From 1c453476d78da6607e1d39c8457ea11e54de23f0 Mon Sep 17 00:00:00 2001 From: rob Date: Sat, 11 Apr 2009 03:54:33 -0700 Subject: modified: config/snort/snort.inc Upadte snort.conf to fit snort 2.8.4, New SSL ignore, Flow Changes, Strartup change, New RPC2 Preproc, New Incudes modified: config/snort/snort.xml Update snort.xml version number to 2.8.4 --- config/snort/snort.inc | 207 +++++++++++++++++++++++++++++++++++++++---------- config/snort/snort.xml | 2 +- 2 files changed, 165 insertions(+), 44 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 5d6a2942..f681c25f 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -138,9 +138,11 @@ function sync_package_snort() /* start a snort process for each interface -gtm */ /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ + /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ + /* TODO; get snort to start under nologin shell */ foreach($snortInterfaces as $snortIf) { - $start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -A fast -q"; + $start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -o -A fast -q"; } /* if block offenders is checked, start snort2c */ @@ -346,6 +348,7 @@ function generate_snort_conf() { conf_mount_ro(); /* build snort configuration file */ + /* TODO; feed back from pfsense users to reduce false positives */ $snort_conf_text = << \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ cmd_validity PORT < host_port > + preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 100 + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +##################### + # +# SMTP preprocessor # + # +##################### preprocessor SMTP: \ ports { 25 465 691 } \ 
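Review bot: The new option comment labels `-o` as "packet flow", but as I read the Snort 2.8 manual `-o` changes rule evaluation order from Alert→Pass→Log to Pass→Alert→Log, so any `pass` rule in the loaded sets now silences matching alert rules; that is a detection-behaviour change worth stating explicitly, e.g. `/* -o: evaluate pass rules before alert rules (a matching pass rule suppresses the alert) */`. The TODO about a nologin shell is really about not running the daemon as root after startup — Snort's own `-u`/`-g` switches drop privileges once the capture interface is open, so `-u snort -g snort` (assuming such an account exists on the pfSense image) is the usual way to close that item. `{$snortIf}` is still interpolated unquoted into a shell command string; if the interface names are not validated upstream, wrapping it in `escapeshellarg()` is cheap insurance, though that is pre-existing rather than introduced here. The enclosing sync_package_snort() begins and ends outside this hunk.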
@@ -512,39 +587,85 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ xlink2state { enable } +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { $HOME_NET } + +############################ + # +# OLD # +# preprocessor dcerpc: \ # +# autodetect \ # +# max_frag_size 3000 \ # +# memcap 100000 # + # +############################ + +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2 +preprocessor dcerpc2_server: default + +#################### + # +# DNS preprocessor # + # +#################### + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +############################## + # +# NEW # +# Ignore SSL and Encryption # + # +############################## + +preprocessor ssl: noinspect_encrypted, trustservers + +##################### + # +# Snort Output Logs # + # +##################### - - -#sf Portscan -preprocessor sfportscan: proto { all } \ - scan_type { all } \ - sense_level { low } \ - ignore_scanners { \$HOME_NET } - -preprocessor dcerpc: \ - autodetect \ - max_frag_size 3000 \ - memcap 100000 - -preprocessor dns: ports { 53 } enable_rdata_overflow - -#Output plugins -#output database: alert output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID - -output alert_unified: filename alert +output alert_unified: filename snort.alert, limit 128 -#Required files -include /usr/local/etc/snort/classification.config -include /usr/local/etc/snort/reference.config +################# + # +# Misc Includes # + # +################# -# Include any thresholding or suppression commands. 
See threshold.conf in the -# include threshold.conf +include /usr/local/etc/snort/reference.config +include /usr/local/etc/snort/classification.config +include /usr/local/etc/snort/threshold.conf # Snort user pass through configuration {$snort_config_pass_thru} -#Rulesets, all optional +################### + # +# Rules Selection # + # +################### + {$selected_rules_sections} EOD; diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 22b8e874..a35226fe 100644 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,7 +46,7 @@ Describe your package requirements here Currently there are no FAQ items provided. Snort - 2.8.3.2 + 2.8.4.2 Services: Snort /usr/local/pkg/snort.inc -- cgit v1.2.3
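Review bot: The rewritten sfportscan stanza drops the backslash from `ignore_scanners { $HOME_NET }` — the removed line read `ignore_scanners { \$HOME_NET }`, and because this text sits inside the interpolating heredoc that closes at `EOD;` (the `{$snort_config_pass_thru}` substitution a few lines down shows it interpolates), PHP will treat `$HOME_NET` as a PHP variable and write an empty ignore list into snort.conf instead of the Snort variable. Restore the escape: `ignore_scanners { \$HOME_NET }`. Separately, `preprocessor ssl: noinspect_encrypted, trustservers` lets the server side alone mark a session encrypted and end inspection; the Snort manual presents that as a performance trade to take only when the servers are trusted, so a one-line comment recording that choice (`# trustservers: assumes our servers are not compromised`) would help the next maintainer. Note that generate_snort_conf() and the heredoc it builds start before this hunk.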