---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------
-- Snort 3 ships well over two hundred modules; most of them work with
-- their built-in defaults and only need to be named here to be enabled.
-- Treat this file as a template and tailor it to the monitored network.
--
-- Layout:
--   1. defaults      5. detection
--   2. inspection    6. filters
--   3. bindings      7. outputs
--   4. performance   8. tweaks
--
-- Every assignment below is deliberately a global: Snort reads the
-- top-level Lua environment after this script has run, so a `local`
-- would hide the setting from it.
---------------------------------------------------------------------------
-- 1. configure defaults
---------------------------------------------------------------------------
-- HOME_NET and EXTERNAL_NET must exist before snort_defaults.lua is
-- included, because the default rule variables are derived from them.

-- Address space being protected. Rules written against $HOME_NET only
-- fire for traffic that touches these prefixes, so an incomplete HOME_NET
-- quietly blinds those rules -- revisit it whenever the network changes.
HOME_NET = '172.16.0.0/16'

-- Everything else. 'any' is the usual choice: it keeps
-- $EXTERNAL_NET -> $HOME_NET rules firing for internal-to-internal
-- traffic as well. Narrowing this to '!$HOME_NET' cuts noise from
-- internal scanners but also hides attacks that originate inside HOME_NET.
EXTERNAL_NET = 'any'

-- Order matters: snort_defaults.lua provides the default_* tables used
-- below, and file_magic.lua provides file_magic for the file_id inspector.
include 'snort_defaults.lua'
include 'file_magic.lua'

---------------------------------------------------------------------------
-- 2. configure inspection
---------------------------------------------------------------------------
-- mod = { }          -> module enabled with its internal defaults
--                       (inspect them with: snort --help-module mod)
-- mod = default_mod  -> module enabled with the defaults from
--                       snort_defaults.lua

-- Inspectors that are effective as-is.
stream      = { }
stream_ip   = { }
stream_icmp = { }
stream_tcp  = { }
stream_udp  = { }
stream_user = { }
stream_file = { }

arp_spoof    = { }
back_orifice = { }
dnp3         = { }
dns          = { }
imap         = { }
iec104       = { }
modbus       = { }
netflow      = { }
-- NOTE(review): normalizer is only expected to rewrite packets when Snort
-- runs inline; confirm the deployment mode before relying on it.
normalizer   = { }
pop          = { }
rpc_decode   = { }
sip          = { }
ssh          = { }
ssl          = { }
telnet       = { }

dce_smb         = { }
dce_tcp         = { }
dce_udp         = { }
dce_http_proxy  = { }
dce_http_server = { }

-- Inspectors that take their settings from snort_defaults.lua (default_*).
gtp_inspect   = default_gtp
port_scan     = default_med_port_scan
smtp          = default_smtp
ftp_server    = default_ftp_server
ftp_client    = { }
ftp_data      = { }
http_inspect  = default_http_inspect
http2_inspect = { }

-- File type identification uses the signatures loaded from file_magic.lua.
file_id = { file_rules = file_magic }

-- Inspectors that need extra configuration before they are fully useful.

-- appid needs the detector directory to resolve appids referenced in rules.
appid = {
    app_detector_dir = '/usr/local/etc/snort/appid/',
}

-- appid_listener writes one JSON record per detected application.
-- The output file should sit on a partition with enough headroom and be
-- readable only by the accounts that actually need it.
appid_listener = {
    json_logging = true,
    file = "/var/log/snort/appid-output.log",
}

-- IP reputation. The blocklist is policy input, not just data: anything
-- listed is treated as hostile by the reputation inspector, so keep the
-- file writable only by the account that maintains it.
reputation = {
    blocklist = '/usr/local/etc/snort/lists/reputation.blacklist',
}

---------------------------------------------------------------------------
-- 3. configure bindings
---------------------------------------------------------------------------
wizard = default_wizard

-- The binder is evaluated top to bottom and the first matching entry wins:
-- explicit port bindings come first, service-based bindings next, and the
-- wizard catch-all must remain the last entry.
binder = {
    -- port bindings for protocols the wizard cannot identify on its own
    { when = { proto = 'udp', ports = '53', role = 'server' }, use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '53', role = 'server' }, use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '111', role = 'server' }, use = { type = 'rpc_decode' } },
    { when = { proto = 'tcp', ports = '502', role = 'server' }, use = { type = 'modbus' } },
    { when = { proto = 'tcp', ports = '2123 2152 3386', role = 'server' }, use = { type = 'gtp_inspect' } },
    { when = { proto = 'tcp', ports = '2404', role = 'server' }, use = { type = 'iec104' } },

    -- service-based bindings (service is supplied by the wizard / appid)
    { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
    { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },
    { when = { proto = 'udp', service = 'netflow' }, use = { type = 'netflow' } },

