aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
Diffstat (limited to 'config')
-rwxr-xr-x[-rw-r--r--]config/snort/snort.inc214
-rw-r--r--config/snort/snort.xml2
2 files changed, 173 insertions, 43 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 5d6a2942..6de4c8f3 100644..100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -138,6 +138,8 @@ function sync_package_snort()
/* start a snort process for each interface -gtm */
/* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */
+ /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */
+ /* TODO; get snort to start under nologin shell */
foreach($snortInterfaces as $snortIf)
{
$start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -A fast -q";
@@ -346,6 +348,7 @@ function generate_snort_conf() {
conf_mount_ro();
/* build snort configuration file */
+ /* TODO; feed back from pfsense users to reduce false positives */
$snort_conf_text = <<<EOD
# snort configuration file
@@ -354,9 +357,21 @@ function generate_snort_conf() {
# see /usr/local/pkg/snort.inc
# for more information
+#########################
+ #
+# Define Local Network #
+ #
+#########################
+
var HOME_NET {$home_net}
var EXTERNAL_NET !\$HOME_NET
+###################
+ #
+# Define Servers #
+ #
+###################
+
var DNS_SERVERS \$HOME_NET
var SMTP_SERVERS \$HOME_NET
var HTTP_SERVERS \$HOME_NET
@@ -372,6 +387,12 @@ var WWW_SERVERS \$HOME_NET
var AIM_SERVERS \
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
+########################
+ #
+# Define Server Ports #
+ #
+########################
+
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
@@ -396,9 +417,21 @@ portvar TELNET_PORTS 23
portvar MAIL_PORTS [25,143,465,691]
portvar SSL_PORTS [25,443,465,636,993,995]
-var RULE_PATH /usr/local/etc/snort/rules
+#####################
+ #
+# Define Rule Paths #
+ #
+#####################
+
+var RULE_PATH ./rules
+# var PREPROC_RULE_PATH ./preproc_rules
+
+################################
+ #
+# Configure the snort decoder #
+ #
+################################
-# Configure the snort decoder
config checksum_mode: all
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
@@ -408,32 +441,58 @@ config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops
-#Configure the detection engine
-#Use lower memory models
+###################################
+ #
+# Configure the detection engine #
+# Use lower memory models #
+ #
+###################################
+
config detection: search-method {$snort_performance}
config detection: max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length
#Configure dynamic loaded libraries
-dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.so
-dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_dns_preproc.so
-dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so
-dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_smtp_preproc.so
-dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ssh_preproc.so
-
+dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
-#Flow and stream
+###################
+ #
+# Flow and stream #
+ #
+###################
preprocessor frag3_global: max_frags 8192
-preprocessor frag3_engine: policy last detect_anomalies
+preprocessor frag3_engine: policy windows
+preprocessor frag3_engine: policy linux
+preprocessor frag3_engine: policy first
+preprocessor frag3_engine: policy bsd detect_anomalies
+
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp yes, track_icmp yes
+preprocessor stream5_tcp: bind_to any, policy windows
+preprocessor stream5_tcp: bind_to any, policy linux
+preprocessor stream5_tcp: bind_to any, policy vista
+preprocessor stream5_tcp: bind_to any, policy macos
preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes
preprocessor stream5_udp
preprocessor stream5_icmp
-#HTTP Inspect
+##########################
+ #
+# NEW #
+# Performance Statistics #
+ #
+##########################
+
+preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
+
+#################
+ #
+# HTTP Inspect #
+ #
+#################
+
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
@@ -454,12 +513,28 @@ preprocessor http_inspect_server: server default \
iis_delimiter yes \
multi_slash no
-#Other preprocs
+##################
+ #
+# Other preprocs #
+ #
+##################
+
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
preprocessor bo
+#####################
+ #
+# ftp preprocessor #
+ #
+#####################
+
preprocessor ftp_telnet: global \
inspection_type stateless
+
+preprocessor ftp_telnet_protocol: telnet \
+ normalize \
+ ayt_attack_thresh 200
+
preprocessor ftp_telnet_protocol: \
ftp server default \
def_max_param_len 100 \
@@ -469,12 +544,12 @@ preprocessor ftp_telnet_protocol: \
ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
ftp_cmds { FEAT OPTS CEL CMD MACB } \
- ftp_cmds { MDTM REST SIZE MLST MLSD EPSV } \
+ ftp_cmds { MDTM REST SIZE MLST MLSD } \
ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
- alt_max_param_len 256 { RNTO CWD } \
+ alt_max_param_len 256 { RNTO CWD } \
alt_max_param_len 400 { PORT } \
alt_max_param_len 512 { SIZE } \
chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
@@ -490,8 +565,17 @@ preprocessor ftp_telnet_protocol: \
cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
cmd_validity PORT < host_port >
+
preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 100
+ max_resp_len 256 \
+ bounce yes \
+ telnet_cmds yes
+
+#####################
+ #
+# SMTP preprocessor #
+ #
+#####################
preprocessor SMTP: \
ports { 25 465 691 } \
@@ -512,39 +596,85 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB
alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
xlink2state { enable }
+################
+ #
+# sf Portscan #
+ #
+################
+
+preprocessor sfportscan: scan_type { all } \
+ proto { all } \
+ memcap { 10000000 } \
+ sense_level { medium } \
+ ignore_scanners { \$HOME_NET }
+
+############################
+ #
+# OLD #
+# preprocessor dcerpc: \ #
+# autodetect \ #
+# max_frag_size 3000 \ #
+# memcap 100000 #
+ #
+############################
+
+###############
+ #
+# NEW #
+# DCE/RPC 2 #
+ #
+###############
+
+preprocessor dcerpc2
+preprocessor dcerpc2_server: default
+
+####################
+ #
+# DNS preprocessor #
+ #
+####################
+
+preprocessor dns: \
+ ports { 53 } \
+ enable_rdata_overflow
+
+##############################
+ #
+# NEW #
+# Ignore SSL and Encryption #
+ #
+##############################
+
+preprocessor ssl: noinspect_encrypted, trustservers
+
+#####################
+ #
+# Snort Output Logs #
+ #
+#####################
-
-
-#sf Portscan
-preprocessor sfportscan: proto { all } \
- scan_type { all } \
- sense_level { low } \
- ignore_scanners { \$HOME_NET }
-
-preprocessor dcerpc: \
- autodetect \
- max_frag_size 3000 \
- memcap 100000
-
-preprocessor dns: ports { 53 } enable_rdata_overflow
-
-#Output plugins
-#output database: alert
output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
-
-output alert_unified: filename alert
+output alert_unified: filename snort.alert, limit 128
-#Required files
-include /usr/local/etc/snort/classification.config
-include /usr/local/etc/snort/reference.config
+#################
+ #
+# Misc Includes #
+ #
+#################
-# Include any thresholding or suppression commands. See threshold.conf in the
-# include threshold.conf
+include /usr/local/etc/snort/reference.config
+include /usr/local/etc/snort/classification.config
+include /usr/local/etc/snort/threshold.conf
# Snort user pass through configuration
{$snort_config_pass_thru}
-#Rulesets, all optional
+###################
+ #
+# Rules Selection #
+ #
+###################
+
{$selected_rules_sections}
EOD;
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 22b8e874..e9a8c87d 100644
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -46,7 +46,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
- <version>2.8.3.2</version>
+ <version>2.8.4</version>
<title>Services: Snort</title>
<include_file>/usr/local/pkg/snort.inc</include_file>
<menu>