Snort.Conf Samples
The goal of this page is to collect a set of sample snort.conf files, together with samples for using other common tools with data from Emerging Threats. These represent Snort installs of different sizes and goals. We do not intend to provide snort.conf files that you can use without modification or understanding, but guides to help you benefit from the experience of the community as a whole.
We welcome submissions and tips to improve these files, as well as ideas for new types of configs to add.
This page is maintained by JamesMcQuaid
* Diagram portraying a home network defended by multiple layers of Snort Inline:
HoneywallSamples (includes Honeywall and Smoothwall Snort config files, installation and usage tutorials, and DNS Blackhole files)
- snort_inline.conf: This Snort Inline configuration will use over 900 MB of RAM. Most rules are set to drop; do not use Honeywall's autogenerated replace rules. Will Metcalf, the current maintainer of snort_inline, does not recommend blindly converting as many rules as possible to use replace. Will has said not to use replace in rules that contain the keyword flowbits:noalert, because those rules are used for protocol identification/behavior and are later checked in separate rules that alert/drop.
- In response to an apparent attempt at evading Snort rules processing, the following configuration parameter is being tested:
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, require_3whs
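The flowbits:noalert dependency described above, as a constructed two-rule example (added here; not from snort_inline.conf or any Emerging Threats ruleset; the protocol name, content strings, flowbit name and sids are hypothetical):

```snort
# Rule 1: protocol identification only. It sets a flowbit for the session and
# suppresses its own alert. Leave the action as "alert" and do not convert it to
# drop or add a replace option: it never fires on its own, and if it were changed
# or dropped, rule 2 below could never match because the flowbit would not be set.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL example-proto client hello"; \
    flow:to_server,established; \
    content:"EXAMPLE-HELLO"; depth:13; \
    flowbits:set,local.example_proto; flowbits:noalert; \
    classtype:protocol-command-decode; sid:1000001; rev:1;)

# Rule 2: the rule that actually takes action. It checks the flowbit set by rule 1
# and only then inspects for the suspicious command. This is the rule where a
# drop action (or, if you really need it, replace) belongs.
drop tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL example-proto suspicious command on identified session"; \
    flow:to_server,established; \
    flowbits:isset,local.example_proto; \
    content:"EXAMPLE-DUMP"; \
    classtype:attempted-admin; sid:1000002; rev:1;)
```

Before converting any rule to drop or replace, grep the ruleset for flowbits:noalert and leave those rules as alert.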
EmergingFirewallRules
RussianBusinessNetwork (includes resources for blocking the RBN)
FirekeeperforFirefox
Want some guidance on using the Emerging Threats Rulesets for the first time?
http://doc.emergingthreats.net/bin/view/Main/NewUserGuide
Need tips on writing rules?
http://doc.emergingthreats.net/bin/view/Main/SnortSigs101
What Every Snort User Should Do: What to add to your local ruleset that's not in the main rulesets:
http://doc.emergingthreats.net/bin/view/Main/WhatEverySnortUserShouldDo
Check out the sample emerging.conf. We recommend either adding it to your snort.conf or including it.
http://www.emergingthreats.net/rules/emerging.conf
- brandjackers.txt: Organized crime brandjacking Adobe, Kaspersky, McAfee and Symantec.