00001 ---------------------------------------------------------------------------
00002 -- Snort++ configuration
00003 ---------------------------------------------------------------------------
00004
00005 -- there are over 200 modules available to tune your policy.
00006 -- many can be used with defaults w/o any explicit configuration.
00007 -- use this conf as a template for your specific configuration.
00008
00009 -- 1. configure environment
00010 -- 2. configure defaults
00011 -- 3. configure inspection
00012 -- 4. configure bindings
00013 -- 5. configure performance
00014 -- 6. configure detection
00015 -- 7. configure filters
00016 -- 8. configure outputs
00017
00018 ---------------------------------------------------------------------------
00019 -- 1. configure environment
00020 ---------------------------------------------------------------------------
00021
00022 -- given:
00023 -- export DIR=/install/path
00024 -- configure --prefix=$DIR
00025 -- make install
00026
00027 -- then:
00028 -- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
00029 -- export SNORT_LUA_PATH=$DIR/etc/snort
00030
00031 -- this depends on LUA_PATH
00032 -- used to load this conf into Snort
-- depends on LUA_PATH: the snort_config helpers Snort needs to load
-- this file
require('snort_config')

-- depends on SNORT_LUA_PATH: the directory that holds the companion
-- config files dofile()'d in section 2.
-- NOTE(review): when SNORT_LUA_PATH is unset this falls back to the
-- current working directory, so the dofile() calls below will execute
-- whatever snort_defaults.lua / file_magic.lua happen to sit in the cwd,
-- with Snort's privileges. Always set SNORT_LUA_PATH (or start Snort from
-- a directory only root can write to) so an attacker-writable cwd cannot
-- supply Lua that Snort runs at startup.
conf_dir = os.getenv('SNORT_LUA_PATH') or '.'
00042
00043 ---------------------------------------------------------------------------
00044 -- 2. configure defaults
00045 ---------------------------------------------------------------------------
00046
-- HOME_NET and EXTERNAL_NET must be assigned before snort_defaults.lua is
-- loaded below.
--
-- HOME_NET: the address space this sensor protects. 'any' loads, but with
-- HOME_NET and EXTERNAL_NET both 'any' no rule written against
-- $HOME_NET / $EXTERNAL_NET can tell inbound from outbound traffic; a
-- production sensor should use an explicit list, e.g.
-- HOME_NET = '[10.0.0.0/8,192.168.0.0/16]'
HOME_NET = 'any'

-- EXTERNAL_NET: everything else. 'any' is right for most deployments.
EXTERNAL_NET = 'any'

-- companion files from SNORT_LUA_PATH (section 1): the default_* tables
-- and the file_magic rules referenced later in this file. They are
-- executed as Lua, so keep them root-owned and not world-writable.
local defaults_file = conf_dir .. '/snort_defaults.lua'
local magic_file = conf_dir .. '/file_magic.lua'
dofile(defaults_file)
dofile(magic_file)
00057
00058 ---------------------------------------------------------------------------
00059 -- 3. configure inspection
00060 ---------------------------------------------------------------------------
00061
00062 -- mod = { } uses internal defaults
00063 -- you can see them with snort --help-module mod
00064
00065 -- mod = default_mod uses external defaults
00066 -- you can see them in snort_defaults.lua
00067
00068 -- the following are quite capable with defaults:
00069
-- the following run well with their built-in defaults; assigning a bare
-- table enables the inspector (snort --help-module <name> shows the
-- defaults that apply)

-- flow tracking: stream plus its per-transport trackers
stream = {}
stream_ip = {}
stream_icmp = {}
stream_tcp = {}
stream_udp = {}
stream_user = {}
stream_file = {}

-- DCE/RPC inspection and the transports it is carried over
dce_smb = {}
dce_tcp = {}
dce_udp = {}
dce_http_proxy = {}
dce_http_server = {}

-- protocol and anomaly inspectors
arp_spoof = {}
back_orifice = {}
dnp3 = {}
dns = {}
http_inspect = {}
imap = {}
modbus = {}
normalizer = {}
pop = {}
rpc_decode = {}
sip = {}
ssh = {}
ssl = {}
telnet = {}
00098
00099 -- see snort_defaults.lua for default_*
-- these inspectors take their settings from the default_* tables that
-- snort_defaults.lua defined above; tune them there or override fields
-- here after the assignment
gtp_inspect = default_gtp
port_scan = default_med_port_scan
smtp = default_smtp
ftp_server = default_ftp_server

-- ftp_client and ftp_data run with built-in defaults alongside ftp_server
ftp_client = {}
ftp_data = {}
00107
00108 -- see file_magic.lua for file id rules
00109 --file_id = { file_rules = file_magic }
00110
00111 -- the following require additional configuration to be fully effective:
00112
-- appid: enabled with no detector directory. appid requires
-- app_detector_dir to use appids in rules, so until it is set this entry
-- only enables the module.
appid = {}
--appid.app_detector_dir = 'directory to load appid detectors from'
00118
00119 --[[
00120 reputation =
00121 {
00122 -- configure one or both of these, then uncomment reputation
00123 --blacklist = 'blacklist file name with ip lists'
00124 --whitelist = 'whitelist file name with ip lists'
00125 }
00126 --]]
00127
00128 ---------------------------------------------------------------------------
00129 -- 4. configure bindings
00130 ---------------------------------------------------------------------------
00131
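-- wizard: service identification used by the catch-all binder entry
wizard = default_wizard

-- binder: decides which inspector handles a flow. Entries are tried in
-- the order listed: the port-based rules first, the service-based rules
-- next, and the wizard catch-all, which must stay last.
binder =
{
    -- these protocols do not yet have wizard support, so bind by port
    { when = { proto = 'udp', ports = '53' }, use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '111' }, use = { type = 'rpc_decode' } },
    { when = { proto = 'tcp', ports = '502' }, use = { type = 'modbus' } },
    -- GTP-C (2123) and GTP-U (2152) run over UDP, as does GTP' (3386);
    -- the inspector configured in section 3 is gtp_inspect (this file
    -- configures no module named 'gtp'), which also matches the
    -- service-based gtp entry below
    { when = { proto = 'udp', ports = '2123 2152 3386' }, use = { type = 'gtp_inspect' } },

    -- service-based bindings
    { when = { service = 'dce_http_server' }, use = { type = 'dce_http_server' } },
    { when = { service = 'dce_http_proxy' }, use = { type = 'dce_http_proxy' } },
    { when = { service = 'dce_smb' }, use = { type = 'dce_smb' } },
    { when = { service = 'dce_udp' }, use = { type = 'dce_udp' } },
    { when = { service = 'dce_tcp' }, use = { type = 'dce_tcp' } },
    { when = { service = 'dnp3' }, use = { type = 'dnp3' } },
    { when = { service = 'dns' }, use = { type = 'dns' } },
    { when = { service = 'ftp' }, use = { type = 'ftp_server' } },
    { when = { service = 'ftp-data' }, use = { type = 'ftp_data' } },
    { when = { service = 'gtp' }, use = { type = 'gtp_inspect' } },
    { when = { service = 'imap' }, use = { type = 'imap' } },
    { when = { service = 'http' }, use = { type = 'http_inspect' } },
    { when = { service = 'modbus' }, use = { type = 'modbus' } },
    { when = { service = 'pop3' }, use = { type = 'pop' } },
    { when = { service = 'ssh' }, use = { type = 'ssh' } },
    { when = { service = 'sip' }, use = { type = 'sip' } },
    { when = { service = 'smtp' }, use = { type = 'smtp' } },
    { when = { service = 'ssl' }, use = { type = 'ssl' } },
    { when = { service = 'sunrpc' }, use = { type = 'rpc_decode' } },
    { when = { service = 'telnet' }, use = { type = 'telnet' } },

    -- catch-all: anything not claimed above goes to the wizard
    { use = { type = 'wizard' } }
}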
00165
00166 ---------------------------------------------------------------------------
00167 -- 5. configure performance
00168 ---------------------------------------------------------------------------
00169
-- latency: per-packet and per-rule time budgets. Only the thresholds are
-- set here; what Snort does when one is exceeded is governed by
-- latency.packet.action / latency.rule.action, which keep their built-in
-- defaults in this template (see snort --help-module latency). Set those
-- explicitly if you rely on latency for enforcement rather than
-- monitoring.
latency = {}
latency.packet = { max_time = 1500 }
latency.rule = { max_time = 200 }
00176
00177 -- use these to capture perf data for analysis and tuning
00178 --profiler = { }
00179 --perf_monitor = { }
00180
00181 ---------------------------------------------------------------------------
00182 -- 6. configure detection
00183 ---------------------------------------------------------------------------
00184
-- reference and classification tables come from snort_defaults.lua
references = default_references
classifications = default_classifications

-- ips: rule loading. As written this loads no rules files and leaves
-- decoder/inspector alerts disabled, so the inspectors run but no
-- rule-based detection happens. A production policy must set at least
-- one of the options below.
ips = {}

-- decoder and inspector alerts
--ips.enable_builtin_rules = true

-- rules files; be sure to set your path. Rules files can include other
-- rules files, so make sure every included file is root-owned and not
-- world-writable.
--ips.include = 'snort3_community.rules'
00197
00198 -- use these to configure additional rule actions
00199 -- react = { }
00200 -- reject = { }
00201 -- rewrite = { }
00202
00203 ---------------------------------------------------------------------------
00204 -- 7. configure filters
00205 ---------------------------------------------------------------------------
00206
00207 -- below are examples of filters
00208 -- each table is a list of records
00209
00210 --[[
00211 suppress =
00212 {
-- don't want to see any of these
00214 { gid = 1, sid = 1 },
00215
00216 -- don't want to see these for a given server
00217 { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
00218 }
00219 --]]
00220
00221 --[[
00222 event_filter =
00223 {
00224 -- reduce the number of events logged for some rules
00225 { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
00226 { gid = 1, sid = 2, type = 'both', track = 'by_dst', count = 5, seconds = 60 },
00227 }
00228 --]]
00229
00230 --[[
00231 rate_filter =
00232 {
-- alert on connection attempts from clients in SOME_NET
-- (SOME_NET is not defined anywhere in this file: set it, e.g.
-- SOME_NET = '10.1.0.0/16', before using this filter)
00234 { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
00235 new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },
00236
00237 -- alert on connections to servers over threshold
00238 { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
00239 new_action = 'alert', timeout = 1 },
00240 }
00241 --]]
00242
00243 ---------------------------------------------------------------------------
00244 -- 8. configure outputs
00245 ---------------------------------------------------------------------------
00246
00247 -- event logging
00248 -- you can enable with defaults from the command line with -A <alert_type>
00249 -- uncomment below to set non-default configs
00250 --alert_csv = { }
00251 --alert_fast = { }
00252 --alert_full = { }
00253 --alert_sfsocket = { }
00254 --alert_syslog = { }
00255 --unified2 = { }
00256
00257 -- packet logging
00258 -- you can enable with defaults from the command line with -L <log_type>
00259 --log_codecs = { }
00260 --log_hext = { }
00261 --log_pcap = { }
00262
00263 -- additional logs
00264 --packet_capture = { }
00265 --file_log = { }
00266
00267 --my_file_policy =
00268 --{
-- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } },
00270 --}
00271
-- file_id: file type identification, signature calculation and capture
-- using the file_magic rules loaded in section 2. Review before
-- production use:
--   * enable_capture = true stores file contents for later extraction;
--     check the file_id memory/size limits (snort --help-module file_id)
--     so captured data stays bounded.
--   * the trace_* flags emit diagnostic output per file; leave them on
--     only while tuning.
--   * file_policy is optional: uncomment my_file_policy above and the
--     assignment below to apply per-type verdicts.
file_id = {}
file_id.enable_type = true
file_id.enable_signature = true
file_id.enable_capture = true
file_id.file_rules = file_magic
file_id.trace_type = true
file_id.trace_signature = true
file_id.trace_stream = true
--file_id.file_policy = my_file_policy
00283
-- file_log: which timestamp each file event carries. Packet time is
-- logged; the sensor's system time is not.
file_log = { log_pkt_time = true, log_sys_time = false }
00289
END OF CODE