4 # test mode -T you are required to supply an interface -i <interface>
5 # or test mode will fail to fully validate the configuration and
6 # exit with a FATAL error
9 +#! Some options in this config were changed to adapt snort for OpenWrt. Any changes
10 +#! made to the original default configuration will start with '#! ' so you can track
13 +#! Most preprocessors and rules were disabled to save memory.
14 #--------------------------------------------------
16 ###################################################
18 ###################################################
20 # Setup the network addresses you are protecting
22 +#! ipvar HOME_NET any
23 +ipvar HOME_NET 192.168.1.0/24
25 # Set up the external network addresses. Leave as "any" in most situations
26 -ipvar EXTERNAL_NET any
27 +#! ipvar EXTERNAL_NET any
28 +ipvar EXTERNAL_NET !$HOME_NET
30 # List of DNS servers on your network
31 ipvar DNS_SERVERS $HOME_NET
32 @@ -101,17 +110,23 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.2
33 # Path to your rules files (this can be a relative path)
34 # Note for Windows users: You are advised to make this an absolute path,
35 # such as: c:\snort\rules
36 -var RULE_PATH ../rules
37 -var SO_RULE_PATH ../so_rules
38 -var PREPROC_RULE_PATH ../preproc_rules
39 +#! Those paths are relative to this snort.conf file.
40 +#! var RULE_PATH ../rules
41 +#! var SO_RULE_PATH ../so_rules
42 +#! var PREPROC_RULE_PATH ../preproc_rules
43 +var RULE_PATH ./rules
44 +var SO_RULE_PATH ./so_rules
45 +var PREPROC_RULE_PATH ./preproc_rules
47 # If you are using reputation preprocessor set these
48 # Currently there is a bug with relative paths, they are relative to where snort is
49 # not relative to snort.conf like the above variables
50 # This is completely inconsistent with how other vars work, BUG 89986
51 # Set the absolute path appropriately
52 -var WHITE_LIST_PATH ../rules
53 -var BLACK_LIST_PATH ../rules
54 +#! var WHITE_LIST_PATH ../rules
55 +#! var BLACK_LIST_PATH ../rules
56 +var WHITE_LIST_PATH ./rules
57 +var BLACK_LIST_PATH ./rules
59 ###################################################
60 # Step #2: Configure the decoder. For more information, see README.decode
61 @@ -244,13 +259,16 @@ config paf_max: 16000
62 ###################################################
64 # path to dynamic preprocessor libraries
65 -dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
66 +#! dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
67 +dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
69 # path to base preprocessor engine
70 -dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
71 +#! dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
72 +#! dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so #! disabled for performance reasons
74 # path to dynamic rules libraries
75 -dynamicdetection directory /usr/local/lib/snort_dynamicrules
76 +#! dynamicdetection directory /usr/local/lib/snort_dynamicrules
77 +#! dynamicdetection directory /usr/lib/snort_dynamicrules #! disabled for performance reasons
79 ###################################################
80 # Step #5: Configure preprocessors
81 @@ -294,124 +312,128 @@ preprocessor stream5_udp: timeout 180
82 # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
84 # HTTP normalization and anomaly detection. For more information, see README.http_inspect
85 -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
86 -preprocessor http_inspect_server: server default \
87 - http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
88 - chunk_length 500000 \
89 - server_flow_depth 0 \
90 - client_flow_depth 0 \
92 - oversize_dir_length 500 \
93 - max_header_length 750 \
96 - small_chunk_length { 10 5 } \
97 - ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
98 - non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
100 - extended_response_inspection \
103 - unlimited_decompress \
104 - normalize_javascript \
105 - apache_whitespace no \
117 +#! disabled for performance reasons:
118 +#! preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
119 +#! preprocessor http_inspect_server: server default \
120 +#! http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
121 +#! chunk_length 500000 \
122 +#! server_flow_depth 0 \
123 +#! client_flow_depth 0 \
124 +#! post_depth 65495 \
125 +#! oversize_dir_length 500 \
126 +#! max_header_length 750 \
127 +#! max_headers 100 \
129 +#! small_chunk_length { 10 5 } \
130 +#! ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
131 +#! non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
133 +#! extended_response_inspection \
136 +#! unlimited_decompress \
137 +#! normalize_javascript \
138 +#! apache_whitespace no \
142 +#! double_decode no \
143 +#! iis_backslash no \
144 +#! iis_delimiter no \
151 # ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
152 -preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
153 +#! disabled for performance reasons:
154 +#! preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
156 # Back Orifice detection.
