packages/snort: various fixes
[openwrt/svn-archive/archive.git] / net / snort / patches / 750-lightweight-config.patch
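--- a/etc/snort.conf
+++ b/etc/snort.conf
@@ -6,6 +6,7 @@
 #
 ###################################################
 # This file contains a sample snort configuration.
+# Most preprocessors and rules were disabled to save memory.
 # You can take the following steps to create your own custom configuration:
 #
 # 1) Set the variables for your network
@@ -43,10 +44,10 @@
 # or you can specify the variable to be any IP address
 # like this:
 
-var HOME_NET any
+var HOME_NET 192.168.1.0/24
 
 # Set up the external network addresses as well. A good start may be "any"
-var EXTERNAL_NET any
+var EXTERNAL_NET !$HOME_NET
 
 # Configure your server lists. This allows snort to only look for attacks to
 # systems that have a service up. Why look for HTTP attacks if you are not
@@ -107,8 +108,8 @@ var AIM_SERVERS [64.12.24.0/23,64.12.28.
 # Path to your rules files (this can be a relative path)
 # Note for Windows users: You are advised to make this an absolute path,
 # such as: c:\snort\rules
-var RULE_PATH ../rules
-var PREPROC_RULE_PATH ../preproc_rules
+var RULE_PATH /etc/snort/rules
+var PREPROC_RULE_PATH /etc/snort/preproc_rules
 
 # Configure the snort decoder
 # ============================
@@ -191,27 +192,27 @@ var PREPROC_RULE_PATH ../preproc_rules
 # Load all dynamic preprocessors from the install path
 # (same as command line option --dynamic-preprocessor-lib-dir)
 #
-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+#dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
 #
 # Load a specific dynamic preprocessor library from the install path
 # (same as command line option --dynamic-preprocessor-lib)
 #
-# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
+# dynamicpreprocessor file /usr/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
 #
 # Load a dynamic engine from the install path
 # (same as command line option --dynamic-engine-lib)
 #
-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+#dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
 #
 # Load all dynamic rules libraries from the install path
 # (same as command line option --dynamic-detection-lib-dir)
 #
-# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
+# dynamicdetection directory /usr/lib/snort_dynamicrules/
 #
 # Load a specific dynamic rule library from the install path
 # (same as command line option --dynamic-detection-lib)
 #
-# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
+# dynamicdetection file /usr/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so
 #
 
 ###################################################
@@ -307,11 +308,11 @@ preprocessor stream5_tcp: policy first,
 # lots of options available here. See doc/README.http_inspect.
 # unicode.map should be wherever your snort.conf lives, or given
 # a full path to where snort can find it.
-preprocessor http_inspect: global \
- iis_unicode_map unicode.map 1252
+#preprocessor http_inspect: global \
+# iis_unicode_map unicode.map 1252
 
-preprocessor http_inspect_server: server default \
- profile all ports { 80 8080 8180 } oversize_dir_length 500
+#preprocessor http_inspect_server: server default \
+# profile all ports { 80 8080 8180 } oversize_dir_length 500
 
 #
 # Example unique server configuration
@@ -345,7 +346,7 @@ preprocessor http_inspect_server: server
 # no_alert_incomplete - don't alert when a single segment
 # exceeds the current packet size
 
-preprocessor rpc_decode: 111 32771
+#preprocessor rpc_decode: 111 32771
 
 # bo: Back Orifice detector
 # -------------------------
@@ -368,7 +369,7 @@ preprocessor rpc_decode: 111 32771
 # 3 Back Orifice Server Traffic Detected
 # 4 Back Orifice Snort Buffer Attack
 
-preprocessor bo
+#preprocessor bo
 
 # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
 # ---------------------------------------------------------------------------
@@ -391,32 +392,32 @@ preprocessor bo
 # or use commandline option
 # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
 
-preprocessor ftp_telnet: global \
- encrypted_traffic yes \
- inspection_type stateful
-
-preprocessor ftp_telnet_protocol: telnet \
- normalize \
- ayt_attack_thresh 200
+#preprocessor ftp_telnet: global \
+# encrypted_traffic yes \
+# inspection_type stateful
+
+#preprocessor ftp_telnet_protocol: telnet \
+# normalize \
+# ayt_attack_thresh 200
 
 # This is consistent with the FTP rules as of 18 Sept 2004.
 # CWD can have param length of 200
 # MODE has an additional mode of Z (compressed)
 # Check for string formats in USER & PASS commands
 # Check nDTM commands that set modification time on the file.
-preprocessor ftp_telnet_protocol: ftp server default \
- def_max_param_len 100 \
- alt_max_param_len 200 { CWD } \
- cmd_validity MODE < char ASBCZ > \
- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
- chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
- telnet_cmds yes \
- data_chan
-
-preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 256 \
- bounce yes \
- telnet_cmds yes
+#preprocessor ftp_telnet_protocol: ftp server default \
+# def_max_param_len 100 \
+# alt_max_param_len 200 { CWD } \
+# cmd_validity MODE < char ASBCZ > \
+# cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+# chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
+# telnet_cmds yes \
+# data_chan
+
+#preprocessor ftp_telnet_protocol: ftp client default \
+# max_resp_len 256 \
+# bounce yes \
+# telnet_cmds yes
 
 # smtp: SMTP normalizer, protocol enforcement and buffer overflow
 # ---------------------------------------------------------------------------
@@ -434,15 +435,15 @@ preprocessor ftp_telnet_protocol: ftp cl
 # or use commandline option
 # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
 
-preprocessor smtp: \
- ports { 25 587 691 } \
- inspection_type stateful \
- normalize cmds \
- normalize_cmds { EXPN VRFY RCPT } \
- alt_max_command_line_len 260 { MAIL } \
- alt_max_command_line_len 300 { RCPT } \
- alt_max_command_line_len 500 { HELP HELO ETRN } \
- alt_max_command_line_len 255 { EXPN VRFY }
+#preprocessor smtp: \
+# ports { 25 587 691 } \
+# inspection_type stateful \
+# normalize cmds \
+# normalize_cmds { EXPN VRFY RCPT } \
+# alt_max_command_line_len 260 { MAIL } \
+# alt_max_command_line_len 300 { RCPT } \
+# alt_max_command_line_len 500 { HELP HELO ETRN } \
+# alt_max_command_line_len 255 { EXPN VRFY }
 
 # sfPortscan
 # ----------
@@ -498,9 +499,9 @@ preprocessor smtp: \
 # false alerts, especially under heavy load with dropped packets; which is why
 # the option is off by default.
 #
-preprocessor sfportscan: proto { all } \
- memcap { 10000000 } \
- sense_level { low }
+#preprocessor sfportscan: proto { all } \
+# memcap { 10000000 } \
+# sense_level { low }
 
 # arpspoof
 #----------------------------------------
@@ -605,8 +606,8 @@ preprocessor sfportscan: proto { all }
 # See doc/README.dcerpc2 for explanations of what the
 # preprocessor does and how to configure it.
 #
-preprocessor dcerpc2
-preprocessor dcerpc2_server: default
+#preprocessor dcerpc2
+#preprocessor dcerpc2_server: default
 
 
 # DNS
@@ -623,9 +624,9 @@ preprocessor dcerpc2_server: default
 # or use commandline option
 # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
 
-preprocessor dns: \
- ports { 53 } \
- enable_rdata_overflow
+#preprocessor dns: \
+# ports { 53 } \
+# enable_rdata_overflow
 
 # SSL
 #----------------------------------------
@@ -649,7 +650,7 @@ preprocessor dns: \
 # To add reassembly on port 443 to Stream5, use 'port both 443' in the
 # Stream5 configuration.
 
-preprocessor ssl: noinspect_encrypted, trustservers
+#preprocessor ssl: noinspect_encrypted, trustservers
 
 
 ####################################################################
@@ -808,44 +809,44 @@ include reference.config
 #=========================================
 
 include $RULE_PATH/local.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-
-include $RULE_PATH/sql.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
+#include $RULE_PATH/bad-traffic.rules
+#include $RULE_PATH/exploit.rules
+#include $RULE_PATH/scan.rules
+#include $RULE_PATH/finger.rules
+#include $RULE_PATH/ftp.rules
+#include $RULE_PATH/telnet.rules
+#include $RULE_PATH/rpc.rules
+#include $RULE_PATH/rservices.rules
+#include $RULE_PATH/dos.rules
+#include $RULE_PATH/ddos.rules
+#include $RULE_PATH/dns.rules
+#include $RULE_PATH/tftp.rules
+
+#include $RULE_PATH/web-cgi.rules
+#include $RULE_PATH/web-coldfusion.rules
+#include $RULE_PATH/web-iis.rules
+#include $RULE_PATH/web-frontpage.rules
+#include $RULE_PATH/web-misc.rules
+#include $RULE_PATH/web-client.rules
+#include $RULE_PATH/web-php.rules
+
+#include $RULE_PATH/sql.rules
+#include $RULE_PATH/x11.rules
+#include $RULE_PATH/icmp.rules
+#include $RULE_PATH/netbios.rules
+#include $RULE_PATH/misc.rules
+#include $RULE_PATH/attack-responses.rules
+#include $RULE_PATH/oracle.rules
+#include $RULE_PATH/mysql.rules
+#include $RULE_PATH/snmp.rules
+
+#include $RULE_PATH/smtp.rules
+#include $RULE_PATH/imap.rules
+#include $RULE_PATH/pop2.rules
+#include $RULE_PATH/pop3.rules
 
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
+#include $RULE_PATH/nntp.rules
+#include $RULE_PATH/other-ids.rules
 # include $RULE_PATH/web-attacks.rules
 # include $RULE_PATH/backdoor.rules
 # include $RULE_PATH/shellcode.rules
@@ -859,7 +860,7 @@ include $RULE_PATH/other-ids.rules
 # include $RULE_PATH/p2p.rules
 # include $RULE_PATH/spyware-put.rules
 # include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/experimental.rules
+#include $RULE_PATH/experimental.rules
 
 # include $PREPROC_RULE_PATH/preprocessor.rules
 # include $PREPROC_RULE_PATH/decoder.rules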
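Review bot: The new header line `# Most preprocessors and rules were disabled to save memory.` in the first hunk does not tell the next editor that the preprocessors commented out further down (ftp_telnet, smtp, dns, ssl, dcerpc2) are dynamic ones — the ftp_telnet, smtp and dns sections each reference a libsf_*_preproc.so — so re-enabling any of them presumably fails at startup unless the `dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/` line (and likely the `dynamicengine` line) that this same patch comments out is restored as well. The rules section also ends up including only local.rules, so the instance detects only what the operator puts there, and `var HOME_NET 192.168.1.0/24` stops matching traffic as soon as the LAN is renumbered. Suggest extending the header to: `# Most preprocessors and rules were disabled to save memory. Re-enabling ftp_telnet, smtp, dns, ssl or dcerpc2 also needs the dynamicpreprocessor/dynamicengine lines below; only local.rules is included, and HOME_NET must match your LAN.`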