SO_RULE_PATH/snmp.rules
  682 # include $SO_RULE_PATH/specific-threats.rules
  683 # include $SO_RULE_PATH/web-activex.rules
  684 # include $SO_RULE_PATH/web-client.rules
  685 # include $SO_RULE_PATH/web-iis.rules
  686 # include $SO_RULE_PATH/web-misc.rules
  687 
  688 # Event thresholding or suppression commands. See threshold.conf 
  689 include threshold.conf