158 +#! preprocessor bo #! disabled for performance reasons
160 # FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet
161 -preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no
162 -preprocessor ftp_telnet_protocol: telnet \
163 - ayt_attack_thresh 20 \
164 - normalize ports { 23 } \
166 -preprocessor ftp_telnet_protocol: ftp server default \
167 - def_max_param_len 100 \
168 - ports { 21 2100 3535 } \
170 - ignore_telnet_erase_cmds yes \
171 - ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
172 - ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
173 - ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
174 - ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
175 - ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
176 - ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
177 - ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
178 - ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
179 - ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
180 - ftp_cmds { XSEN XSHA1 XSHA256 } \
181 - alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
182 - alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
183 - alt_max_param_len 256 { CWD RNTO } \
184 - alt_max_param_len 400 { PORT } \
185 - alt_max_param_len 512 { SIZE } \
186 - chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
187 - chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
188 - chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
189 - chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
190 - chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
191 - chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
192 - chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
193 - chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
194 - cmd_validity ALLO < int [ char R int ] > \
195 - cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
196 - cmd_validity MACB < string > \
197 - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
198 - cmd_validity MODE < char ASBCZ > \
199 - cmd_validity PORT < host_port > \
200 - cmd_validity PROT < char CSEP > \
201 - cmd_validity STRU < char FRPO [ string ] > \
202 - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
203 -preprocessor ftp_telnet_protocol: ftp client default \
206 - ignore_telnet_erase_cmds yes \
208 +#! disabled for performance reasons:
209 +#! preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
210 +#! preprocessor ftp_telnet_protocol: telnet \
211 +#! ayt_attack_thresh 20 \
212 +#! normalize ports { 23 } \
214 +#! preprocessor ftp_telnet_protocol: ftp server default \
215 +#! def_max_param_len 100 \
216 +#! ports { 21 2100 3535 } \
217 +#! telnet_cmds yes \
218 +#! ignore_telnet_erase_cmds yes \
219 +#! ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
220 +#! ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
221 +#! ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
222 +#! ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
223 +#! ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
224 +#! ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
225 +#! ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
226 +#! ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
227 +#! ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
228 +#! ftp_cmds { XSEN XSHA1 XSHA256 } \
229 +#! alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
230 +#! alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
231 +#! alt_max_param_len 256 { CWD RNTO } \
232 +#! alt_max_param_len 400 { PORT } \
233 +#! alt_max_param_len 512 { SIZE } \
234 +#! chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
235 +#! chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
236 +#! chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
237 +#! chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
238 +#! chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
239 +#! chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
240 +#! chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
241 +#! chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
242 +#! cmd_validity ALLO < int [ char R int ] > \
243 +#! cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
244 +#! cmd_validity MACB < string > \
245 +#! cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
246 +#! cmd_validity MODE < char ASBCZ > \
247 +#! cmd_validity PORT < host_port > \
248 +#! cmd_validity PROT < char CSEP > \
249 +#! cmd_validity STRU < char FRPO [ string ] > \
250 +#! cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
251 +#! preprocessor ftp_telnet_protocol: ftp client default \
252 +#! max_resp_len 256 \
254 +#! ignore_telnet_erase_cmds yes \
258 # SMTP normalization and anomaly detection. For more information, see README.SMTP
