source: packages/net/snort/patches/750-lightweight-config.patch @ 28667

Last change on this file since 28667 was 28667, checked in by nico, 5 years ago

packages/snort: various fixes

  • use basic, mysql & pgsql VARIANTs
  • add a build dependency on librpc when building against uClibc (closes: #10132)
  • ship empty, useless, but working config & ruleset
  • ship dynamic engine & preprocessors, disabled by default
  • make it listen on loopback by default
  • Property svn:eol-style set to native
File size: 10.8 KB
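--- a/etc/snort.conf
+++ b/etc/snort.conf
@@ -6,6 +6,7 @@
 #
 ###################################################
 # This file contains a sample snort configuration.
+# Most preprocessors and rules were disabled to save memory.
 # You can take the following steps to create your own custom configuration:
 #
 #  1) Set the variables for your network
@@ -43,10 +44,10 @@
 # or you can specify the variable to be any IP address
 # like this:
 
-var HOME_NET any
+var HOME_NET 192.168.1.0/24
 
 # Set up the external network addresses as well.  A good start may be "any"
-var EXTERNAL_NET any
+var EXTERNAL_NET !$HOME_NET
 
 # Configure your server lists.  This allows snort to only look for attacks to
 # systems that have a service up.  Why look for HTTP attacks if you are not
@@ -107,8 +108,8 @@ var AIM_SERVERS [64.12.24.0/23,64.12.28.
 # Path to your rules files (this can be a relative path)
 # Note for Windows users:  You are advised to make this an absolute path,
 # such as:  c:\snort\rules
-var RULE_PATH ../rules
-var PREPROC_RULE_PATH ../preproc_rules
+var RULE_PATH /etc/snort/rules
+var PREPROC_RULE_PATH /etc/snort/preproc_rules
 
 # Configure the snort decoder
 # ============================
@@ -191,27 +192,27 @@ var PREPROC_RULE_PATH ../preproc_rules
 # Load all dynamic preprocessors from the install path
 # (same as command line option --dynamic-preprocessor-lib-dir)
 #
-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+#dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
 #
 # Load a specific dynamic preprocessor library from the install path
 # (same as command line option --dynamic-preprocessor-lib)
 #
-# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
+# dynamicpreprocessor file /usr/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
 #
 # Load a dynamic engine from the install path
 # (same as command line option --dynamic-engine-lib)
 #
-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+#dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
 #
 # Load all dynamic rules libraries from the install path
 # (same as command line option --dynamic-detection-lib-dir)
 #
-# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
+# dynamicdetection directory /usr/lib/snort_dynamicrules/
 #
 # Load a specific dynamic rule library from the install path
 # (same as command line option --dynamic-detection-lib)
 #
-# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
+# dynamicdetection file /usr/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so
 #
 
 ###################################################
@@ -307,11 +308,11 @@ preprocessor stream5_tcp: policy first,
 # lots of options available here. See doc/README.http_inspect.
 # unicode.map should be wherever your snort.conf lives, or given
 # a full path to where snort can find it.
-preprocessor http_inspect: global \
-    iis_unicode_map unicode.map 1252
+#preprocessor http_inspect: global \
+#    iis_unicode_map unicode.map 1252
 
-preprocessor http_inspect_server: server default \
-    profile all ports { 80 8080 8180 } oversize_dir_length 500
+#preprocessor http_inspect_server: server default \
+#    profile all ports { 80 8080 8180 } oversize_dir_length 500
 
 #
 #  Example unique server configuration
@@ -345,7 +346,7 @@ preprocessor http_inspect_server: server
 # no_alert_incomplete - don't alert when a single segment
 #                       exceeds the current packet size
 
-preprocessor rpc_decode: 111 32771
+#preprocessor rpc_decode: 111 32771
 
 # bo: Back Orifice detector
 # -------------------------
@@ -368,7 +369,7 @@ preprocessor rpc_decode: 111 32771
 #   3       Back Orifice Server Traffic Detected
 #   4       Back Orifice Snort Buffer Attack
 
-preprocessor bo
+#preprocessor bo
 
 # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
 # ---------------------------------------------------------------------------
@@ -391,32 +392,32 @@ preprocessor bo
 # or use commandline option
 # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
 
-preprocessor ftp_telnet: global \
-   encrypted_traffic yes \
-   inspection_type stateful
-
-preprocessor ftp_telnet_protocol: telnet \
-   normalize \
-   ayt_attack_thresh 200
+#preprocessor ftp_telnet: global \
+#   encrypted_traffic yes \
+#   inspection_type stateful
+
+#preprocessor ftp_telnet_protocol: telnet \
+#   normalize \
+#   ayt_attack_thresh 200
 
 # This is consistent with the FTP rules as of 18 Sept 2004.
 # CWD can have param length of 200
 # MODE has an additional mode of Z (compressed)
 # Check for string formats in USER & PASS commands
 # Check nDTM commands that set modification time on the file.
-preprocessor ftp_telnet_protocol: ftp server default \
-   def_max_param_len 100 \
-   alt_max_param_len 200 { CWD } \
-   cmd_validity MODE < char ASBCZ > \
-   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
-   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
-   telnet_cmds yes \
-   data_chan
-
-preprocessor ftp_telnet_protocol: ftp client default \
-   max_resp_len 256 \
-   bounce yes \
-   telnet_cmds yes
+#preprocessor ftp_telnet_protocol: ftp server default \
+#   def_max_param_len 100 \
+#   alt_max_param_len 200 { CWD } \
+#   cmd_validity MODE < char ASBCZ > \
+#   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+#   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
+#   telnet_cmds yes \
+#   data_chan
+
+#preprocessor ftp_telnet_protocol: ftp client default \
+#   max_resp_len 256 \
+#   bounce yes \
+#   telnet_cmds yes
 
 # smtp: SMTP normalizer, protocol enforcement and buffer overflow
 # ---------------------------------------------------------------------------
@@ -434,15 +435,15 @@ preprocessor ftp_telnet_protocol: ftp cl
 # or use commandline option
 # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
 
-preprocessor smtp: \
-  ports { 25 587 691 } \
-  inspection_type stateful \
-  normalize cmds \
-  normalize_cmds { EXPN VRFY RCPT } \
-  alt_max_command_line_len 260 { MAIL } \
-  alt_max_command_line_len 300 { RCPT } \
-  alt_max_command_line_len 500 { HELP HELO ETRN } \
-  alt_max_command_line_len 255 { EXPN VRFY }
+#preprocessor smtp: \
+#  ports { 25 587 691 } \
+#  inspection_type stateful \
+#  normalize cmds \
+#  normalize_cmds { EXPN VRFY RCPT } \
+#  alt_max_command_line_len 260 { MAIL } \
+#  alt_max_command_line_len 300 { RCPT } \
+#  alt_max_command_line_len 500 { HELP HELO ETRN } \
+#  alt_max_command_line_len 255 { EXPN VRFY }
 
 # sfPortscan
 # ----------
@@ -498,9 +499,9 @@ preprocessor smtp: \
 #       false alerts, especially under heavy load with dropped packets; which is why
 #       the option is off by default.
 #
-preprocessor sfportscan: proto  { all } \
-                         memcap { 10000000 } \
-                         sense_level { low }
+#preprocessor sfportscan: proto  { all } \
+#                         memcap { 10000000 } \
+#                         sense_level { low }
 
 # arpspoof
 #----------------------------------------
@@ -605,8 +606,8 @@ preprocessor sfportscan: proto { all }
 # See doc/README.dcerpc2 for explanations of what the
 # preprocessor does and how to configure it.
 #
-preprocessor dcerpc2
-preprocessor dcerpc2_server: default
+#preprocessor dcerpc2
+#preprocessor dcerpc2_server: default
 
 
 # DNS
@@ -623,9 +624,9 @@ preprocessor dcerpc2_server: default
 # or use commandline option
 # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
 
-preprocessor dns: \
-    ports { 53 } \
-    enable_rdata_overflow
+#preprocessor dns: \
+#    ports { 53 } \
+#    enable_rdata_overflow
 
 # SSL
 #----------------------------------------
@@ -649,7 +650,7 @@ preprocessor dns: \
 #   To add reassembly on port 443 to Stream5, use 'port both 443' in the
 #   Stream5 configuration.
 
-preprocessor ssl: noinspect_encrypted, trustservers
+#preprocessor ssl: noinspect_encrypted, trustservers
 
 
 ####################################################################
@@ -808,44 +809,44 @@ include reference.config
 #=========================================
 
 include $RULE_PATH/local.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-
-include $RULE_PATH/sql.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
+#include $RULE_PATH/bad-traffic.rules
+#include $RULE_PATH/exploit.rules
+#include $RULE_PATH/scan.rules
+#include $RULE_PATH/finger.rules
+#include $RULE_PATH/ftp.rules
+#include $RULE_PATH/telnet.rules
+#include $RULE_PATH/rpc.rules
+#include $RULE_PATH/rservices.rules
+#include $RULE_PATH/dos.rules
+#include $RULE_PATH/ddos.rules
+#include $RULE_PATH/dns.rules
+#include $RULE_PATH/tftp.rules
+
+#include $RULE_PATH/web-cgi.rules
+#include $RULE_PATH/web-coldfusion.rules
+#include $RULE_PATH/web-iis.rules
+#include $RULE_PATH/web-frontpage.rules
+#include $RULE_PATH/web-misc.rules
+#include $RULE_PATH/web-client.rules
+#include $RULE_PATH/web-php.rules
+
+#include $RULE_PATH/sql.rules
+#include $RULE_PATH/x11.rules
+#include $RULE_PATH/icmp.rules
+#include $RULE_PATH/netbios.rules
+#include $RULE_PATH/misc.rules
+#include $RULE_PATH/attack-responses.rules
+#include $RULE_PATH/oracle.rules
+#include $RULE_PATH/mysql.rules
+#include $RULE_PATH/snmp.rules
+
+#include $RULE_PATH/smtp.rules
+#include $RULE_PATH/imap.rules
+#include $RULE_PATH/pop2.rules
+#include $RULE_PATH/pop3.rules
 
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
+#include $RULE_PATH/nntp.rules
+#include $RULE_PATH/other-ids.rules
 # include $RULE_PATH/web-attacks.rules
 # include $RULE_PATH/backdoor.rules
 # include $RULE_PATH/shellcode.rules
@@ -859,7 +860,7 @@ include $RULE_PATH/other-ids.rules
 # include $RULE_PATH/p2p.rules
 # include $RULE_PATH/spyware-put.rules
 # include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/experimental.rules
+#include $RULE_PATH/experimental.rules
 
 # include $PREPROC_RULE_PATH/preprocessor.rules
 # include $PREPROC_RULE_PATH/decoder.rules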
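Review bot: `var HOME_NET 192.168.1.0/24` at new line 47 hard-codes a single LAN range into a shipped default, and the paired `var EXTERNAL_NET !$HOME_NET` at new line 50 means that on a router whose LAN uses any other range every rule written as `$EXTERNAL_NET -> $HOME_NET` can never match, with nothing in this file flagging the mismatch. The new comment at line 9 already explains why preprocessors and rules were disabled, so this value deserves the same treatment next to it, e.g. `# HOME_NET is a placeholder; set it to your own LAN range (or any), otherwise rules scoped to $HOME_NET never fire.` The same pattern applies to the hunks that comment out http_inspect, ftp_telnet, smtp, dcerpc2 and dns (new lines 311-629): `include $RULE_PATH/local.rules` stays active, yet local rules that use uricontent/http_* modifiers or the ftp/smtp/dcerpc decoders depend, as far as I know, on the matching preprocessor being re-enabled and otherwise stay silent. A one-line comment at the first commented preprocessor, `# Re-enable the matching preprocessor before enabling rules that rely on it (e.g. http_inspect for uricontent/http_* rules).`, would make that dependency visible to whoever turns the rulesets back on.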