$CHARSET=UTF-8
$DESC=Snort config file (English)
# Template snort.conf
[TEMPLATE]
# Kerio Control template for the Snort 3 (Snort++) Lua configuration.
# Tokens of the form $NAME$ are placeholders; HOME_NET and EXTERNAL_NET are
# documented below as filled dynamically by Kerio Control, and the remaining
# $...$ tokens presumably follow the same mechanism — confirm against the
# generator before adding new ones.
# NOTE(review): Lua's native line comment is '--'; this template uses '#'
# throughout, so either the template processor handles these lines or the
# consumer accepts '#'. Keep new comments in the same form as the existing ones.
# The '# treated as ...' lines appear to be hints for the template processor
# rather than free-form commentary; leave them in place and in order.
# HOME_NET and EXTERNAL_NET filled dynamically by Kerio Control
dir = '.'
# treated as ipvar
HOME_NET = $HOME_NET$
# treated as ipvar
EXTERNAL_NET = '$EXTERNAL_NET$'
# Snort 3 stock defaults (default_wizard, ftp_default_* tables, ...) used below.
include '/usr/local/snort/etc/snort/snort_defaults.lua'
# treated as global var
SNORT_FOLDER = '$IPS_FOLDER$'
# treated as path var
RULE_PATH = SNORT_FOLDER..'/rules'
# treated as global var
DYNAMIC_PREPROC_FOLDER = '/usr/local/lib/snort_dynamicpreprocessor'
# treated as global var
DYNAMIC_ENGINE_FOLDER = '/usr/local/lib/snort_dynamicengine'
# Every server-class variable is aliased to HOME_NET, so rules keyed on a
# specific server group inspect traffic to/from the whole protected network.
# treated as ipvar
DNS_SERVERS = HOME_NET
# treated as ipvar
SMTP_SERVERS = HOME_NET
# treated as ipvar
HTTP_SERVERS = HOME_NET
# treated as ipvar
SQL_SERVERS = HOME_NET
# treated as ipvar
TELNET_SERVERS = HOME_NET
# treated as ipvar
FTP_SERVERS = HOME_NET
# treated as ipvar
SNMP_SERVERS = HOME_NET
# treated as ipvar
SSH_SERVERS = HOME_NET
# treated as ipvar
SIP_SERVERS = HOME_NET
# Port variables referenced by rules via ips.variables.ports below.
# NOTE(review): HTTP_PORTS is the only unquoted port placeholder here; confirm
# the generator emits a quoted string for $VAR_HTTP_PORTS$.
HTTP_PORTS = $VAR_HTTP_PORTS$
SHELLCODE_PORTS = '$SHELLCODE_PORTS$'
# NOTE(review): ORACLE_PORTS is filled from the SSH port placeholder, which
# looks like a copy/paste slip — confirm this is intended, otherwise Oracle
# rules will be matched against SSH ports.
ORACLE_PORTS = '$VAR_SSH_PORTS$'
# NOTE(review): hard-coded to 22 while the ssh inspector is bound via
# $PP_SSH_PORTS$ in the binder below; if those diverge, rules using the
# SSH_PORTS variable will only cover port 22.
SSH_PORTS = '22'
# Static AOL address ranges inherited from the classic snort.conf defaults.
# treated as ipvar
AIM_SERVERS = [[64.12.24.0/23 64.12.28.0/23 64.12.161.0/24 64.12.163.0/24 64.12.200.0/24 205.188.3.0/24 205.188.5.0/24 205.188.7.0/24 205.188.9.0/24 205.188.153.0/24 205.188.179.0/24 205.188.248.0/24]]
# Protocol identification for flows not matched by an explicit binder entry.
wizard = default_wizard
include '/opt/kerio/winroute/snort/etc/classification.config.lua'
include '/opt/kerio/winroute/snort/etc/reference.config.lua'