    { when = { service = 'netbios-ssn' }, use = { type = 'dce_smb' } },
    { when = { service = 'dce_http_server' }, use = { type = 'dce_http_server' } },
    { when = { service = 'dce_http_proxy' }, use = { type = 'dce_http_proxy' } },
    { when = { service = 'dnp3' }, use = { type = 'dnp3' } },
    { when = { service = 'dns' }, use = { type = 'dns' } },
    { when = { service = 'ftp' }, use = { type = 'ftp_server' } },
    { when = { service = 'ftp-data' }, use = { type = 'ftp_data' } },
    { when = { service = 'gtp' }, use = { type = 'gtp_inspect' } },
    { when = { service = 'imap' }, use = { type = 'imap' } },
    { when = { service = 'http' }, use = { type = 'http_inspect' } },
    { when = { service = 'http2' }, use = { type = 'http2_inspect' } },
    { when = { service = 'iec104' }, use = { type = 'iec104' } },
    { when = { service = 'modbus' }, use = { type = 'modbus' } },
    { when = { service = 'pop3' }, use = { type = 'pop' } },
    { when = { service = 'ssh' }, use = { type = 'ssh' } },
    { when = { service = 'sip' }, use = { type = 'sip' } },
    { when = { service = 'smtp' }, use = { type = 'smtp' } },
    { when = { service = 'ssl' }, use = { type = 'ssl' } },
    { when = { service = 'sunrpc' }, use = { type = 'rpc_decode' } },
    { when = { service = 'telnet' }, use = { type = 'telnet' } },

    -- catch-all: hand anything not yet classified to the wizard
    { use = { type = 'wizard' } },
}

---------------------------------------------------------------------------
-- 4. configure performance
---------------------------------------------------------------------------
-- latency monitors / enforces per-packet and per-rule time budgets
--latency = { }

-- profiler and perf_monitor collect data for analysis and tuning
--profiler = { }
--perf_monitor = { }

---------------------------------------------------------------------------
-- 5. configure detection
---------------------------------------------------------------------------
references      = default_references
classifications = default_classifications

-- The rules files are executable detection policy: whoever can edit them
-- decides what this sensor alerts on. Keep them owned by a privileged
-- account and read-only to the account Snort runs as.
ips = {
    -- also raise the decoder / inspector (builtin) events
    enable_builtin_rules = true,

    -- one include per line
    rules = [[
        include /usr/local/etc/snort/rules/snort.rules
        include /usr/local/etc/snort/rules/local.rules
    ]],

    variables = default_variables,
}

-- additional rule actions (active response) -- disabled
-- react = { }
-- reject = { }

-- payload injection utility -- disabled
-- payload_injector = { }

---------------------------------------------------------------------------
-- 6. configure filters
---------------------------------------------------------------------------
-- Each table below is a list of records; the commented ones are examples.

-- suppress drops matching events outright -- nothing is logged, so there
-- is no trace that the event ever fired. Record why each entry exists and
-- prefer event_filter when the goal is to rate-limit rather than hide.
suppress = {
    -- 116:6 intentionally silenced; reason not recorded -- TODO document
    { gid = 116, sid = 6 },
}

--[[
event_filter = {
    -- reduce the number of events logged for some rules
    { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
    { gid = 1, sid = 2, type = 'both', track = 'by_dst', count = 5, seconds = 60 },
}
--]]

--[[
rate_filter = {
    -- alert on connection attempts from clients in SOME_NET
    { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
      new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },

    -- alert on connections to servers over threshold
    { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
      new_action = 'alert', timeout = 1 },
}
--]]

---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------
-- Event logging. Defaults can be enabled from the command line with -A;
-- the tables below override those defaults.

-- CSV alert log written to a file in the log directory
alert_csv = {
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule msg',
    file = true,
}

-- file events stamped with packet time rather than wall-clock time
file_log = {
    log_pkt_time = true,
    log_sys_time = false,
}

-- Captures HTTP request headers. These can carry cookies, Authorization
-- values and other credentials, so the resulting log is itself sensitive:
-- restrict access to it and age it out deliberately.
data_log = {
    key = 'http_request_header_event',
    limit = 100,
}

--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { facility = local7, level = alert, options = pid }
--unified2 = { }

-- Packet logging. Defaults can be enabled from the command line with -L.
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }

---------------------------------------------------------------------------
-- 8. configure tweaks
---------------------------------------------------------------------------
-- The --tweaks option names one more Lua file that is layered on top of
-- this configuration. It runs with the same privileges as this file, so
-- only files from trusted, write-protected locations belong there.
if ( tweaks ~= nil ) then
    include(tweaks .. '.lua')
end