1---------------------------------------------------------------------------
2-- Snort++ configuration
3---------------------------------------------------------------------------
4
5-- there are over 200 modules available to tune your policy.
6-- many can be used with defaults w/o any explicit configuration.
7-- use this conf as a template for your specific configuration.
8
9-- 1. configure defaults
10-- 2. configure inspection
11-- 3. configure bindings
12-- 4. configure performance
13-- 5. configure detection
14-- 6. configure filters
15-- 7. configure outputs
16-- 8. configure tweaks
17
18---------------------------------------------------------------------------
19-- 1. configure defaults
20---------------------------------------------------------------------------
21
-- HOME_NET and EXTERNAL_NET are read by snort_defaults.lua (included just
-- below), which is why both must be assigned before that include runs.
--
-- HOME_NET is the address space this sensor protects. "any" is accepted,
-- but every rule written as EXTERNAL_NET -> HOME_NET then fires in both
-- directions and on purely internal traffic, which costs precision and
-- inflates false positives. A CIDR list such as
-- "[10.0.0.0/8,192.168.0.0/16]" is the usual production value.
HOME_NET = "any"

-- EXTERNAL_NET is everything not trusted. Leaving it as "any" is correct
-- for most deployments; whatever you exclude here is also excluded from
-- every rule that keys on $EXTERNAL_NET, so narrow it deliberately.
EXTERNAL_NET = "any"

-- shared defaults (default_* tables, path vars) and the file-type magic
-- rules that file_id consumes further down
include("snort_defaults.lua")
include("file_magic.lua")
32
33---------------------------------------------------------------------------
34-- 2. configure inspection
35---------------------------------------------------------------------------
36
37-- mod = { } uses internal defaults
38-- you can see them with snort --help-module mod
39
40-- mod = default_mod uses external defaults
41-- you can see them in snort_defaults.lua
42
43-- the following are quite capable with defaults:
44
-- flow tracking and reassembly; the per-transport stream_* tables are
-- tuned well enough at their internal defaults
stream = {}
stream_ip = {}
stream_icmp = {}
stream_tcp = {}
stream_udp = {}
stream_user = {}
stream_file = {}

-- industrial / SCADA protocol inspectors
dnp3 = {}
iec104 = {}
modbus = {}

-- mail and remote-access protocols
imap = {}
pop = {}
ssh = {}
telnet = {}

-- name resolution, RPC, voice and telemetry
dns = {}
netflow = {}
rpc_decode = {}
sip = {}

-- TLS handshake tracking only -- snort does not decrypt, so once a
-- session is encrypted payload rules have nothing further to match on
ssl = {}

-- ARP cache poisoning, Back Orifice, and protocol normalization.
-- normalizer can only rewrite traffic when snort runs inline; in a
-- passive deployment it cannot alter what the endpoints receive
arp_spoof = {}
back_orifice = {}
normalizer = {}

-- DCE/RPC over each of its transports
dce_smb = {}
dce_tcp = {}
dce_udp = {}
dce_http_proxy = {}
dce_http_server = {}

-- these take the tuned defaults defined in snort_defaults.lua
gtp_inspect = default_gtp
-- medium sensitivity; check snort_defaults.lua for the other
-- default_*_port_scan variants if you need more or less noise
port_scan = default_med_port_scan
smtp = default_smtp

-- ftp: the server side takes the default command set; the client and
-- data-channel inspectors need no tuning
ftp_server = default_ftp_server
ftp_client = {}
ftp_data = {}

http_inspect = default_http_inspect
http2_inspect = {}

-- file identification; file_magic is defined in file_magic.lua and is the
-- rule set file_id uses to type files carried in traffic
file_id = { file_rules = file_magic }
89
90-- the following require additional configuration to be fully effective:
91
-- appid identifies the application on each flow so rules can match on
-- appids. Without app_detector_dir pointing at the detector package,
-- appid-based rule options cannot match anything.
appid = {
    -- app_detector_dir = "directory to load appid detectors from",
}
97
98--[[
99reputation =
100{
    -- configure one or both of these, then uncomment reputation
    -- (see also related path vars at the top of snort_defaults.lua)
    -- reputation is applied ahead of rule evaluation; depending on the
    -- module's action option, addresses on the allow side may be exempted
    -- from further inspection, so keep that list narrow and reviewed.
    -- newer releases rename these options (blocklist / allowlist); check
    -- snort --help-module reputation for the names in your version.

    --blacklist = 'blacklist file name with ip lists'
    --whitelist = 'whitelist file name with ip lists'
106}
107--]]
108
109---------------------------------------------------------------------------
110-- 3. configure bindings
111---------------------------------------------------------------------------
112
-- the wizard fingerprints a flow's first payload to name its service when
-- no explicit binding has matched; its patterns come from snort_defaults.lua
wizard = default_wizard

-- binder rules are evaluated top to bottom and the first match wins,
-- so the catch-all wizard entry at the bottom must stay last
binder =
{
    -- port bindings required for protocols without wizard support
    -- (role = 'server' means the port is on the server side of the flow;
    -- these only cover services running on their standard port)
    { when = { proto = 'udp', ports = '53', role='server' },  use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '53', role='server' },  use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '111', role='server' }, use = { type = 'rpc_decode' } },
    { when = { proto = 'tcp', ports = '502', role='server' }, use = { type = 'modbus' } },
    -- NOTE(review): GTP normally runs over UDP on these ports, so a
    -- tcp-only binding is unlikely to see real GTP traffic -- confirm
    -- against your network and consider a matching udp entry
    { when = { proto = 'tcp', ports = '2123 2152 3386', role='server' }, use = { type = 'gtp_inspect' } },
    { when = { proto = 'tcp', ports = '2404', role='server' }, use = { type = 'iec104' } },