# Rule set and the net/port variables rules may reference as $NAME.
ips =
{
    # include compiled rules
    include = '/opt/kerio/winroute/snort/rules/used.rules',
    variables =
    {
        nets =
        {
            HOME_NET = HOME_NET,
            EXTERNAL_NET = EXTERNAL_NET,
            DNS_SERVERS = DNS_SERVERS,
            SMTP_SERVERS = SMTP_SERVERS,
            HTTP_SERVERS = HTTP_SERVERS,
            SQL_SERVERS = SQL_SERVERS,
            TELNET_SERVERS = TELNET_SERVERS,
            FTP_SERVERS = FTP_SERVERS,
            SNMP_SERVERS = SNMP_SERVERS,
            SSH_SERVERS = SSH_SERVERS,
            SIP_SERVERS = SIP_SERVERS,
            AIM_SERVERS = AIM_SERVERS
        },
        ports =
        {
            HTTP_PORTS = HTTP_PORTS,
            SHELLCODE_PORTS = SHELLCODE_PORTS,
            ORACLE_PORTS = ORACLE_PORTS,
            SSH_PORTS = SSH_PORTS
        }
    }
}
# snort2lua migration record: Snort 2 'config' options with no Snort 3
# equivalent. Kept commented out for reference only.
#deleted_snort_config_options =
#{
#    option deleted: 'config disable_decode_alerts[:.*]'
#    option deleted: 'config disable_ipopt_alerts[:.*]'
#    option deleted: 'config disable_tcpopt_alerts[:.*]'
#    option deleted: 'config disable_tcpopt_experimental_alerts[:.*]'
#    option deleted: 'config disable_tcpopt_obsolete_alerts[:.*]'
#    option deleted: 'config disable_tcpopt_ttcp_alerts[:.*]'
#    option deleted: 'config enable_decode_oversized_alerts[:.*]'
#    option deleted: 'config enable_decode_oversized_drops[:.*]'
#}
# Packet acquisition: nfq in inline mode, i.e. Snort sits in the packet path
# and can act on (not just observe) traffic.
daq =
{
    inputs = $INPUTS$,
    modules =
    {
        {
            name = 'nfq',
            mode = 'inline'
