r96 - 15 May 2008 - 05:37:20 - JamesMcQuaid

Snort.Conf Samples

The goal of this project is to make a set of sample snort.conf files. These will represent different size and goal installs of snort. We do not intend to provide snort.conf files that you can use without modification or understanding, but guides to help you benefit from the experience of the community as a whole.

We welcome submissions and tips to improve these files, as well as ideas for new types of configs to add.

This project is maintained by JamesMcQuaid

-- MattJonkman - 20 Mar 2007

* Diagram portraying a home network defended by multiple layers of Snort Inline: BleedingNetworkTopology.gif

Honeywall Roo 1.4: Honeywall 1.4 has emerged from beta. Out of the box it runs with a reduced Snort Inline ruleset. To use the Emerging Threats rules, you must: 1) copy the Emerging Threats rules into the Snort-inline folder, and 2) log in as root (su -) at the console, run /usr/sbin/menu, and choose Generate IPS Rules. The strategy in this topology is to use Snort Inline to protect Smoothwall and the workstations. You can use Snort arrays to spread the load and eliminate a single point of failure.

Honeywall Outer Gateway: This configuration will utilize 1200 MB of 1.5 GB of RAM.

  • snort_inline_Outer.conf: This Snort Inline configuration emphasizes defense against port scanning and DNS exploits. Local rules protect various Linux services and prohibit remote administration.

  • blacklist.txt: The /etc/blacklist.txt file specifies incoming traffic to be blocked based upon source IP address. Based upon the Bleeding All Firewall rules.

  • fencelist.txt: The /etc/fencelist.txt file specifies outgoing traffic to be blocked based upon destination IP address. Updated 4-12-2008.

  • crontab: crontab file for Honeywall which schedules reboot.pl and clean.pl

  • clean.pl.txt: Clean out Honeywall's logging directories on a schedule if you have limited hard disk space.

Honeywall Inner Gateway: At boot, this configuration will utilize 1650 MB of 2 GB of RAM. It is suitable for home use; with a greater number of users, you will require more RAM.

  • snort_inline_inner.conf: This Snort Inline configuration will use over 900 MB of RAM. All rules are set to drop. As this configuration uses the bleeding-scan.rules, you can defer the use of local rules limiting traffic on specific ports and Flow Portscan to the inner inline gateway.

Smoothwall Express 3.0: be certain to apply the two patch packages now available.

  • snort_smoothwall3.conf: This configuration uses Stream5 and a large number of rules, but runs on a machine with 1 GB of RAM.

  • config-ipblock_Smoothwall3: IP blocks for Smoothwall 3; includes Russian Business Network IP addresses. The config file in the var/ipblock folder is processed as a batch file, and it can only hold several hundred IP ranges; once the file grows beyond that size the batch file is no longer processed and the following error is logged in the var/log/messages file: "smoothd ipbatch buffer size exceeded". The same error may also be seen in the web interface in logs.cgi under SmoothD. If you wish to block larger numbers of malicious IP addresses, you must use another firewall. Updated 4-6-2008.

  • config-hosts: 155,555 RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave the last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Visit David Glosser's excellent DNS BlackHole Project at http://malwaredomains.com/ for the latest intelligence and for information on implementing DNS Blackhole on a normal DNS server. Updated 5-12-2008.

  • hosts: Protect your home from 155,555 bad domains for Smoothwall 3; placed in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback. Updated 5-12-2008.

  • dedupe.pl.txt: Rename to dedupe.pl. Sorts and removes duplicate entries in Smoothwall's /var/smoothwall/hosts/config file; populates configNew file (which you then rename to config). With slight modification, you can also use this to dedupe IP address lists.

DNS Bind: now testing this on FreeBSD.

  • bindzone: Experimental. Do not use this bind zone file in a production environment unless you have tested it. A viable alternative to corporate whitelisting. Contains 155,555 domains and objects. Updated 5-12-2008.

Customizing your Home Firewall:

  • bogons: Complete list of bogons on 10-21-2007

  • You can position the inline stateful packet inspection device AlphaShield at each workstation to diminish the likelihood of a worm propagating in the event that an internal machine is infected. The Comodo, Kaspersky, and Sunbelt Windows firewalls also offer configuration options to obtain the same result.

  • badblogspotsubdomains.txt: Plain text list of subdomains that were created by an automated process after Google's CAPTCHA was cracked. Updated 3-16-2008.

Russian Business Network:

Firekeeper for Firefox:

Deprecated:

Honeywall Roo 1.1:

  • snort_inline.conf: Honeywall snort-inline configuration: Bleeding Snort config for Honeywall Roo 1.1

Smoothwall Express 2.0: If you are still using Smoothwall 2.0, you will be well served to migrate to Smoothwall 3.0 as soon as possible.

