bakabtw/packages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
packages/net/snort/patches/750-lightweight-config.patch
nico 2db62eb97e packages/snort: various fixes 
* use basic, mysql & pgsql VARIANTs
 * add a build dependency on librpc when building against uClibc (closes: #10132)
 * ship empty, useless, but working config & ruleset
 * ship dynamic engine & preprocessors, disabled by default
 * make it listen on loopback by default

git-svn-id: svn://svn.openwrt.org/openwrt/packages@28667 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-29 13:40:14 +00:00

317 lines
11 KiB
Diff
Raw Blame History

--- a/etc/snort.conf
+++ b/etc/snort.conf
@@ -6,6 +6,7 @@
#
###################################################
# This file contains a sample snort configuration.
+# Most preprocessors and rules were disabled to save memory.
# You can take the following steps to create your own custom configuration:
#
# 1) Set the variables for your network
@@ -43,10 +44,10 @@
# or you can specify the variable to be any IP address
# like this:
-var HOME_NET any
+var HOME_NET 192.168.1.0/24
# Set up the external network addresses as well. A good start may be "any"
-var EXTERNAL_NET any
+var EXTERNAL_NET !$HOME_NET
# Configure your server lists. This allows snort to only look for attacks to
# systems that have a service up. Why look for HTTP attacks if you are not
@@ -107,8 +108,8 @@ var AIM_SERVERS [64.12.24.0/23,64.12.28.
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
-var RULE_PATH ../rules
-var PREPROC_RULE_PATH ../preproc_rules
+var RULE_PATH /etc/snort/rules
+var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Configure the snort decoder
# ============================
@@ -191,27 +192,27 @@ var PREPROC_RULE_PATH ../preproc_rules
# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
#
-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+#dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
#
# Load a specific dynamic preprocessor library from the install path
# (same as command line option --dynamic-preprocessor-lib)
#
-# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
+# dynamicpreprocessor file /usr/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+#dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
#
# Load all dynamic rules libraries from the install path
# (same as command line option --dynamic-detection-lib-dir)
#
-# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
+# dynamicdetection directory /usr/lib/snort_dynamicrules/
#
# Load a specific dynamic rule library from the install path
# (same as command line option --dynamic-detection-lib)
#
-# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
+# dynamicdetection file /usr/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so
#
###################################################
@@ -307,11 +308,11 @@ preprocessor stream5_tcp: policy first,
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
-preprocessor http_inspect: global \
- iis_unicode_map unicode.map 1252
+#preprocessor http_inspect: global \
+# iis_unicode_map unicode.map 1252
-preprocessor http_inspect_server: server default \
- profile all ports { 80 8080 8180 } oversize_dir_length 500
+#preprocessor http_inspect_server: server default \
+# profile all ports { 80 8080 8180 } oversize_dir_length 500
#
# Example unique server configuration
@@ -345,7 +346,7 @@ preprocessor http_inspect_server: server
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
-preprocessor rpc_decode: 111 32771
+#preprocessor rpc_decode: 111 32771
# bo: Back Orifice detector
# -------------------------
@@ -368,7 +369,7 @@ preprocessor rpc_decode: 111 32771
# 3 Back Orifice Server Traffic Detected
# 4 Back Orifice Snort Buffer Attack
-preprocessor bo
+#preprocessor bo
# ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
# ---------------------------------------------------------------------------
@@ -391,32 +392,32 @@ preprocessor bo
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
-preprocessor ftp_telnet: global \
- encrypted_traffic yes \
- inspection_type stateful
-
-preprocessor ftp_telnet_protocol: telnet \
- normalize \
- ayt_attack_thresh 200
+#preprocessor ftp_telnet: global \
+# encrypted_traffic yes \
+# inspection_type stateful
+
+#preprocessor ftp_telnet_protocol: telnet \
+# normalize \
+# ayt_attack_thresh 200
# This is consistent with the FTP rules as of 18 Sept 2004.
# CWD can have param length of 200
# MODE has an additional mode of Z (compressed)
# Check for string formats in USER & PASS commands
# Check nDTM commands that set modification time on the file.
-preprocessor ftp_telnet_protocol: ftp server default \
- def_max_param_len 100 \
