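#
# Running configuration as of 2003-12-12 05:53:43 GMT
#
# sancp sensor configuration: variable definitions, per-connection logging
# defaults, and the connection rules that override those defaults.
#
# Use vars to define a single ip address/mask, numeric value or numeric value-range
#

#
# These are called CLASS_0 variables (eth_proto)
#
# NOTE: the numeric values are the 16-bit ethertype with its bytes swapped
# (0x0800 -> 0x0008 = 8, 0x0806 -> 0x0608 = 1544, 0x9000 -> 0x0090 = 144,
# 0x0004 -> 0x0400 = 1024); keep using the swapped form when adding new ones.
#
                        # snort pcap filter format     # description
var ip          8       # ether proto 0x0800           # ip traffic
var arp         1544    # ether proto 0x0806           # arp traffic
var loopback    144     # ether proto 0x9000           # Loopback: used to test ethernet interfaces
var 802.3       1024    # ether proto 0x0004           # IEEE 802.3 traffic

#
# These are called CLASS_1 variables (ip addresses)
#

var pixfw1      10.10.10.1
var pixfw2      10.10.10.2
var webserver1  10.10.11.24
var webserver2  10.10.11.25
var webserver3  10.10.11.26
var dnsserver1  10.10.11.27
var dnsserver2  10.10.11.28
var mailserver1 10.10.11.29
var mailserver2 10.10.11.30
# NOTE(review): proxyserver and mailserver2 resolve to the same address
# (10.10.11.30). The proxyserver rule (rid=8) passes realtime logging for all
# high-port TCP from this address, so it also silences mailserver2's outbound
# connections. Confirm the intended proxy address before relying on rid=8.
var proxyserver 10.10.11.30
var ntpserver   210.121.2.64

#
# These are called CLASS_2 variables (ip_proto)
#

var icmp        1
var tcp         6
var udp         17

#
# These are called CLASS_3 variables (tcp/udp ports)
#

var http        80
var https       443
var ssh         22
var telnet      23
var irc_ports   6665-6667
var dns         53
var highports   1024-65535

#
# Define ports that are common services on our network
# to help sancp guess the direction of 'half-open' connections
# and connections commonly logged reverse of their real direction.
# Scans sourced from these ports may try to fool this heuristic, so watch the
# 'reversed' output field and whether pkts/data came from the source.
#

known_ports tcp http,https,ssh,telnet,irc_ports,dns
known_ports udp dns

#
# Default output logging for each connection (rules below may override)
#

default realtime=log

default stats=log

default pcap=log

#
# Default limit: bytes of pcap data to collect per connection (0 = no limit)
#

default limit=0

#
# Default timeout: how many secs to wait after the last packet till we consider the cnx closed
#

default timeout=120

#
# Default tcplag (experimental): delay to wait for straggler tcp packets
# after a tcp connection would normally be considered closed,
# i.e. delayed RST packets sent minutes after a HTTP cnx closes
#

default tcplag=0

#
# Default rule id to assign to each connection (0 = matched no rule)
#

default rid=0

#
# Default status to assign to each connection (0 = unclassified)
#

default status=0

#
# Default node id to assign to each connection; this sensor tags records as node 2
#

default node=2

#
# System wide default - Strip 8021Q headers from all packets
# use only if needed to decapsulate 8021Q traffic
# (note: 80211 is not related to 8021Q, this association is a typo that resides only in the source code)
#

default strip-80211=enable

#
# Low-level Packet filter - we wrote rules to ignore this traffic instead of using this filter
#default pcapfilter = not ether proto 0x0026 and not ether proto loopback and not ether proto 0x002e and not ether proto 0x004c and not ether proto 0x016a and not ether proto 0x0806
#

#
# Local IP traffic Rules
#
# Rule format: <eth_proto> <src_ip> <dst_ip> <ip_proto> <src_port> <dst_port>, <option>=<value>, ...
#

# NOTE(review): this test rule disables both realtime and pcap logging for ALL
# icmp in either direction. That hides icmp scans and icmp-based tunnels/covert
# channels from the sensor; retire it or narrow it to specific hosts once
# testing is done.
ip any any icmp any any, realtime=pass, pcap=pass, status=1, rid=23, timeout=1500 # test rule

#
# Identify traffic to ignore
#

arp any any any any any, ignore             # ignore arp traffic
loopback any any any any any, ignore        # ignore local ethernet loopback test packets
802.3 any any any any any, ignore           # ignore IEEE 802.3 traffic on the switch

#
# Identify traffic to pass on generating realtimes
#

# ip proto 105 between the two firewalls (presumably the PIX failover link).
# fixed: option was written "pcap pass" (no '='), which does not match the
# option=value form used everywhere else in this file.
ip pixfw1 pixfw2 105 0 0, pcap=pass, realtime=pass, status=100, rid=1 #2003-12-14 18:21:53

ip pixfw1 ntpserver 17 123 123, realtime=pass, status=200, rid=2 #2003-12-14 18:21:53
ip pixfw2 ntpserver 17 123 123, realtime=pass, status=200, rid=3 #2003-12-14 18:21:53

ip pixfw2 any tcp highports 80, realtime=pass, status=201, rid=4 #2003-12-14 18:21:53
# NOTE(review): rid=6 matches UDP to port 443, not TCP, so outbound https from
# pixfw2 is still realtime-logged and this rule likely never matches anything.
# Confirm whether "tcp" was intended (rid numbering 6/5 is also out of order).
ip pixfw2 any udp highports 443, realtime=pass, status=202, rid=6 #2003-12-14 18:21:53
ip pixfw2 any udp highports 53, realtime=pass, status=203, rid=5 #2003-12-14 18:21:53

# Passes realtime for every high-port TCP connection the proxy originates,
# regardless of destination port (see the proxyserver var note above).
ip proxyserver any tcp highports any, realtime=pass, status=299, rid=8 #2003-12-14 18:21:53

# Inbound web traffic to the three web servers (status 301 = http, 302 = https)
ip any webserver1 6 any 80, realtime=pass, status=301, rid=9 #2003-12-14 19:19:27
ip any webserver1 6 any 443, realtime=pass, status=302, rid=10 #2003-12-14 19:19:27

ip any webserver2 6 any 80, realtime=pass, status=301, rid=11 #2003-12-14 19:19:27
ip any webserver2 6 any 443, realtime=pass, status=302, rid=12 #2003-12-14 19:19:27

ip any webserver3 6 any 80, realtime=pass, status=301, rid=13 #2003-12-14 19:19:27
ip any webserver3 6 any 443, realtime=pass, status=302, rid=14 #2003-12-14 19:19:27

# Inbound UDP dns queries (tcp/53 is not covered and stays realtime-logged)
ip any dnsserver1 17 any 53, realtime=pass, status=303, rid=15 #2003-12-14 19:19:27
ip any dnsserver2 17 any 53, realtime=pass, status=303, rid=16 #2003-12-14 19:19:27

# SMTP: inbound (status 304) and outbound (status 204) for each mail server
ip any mailserver1 6 any 25, realtime=pass, status=304, rid=17 #2003-12-14 19:19:27
ip mailserver1 any 6 any 25, realtime=pass, status=204, rid=18 #2003-12-14 19:19:27

ip any mailserver2 6 any 25, realtime=pass, status=304, rid=19 #2003-12-14 19:19:27
ip mailserver2 any 6 any 25, realtime=pass, status=204, rid=20 #2003-12-14 19:19:27

#
# Remaining traffic will be logged according to default realtime, stats, and pcap
#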