  • snort.in: snort.in for Smoothwall Express 2.0 Fixes 1-9

  • snort.conf: snort.conf for Smoothwall Express 2.0 Fixes 1-9

  • dnsmasq.conf: DNSMasq config for Smoothwall 2.0's blackhole

  • tldblackhole.conf: Top Level Domains for Smoothwall 2.0; add to top of blackhole.conf; edit to suit your preferences

  • BadMP3SitesBlackhole.txt: Evil MP3 sites targeting the kids with malware. Use in Smoothwall 2.0's blackhole.conf file.

  • BleedingNetworkTopologySplit.gif: split version of the network topology diagram.

Topic attachments

Attachment | Size | Date | Who | Comment
4000RBNDomainsAndObjects.txt | 83.1 K | 24 Jan 2008 - 02:19 | JamesMcQuaid | 4,000 RBN Domains and Objects
A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.doc | 474.5 K | 24 Jan 2008 - 01:47 | JamesMcQuaid | Bleeding topology for the home: Honeywall Roo 1.1 and 1.2
A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.odt | 203.4 K | 06 May 2007 - 13:42 | JamesMcQuaid | Bleeding topology for the home (Roo 1.0)
A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.pdf | 429.1 K | 24 Jan 2008 - 01:47 | JamesMcQuaid | Bleeding topology for the home: Honeywall Roo 1.1 and 1.2
A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.txt | 19.6 K | 26 Aug 2007 - 02:03 | JamesMcQuaid | Bleeding topology for the home
A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network_roo-1.0.hw-139.pdf | 95.1 K | 26 Aug 2007 - 19:21 | JamesMcQuaid | Bleeding topology for the home (Roo 1.0)
A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network_roo-1.0.hw-139.txt | 19.6 K | 26 Aug 2007 - 19:22 | JamesMcQuaid | Bleeding topology for the home (Roo 1.0)
Atrivo-Smoothwall-config | 3.3 K | 31 Mar 2008 - 01:56 | JamesMcQuaid |
Atrivo-domains | 521.9 K | 31 Mar 2008 - 01:38 | JamesMcQuaid |
BadMP3SitesBlackhole.txt | 12.8 K | 24 Jan 2008 - 02:29 | JamesMcQuaid | Evil MP3 sites targeting the kids with malware. Use in Smoothwall 2.0's blackhole.conf file.
BlackholeForFirekeeper.txt | 2917.4 K | 24 Jan 2008 - 01:52 | JamesMcQuaid | Snort in the browser: evil domain blocking
BlackholeForFirekeeperInstructions.txt | 0.9 K | 24 Jan 2008 - 01:52 | JamesMcQuaid | Blackhole DNS in Firefox
BleedingNetworkTopology.gif | 115.7 K | 12 Apr 2008 - 20:16 | JamesMcQuaid |
BleedingNetworkTopologySplit.gif | 97.9 K | 12 Apr 2008 - 20:15 | JamesMcQuaid |
ChineseAttackIPs.txt | 15.8 K | 06 Nov 2007 - 12:28 | JamesMcQuaid | Note "The Russians Go Chinese": http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829
ChineseAttackIPsForSmoothwall.txt | 13.2 K | 14 Oct 2007 - 20:44 | JamesMcQuaid | Chinese hacking gang ambushed on 10-13-2007. Discussion included. Block list for Smoothwall.
Creating_A_Bootable_ISO_CD.pdf | 772.6 K | 14 May 2008 - 01:22 | JamesMcQuaid |
InstallAndConfigureHoneywall.pdf | 5476.8 K | 14 May 2008 - 01:53 | JamesMcQuaid |
RBNAttackIPs.txt | 15.8 K | 24 Jan 2008 - 02:55 | JamesMcQuaid | Recent DOS attacks
RussianBusinessNetworkIPs.txt | 159.8 K | 12 May 2008 - 13:41 | JamesMcQuaid |
RussianBusinessNetworkIPsSmoothwall.txt | 3.9 K | 08 Nov 2007 - 11:11 | JamesMcQuaid | Block the Russian Business Network (includes more new addresses)