    -- service bindings: taken once the flow's service is known (from the
    -- wizard, or from appid when it is configured)
    { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
    { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },
    { when = { proto = 'udp', service = 'netflow' }, use = { type = 'netflow' } },

    { when = { service = 'netbios-ssn' },      use = { type = 'dce_smb' } },
    { when = { service = 'dce_http_server' },  use = { type = 'dce_http_server' } },
    { when = { service = 'dce_http_proxy' },   use = { type = 'dce_http_proxy' } },

    { when = { service = 'dnp3' },             use = { type = 'dnp3' } },
    { when = { service = 'dns' },              use = { type = 'dns' } },
    { when = { service = 'ftp' },              use = { type = 'ftp_server' } },
    { when = { service = 'ftp-data' },         use = { type = 'ftp_data' } },
    { when = { service = 'gtp' },              use = { type = 'gtp_inspect' } },
    { when = { service = 'imap' },             use = { type = 'imap' } },
    { when = { service = 'http' },             use = { type = 'http_inspect' } },
    { when = { service = 'http2' },            use = { type = 'http2_inspect' } },
    { when = { service = 'iec104' },           use = { type = 'iec104' } },
    { when = { service = 'modbus' },           use = { type = 'modbus' } },
    { when = { service = 'pop3' },             use = { type = 'pop' } },
    { when = { service = 'ssh' },              use = { type = 'ssh' } },
    { when = { service = 'sip' },              use = { type = 'sip' } },
    { when = { service = 'smtp' },             use = { type = 'smtp' } },
    -- ssl tracks the handshake only; snort does not decrypt the session
    { when = { service = 'ssl' },              use = { type = 'ssl' } },
    { when = { service = 'sunrpc' },           use = { type = 'rpc_decode' } },
    { when = { service = 'telnet' },           use = { type = 'telnet' } },

    -- anything not matched above is handed to the wizard for identification
    { use = { type = 'wizard' } }
}
153
154---------------------------------------------------------------------------
155-- 4. configure performance
156---------------------------------------------------------------------------
157
-- use latency to monitor / enforce packet and rule thresholds
-- (enforcement can cut inspection short once a threshold is exceeded,
-- trading detection coverage for throughput -- monitor before enforcing)
159--latency = { }
160
161-- use these to capture perf data for analysis and tuning
162--profiler = { }
163--perf_monitor = { }
164
165---------------------------------------------------------------------------
166-- 5. configure detection
167---------------------------------------------------------------------------
168
-- classtype definitions and reference URL prefixes used by rule files;
-- both come from snort_defaults.lua
classifications = default_classifications
references = default_references

ips = {
    -- decoder and inspector (builtin) alerts stay off until this is set.
    -- with it off and no rules included below, the rule engine raises
    -- nothing at all, so a freshly deployed copy of this template is
    -- silent -- turn it on while validating a new sensor
    -- enable_builtin_rules = true,

    -- load your rules here, e.g. include = 'path/to/snort.rules'
    -- (rules files may include other rules files; the related path vars
    -- are at the top of snort_defaults.lua). for blocking deployments
    -- also review the mode option: snort --help-module ips

    variables = default_variables,
}
183
-- use these to configure additional rule actions
-- (both send packets onto the wire -- reject tears the session down --
-- so enable them only on sensors that are meant to respond actively)
185-- react = { }
186-- reject = { }
187
188-- use this to enable payload injection utility
189-- payload_injector = { }
190
191---------------------------------------------------------------------------
192-- 6. configure filters
193---------------------------------------------------------------------------
194
195-- below are examples of filters
196-- each table is a list of records
197
198--[[
199suppress =
200{
    -- don't want to see any of these (suppression hides the event
    -- entirely; prefer event_filter when you only need fewer copies)
202    { gid = 1, sid = 1 },
203
204    -- don't want to see these for a given server
205    { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
206}
207--]]
208
209--[[
210event_filter =
211{
212    -- reduce the number of events logged for some rules
213    { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
214    { gid = 1, sid = 2, type = 'both',  track = 'by_dst', count = 5, seconds = 60 },
215}
216--]]
217
218--[[
219rate_filter =
220{
    -- alert on connection attempts from clients in SOME_NET
    -- (SOME_NET is not defined in this file; add it to the nets in
    -- ips.variables before enabling this record)
222    { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
223      new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },
224
225    -- alert on connections to servers over threshold
226    { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
227      new_action = 'alert', timeout = 1 },
228}
229--]]
230
231---------------------------------------------------------------------------
232-- 7. configure outputs
233---------------------------------------------------------------------------
234
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs. nothing is enabled here,
-- so a sensor started without -A records no alerts; a production config
-- should enable at least one persistent output (e.g. unified2 or
-- alert_syslog) in this file rather than relying on the command line
238--alert_csv = { }
239--alert_fast = { }
240--alert_full = { }
241--alert_sfsocket = { }
242--alert_syslog = { }
243--unified2 = { }
244
245-- packet logging
246-- you can enable with defaults from the command line with -L <log_type>
247--log_codecs = { }
248--log_hext = { }
249--log_pcap = { }
250
251-- additional logs
252--packet_capture = { }
253--file_log = { }
254
255---------------------------------------------------------------------------
256-- 8. configure tweaks
257---------------------------------------------------------------------------
258
-- `tweaks` is set outside this file (snort's --tweaks option) and names a
-- Lua file, resolved like any other include, that is layered over the
-- tables above. it is executed as plain Lua, so only point it at files
-- you control.
if tweaks ~= nil then include(tweaks .. ".lua") end
262
263