259 -preprocessor smtp: ports { 25 465 587 691 } \
260 - inspection_type stateful \
261 - b64_decode_depth 0 \
262 - qp_decode_depth 0 \
263 - bitenc_decode_depth 0 \
264 - uu_decode_depth 0 \
270 - normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
271 - normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
272 - normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
273 - normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
274 - max_command_line_len 512 \
275 - max_header_line_len 1000 \
276 - max_response_line_len 512 \
277 - alt_max_command_line_len 260 { MAIL } \
278 - alt_max_command_line_len 300 { RCPT } \
279 - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
280 - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
281 - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
282 - valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
283 - valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
284 - valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
285 - valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
286 - xlink2state { enabled }
287 +#! disabled for performance reasons:
288 +#! preprocessor smtp: ports { 25 465 587 691 } \
289 +#! inspection_type stateful \
290 +#! b64_decode_depth 0 \
291 +#! qp_decode_depth 0 \
292 +#! bitenc_decode_depth 0 \
293 +#! uu_decode_depth 0 \
299 +#! normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
300 +#! normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
301 +#! normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
302 +#! normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
303 +#! max_command_line_len 512 \
304 +#! max_header_line_len 1000 \
305 +#! max_response_line_len 512 \
306 +#! alt_max_command_line_len 260 { MAIL } \
307 +#! alt_max_command_line_len 300 { RCPT } \
308 +#! alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
309 +#! alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
310 +#! alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
311 +#! valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
312 +#! valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
313 +#! valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
314 +#! valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
315 +#! xlink2state { enabled }
317 # Portscan detection. For more information, see README.sfportscan
318 # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
319 @@ -430,17 +452,19 @@ preprocessor ssh: server_ports { 22 } \
320 enable_srvoverflow enable_protomismatch
322 # SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2
323 -preprocessor dcerpc2: memcap 102400, events [co ]
324 -preprocessor dcerpc2_server: default, policy WinXP, \
325 - detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
326 - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
327 - smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
328 +#! disabled for performance reasons:
329 +#! preprocessor dcerpc2: memcap 102400, events [co ]
330 +#! preprocessor dcerpc2_server: default, policy WinXP, \
331 +#! detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
332 +#! autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
333 +#! smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
335 # DNS anomaly detection. For more information, see README.dns
336 -preprocessor dns: ports { 53 } enable_rdata_overflow
337 +#! preprocessor dns: ports { 53 } enable_rdata_overflow #! disabled for performance reasons
339 # SSL anomaly detection and traffic bypass. For more information, see README.ssl
340 -preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
341 +#! disabled for performance reasons:
342 +#! preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
344 # SDF sensitive data preprocessor. For more information see README.sensitive_data
345 preprocessor sensitive_data: alert_threshold 25
346 @@ -503,12 +527,13 @@ preprocessor dnp3: ports { 20000 } \
349 # Reputation preprocessor. For more information see README.reputation
350 -preprocessor reputation: \
352 - priority whitelist, \
354 - whitelist $WHITE_LIST_PATH/white_list.rules, \
355 - blacklist $BLACK_LIST_PATH/black_list.rules
356 +#! disabled for performance reasons:
357 +#! preprocessor reputation: \
359 +#! priority whitelist, \
360 +#! nested_ip inner, \
361 +#! whitelist $WHITE_LIST_PATH/white_list.rules, \
362 +#! blacklist $BLACK_LIST_PATH/black_list.rules
364 ###################################################
365 # Step #6: Configure output plugins
366 @@ -551,60 +576,71 @@ include reference.config
367 # site specific rules
368 include $RULE_PATH/local.rules
370 -include $RULE_PATH/attack-responses.rules
371 -include $RULE_PATH/backdoor.rules
372 -include $RULE_PATH/bad-traffic.rules
373 -include $RULE_PATH/blacklist.rules