        }
    },
    snaplen = 65535,
}
output =
{
    logdir = SNORT_FOLDER..'/logs',
}
memory =
{
    cap = $MEM_CAP_PER_THREAD$,
}
# Fast-pattern matcher settings (hyperscan backend).
search_engine =
{
    max_pattern_len = 60,
    split_any_any = true,
    search_method = "hyperscan",
    detect_raw_tcp = true,
    # This table was previously 'config detection: ...
    # option change: 'max-pattern-len' #> 'max_pattern_len'
    # option change: 'search-method' #> 'search_method'
    # option deleted: 'search_optimize'
    # option change: 'split-any-any' #> 'split_any_any'
}
detection =
{
    hyperscan_literals = true,
    pcre_to_regex = true
}
# Snort 2 dynamicengine/dynamicpreprocessor entries were not carried over:
# Snort++ takes a directory in 'plugin_path', not individual .so files.
process =
{
    # Cannot add specific files to Snort++ plugin path. Use 'plugin_path = <dir>'
    # instead of adding specific file: $DYNAMIC_ENGINE_FOLDER/libsf_engine.so
    # Cannot add specific files to Snort++ plugin path. Use 'plugin_path = <dir>'
    # instead of adding specific file: file
    # Since paths have changed between Snort and Snort++, commenting out any
    # plugin paths. You must manually add them
    # option change: 'dynamicengine' #> 'plugin_path'
    # option change: 'dynamicpreprocessor' #> 'plugin_path'
}
# IP defragmentation; 'first' is the generic reassembly policy (first overlap
# wins) rather than an OS-specific one — confirm this suits the protected hosts.
stream_ip =
{
    max_frags = 65536,
    policy = 'first',
    # option deleted: 'detect_anomalies'
}
stream =
{
    max_flows = 278528,
    # option deleted: 'prune_log_max'
    # option deleted: 'track_ip'
    # option deleted: 'track_tcp'
    # option deleted: 'track_udp'
}
stream_udp =
{
}
# NOTE(review): request_depth/response_depth = 1460 bound how much of each HTTP
# message body the inspector (and thus body-matching rules) examines; content
# past that offset is not inspected — confirm this coverage is intended.
http_inspect =
{
    iis_unicode_map_file = 'unicode.map',
    iis_unicode_code_page = 1252,
    response_depth = 1460,
    request_depth = 1460,
    # option change: 'client_flow_depth' #> 'request_depth'
    # option change: 'http_inspect_server' #> 'http_inspect'
    # option change: 'server_flow_depth' #> 'response_depth'
    # option deleted: 'compress_depth'
    # option deleted: 'decompress_depth'
    # option deleted: 'profile'
}
# DNS inspector; its ports are assigned through the binder ($PP_DNS_PORTS$).
dns =
{
    # option change: 'ports' #> 'bindings'
    # option deleted: 'enable_rdata_overflow'
}
telnet =
{
    encrypted_traffic = true,
    normalize = true,
    ayt_attack_thresh = 200,
    # option deleted: 'detect_anomalies'
    # option deleted: 'inspection_type'
}
# Command tables (ftp_default_*, ftp_format_commands, ftp_command_specs) come
# from the included snort_defaults.lua.
ftp_server =
{
    encrypted_traffic = true,
    def_max_param_len = 100,
    telnet_cmds = true,
    ignore_data_chan = true,
    chk_str_fmt = ftp_format_commands,
    data_chan_cmds = ftp_default_data_chan_cmds,
    data_xfer_cmds = ftp_default_data_xfer_cmds,
    encr_cmds = ftp_default_encr_cmds,
    file_get_cmds = ftp_default_file_get_cmds,
    file_put_cmds = ftp_default_file_put_cmds,
    ftp_cmds = ftp_default_cmds,
    login_cmds = ftp_default_login_cmds,
    cmd_validity = ftp_command_specs,
    # option deleted: 'inspection_type'
}
ftp_data =
{
}
ftp_client =
{
    max_resp_len = 256,
    # FTP bounce-attack detection toggle, filled by the generator.
    bounce = $PP_FTP_DETECTBOUNCE$,
    telnet_cmds = true,
}
# Per-command line-length limits beyond which the inspector flags the command.
smtp =
{
    normalize = 'cmds',
    normalize_cmds = 'EXPN VRFY RCPT',
    alt_max_command_line_len =
    {
        { command = 'MAIL', length = 260, },
        { command = 'RCPT', length = 300, },
        { command = 'HELP', length = 500, },
        { command = 'HELO', length = 500, },
        { command = 'ETRN', length = 500, },
        { command = 'EXPN', length = 255, },
        { command = 'VRFY', length = 255, },
    },
    # option deleted: 'alert_unknown_cmds'
    # option deleted: 'inspection_type'
}
ssh =
{
    # Legacy Snort 2 port setting; in Snort 3 the ssh inspector is attached
    # through the binder entry for $PP_SSH_PORTS$ below, so this stays off.
    # server_ports = '22',
    max_client_bytes = 19600,
    max_encrypted_packets = 20,
    # option deleted: 'autodetect'
    # option deleted: 'enable_badmsgdir'
