1#
#  Running configuration as of 2003-12-12 05:53:43 GMT
#  (note: the per-rule timestamps further down are dated 2003-12-14, i.e. later than
#   this header, so treat the header date as stale when reconciling config history)
3#
4#
5# Use vars to define a single ip address/mask, numeric value or numeric value-range
6#
7
8#
# These are called CLASS_0 variables (eth_proto)
10#
11			#  snort pcap filter format # description
# Each value is the 16-bit EtherType as it reads in host byte order on a little-endian
# sensor (the two bytes swapped): 0x0800 -> 0x0008 = 8, 0x0806 -> 0x0608 = 1544,
# 0x9000 -> 0x0090 = 144, 0x0004 -> 0x0400 = 1024. NOTE(review): if this config is ever
# moved to a big-endian host, confirm whether sancp wants host or network order before
# reusing these numbers.
var ip 8		# ether proto 0x0800  # ip traffic
var arp 1544   		# ether proto 0x0806  # arp traffic
var loopback 144 	# ether proto 0x9000  # Loopback: used to test ethernet interfaces
var 802.3 1024		# ether proto 0x0004  # IEEE 802.3 traffic
16
17#
18# These are called CLASS_1 variables (ip addresses)
19#
20
# Hosts referenced by name in the rules below
var pixfw1  10.10.10.1
var pixfw2  10.10.10.2
var webserver1  10.10.11.24
var webserver2  10.10.11.25
var webserver3  10.10.11.26
var dnsserver1  10.10.11.27
var dnsserver2  10.10.11.28
var mailserver1  10.10.11.29
var mailserver2  10.10.11.30
var proxyserver  10.10.11.30	# NOTE(review): same address as mailserver2 -- any rule written for one host silently applies to the other; confirm which address is the typo
var ntpserver  210.121.2.64	# external (non-RFC1918) host, unlike every other entry here
32
33#
34# These are called CLASS_2 variables (ip_proto)
35#
36
# IANA IP protocol numbers. A rule may use either the name (e.g. tcp) or the raw
# number (e.g. 105) in the protocol field.
var icmp 1
var tcp 6
var udp 17

#
# These are called CLASS_3 variables (tcp/udp ports)
#

var http 80
var https 443
var ssh 22
var telnet 23
var irc_ports 6665-6667
var dns 53	# reused for both the tcp and udp known_ports lists below
var highports 1024-65535	# ephemeral/client range; used as the source port in the outbound rules below
52
53#
# Define ports that are common services on our network, to help sancp guess the
# direction of 'half-open' connections and of connections that are commonly logged
# in reverse of their real direction. Scans sourced from these ports may try to fool
# this heuristic, so watch the 'reversed' output field and whether the packets/data
# actually came from the recorded source.
59#
60
# Per the note above these lists only influence direction guessing; they do not exempt
# or log anything by themselves. irc_ports is listed here although no rule below
# references it, so IRC sessions are still logged in full.
known_ports tcp http,https,ssh,telnet,irc_ports,dns
known_ports udp dns
63
64#
65# Default output logging for each connection
66#
67
# Unless a rule below overrides them, every connection gets a realtime record,
# a stats record and a pcap capture.
default realtime=log

default stats=log

default pcap=log

#
# Default limit: bytes of pcap data to collect per connection
# NOTE(review): 0 is presumably "no cap" (confirm against the sancp docs); together
# with pcap=log above that means full-content capture of every connection that is
# not exempted by a rule below -- size the capture disk accordingly.
#

default limit=0

#
# Default timeout: how many secs to wait after the last packet till we consider the cnx closed
#

default timeout=120

#
# Default tcplag (experimental): delay to wait for straggler tcp packets
#

default tcplag=0 # after a tcp connection would normally be considered closed

# i.e. delayed RST packets sent minutes after a HTTP cnx closes

#
# Default rule id to assign to each connection (sancp's built-in default is 0)
#

default rid=0

#
# Default status to assign to each connection (sancp's built-in default is 0)
#

default status=0

#
# Default node id to assign to each connection (sancp's built-in default is 0;
# this sensor tags its records as node 2)
#

default node=2

#
# System wide default - Strip 8021Q headers from all packets
# use only if needed to decapsulate 8021Q traffic
# (note: 80211 is not related to 8021Q, this association is a typo that resides only in the source code)
# Once the tag is stripped the VLAN ID is no longer in the packet, so sessions from
# different VLANs cannot be told apart in the output. Acceptable only if this sensor
# sees a single VLAN or the VLAN ID is not needed for analysis.
#

default strip-80211=enable
119
120#
# Low-level Packet filter - we wrote rules to ignore this traffic instead of using this filter
# (if this is ever re-enabled, check that sancp expands the `loopback` variable before
#  handing the expression to libpcap -- plain BPF has no `loopback` protocol name)
#default pcapfilter = not ether proto 0x0026 and not ether proto loopback and not ether proto 0x002e and not ether proto 0x004c and not ether proto 0x016a and not ether proto 0x0806
123#
124
125#
126# Local IP traffic Rules
127#
128
# NOTE(review): labelled a test rule but still active. It exempts ALL ICMP, from any host
# in either direction, from realtime and pcap logging and holds each session open for
# 1500s (vs. the 120s default); only the stats record remains. ICMP tunnels / covert
# channels (loki- or ptunnel-style) and ping sweeps would therefore leave no content
# and no realtime event. Narrow it (e.g. to the two firewalls) or remove it once
# testing is done. rid=23 is also out of sequence with rids 1-20 below.
ip any any icmp any any, realtime=pass, pcap=pass, status=1, rid=23, timeout=1500 # test rule
130
131#
132# Identify traffic to ignore
133#
134
# 'ignore' presumably drops these frames from every output (realtime, stats and
# pcap) -- confirm against the sancp docs. NOTE(review): ignoring ARP entirely means
# ARP spoofing/poisoning on the sensor's segment leaves no trace here; make sure ARP
# monitoring (e.g. arpwatch) lives somewhere else.
arp any any any any any, ignore # ignore arp traffic
loopback any any any any any, ignore # ignore local ethernet loopback test packets
802.3 any any any any any, ignore  # ignore IEEE 802.3 traffic on the switch
138
139#
# Traffic exempted from realtime session records (realtime=pass). stats and pcap
# still follow the defaults above unless a rule overrides them (only rid=1 also
# sets pcap=pass).
141#
142
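# Traffic between the two firewalls on IP protocol 105 (presumably PIX failover; a
# non-tcp/udp protocol, hence the 0 0 port fields). Exempt from realtime AND pcap.
# Every option in this file uses the key=value form; 'pcap pass' (no '=') did not.
ip pixfw1 pixfw2 105 0 0, pcap=pass, realtime=pass, status=100, rid=1 #2003-12-14 18:21:53

# Firewalls syncing time with the external NTP server (no port var defined for 123)
ip pixfw1 ntpserver udp 123 123, realtime=pass, status=200, rid=2 #2003-12-14 18:21:53
ip pixfw2 ntpserver udp 123 123, realtime=pass, status=200, rid=3 #2003-12-14 18:21:53

# Outbound client traffic sourced from pixfw2 (post-NAT) to anywhere
ip pixfw2 any tcp highports http, realtime=pass, status=201, rid=4 #2003-12-14 18:21:53
# NOTE(review): udp/443 is an unusual combination (https is tcp). Verify this was not
# meant to be 'tcp'; as written, outbound HTTPS from pixfw2 is still logged in
# realtime and this rule never matches. rid 6/5 are also out of order with their
# neighbours.
ip pixfw2 any udp highports 443, realtime=pass, status=202, rid=6 #2003-12-14 18:21:53
ip pixfw2 any udp highports dns, realtime=pass, status=203, rid=5 #2003-12-14 18:21:53

# NOTE(review): this exempts every outbound TCP connection from the proxy, to any host
# on any port, from realtime logging. That is exactly the path an attacker who has
# compromised the proxy (or tunnels through it) would use; consider restricting the
# destination port to http,https. proxyserver also currently resolves to the same
# address as mailserver2 (see the var definitions above).
ip proxyserver any tcp highports any, realtime=pass, status=299, rid=8 #2003-12-14 18:21:53

# Inbound web traffic to the public web servers
ip any webserver1 tcp any http, realtime=pass, status=301, rid=9 #2003-12-14 19:19:27
ip any webserver1 tcp any https, realtime=pass, status=302, rid=10 #2003-12-14 19:19:27

ip any webserver2 tcp any http, realtime=pass, status=301, rid=11 #2003-12-14 19:19:27
ip any webserver2 tcp any https, realtime=pass, status=302, rid=12 #2003-12-14 19:19:27

ip any webserver3 tcp any http, realtime=pass, status=301, rid=13 #2003-12-14 19:19:27
ip any webserver3 tcp any https, realtime=pass, status=302, rid=14 #2003-12-14 19:19:27

# Inbound DNS queries, udp only. tcp/53 is deliberately not exempted, so zone
# transfers (AXFR runs over tcp) and other tcp DNS stay fully logged.
ip any dnsserver1 udp any dns, realtime=pass, status=303, rid=15 #2003-12-14 19:19:27
ip any dnsserver2 udp any dns, realtime=pass, status=303, rid=16 #2003-12-14 19:19:27

# SMTP in and out for both mail relays (no port var defined for 25)
ip any mailserver1 tcp any 25, realtime=pass, status=304, rid=17 #2003-12-14 19:19:27
ip mailserver1 any tcp any 25, realtime=pass, status=204, rid=18 #2003-12-14 19:19:27

ip any mailserver2 tcp any 25, realtime=pass, status=304, rid=19 #2003-12-14 19:19:27
ip mailserver2 any tcp any 25, realtime=pass, status=204, rid=20 #2003-12-14 19:19:27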
171
172#
173# Remaining traffic will be logged according to default realtime, stats, and pcap
174#
175