reputation preprocessor disabled, still experimental --- etc/snort.conf.orig Fri Mar 18 15:11:55 2016 +++ etc/snort.conf Fri Apr 29 11:02:26 2016 @@ -101,17 +101,17 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.1 # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules -var RULE_PATH ../rules -var SO_RULE_PATH ../so_rules -var PREPROC_RULE_PATH ../preproc_rules +var RULE_PATH ${SYSCONFDIR}/snort/rules +var SO_RULE_PATH ${SYSCONFDIR}/snort/so_rules +var PREPROC_RULE_PATH ${SYSCONFDIR}/snort/preproc_rules # If you are using reputation preprocessor set these # Currently there is a bug with relative paths, they are relative to where snort is # not relative to snort.conf like the above variables # This is completely inconsistent with how other vars work, BUG 89986 # Set the absolute path appropriately -var WHITE_LIST_PATH ../rules -var BLACK_LIST_PATH ../rules +var WHITE_LIST_PATH ${SYSCONFDIR}/snort/rules +var BLACK_LIST_PATH ${SYSCONFDIR}/snort/rules ################################################### # Step #2: Configure the decoder. For more information, see README.decode @@ -142,7 +142,11 @@ config disable_ipopt_alerts # config enable_decode_oversized_drops # Configure IP / TCP checksum mode -config checksum_mode: all +# OpenBSD delays the IP and protocol checksum calculation for outbound packets +# until late in the outbound path. However, this causes Snort to think it is +# seeing packets with bad checksums and discard them and never trigger alerts. +# To prevent this, turn off Snort's checksum verification subsystem. +config checksum_mode: none # Configure maximum number of flowbit references. For more information, see README.flowbits # config flowbits_size: 64 @@ -158,6 +162,7 @@ config checksum_mode: all # # config daq: # config daq_dir: +config daq_dir: ${PREFIX}/lib/daq/ # config daq_mode: # config daq_var: # @@ -504,12 +509,12 @@ preprocessor dnp3: ports { 20000 } \ check_crc # Reputation preprocessor. For more information see README.reputation -preprocessor reputation: \ - memcap 500, \ - priority whitelist, \ - nested_ip inner, \ - whitelist $WHITE_LIST_PATH/white_list.rules, \ - blacklist $BLACK_LIST_PATH/black_list.rules +#preprocessor reputation: \ +# memcap 500, \ +# priority whitelist, \ +# nested_ip inner, \ +# whitelist $WHITE_LIST_PATH/white_list.rules, \ +# blacklist $BLACK_LIST_PATH/black_list.rules ################################################### # Step #6: Configure output plugins @@ -543,8 +548,10 @@ include reference.config ################################################### # site specific rules -include $RULE_PATH/local.rules +#include $RULE_PATH/local.rules +# Official Sourcefire VRT rules from +# https://www.snort.org/downloads/#rule-downloads include $RULE_PATH/app-detect.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/backdoor.rules @@ -569,6 +576,7 @@ include $RULE_PATH/file-executable.rules include $RULE_PATH/file-flash.rules include $RULE_PATH/file-identify.rules include $RULE_PATH/file-image.rules +include $RULE_PATH/file-java.rules include $RULE_PATH/file-multimedia.rules include $RULE_PATH/file-office.rules include $RULE_PATH/file-other.rules @@ -580,6 +588,7 @@ include $RULE_PATH/icmp.rules include $RULE_PATH/imap.rules include $RULE_PATH/indicator-compromise.rules include $RULE_PATH/indicator-obfuscation.rules +include $RULE_PATH/indicator-scan.rules include $RULE_PATH/indicator-shellcode.rules include $RULE_PATH/info.rules include $RULE_PATH/malware-backdoor.rules @@ -593,6 +602,7 @@ include $RULE_PATH/netbios.rules include $RULE_PATH/nntp.rules include $RULE_PATH/oracle.rules include $RULE_PATH/os-linux.rules +include $RULE_PATH/os-mobile.rules include $RULE_PATH/os-other.rules include $RULE_PATH/os-solaris.rules include $RULE_PATH/os-windows.rules @@ -606,12 +616,20 @@ include $RULE_PATH/policy-social.rules include $RULE_PATH/policy-spam.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules +include $RULE_PATH/protocol-dns.rules include $RULE_PATH/protocol-finger.rules include $RULE_PATH/protocol-ftp.rules include $RULE_PATH/protocol-icmp.rules include $RULE_PATH/protocol-imap.rules +include $RULE_PATH/protocol-nntp.rules +include $RULE_PATH/protocol-other.rules include $RULE_PATH/protocol-pop.rules +include $RULE_PATH/protocol-rpc.rules +include $RULE_PATH/protocol-scada.rules include $RULE_PATH/protocol-services.rules +include $RULE_PATH/protocol-snmp.rules +include $RULE_PATH/protocol-telnet.rules +include $RULE_PATH/protocol-tftp.rules include $RULE_PATH/protocol-voip.rules include $RULE_PATH/pua-adware.rules include $RULE_PATH/pua-other.rules @@ -628,6 +646,7 @@ include $RULE_PATH/server-mssql.rules include $RULE_PATH/server-mysql.rules include $RULE_PATH/server-oracle.rules include $RULE_PATH/server-other.rules +include $RULE_PATH/server-samba.rules include $RULE_PATH/server-webapp.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/smtp.rules @@ -650,6 +669,9 @@ include $RULE_PATH/web-misc.rules include $RULE_PATH/web-php.rules include $RULE_PATH/x11.rules +# Emerging Threats rules from http://rules.emergingthreats.net/open/snort-2.9.0/ +# include $RULE_PATH/emerging.conf + ################################################### # Step #8: Customize your preprocessor and decoder alerts # For more information, see README.decoder_preproc_rules @@ -667,9 +689,11 @@ include $RULE_PATH/x11.rules # dynamic library rules # include $SO_RULE_PATH/bad-traffic.rules +# include $SO_RULE_PATH/browser-ie.rules # include $SO_RULE_PATH/chat.rules # include $SO_RULE_PATH/dos.rules # include $SO_RULE_PATH/exploit.rules +# include $SO_RULE_PATH/file-flash.rules # include $SO_RULE_PATH/icmp.rules # include $SO_RULE_PATH/imap.rules # include $SO_RULE_PATH/misc.rules