All pastes #938622 Raw Edit

w3rd_

public text v1 · immutable
#938622 ·published 2008-03-11 19:33 UTC
rendered paste body
#--------------------------------------------------
# Snort IDScenter ruleset
# Contact: Ueli Kistler, u.kistler@engagesecurity.com
#--------------------------------------------------
# Generated using IDScenter 1.1 RC4
###################################################
# You can take the following steps to create your
# own custom configuration:
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
###################################################

config logdir: C:\Snort\log

###################################################
# Step #1: Set the network variables:
# You must change the following variables to reflect
# your local network. The variable is currently
# setup for an RFC 1918 address space.
###################################################
var HOME_NET 10.1.10.6/32
var EXTERNAL_NET any
var DNS_SERVERS any
var SMTP_SERVERS 10.1.10.6/32
var HTTP_SERVERS 10.1.10.6/32
var SQL_SERVERS 10.1.10.6/32
var TELNET_SERVERS 10.1.10.6/32
var SNMP_SERVERS 10.1.10.6/32
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH c:\snort\rules
var PREPROC_RULE_PATH ../preproc_rules
var HTTP_PORTS 80

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default.  This preprocessor
# normalized RPC traffic in much the same way as the http_decode
# preprocessor.  This plugin takes the ports numbers that RPC
# services are running on as arguments.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size
preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  This preprocessor
# uses the Back Orifice "encryption" algorithm to search for
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments.  The first is "-nobrute"
# which turns off the plugin´s brute forcing routine (brute forces
# the key space of the protocol to find BO traffic).  The second
# argument that can be passed to the routine is a number to use
# as the default key when trying to decrypt the traffic.  The
# default value is 31337 (just like BO).  Be aware that turning on
# the brute forcing option runs the risk of impacting the overall
# performance of Snort, you´ve been warned...
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected
preprocessor bo

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
#preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
preprocessor http_inspect_server: server default \
preprocessor ftp_telnet: global \
preprocessor ftp_telnet_protocol: telnet \
preprocessor ftp_telnet_protocol: ftp server default \
preprocessor ftp_telnet_protocol: ftp client default \
preprocessor smtp: \
preprocessor sfportscan: proto  { all } \
preprocessor dcerpc: \
preprocessor dns: \

####################################################################
# Step #3: Configure output plugins
#
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own
# custom snort rules.
#
# The rules included with this distribution generate alerts based on
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives ore may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of rules in this
# distribution.
#
# Credits:
#   Ron Gula <rgula@securitywizards.com> of Network Security Wizards
#   Max Vision <vision@whitehats.com>
#   Martin Markgraf <martin@mail.du.gtn.com>
#   Fyodor Yarochkin <fygrave@tigerteam.net>
#   Nick Rogness <nick@rapidnet.com>
#   Jim Forster <jforster@rapidnet.com>
#   Scott McIntyre <scott@whoi.edu>
#   Tom Vandepoel <Tom.Vandepoel@ubizen.com>
#   Brian Caswell <bmc@snort.org>
#   Zeno <admin@cgisecurity.com>
#   Ryan Russell <ryan@securityfocus.com>
#
#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default.  These require tuning and maintance.
# Please read the included specific file for more information.
#=========================================

# Classification configuration file
include C:\Snort\rules\

# Rule/Signature files:
include C:\Snort\rules\bad-traffic.rules
include C:\Snort\rules\backdoor.rules
include C:\Snort\rules\attack-responses.rules