374 -include $RULE_PATH/botnet-cnc.rules
375 -include $RULE_PATH/chat.rules
376 -include $RULE_PATH/content-replace.rules
377 -include $RULE_PATH/ddos.rules
378 -include $RULE_PATH/dns.rules
379 -include $RULE_PATH/dos.rules
380 -include $RULE_PATH/exploit.rules
381 -include $RULE_PATH/file-identify.rules
382 -include $RULE_PATH/finger.rules
383 -include $RULE_PATH/ftp.rules
384 -include $RULE_PATH/icmp.rules
385 -include $RULE_PATH/icmp-info.rules
386 -include $RULE_PATH/imap.rules
387 -include $RULE_PATH/info.rules
388 -include $RULE_PATH/misc.rules
389 -include $RULE_PATH/multimedia.rules
390 -include $RULE_PATH/mysql.rules
391 -include $RULE_PATH/netbios.rules
392 -include $RULE_PATH/nntp.rules
393 -include $RULE_PATH/oracle.rules
394 -include $RULE_PATH/other-ids.rules
395 -include $RULE_PATH/p2p.rules
396 -include $RULE_PATH/phishing-spam.rules
397 -include $RULE_PATH/policy.rules
398 -include $RULE_PATH/pop2.rules
399 -include $RULE_PATH/pop3.rules
400 -include $RULE_PATH/rpc.rules
401 -include $RULE_PATH/rservices.rules
402 -include $RULE_PATH/scada.rules
403 -include $RULE_PATH/scan.rules
404 -include $RULE_PATH/shellcode.rules
405 -include $RULE_PATH/smtp.rules
406 -include $RULE_PATH/snmp.rules
407 -include $RULE_PATH/specific-threats.rules
408 -include $RULE_PATH/spyware-put.rules
409 -include $RULE_PATH/sql.rules
410 -include $RULE_PATH/telnet.rules
411 -include $RULE_PATH/tftp.rules
412 -include $RULE_PATH/virus.rules
413 -include $RULE_PATH/voip.rules
414 -include $RULE_PATH/web-activex.rules
415 -include $RULE_PATH/web-attacks.rules
416 -include $RULE_PATH/web-cgi.rules
417 -include $RULE_PATH/web-client.rules
418 -include $RULE_PATH/web-coldfusion.rules
419 -include $RULE_PATH/web-frontpage.rules
420 -include $RULE_PATH/web-iis.rules
421 -include $RULE_PATH/web-misc.rules
422 -include $RULE_PATH/web-php.rules
423 -include $RULE_PATH/x11.rules
424 +#! include $RULE_PATH/attack-responses.rules
425 +#! include $RULE_PATH/backdoor.rules
426 +#! include $RULE_PATH/bad-traffic.rules
427 +#! include $RULE_PATH/blacklist.rules
428 +#! include $RULE_PATH/botnet-cnc.rules
429 +#! include $RULE_PATH/chat.rules
430 +#! include $RULE_PATH/content-replace.rules
431 +#! include $RULE_PATH/ddos.rules
432 +#! include $RULE_PATH/dns.rules
433 +#! include $RULE_PATH/dos.rules
434 +#! include $RULE_PATH/exploit.rules
435 +#! include $RULE_PATH/file-identify.rules
436 +#! include $RULE_PATH/file-office.rules
437 +#! include $RULE_PATH/file-other.rules
438 +#! include $RULE_PATH/file-pdf.rules
439 +#! include $RULE_PATH/finger.rules
440 +#! include $RULE_PATH/ftp.rules
441 +#! include $RULE_PATH/icmp.rules
442 +#! include $RULE_PATH/icmp-info.rules
443 +#! include $RULE_PATH/imap.rules
444 +#! include $RULE_PATH/indicator-compromise.rules
445 +#! include $RULE_PATH/indicator-obfuscation.rules
446 +#! include $RULE_PATH/info.rules
447 +#! include $RULE_PATH/misc.rules
448 +#! include $RULE_PATH/multimedia.rules
449 +#! include $RULE_PATH/mysql.rules
450 +#! include $RULE_PATH/netbios.rules
451 +#! include $RULE_PATH/nntp.rules
452 +#! include $RULE_PATH/oracle.rules
453 +#! include $RULE_PATH/other-ids.rules
454 +#! include $RULE_PATH/p2p.rules
455 +#! include $RULE_PATH/phishing-spam.rules
456 +#! include $RULE_PATH/policy.rules
457 +#! include $RULE_PATH/policy-multimedia.rules
458 +#! include $RULE_PATH/policy-other.rules
459 +#! include $RULE_PATH/policy-social.rules
460 +#! include $RULE_PATH/pop2.rules
461 +#! include $RULE_PATH/pop3.rules
462 +#! include $RULE_PATH/pua-p2p.rules
463 +#! include $RULE_PATH/pua-toolbars.rules
464 +#! include $RULE_PATH/rpc.rules
465 +#! include $RULE_PATH/rservices.rules
466 +#! include $RULE_PATH/scada.rules
467 +#! include $RULE_PATH/scan.rules
468 +#! include $RULE_PATH/server-mail.rules
469 +#! include $RULE_PATH/shellcode.rules
470 +#! include $RULE_PATH/smtp.rules
471 +#! include $RULE_PATH/snmp.rules
472 +#! include $RULE_PATH/specific-threats.rules
473 +#! include $RULE_PATH/spyware-put.rules
474 +#! include $RULE_PATH/sql.rules
475 +#! include $RULE_PATH/telnet.rules
476 +#! include $RULE_PATH/tftp.rules
477 +#! include $RULE_PATH/virus.rules
478 +#! include $RULE_PATH/voip.rules
479 +#! include $RULE_PATH/web-activex.rules
480 +#! include $RULE_PATH/web-attacks.rules
481 +#! include $RULE_PATH/web-cgi.rules
482 +#! include $RULE_PATH/web-client.rules
483 +#! include $RULE_PATH/web-coldfusion.rules
484 +#! include $RULE_PATH/web-frontpage.rules
485 +#! include $RULE_PATH/web-iis.rules
486 +#! include $RULE_PATH/web-misc.rules
487 +#! include $RULE_PATH/web-php.rules
488 +#! include $RULE_PATH/x11.rules
490 ###################################################
491 # Step #8: Customize your preprocessor and decoder alerts
projects / packages.git / blob