# Honeynet snort_inline configuration file # Version 0.6 # Last modified 22 September, 2005 # # Standard Snort configuration file modified for inline # use. Most preprocessors currently do not work in inline # mode, as such they are not included. # ### Network variables var HOME_NET any var HONEYNET any var EXTERNAL_NET any var DNS_SERVERS any var SMTP_SERVERS any var TELNET_SERVERS any var HTTP_SERVERS any var SQL_SERVERS any # Ports you run web servers on # # Please note: [80,8080] does not work. # If you wish to define multiple HTTP ports, # ## var HTTP_PORTS 80 ## include somefile.rules ## var HTTP_PORTS 8080 ## include somefile.rules var HTTP_PORTS 80 # Ports you want to look for SHELLCODE on. var SHELLCODE_PORTS !80 # bleeding config var SSH_PORTS 22 222 # Ports you do oracle attacks on var ORACLE_PORTS 1521 # AIM servers. AOL has a habit of adding new AIM servers, so instead of # modifying the signatures when they do, we add them to this list of servers. var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] # Configure the snort decoder # ============================ # # Snort's decoder will alert on lots of things such as header # truncation or options of unusual length or infrequently used tcp options # # # Stop generic decode events: # # config disable_decode_alerts # # Stop generic decode drops: # #config disable_decode_drops # # Stop Alerts on experimental TCP options # #config disable_tcpopt_experimental_alerts # # Stop drops on experimental TCP options # #config disable_tcpopt_experimental_drops # # Stop Alerts on obsolete TCP options # #config disable_tcpopt_obsolete_alerts # # Stop drops on obsolete TCP options # #config disable_tcpopt_obsolete_drops # # Stop Alerts on T/TCP alerts # # In snort 2.0.1 and above, this only alerts when a TCP option is detected # that shows T/TCP being actively used on the network. If this is normal # behavior for your network, disable the next option. # #config disable_tcpopt_ttcp_alerts # # Stop drops on T/TCP alerts # #config disable_ttcp_drops # # Stop Alerts on all other TCPOption type events: # # config disable_tcpopt_alerts # # Stop drops on all other TCPOption type events: # #config disable_tcpopt_drops # # Stop Alerts on invalid ip options # # config disable_ipopt_alerts # # Stop drops on invalid ip options # #config disable_ipopt_drops # Configure Inline Resets # ======================== # # If running an iptables firewall with snort_inline we can now perform resets # via a physical device we grab the indev from iptables and use this for the # interface on which to send resets. This config option takes an argument for # the src mac address you want to use in the reset packet. This way the bridge # can remain stealthy. If the src mac option is not set we use the mac address # of the indev device. If we don't set this option we will default to sending # resets via raw socket, which needs an ipaddress to be assigned to the int. # config layer2resets ### Let's make sure we don't let bad packets out simply cause ### they have bad checksums. If this is not here, packets with ### bad checksums could get out. config checksum_mode: none # Path to your rules files (this can be a relative path) var RULE_PATH /etc/snort_inline/rules ### Preprocessors # usage guidelines: if the plugin normalizes the packet so that the # detection engine can better interpret the data, the plugin can be # used with the snort_inline safely. If the plugin itself makes # the alert decisions, then we have to modify it to drop packets. # Done by IPTables. Iptables assembles fragments when we use connection # tracking; therefore, we don't have to use frag2 # preprocessor frag2 # Configure Flow tracking module # ------------------------------- # # The Flow tracking module is meant to start unifying the state keeping # mechanisms of snort into a single place. Right now, only a portscan detector # is implemented but in the long term, many of the stateful subsystems of # snort will be migrated over to becoming flow plugins. This must be enabled # for flow-portscan to work correctly. # # See README.flow for additional information # preprocessor flow: stats_interval 0 hash 2 # stream4: stateful inspection/stream reassembly for Snort #---------------------------------------------------------------------- # Use in concert with the -z [all|est] command line switch to defeat stick/snot # against TCP rules. Also performs full TCP stream reassembly, stateful # inspection of TCP streams, etc. Can statefully detect various portscan # types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8388608) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this option is set # detect_state_problems - detect TCP state problems, this tends to be very # noisy because there are a lot of crappy ip stack # implementations out there # # disable_evasion_alerts - turn off the possibly noisy mitigation of # overlapping sequences. # # # min_ttl [number] - set a minium ttl that snort will accept to # stream reassembly # # ttl_limit [number] - differential of the initial ttl on a session versus # the normal that someone may be playing games. # Routing flap may cause lots of false positives. # # keepstats [machine|binary] - keep session statistics, add "machine" to # get them in a flat format for machine reading, add # "binary" to get them in a unified binary output # format # noinspect - turn off stateful inspection only # timeout [number] - set the session timeout counter to [number] seconds, # default is 30 seconds # memcap [number] - limit stream4 memory usage to [number] bytes # log_flushed_streams - if an event is detected on a stream this option will # cause all packets that are stored in the stream4 # packet buffers to be flushed to disk. This only # works when logging in pcap mode! # # Stream4 uses Generator ID 111 and uses the following SIDS # for that GID: # SID Event description # ----- ------------------- # 1 Stealth activity # 2 Evasive RST packet # 3 Evasive TCP packet retransmission # 4 TCP Window violation # 5 Data on SYN packet # 6 Stealth scan: full XMAS # 7 Stealth scan: SYN-ACK-PSH-URG # 8 Stealth scan: FIN scan # 9 Stealth scan: NULL scan # 10 Stealth scan: NMAP XMAS scan # 11 Stealth scan: Vecna scan # 12 Stealth scan: NMAP fingerprint scan stateful detect # 13 Stealth scan: SYN-FIN scan # 14 TCP forward overlap preprocessor stream4: disable_evasion_alerts # tcp stream reassembly directive # no arguments loads the default configuration # Only reassemble the client, # Only reassemble the default list of ports (See below), # Give alerts for "bad" streams # # Available options (comma delimited): # clientonly - reassemble traffic for the client side of a connection only # serveronly - reassemble traffic for the server side of a connection only # both - reassemble both sides of a session # noalerts - turn off alerts from the stream reassembly stage of stream4 # ports [list] - use the space separated list of ports in [list], "all" # will turn on reassembly for all ports, "default" will turn # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 # and 513 preprocessor stream4_reassemble: both # http_inspect: normalize and detect HTTP traffic and protocol anomalies # # lots of options available here. See doc/README.http_inspect. # unicode.map should be wherever your snort.conf lives, or given # a full path to where snort can find it. preprocessor http_inspect: global \ iis_unicode_map /etc/snort/unicode.map 1252 preprocessor http_inspect_server: server default \ profile all ports { 80 8080 8180 } oversize_dir_length 500 \ flow_depth 0 # rpc_decode: normalize RPC traffic # --------------------------------- # RPC may be sent in alternate encodings besides the usual 4-byte encoding # that is used by default. This plugin takes the port numbers that RPC # services are running on as arguments - it is assumed that the given ports # are actually running this type of service. If not, change the ports or turn # it off. # The RPC decode preprocessor uses generator ID 106 # # arguments: space separated list # alert_fragments - alert on any rpc fragmented TCP data # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet # no_alert_large_fragments - don't alert when the fragmented # sizes exceed the current packet size # no_alert_incomplete - don't alert when a single segment # exceeds the current packet size preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector # ------------------------- # Detects Back Orifice traffic on the network. Takes no arguments in 2.0. # # The Back Orifice detector uses Generator ID 105 and uses the # following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Back Orifice traffic detected preprocessor bo # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp # traffic. It works in much the same way as the http_decode preprocessor, # searching for traffic that breaks up the normal data stream of a protocol and # replacing it with a normalized representation of that traffic so that the # "content" pattern matching keyword can work without requiring modifications. # This preprocessor requires no arguments. # Portscan uses Generator ID 109 and does not generate any SID currently. preprocessor telnet_decode # Flow-Portscan: detect a variety of portscans # --------------------------------------- # Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to # work. # # This module detects portscans based off of flow creation in the flow # preprocessors. The goal is to catch catch one->many hosts and one->many # ports scans. # # Flow-Portscan has numerous options available, please read # README.flow-portscan for help configuring this option. # Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID: # SID Event description # ----- ------------------- # 1 flow-portscan: Fixed Scale Scanner Limit Exceeded # 2 flow-portscan: Sliding Scale Scanner Limit Exceeded # 3 flow-portscan: Fixed Scale Talker Limit Exceeded # 4 flow-portscan: Sliding Scale Talker Limit Exceeded preprocessor flow-portscan: \ talker-sliding-scale-factor 0.50 \ talker-fixed-threshold 30 \ talker-sliding-threshold 30 \ talker-sliding-window 20 \ # talker-fixed-window 30 \ # scoreboard-rows-talker 30000 \ # server-watchnet [10.2.0.0/30] \ # server-ignore-limit 200 \ # server-rows 65535 \ # server-learning-time 14400 \ # server-scanner-limit 4 \ # scanner-sliding-window 20 \ # scanner-sliding-scale-factor 0.50 \ # scanner-fixed-threshold 15 \ # scanner-sliding-threshold 40 \ # scanner-fixed-window 15 \ # scoreboard-rows-scanner 30000 \ # src-ignore-net [192.168.1.1/32,192.168.0.0/24] \ # dst-ignore-net [10.0.0.0/30] \ alert-mode once \ output-mode msg \ tcp-penalties on ### Logging alerts of outbound attacks output alert_full: snort_inline-full output alert_fast: snort_inline-fast output alert_unified: filename /var/log/snort_inline/snort_inline_unified, limit 128 ### If you want to log the contents of the dropped packets, remove comment #output log_tcpdump: tcpdump.log # Include classification & priority settings include /etc/snort/classification.config include /etc/snort/reference.config # Rule sets are now managed through the Walleye UI, please use # the interface for addition/removal/modifications of rules. By # default, the user interface maintains ALL the rules in a rules # databases, then includes all the rules you enable in the rule # files below. If you are not using a specific rule file below, # then that rules file will be empty. Do NOT comment out unused # rules files. # No smtp or pop traffic on our home network include $RULE_PATH/bleeding.rules include $RULE_PATH/bleeding-exploit.rules include $RULE_PATH/bleeding-scan.rules include $RULE_PATH/exploit.rules include $RULE_PATH/finger.rules include $RULE_PATH/bleeding-malware.rules include $RULE_PATH/bleeding-virus.rules include $RULE_PATH/bleeding-dos.rules include $RULE_PATH/web-client.rules include $RULE_PATH/bleeding-web.rules include $RULE_PATH/bleeding-game.rules include $RULE_PATH/bleeding-voip.rules include $RULE_PATH/bleeding-p2p.rules include $RULE_PATH/bleeding-policy.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/tftp.rules include $RULE_PATH/dos.rules include $RULE_PATH/content-replace.rules include $RULE_PATH/bleeding-dshield.rules include $RULE_PATH/bleeding-drop.rules include $RULE_PATH/bleeding-rbn.rules include $RULE_PATH/bleeding-compromised.rules include $RULE_PATH/bleeding-botcc.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/mysql.rules include $RULE_PATH/snmp.rules # include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules # include $RULE_PATH/pop3.rules # include $RULE_PATH/pop2.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/virus.rules include $RULE_PATH/nntp.rules include $RULE_PATH/misc.rules include $RULE_PATH/info.rules