SmoothwallSnortHowTo.txt | 2.1 K | 24 Jan 2008 - 02:33 | JamesMcQuaid | How to set up snort on Smoothwall Express 2.0 Fixes 1-9
TopLevelDomains.txt | 0.4 K | 24 Jan 2008 - 02:27 | JamesMcQuaid | Top Level Domains
UsingHoneywall.pdf | 5200.0 K | 15 May 2008 - 05:35 | JamesMcQuaid |
badblogspotsubdomains.txt | 186.8 K | 16 Mar 2008 - 15:25 | JamesMcQuaid | These subdomains were created by an automated process after Google's CAPTCHA was cracked.
badblogspotsubdomains_bindformat.txt | 1136.2 K | 16 Mar 2008 - 16:05 | JamesMcQuaid | In Bind zone file format.
bindzone | 12661.3 K | 12 May 2008 - 14:09 | JamesMcQuaid |
blackhole.conf | 3497.7 K | 24 Jan 2008 - 12:40 | JamesMcQuaid |
blacklist.txt | 29.1 K | 13 Apr 2008 - 10:05 | JamesMcQuaid |
bleeding-edge-SMOOTHWALL-ALL.rules | 0.4 K | 06 Apr 2008 - 14:09 | JamesMcQuaid |
bleeding.conf | 2.6 K | 07 Apr 2008 - 11:36 | JamesMcQuaid |
bogons | 112.2 K | 24 Jan 2008 - 02:34 | JamesMcQuaid | Complete list of bogons on 10-21-2007
clean.pl.txt | 2.1 K | 24 Jan 2008 - 03:24 | JamesMcQuaid | Clean out Honeywall's logging directories on a schedule if you have limited hard disk space.
config | 34.6 K | 24 Jan 2008 - 12:37 | JamesMcQuaid |
config-hosts | 5065.9 K | 12 May 2008 - 13:47 | JamesMcQuaid |
config-ipblock | 7.9 K | 31 Mar 2008 - 01:45 | JamesMcQuaid |
config-ipblock_Smoothwall3 | 8.2 K | 06 Apr 2008 - 17:40 | JamesMcQuaid |
config-ipblock_Smoothwall3.txt | 43.7 K | 27 Oct 2007 - 21:48 | JamesMcQuaid | Some bogon IP blocks for Smoothwall 3; includes RBN, Chinese hackers and trojans. Add to your list based upon available RAM and strategy (bad sites, attackers, etc.)
config.txt | 30.8 K | 24 Oct 2007 - 11:55 | JamesMcQuaid | Bogon IP blocks for Smoothwall; includes RBN, Chinese hackers and trojans.
configNew | 5047.8 K | 19 Apr 2008 - 20:09 | JamesMcQuaid |
crontab | 0.6 K | 24 Jan 2008 - 02:23 | JamesMcQuaid | crontab file for Honeywall which schedules reboot.pl and clean.pl
dedupe.pl.txt | 1.2 K | 08 Apr 2008 - 03:04 | JamesMcQuaid |
dnsmasq.conf | 0.1 K | 24 Jan 2008 - 02:45 | JamesMcQuaid | DNSMasq config for Smoothwall 2.0's blackhole
fencelist.txt | 31.2 K | 13 Apr 2008 - 10:05 | JamesMcQuaid |
hosts | 4458.3 K | 12 May 2008 - 13:53 | JamesMcQuaid |
reboot.pl.txt | 1.1 K | 24 Jan 2008 - 02:24 | JamesMcQuaid | Reboot Honeywall on a schedule
snort.conf | 6.3 K | 24 Jan 2008 - 02:32 | JamesMcQuaid | snort.conf for Smoothwall Express 2.0 Fixes 1-9
snort.in | 2.8 K | 24 Jan 2008 - 02:30 | JamesMcQuaid | snort.in for Smoothwall Express 2.0 Fixes 1-9
snort_Outer.conf | 39.5 K | 07 Apr 2008 - 01:00 | JamesMcQuaid |
snort_inline.conf | 13.9 K | 24 Jan 2008 - 01:48 | JamesMcQuaid | Honeywall snort-inline configuration: Bleeding Snort config for Honeywall Roo 1.1
snort_inline_Outer.conf | 13.7 K | 12 Apr 2008 - 20:42 | JamesMcQuaid |
snort_inline_inner.conf | 14.1 K | 12 Apr 2008 - 20:42 | JamesMcQuaid |
snort_inline_roo-1.0.hw-139.conf | 15.8 K | 26 Aug 2007 - 19:22 | JamesMcQuaid | Snort.conf for Roo 1.0
snort_inner.conf | 38.7 K | 12 Apr 2008 - 20:44 | JamesMcQuaid |
snort_smoothwall3.conf | 38.5 K | 08 Apr 2008 - 02:43 | JamesMcQuaid |
tldblackhole.conf | 2.1 K | 24 Jan 2008 - 12:42 | JamesMcQuaid |
zone | 10101.7 K | 23 Mar 2008 - 22:21 | JamesMcQuaid |
Emerging Threats