diff options
Diffstat (limited to 'packages/snort')
-rw-r--r-- | packages/snort/snort.inc | 65 |
1 files changed, 60 insertions, 5 deletions
diff --git a/packages/snort/snort.inc b/packages/snort/snort.inc index 3fd8318f..7c441ab8 100644 --- a/packages/snort/snort.inc +++ b/packages/snort/snort.inc @@ -354,10 +354,20 @@ output alert_unified: filename alert #Flow and stream preprocessor flow: stats_interval 0 hash 2 -preprocessor frag2 -preprocessor stream4: disable_evasion_alerts,detect_scans -preprocessor stream4_reassemble: both, ports all +preprocessor frag3_global: max_frags 8192 +preprocessor frag3_engine +preprocessor frag3_engine: policy last detect_anomalies +#preprocessor frag2 +#preprocessor frag2 +#preprocessor stream4: disable_evasion_alerts,detect_scans +preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ +track_udp yes, track_icmp yes +preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes +preprocessor stream5_udp +preprocessor stream5_icmp + +#preprocessor stream4_reassemble: both, ports all #XLink2State mini proc #preprocessor xlink2state: ports { 25 691 } @@ -386,7 +396,52 @@ preprocessor http_inspect_server: server default \ #Other preprocs preprocessor rpc_decode: 111 32771 preprocessor bo -preprocessor telnet_decode + + + +dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/ +dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so + +preprocessor ftp_telnet: global \ +inspection_type stateless +preprocessor ftp_telnet_protocol: ftp server default \ + ports { 21 } \ + def_max_param_len 100 \ + ftp_cmds { USER PASS ACCT CWD CDUP SMNT \ + QUIT REIN PORT PASV TYPE STRU MODE RETR STOR STOU APPE ALLO REST \ + RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT OPTS } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + cmd_validity MODE < char SBC > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity PORT < host_port > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 100 + +#preprocessor telnet_decode + + +dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_smtp_preproc.so + + +preprocessor smtp: \ + ports { 25 } \ + inspection_type stateful \ + normalize cmds \ + normalize_cmds { EXPN VRFY RCPT } \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN } \ + alt_max_command_line_len 255 { EXPN VRFY } + + + + #sf Portscan preprocessor sfportscan: proto { all } \ @@ -612,4 +667,4 @@ function snort_advanced() { sync_package_snort(); } -?> +?>
\ No newline at end of file |