# # Running configuration as of 2003-12-12 05:53:43 GMT # # # Use vars to define a single ip address/mask, numeric value or numeric value-range # # # These are called CLASS_O variables (eth_proto) # # snort pcap filter format # description var ip 8 # ether proto 0x0800 # ip traffic var arp 1544 # ether proto 0x0806 # arp traffic var loopback 144 # ether proto 0x9000 # Loopback: used to test ethernet interfaces var 802.3 1024 # ether proto 0x0004 # IEEE 802.3 traffic # # These are called CLASS_1 variables (ip addresses) # var pixfw1 10.10.10.1 var pixfw2 10.10.10.2 var webserver1 10.10.11.24 var webserver2 10.10.11.25 var webserver3 10.10.11.26 var dnsserver1 10.10.11.27 var dnsserver2 10.10.11.28 var mailserver1 10.10.11.29 var mailserver2 10.10.11.30 var proxyserver 10.10.11.30 var ntpserver 210.121.2.64 # # These are called CLASS_2 variables (ip_proto) # var icmp 1 var tcp 6 var udp 17 # # These are called CLASS_3 variables (tcp/udp ports) # var http 80 var https 443 var ssh 22 var telnet 23 var irc_ports 6665-6667 var dns 53 var highports 1024-65535 # # Define ports that are common services on our network # to help sancp guess the direction of 'half-open' connections # and connections commonly logged reverse of their real direction # scans from these ports may try to fool these... so watch the # 'reversed' output field and whether pkts/data came from the source # known_ports tcp http,https,ssh,telnet,irc_ports,dns known_ports udp dns # # Default output logging for each connection # default realtime=log default stats=log default pcap=log # # Default limit: bytes of pcap data to collect per connection # default limit=0 # # Default timeout: how many secs to wait after the last packet till we consider the cnx closed # default timeout=120 # # Default tcplag (experimental): delay to wait for straggler tcp packets # default tcplag=0 # after a tcp connection would normally be considered closed # i.e. delayed RST packets sent minutes after a HTTP cnx closes # # Default rule id to assign to each connection (default = 0) # default rid=0 # # Default status to assign to each connection (default = 0) # default status=0 # # Default node id to assign to each connection (default = 0) # default node=2 # # System wide default - Strip 8021Q headers from all packets # use only if needed to decapsulate 8021Q traffic # (note: 80211 is not related to 8021Q, this association is a typo that resides only in the source code) # default strip-80211=enable # # Low-level Packet filter - we wrote rules to ignore this traffic instead of using this filter #default pcapfilter = not ether proto 0x0026 and not ether proto loopback and not ether proto 0x002e and not ether proto 0x004c and not ether proto 0x016a and not ether proto 0x0806 # # # Local IP traffic Rules # ip any any icmp any any, realtime=pass, pcap=pass, status=1, rid=23, timeout=1500 # test rule # # Identify traffic to ignore # arp any any any any any, ignore # ignore arp traffic loopback any any any any any, ignore # ignore local ethernet loopback test packets 802.3 any any any any any, ignore # ignore IEEE 802.3 traffic on the switch # # Identify traffic to pass on generating realtimes # ip pixfw1 pixfw2 105 0 0, pcap pass, realtime=pass, status=100, rid=1 #2003-12-14 18:21:53 ip pixfw1 ntpserver 17 123 123, realtime=pass, status=200, rid=2 #2003-12-14 18:21:53 ip pixfw2 ntpserver 17 123 123, realtime=pass, status=200, rid=3 #2003-12-14 18:21:53 ip pixfw2 any tcp highports 80, realtime=pass, status=201, rid=4 #2003-12-14 18:21:53 ip pixfw2 any udp highports 443, realtime=pass, status=202, rid=6 #2003-12-14 18:21:53 ip pixfw2 any udp highports 53, realtime=pass, status=203, rid=5 #2003-12-14 18:21:53 ip proxyserver any tcp highports any, realtime=pass, status=299, rid=8 #2003-12-14 18:21:53 ip any webserver1 6 any 80, realtime=pass, status=301, rid=9 #2003-12-14 19:19:27 ip any webserver1 6 any 443, realtime=pass, status=302, rid=10 #2003-12-14 19:19:27 ip any webserver2 6 any 80, realtime=pass, status=301, rid=11 #2003-12-14 19:19:27 ip any webserver2 6 any 443, realtime=pass, status=302, rid=12 #2003-12-14 19:19:27 ip any webserver3 6 any 80, realtime=pass, status=301, rid=13 #2003-12-14 19:19:27 ip any webserver3 6 any 443, realtime=pass, status=302, rid=14 #2003-12-14 19:19:27 ip any dnsserver1 17 any 53, realtime=pass, status=303, rid=15 #2003-12-14 19:19:27 ip any dnsserver2 17 any 53, realtime=pass, status=303, rid=16 #2003-12-14 19:19:27 ip any mailserver1 6 any 25, realtime=pass, status=304, rid=17 #2003-12-14 19:19:27 ip mailserver1 any 6 any 25, realtime=pass, status=204, rid=18 #2003-12-14 19:19:27 ip any mailserver2 6 any 25, realtime=pass, status=304, rid=19 #2003-12-14 19:19:27 ip mailserver2 any 6 any 25, realtime=pass, status=204, rid=20 #2003-12-14 19:19:27 # # Remaining traffic will be logged according to default realtime, stats, and pcap #