#!/bin/sh # # MetU # Feb. 2006 # # ____ _ _ _ _ ___ # / ___| _ __ ___ _ __| |_ __ _| |_| |_ __ _ ___| | __ / _ \ _ __ __ _ # \___ \| '_ \ / _ \| '__| __/ _` | __| __/ _` |/ __| |/ /| | | | '__/ _` | # ___) | | | | (_) | | | || (_| | |_| || (_| | (__| < | |_| | | | (_| | # |____/|_| |_|\___/|_| \__\__,_|\__|\__\__,_|\___|_|\_(_)___/|_| \__, | # |___/ # Define Main Variable : # ################################# include homenet.fst include mysqlpws.fst ################################# # # Clamav definitions : # # For Debian : # #preprocessor clamav: ports all !22 !443, toserveronly, action-drop, dbdir /var/lib/clamav, dbreload-time 3600 # # For Fedora Core 2 / 3 : # #preprocessor clamav: ports all !22 !443, toserveronly, dbdir /var/clamav, dbreload-time 3600, action-drop # # For Fedora Core 4 / 5 : # #preprocessor clamav: ports all !22 !443, toserveronly, dbdir /var/lib/clamav, dbreload-time 3600, action-drop ##### Define Variable : ##### var EXTERNAL_NET !$HOME_NET var HONEYNET $HOME_NET var SSH_PORTS 22 var DNS_SERVERS $HOME_NET var SMTP_SERVERS $HOME_NET var HTTP_SERVERS $HOME_NET var SQL_SERVERS $HOME_NET var TELNET_SERVERS $HOME_NET var SNMP_SERVERS $HOME_NET var HTTP_PORTS 80 var SHELLCODE_PORTS !80 var ORACLE_PORTS 1521 var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,\ 64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] var RULE_PATH /etc/snort_inline/rules include $RULE_PATH/classification.config include $RULE_PATH/reference.config ### Configure Preprocessor : ### config checksum_mode: none config checksum_drop : all config detection: search-method lowmem preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 500 #Flow,Frag and stream preprocessor flow: stats_interval 0 hash 2 preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy first detect_anomalies #Version for 2.6.1.5 preprocessor stream4: disable_evasion_alerts,midstream_drop_alerts, stream4inline, norm_wscale_max 5, disable_norm_wscale_alerts yes, disable_ooo_alerts yes #Version for 2.8.0.1 preprocessor stream4: disable_evasion_alerts, enable_udp_sessions, memcap 336088640, stream4inline, norm_window preprocessor stream4_reassemble: both #Clamav include clamav.fst preprocessor rpc_decode: 111 32771 preprocessor bo preprocessor telnet_decode ### Configure Output : ### #output database: alert, mysql, dbname=snort user=snort host=localhost password=$MYSQLPWS detail=full output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID #output alert_full: snort_inline-full.log #output alert_fast: snort_inline-fast.log include $RULE_PATH/attack-responses.rules include $RULE_PATH/backdoor.rules include $RULE_PATH/bad-traffic.rules include $RULE_PATH/emerging-attack_response.rules #include $RULE_PATH/emerging-botcc-BLOCK.rules include $RULE_PATH/emerging-botcc.rules #include $RULE_PATH/emerging-game.rules #include $RULE_PATH/emerging-inappropriate.rules include $RULE_PATH/emerging-malware.rules #include $RULE_PATH/malware.rules #include $RULE_PATH/snortattack-italian-law.rules #include $RULE_PATH/socialnet.rules #include $RULE_PATH/emerging-p2p.rules #include $RULE_PATH/emerging-policy.rules include $RULE_PATH/emerging.rules include $RULE_PATH/emerging-virus.rules #include $RULE_PATH/chat.rules include $RULE_PATH/community-bot.rules #include $RULE_PATH/community-game.rules #include $RULE_PATH/community-inappropriate.rules include $RULE_PATH/community-mail-client.rules #include $RULE_PATH/community-policy.rules #include $RULE_PATH/community-sip.rules include $RULE_PATH/community-virus.rules include $RULE_PATH/community-web-client.rules #include $RULE_PATH/multimedia.rules include $RULE_PATH/netbios.rules #include $RULE_PATH/p2p.rules #include $RULE_PATH/policy.rules #include $RULE_PATH/porn.rules include $RULE_PATH/rpc.rules include $RULE_PATH/spyware-put.rules #include $RULE_PATH/virus.rules include $RULE_PATH/web-client.rules include $RULE_PATH/x11.rules #BlackList include $RULE_PATH/emerging-rbn.rules include $RULE_PATH/emerging-botcc.rules