--- etc/snort.conf.org 2007-03-22 10:34:21.000000000 -0700 +++ etc/snort.conf 2007-04-18 21:48:31.000000000 -0700 @@ -194,7 +194,7 @@ # Load all dynamic preprocessors from the install path # (same as command line option --dynamic-preprocessor-lib-dir) # -dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ +# dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ # # Load a specific dynamic preprocessor library from the install path # (same as command line option --dynamic-preprocessor-lib) @@ -204,7 +204,7 @@ # Load a dynamic engine from the install path # (same as command line option --dynamic-engine-lib) # -dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so +# dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so # # Load all dynamic rules libraries from the install path # (same as command line option --dynamic-detection-lib-dir) @@ -235,7 +235,7 @@ # # See README.flow for additional information # -preprocessor flow: stats_interval 0 hash 2 +# preprocessor flow: stats_interval 0 hash 2 # frag2: IP defragmentation support # ------------------------------- @@ -320,8 +320,8 @@ # bind_to 10.3.1.0/24 #preprocessor frag3_engine: policy bsd -preprocessor frag3_global: max_frags 65536 -preprocessor frag3_engine: policy first detect_anomalies +#preprocessor frag3_global: max_frags 65536 +#preprocessor frag3_engine: policy first detect_anomalies # stream4: stateful inspection/stream reassembly for Snort @@ -400,7 +400,7 @@ # 13 Stealth scan: SYN-FIN scan # 14 TCP forward overlap -preprocessor stream4: disable_evasion_alerts +#preprocessor stream4: disable_evasion_alerts # tcp stream reassembly directive # no arguments loads the default configuration @@ -436,7 +436,7 @@ # # Using the default random flushpoints, the smallest flushpoint is 512, # and the largest is 1725 bytes. -preprocessor stream4_reassemble +#preprocessor stream4_reassemble # stream5: Target Based stateful inspection/stream reassembly for Snort # --------------------------------------------------------------------- @@ -472,11 +472,11 @@ # lots of options available here. See doc/README.http_inspect. # unicode.map should be wherever your snort.conf lives, or given # a full path to where snort can find it. -preprocessor http_inspect: global \ - iis_unicode_map unicode.map 1252 +#preprocessor http_inspect: global \ +# iis_unicode_map unicode.map 1252 -preprocessor http_inspect_server: server default \ - profile all ports { 80 8080 8180 } oversize_dir_length 500 +#preprocessor http_inspect_server: server default \ +# profile all ports { 80 8080 8180 } oversize_dir_length 500 # # Example unique server configuration @@ -510,7 +510,7 @@ # no_alert_incomplete - don't alert when a single segment # exceeds the current packet size -preprocessor rpc_decode: 111 32771 +#preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector # ------------------------- @@ -533,7 +533,7 @@ # 3 Back Orifice Server Traffic Detected # 4 Back Orifice Snort Buffer Attack -preprocessor bo +#preprocessor bo # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- @@ -568,32 +568,32 @@ # or use commandline option # --dynamic-preprocessor-lib -preprocessor ftp_telnet: global \ - encrypted_traffic yes \ - inspection_type stateful - -preprocessor ftp_telnet_protocol: telnet \ - normalize \ - ayt_attack_thresh 200 +#preprocessor ftp_telnet: global \ +# encrypted_traffic yes \ +# inspection_type stateful + +#preprocessor ftp_telnet_protocol: telnet \ +# normalize \ +# ayt_attack_thresh 200 # This is consistent with the FTP rules as of 18 Sept 2004. # CWD can have param length of 200 # MODE has an additional mode of Z (compressed) # Check for string formats in USER & PASS commands # Check nDTM commands that set modification time on the file. -preprocessor ftp_telnet_protocol: ftp server default \ - def_max_param_len 100 \ - alt_max_param_len 200 { CWD } \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ - telnet_cmds yes \ - data_chan - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - telnet_cmds yes +#preprocessor ftp_telnet_protocol: ftp server default \ +# def_max_param_len 100 \ +# alt_max_param_len 200 { CWD } \ +# cmd_validity MODE < char ASBCZ > \ +# cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ +# chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ +# telnet_cmds yes \ +# data_chan + +#preprocessor ftp_telnet_protocol: ftp client default \ +# max_resp_len 256 \ +# bounce yes \ +# telnet_cmds yes # smtp: SMTP normalizer, protocol enforcement and buffer overflow # --------------------------------------------------------------------------- @@ -611,15 +611,15 @@ # or use commandline option # --dynamic-preprocessor-lib -preprocessor smtp: \ - ports { 25 } \ - inspection_type stateful \ - normalize cmds \ - normalize_cmds { EXPN VRFY RCPT } \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN } \ - alt_max_command_line_len 255 { EXPN VRFY } +#preprocessor smtp: \ +# ports { 25 } \ +# inspection_type stateful \ +# normalize cmds \ +# normalize_cmds { EXPN VRFY RCPT } \ +# alt_max_command_line_len 260 { MAIL } \ +# alt_max_command_line_len 300 { RCPT } \ +# alt_max_command_line_len 500 { HELP HELO ETRN } \ +# alt_max_command_line_len 255 { EXPN VRFY } # sfPortscan # ---------- @@ -675,7 +675,7 @@ # false alerts, especially under heavy load with dropped packets; which is why # the option is off by default. # -preprocessor sfportscan: proto { all } \ - memcap { 10000000 } \ - sense_level { low } +#preprocessor sfportscan: proto { all } \ +# memcap { 10000000 } \ +# sense_level { low } @@ -771,10 +771,10 @@ # or use commandline option # --dynamic-preprocessor-lib -preprocessor dcerpc: \ - autodetect \ - max_frag_size 3000 \ - memcap 100000 +#preprocessor dcerpc: \ +# autodetect \ +# max_frag_size 3000 \ +# memcap 100000 # DNS #---------------------------------------- @@ -790,9 +790,9 @@ # or use commandline option # --dynamic-preprocessor-lib -preprocessor dns: \ - ports { 53 } \ - enable_rdata_overflow +#preprocessor dns: \ +# ports { 53 } \ +# enable_rdata_overflow #################################################################### # Step #4: Configure output plugins