    # option deleted: 'enable_paysize'
    # option deleted: 'enable_protomismatch'
    # option deleted: 'enable_recognition'
    # option deleted: 'enable_respoverflow'
    # option deleted: 'enable_srvoverflow'
    # option deleted: 'enable_ssh1crc32'
}
ssl =
{
    # option deleted: 'noinspect_encrypted'
}
# SIP header/field length ceilings; the methods list is one space-separated
# long string (keep it on a single line so its value is unchanged).
sip =
{
    max_uri_len = 512,
    max_call_id_len = 80,
    max_request_name_len = 20,
    max_from_len = 256,
    max_to_len = 256,
    max_via_len = 1024,
    max_contact_len = 512,
    max_content_len = 2048,
    methods = [[ invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack ]],
    # option change: 'max_requestName_len' #> 'max_request_name_len'
    # option deleted: 'max_sessions'
}
# MIME decoding depths for mail inspectors; -1 is the "no limit" setting in
# Snort 3's decode_depth options — confirm against the installed version.
imap =
{
    b64_decode_depth = -1,
    qp_decode_depth = -1,
    bitenc_decode_depth = -1,
    uu_decode_depth = -1,
}
pop =
{
    b64_decode_depth = -1,
    qp_decode_depth = -1,
    bitenc_decode_depth = -1,
    uu_decode_depth = -1,
}
# $DISABLE_APPID$ is prefixed directly to the key, so it presumably expands to
# either nothing (appid on) or a comment marker (appid off). Keep the entry on
# its own line so the expansion affects only this setting.
appid =
{
    $DISABLE_APPID$app_detector_dir = '/opt/kerio/winroute/snort',
}
# Binary alert log; 'limit' is the rollover size (MB per Snort 3 unified2
# documentation — confirm). Packet payloads are not logged (log_packet = false).
unified2 =
{
    limit = 5,
    nostamp = false,
    log_packet = false,
    # option deleted: 'filename'
}
#alert_null =
#{
#}
# TCP reassembly; 'first' policy as for stream_ip (see note there).
stream_tcp =
{
    max_pdu = 16384,
    policy = 'first',
    # option change: 'both ports' #> 'binder.when.ports; binder.when.role = any'
    # option change: 'client ports' #> 'binder.when.ports; binder.when.role = client'
    # option change: 'paf_max [0:63780]' #> 'max_pdu [1460:32768]'
    # option deleted: 'detect_anomalies'
}
# Inspector bindings. Port-based entries (generator-filled $PP_*_PORTS$) come
# first, then service-based entries, then the wizard as catch-all; keep the
# catch-all last so explicit bindings are not shadowed.
binder =
{
    { when = { proto = 'udp', role = 'server', ports = '$PP_DNS_PORTS$', }, use = { type = 'dns', }, },
    { when = { proto = 'tcp', role = 'server', ports = '$PP_DNS_PORTS$', }, use = { type = 'dns', }, },
    { when = { proto = 'tcp', role = 'any', ports = '$PP_STREAM_PORTS$', }, use = { type = 'stream_tcp', }, },
    # Fixed client-side port list carried over from the Snort 2 stream5 config.
    { when = { proto = 'tcp', role = 'client', ports = '21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306', }, use = { type = 'stream_tcp', }, },
    { when = { proto = 'tcp', ports = '$PP_HTTP_PORTS$', }, use = { type = 'http_inspect', }, },
    { when = { ports = '$PP_TELNET_PORTS$', }, use = { type = 'telnet', }, },
    { when = { ports = '$PP_SMTP_PORTS$', }, use = { type = 'smtp', }, },
    { when = { ports = '$PP_SSH_PORTS$', }, use = { type = 'ssh', }, },
    { when = { ports = '$PP_SSL_PORTS$', }, use = { type = 'ssl', }, },
    { when = { ports = '$PP_SIP_PORTS$', }, use = { type = 'sip', }, },
    { when = { ports = '$PP_IMAP_PORTS$', }, use = { type = 'imap', }, },
    { when = { ports = '$PP_POP_PORTS$', }, use = { type = 'pop', }, },
    # Service-based bindings for flows identified by the wizard/appid.
    { when = { service = 'ftp', proto = 'tcp', }, use = { type = 'ftp_client', }, },
    { when = { service = 'ftp', }, use = { type = 'ftp_server', }, },
    { when = { service = 'ftp-data', }, use = { type = 'ftp_data', }, },
    { when = { service = 'http', }, use = { type = 'http_inspect', }, },
    { when = { service = 'imap', }, use = { type = 'imap', }, },
    { when = { service = 'pop3', }, use = { type = 'pop', }, },
    { when = { service = 'sip', }, use = { type = 'sip', }, },
    { when = { service = 'smtp', }, use = { type = 'smtp', }, },
    { when = { service = 'ssh', }, use = { type = 'ssh', }, },
    { when = { service = 'ssl', }, use = { type = 'ssl', }, },
    { when = { service = 'telnet', }, use = { type = 'telnet', }, },
    # Catch-all: anything not bound above goes to the wizard for identification.
    { use = { type = 'wizard', }, },
}