- alt_max_param_len 200 { CWD } \
- cmd_validity MODE < char ASBCZ > \
- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
- chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
- telnet_cmds yes \
- data_chan
-
-preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 256 \
- bounce yes \
- telnet_cmds yes
+#preprocessor ftp_telnet_protocol: ftp server default \
+# def_max_param_len 100 \
+# alt_max_param_len 200 { CWD } \
+# cmd_validity MODE < char ASBCZ > \
+# cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+# chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
+# telnet_cmds yes \
+# data_chan
+
+#preprocessor ftp_telnet_protocol: ftp client default \
+# max_resp_len 256 \
+# bounce yes \
+# telnet_cmds yes
# smtp: SMTP normalizer, protocol enforcement and buffer overflow
# ---------------------------------------------------------------------------
@@ -434,15 +435,15 @@ preprocessor ftp_telnet_protocol: ftp cl
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
-preprocessor smtp: \
- ports { 25 587 691 } \
- inspection_type stateful \
- normalize cmds \
- normalize_cmds { EXPN VRFY RCPT } \
- alt_max_command_line_len 260 { MAIL } \
- alt_max_command_line_len 300 { RCPT } \
- alt_max_command_line_len 500 { HELP HELO ETRN } \
- alt_max_command_line_len 255 { EXPN VRFY }
+#preprocessor smtp: \
+# ports { 25 587 691 } \
+# inspection_type stateful \
+# normalize cmds \
+# normalize_cmds { EXPN VRFY RCPT } \
+# alt_max_command_line_len 260 { MAIL } \
+# alt_max_command_line_len 300 { RCPT } \
+# alt_max_command_line_len 500 { HELP HELO ETRN } \
+# alt_max_command_line_len 255 { EXPN VRFY }
# sfPortscan
# ----------
@@ -498,9 +499,9 @@ preprocessor smtp: \
# false alerts, especially under heavy load with dropped packets; which is why
# the option is off by default.
#
-preprocessor sfportscan: proto { all } \
- memcap { 10000000 } \
- sense_level { low }
+#preprocessor sfportscan: proto { all } \
+# memcap { 10000000 } \
+# sense_level { low }
# arpspoof
#----------------------------------------
@@ -605,8 +606,8 @@ preprocessor sfportscan: proto { all }
# See doc/README.dcerpc2 for explanations of what the
# preprocessor does and how to configure it.
#
-preprocessor dcerpc2
-preprocessor dcerpc2_server: default
+#preprocessor dcerpc2
+#preprocessor dcerpc2_server: default
# DNS
@@ -623,9 +624,9 @@ preprocessor dcerpc2_server: default
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
-preprocessor dns: \
- ports { 53 } \
- enable_rdata_overflow
+#preprocessor dns: \
+# ports { 53 } \
+# enable_rdata_overflow
# SSL
#----------------------------------------
@@ -649,7 +650,7 @@ preprocessor dns: \
# To add reassembly on port 443 to Stream5, use 'port both 443' in the
# Stream5 configuration.
-preprocessor ssl: noinspect_encrypted, trustservers
+#preprocessor ssl: noinspect_encrypted, trustservers
####################################################################
@@ -808,44 +809,44 @@ include reference.config
#=========================================
include $RULE_PATH/local.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-
-include $RULE_PATH/sql.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
+#include $RULE_PATH/bad-traffic.rules
+#include $RULE_PATH/exploit.rules
+#include $RULE_PATH/scan.rules
+#include $RULE_PATH/finger.rules
+#include $RULE_PATH/ftp.rules
+#include $RULE_PATH/telnet.rules
+#include $RULE_PATH/rpc.rules
+#include $RULE_PATH/rservices.rules
+#include $RULE_PATH/dos.rules
+#include $RULE_PATH/ddos.rules
+#include $RULE_PATH/dns.rules
+#include $RULE_PATH/tftp.rules
+
+#include $RULE_PATH/web-cgi.rules
+#include $RULE_PATH/web-coldfusion.rules
+#include $RULE_PATH/web-iis.rules
+#include $RULE_PATH/web-frontpage.rules
+#include $RULE_PATH/web-misc.rules
+#include $RULE_PATH/web-client.rules
+#include $RULE_PATH/web-php.rules
+
+#include $RULE_PATH/sql.rules
+#include $RULE_PATH/x11.rules
+#include $RULE_PATH/icmp.rules
+#include $RULE_PATH/netbios.rules
+#include $RULE_PATH/misc.rules
+#include $RULE_PATH/attack-responses.rules
+#include $RULE_PATH/oracle.rules
+#include $RULE_PATH/mysql.rules
+#include $RULE_PATH/snmp.rules
+
+#include $RULE_PATH/smtp.rules
+#include $RULE_PATH/imap.rules
+#include $RULE_PATH/pop2.rules
+#include $RULE_PATH/pop3.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
+#include $RULE_PATH/nntp.rules
+#include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
@@ -859,7 +860,7 @@ include $RULE_PATH/other-ids.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/experimental.rules
+#include $RULE_PATH/experimental.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
Reference in New Issue View Git Blame Copy Permalink