#!/bin/sh
#
# MetU
# Feb. 2006
#
#  ____                   _   _        _   _             _       ___
# / ___| _ __   ___  _ __| |_| |_ __ _| |_| |_ __ _  ___| | __  / _ \ _ __ __ _
# \___ \| '_ \ / _ \| '__| __/ _` | __| __/ _` |/ __| |/ /| | | | '__/ _` |
#  ___) | | | | (_) | | | || (_| | |_| || (_| | (__| <  | |_| | | | (_| |
# |____/|_| |_|\___/|_|  \__\__,_|\__|\__\__,_|\___|_|\_(_)___/|_|  \__, |
#                                                                   |___/
#
# snort_inline configuration for a honeynet sensor (the "#!/bin/sh" line above
# is only a comment to Snort; this file is not a shell script and should not
# be executed).  Directives are read top to bottom, so variables must be
# defined before the first directive that expands them.
#
# Define Main Variable :
#
#################################
# homenet.fst defines $HOME_NET, mysqlpws.fst defines $MYSQLPWS (the database
# password used by the commented-out "output database" line below).  Keeping
# the credential in its own include lets this file be shared; the include
# itself should stay readable only by the user snort runs as.
include homenet.fst
include mysqlpws.fst
#################################
#
# Clamav definitions :
#
# The three variants differ only in the dbdir path; the live clamav settings
# are pulled in by "include clamav.fst" in the preprocessor section, so these
# stay commented out.
#
# For Debian :
#
#preprocessor clamav: ports all !22 !443, toserveronly, action-drop, dbdir /var/lib/clamav, dbreload-time 3600
#
# For Fedora Core 2 / 3 :
#
#preprocessor clamav: ports all !22 !443, toserveronly, dbdir /var/clamav, dbreload-time 3600, action-drop
#
# For Fedora Core 4 / 5 :
#
#preprocessor clamav: ports all !22 !443, toserveronly, dbdir /var/lib/clamav, dbreload-time 3600, action-drop

##### Define Variable : #####
# Everything outside the honeynet is "external"; all server-role variables
# point at the honeynet itself, so rules with a $*_SERVERS destination fire
# for traffic aimed at any honeypot.
var EXTERNAL_NET !$HOME_NET
var HONEYNET $HOME_NET
var SSH_PORTS 22
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
# NOTE(review): $HTTP_PORTS covers only 80, while http_inspect_server below
# normalises ports 80, 8080 and 3128.  Web rules keyed on $HTTP_PORTS will
# therefore not fire for 8080/3128 even though the traffic is decoded.  Whether
# a port list is accepted here depends on the snort_inline version in use;
# confirm before widening it.
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# Copied from the stock snort.conf of the period.  64.12.26.14/24 has host
# bits set; Snort presumably masks it to 64.12.26.0/24 - verify if the AIM
# rules matter for this sensor.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,\
64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort_inline/rules

### Configure Preprocessor : ###
# NOTE(review): checksum_mode none disables checksum verification, and
# checksum_drop only applies to packets that checksum_mode verifies, so the
# "checksum_drop : all" line is inert as written.  If dropping bad-checksum
# packets inline is wanted, checksum_mode has to verify them; if seeing
# malformed packets from the honeynet is the goal, checksum_drop can go.
config checksum_mode: none
config checksum_drop : all
# lowmem trades matching speed for a smaller memory footprint.
config detection: search-method lowmem
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 500

#Flow,Frag and stream
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

# NOTE(review): two stream4 lines follow, one per snort_inline version, and
# both appear to be active.  Only the one matching the installed version
# should be enabled; confirm which one is meant and comment out the other.
# stream4inline enables the inline normalisation needed for drop rules;
# disable_evasion_alerts silences stream evasion alerts, which reduces noise
# on a honeynet but also hides evasion attempts from the alert log.
#Version for 2.6.1.5
preprocessor stream4: disable_evasion_alerts,midstream_drop_alerts, stream4inline, norm_wscale_max 5, disable_norm_wscale_alerts yes, disable_ooo_alerts yes

#Version for 2.8.0.1
preprocessor stream4: disable_evasion_alerts, enable_udp_sessions, memcap 336088640, stream4inline, norm_window

preprocessor stream4_reassemble: both, ports all

#Clamav
# Live clamav preprocessor settings (see the commented variants above).
include clamav.fst

#HTTP Inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# no_alerts keeps the normaliser running but suppresses every http_inspect
# alert (double decoding, unicode tricks, ...); only the rule engine sees the
# decoded URI.  flow_depth 0 inspects the whole response, which is the most
# expensive setting.  The port list here is wider than $HTTP_PORTS - see the
# note on that variable.
preprocessor http_inspect_server: server default \
    ports { 80 8080 3128 } \
    no_alerts \
    non_strict \
    non_rfc_char { 0x00 } \
    flow_depth 0 \
    apache_whitespace yes \
    directory no \
    iis_backslash no \
    u_encode yes \
    ascii no \
    chunk_length 500000 \
    bare_byte yes \
    double_decode yes \
    iis_unicode yes \
    iis_delimiter yes \
    multi_slash no

#Other preprocs
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

#Flow Portscan
# NOTE(review): the two commented src-ignore-net / dst-ignore-net lines sit
# inside the backslash-continued directive.  Whether the parser skips them and
# carries the continuation on to "alert-mode once", or ends the directive
# early, depends on the snort_inline version - run the config in test mode
# (-T) after editing this block, or move the commented lines above the
# directive.  server-watchnet limits the server-side scoreboard to the
# honeynet, so scans against it are scored while outbound scans are not.
preprocessor flow-portscan: \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    talker-fixed-window 30 \
    scoreboard-rows-talker 30000 \
    server-watchnet $HOME_NET \
    server-ignore-limit 200 \
    server-rows 65535 \
    server-learning-time 14400 \
    server-scanner-limit 4 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scoreboard-rows-scanner 30000 \
#    src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
#    dst-ignore-net [10.0.0.0/30] \
    alert-mode once \
    output-mode msg \
    tcp-penalties on

### Configure Output : ###
# Alerts go to syslog only (facility LOG_AUTH, priority LOG_ALERT); LOG_PERROR
# also echoes them to stderr.  The database output is disabled; if enabled it
# reads the password from $MYSQLPWS (mysqlpws.fst) rather than from this file.
#output database: alert, mysql, dbname=snort user=snort host=localhost password=$MYSQLPWS detail=full
output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
#output alert_full: snort_inline-full.log
#output alert_fast: snort_inline-fast.log

# classification.config and reference.config must precede the rule files
# that reference their classtypes and reference systems.
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
# Emerging Threats and community rule sets.
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-web-misc.rules

#BlackList
# IP reputation lists (RBN, botnet C&C).  These are address lists that go
# stale quickly; they are only as good as the last rule update.
include $RULE_PATH/emerging-rbn.rules
include $RULE_PATH/emerging-botcc.rules