LJ Archive

Listing 2. A Sample snort.conf File

# Step #0: Set global options:

config logdir: /var/log/snort

# Step #1: Set the network variables:

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS 192.168.1.250/32
var RULE_PATH ./

# Step #2: Configure preprocessors

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Step #3: Configure output plugins

output database: log, mysql, user=root
dbname=snort host=localhost

# Step #4: Customize your rule set

#   Here's a rule:

alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any
(msg:"MISC Cisco Catalyst Remote Access";
reference:cve,CVE-1999-0430;
classtype:bad-unknown; sid:513; rev:1;)

#   And here are the paths to text files
#   containing additional rules:

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
# (etc. ...)
LJ Archive