[Snort-sigs] snort-rules CURRENT update @ Tue Dec 2 19:15:20 2003

bmc at ...95...
Tue Dec 2 16:16:01 EST 2003


This rule update was brought to you by Oinkmaster.

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "snort.conf":
       # You can take the following steps to create your own custom configuration:
       # You must change the following variables to reflect your local network. The
       # variable is currently setup for an RFC 1918 address space.
       # or use global variable $<interfacename>_ADDRESS which will be always
       # initialized to IP address and netmask of the network interface which you run
       # snort at.  Under Windows, this must be specified as
       # $(<interfacename>_ADDRESS), such as:
       # Set up the external network addresses as well.  A good start may be "any"
       # Configure your server lists.  This allows snort to only look for attacks to
       # systems that have a service up.  Why look for HTTP attacks if you are not
       # running a web server?  This allows quick filtering based on IP addresses
       # Configure your service ports.  This allows snort to look for attacks destined
       # to a specific application only on the ports that application runs on.  For
       # example, if you run a web server on port 8081, set your HTTP_PORTS variable
       ## var HTTP_PORTS 80 
       ## include somefile.rules 
       ## var HTTP_PORTS 8080
       ## include somefile.rules 
       # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
       # modifying the signatures when they do, we add them to this list of servers.
       # In snort 2.0.1 and above, this only alerts when the a TCP option is detected
       # that shows T/TCP being actively used on the network.  If this is normal
       # behavior for your network, disable the next option.
       # config disable_tcpopt_ttcp_alerts
       # Use a different pattern matcher in case you have a machine with very limited
       # resources:
       # Configure Flow tracking module
       # The Flow tracking module is meant to start unifying the state keeping
       # mechanisms of snort into a single place. Right now, only a portscan detector
       # is implemented but in the long term,  many of the stateful subsystems of
       # snort will be migrated over to becoming flow plugins. This must be enabled
       # for flow-portscan to work correctly.
       # See README.flow for additional information
       # preprocessor flow: stats_interval 0 hash 2
       # Configure Thresholding and Suppression
       # ======================================
       # Thresholding:
       # This feature is used to reduce the number of logged alerts for noisy rules.
       # This can be tuned to significantly reduce false alarms, and it can also be
       # used to write a newer breed of rules. Thresholding commands limit the number
       # of times a particular event is logged during a specified time interval.
       # There are 3 types of thresholding:
       #        1) Limit
       #           Alert on the 1st M events during the time interval, then ignore events
       #           for the rest of the time interval.
       #        2) Threshold
       #           Alert every M times we see this event during the time interval.
       #        3) Both
       #           Alert once per time interval after seeing M occurrences of the event,
       #           then ignore any additional events during the time interval.
       # Threshold commands are formatted as:
       # threshold gen_id gen-id, sig_id sig-id, type limit|threshold|both, track
       # by_src|by_dst, count n , seconds m
       # Limit to logging 1 event per 60 seconds
       # threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
       # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
       # each rule (rules are gen_id 1).
       # threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
       # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
       # any alert for any event generator
       # threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
       # Thresholding do not have to be stand-alone commands, and can also be applied
       # to a rule. Please read README.thresholding for more information on
       # thresholding.
       # Suppression:
       # Suppression commands are standalone commands that reference generators and
       # sids and IP addresses via a CIDR block. This allows a rule to be completely
       # suppressed, or suppressed when the causitive traffic is going to or comming
       # from a specific IP or group of IP addresses.
       #  Suppress this event completely
       # suppress gen_id 1, sig_id 1852
       #  Suppress this event from this IP
       # suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
       #  Suppress this event to this CIDR block
       # suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
       # arguments loads the default configuration of the preprocessor, which is a 60
       # second timeout and a 4MB fragment buffer. 
       # Use in concert with the -z [all|est] command line switch to defeat stick/snot
       # against TCP rules.  Also performs full TCP stream reassembly, stateful
       # inspection of TCP streams, etc.  Can statefully detect various portscan
       # types, fingerprinting, ECN, etc.
       #    ports { 80 3128 8080 } \
       # RPC may be sent in alternate encodings besides the usual 4-byte encoding that
       # is used by default.  This preprocessor normalized RPC traffic in much the
       # same way as the http_decode preprocessor.  This plugin takes the ports
       # numbers that RPC services are running on as arguments.
       # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
       # traffic.  It works in much the same way as the http_decode preprocessor,
       # searching for traffic that breaks up the normal data stream of a protocol and
       # replacing it with a normalized representation of that traffic so that the
       # "content" pattern matching keyword can work without requiring modifications.
       # Flow-Portscan: detect a variety of portscans
       # Note:  The Flow preprocessor (above) must first be enabled for Flow-Portscan to
       # work.
       # This module detects portscans based off of flow creation in the flow
       # preprocessors.  The goal is to catch catch one->many hosts and one->many
       # ports scans.
       # Flow-Portscan has numerous options available, please read
       # README.flow-portscan for help configuring this option. 
       # Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
       #   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
       #   2       flow-portscan: Sliding Scale Scanner Limit Exceeded 
       #   3       flow-portscan: Fixed Scale Talker Limit Exceeded
       #   4	    flow-portscan: Sliding Scale Talker Limit Exceeded
       # preprocessor flow-portscan: \
       #	talker-sliding-scale-factor 0.50 \
       #	talker-fixed-threshold 30 \
       #	talker-sliding-threshold 30 \
       #	talker-sliding-window 20 \
       #	talker-fixed-window 30 \
       #	scoreboard-rows-talker 30000 \
       #	server-watchnet $HOME_NET \
       #	server-ignore-limit 200 \
       #	server-rows 65535 \
       #	server-learning-time 14400 \
       #	server-scanner-limit 4 \
       #	scanner-sliding-window 20 \
       #	scanner-sliding-scale-factor 0.50 \
       #	scanner-fixed-threshold 15 \
       #	scanner-sliding-threshold 40 \
       #	scanner-fixed-window 15 \
       #	scoreboard-rows-scanner 30000 \
       #	src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
       #	dst-ignore-net [10.0.0.0/30] \
       #	alert-mode once \
       #	output-mode pktkludge \
       #	tcp-penalties on \
       #	base-score 1
       # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
       # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
       # this preprocessor you must specify the IP and hardware address of hosts on
       # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
       # Performance Statistics
       # ----------------------
       # Uncomment and configure the output plugins you decide to use.  General
       # configuration for output plugins is of the form:
       # Use one or more syslog facilities as arguments.  Win32 can also optionally
       # specify a particular hostname/port.  Under Win32, the default hostname is
       # '127.0.0.1', and the default port is 514.
       # The unified output plugin provides two new formats for logging and generating
       # alerts from Snort, the "unified" format.  The unified format is a straight
       # binary format for logging data out of Snort that is designed to be fast and
       # efficient.  Used with barnyard (the new alert/log processor), most of the
       # overhead for logging and alerting to various slow storage mechanisms such as
       # databases or the network can now be avoided.  
       # You can optionally define new rule types and associate one or more output
       # plugins specifically to that type.
       # This example will create a rule type that will log to syslog and a mysql
       # database:
       # EXAMPLE RULE FOR REDALERT RULETYPE:
       # The snort web site has documentation about how to write your own custom snort
       # rules.
       # The rules included with this distribution generate alerts based on on
       # suspicious activity. Depending on your network environment, your security
       # policies, and what you consider to be suspicious, some of these rules may
       # either generate false positives ore may be detecting activity you consider to
       # be acceptable; therefore, you are encouraged to comment out rules that are
       # not applicable in your environment.
       # The following individuals contributed many of rules in this distribution.
       # The following rulesets are disabled by default:
       #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
       #   chat, multimedia, and p2p
       #            
       # These rules are either site policy specific or require tuning in order to not
       # generate false positive alerts in most enviornments.
       # Please read the specific include file for more information and
       # README.alert_order for how rule ordering affects how alerts are triggered.
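Review bot: the disabled-by-default list in the new text (web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus, chat, multimedia, and p2p) adds web-attacks, porn, icmp-info, chat, multimedia and p2p to the five rulesets the previous comment listed, so a site that takes this snort.conf on update loses web-attacks coverage unless it re-enables that include; the comment should say which rulesets are newly disabled and name the include lines to uncomment. The portscan detector documented here is now flow-portscan on Generator ID 121, and every preprocessor line in this region is commented out, including `# preprocessor flow: stats_interval 0 hash 2`, while the text states that flow must be enabled for flow-portscan to work; the comment should point at the live `preprocessor flow:` line it expects, and existing threshold or suppress entries written against the old portscan GID 100 will need rewriting for gen_id 121. Typos in the new comment text worth fixing upstream: "causitive", "comming", "ore may be", "enviornments", "catch catch", "based on on", "when the a TCP option", "many of rules".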

  [---]      Removed lines:      [---]
    -> File "snort.conf":
       # You can take the following steps to create your 
       # own custom configuration:
       # You must change the following variables to reflect
       # your local network. The variable is currently 
       # setup for an RFC 1918 address space.
       # or use global variable $<interfacename>_ADDRESS 
       # which will be always initialized to IP address and 
       # netmask of the network interface which you run
       # snort at.  Under Windows, this must be specified
       # as $(<interfacename>_ADDRESS), such as:
       # Set up the external network addresses as well.  
       # A good start may be "any"
       # Configure your server lists.  This allows snort to only look for attacks
       # to systems that have a service up.  Why look for HTTP attacks if you are
       # not running a web server?  This allows quick filtering based on IP addresses
       output log_unified
       # Configure your service ports.  This allows snort to look for attacks 
       # destined to a specific application only on the ports that application
       # runs on.  For example, if you run a web server on port 8081, set your
       # HTTP_PORTS variable like this:
       # var HTTP_PORTS 80 
       # include web.rules
       # var HTTP_PORTS 8080
       # include web.rules
       # AIM servers.  AOL has a habit of adding new AIM servers, so instead of 
       # modifying the signatures when they do, we add them to this list of 
       # servers.
       #  In snort 2.0.1 and above, this only alerts when the a TCP option
       #  is detected that shows T/TCP being actively used on the network.
       #  If this is normal behavior for your network, disable the next option.
       #   config disable_tcpopt_ttcp_alerts
       # Use a different pattern matcher in case you have a machine with very
       # limited resources:
       # arguments loads the default configuration of the preprocessor, which is a 
       # 60 second timeout and a 4MB fragment buffer. 
       # Use in concert with the -z [all|est] command line switch to defeat 
       # stick/snot against TCP rules.  Also performs full TCP stream 
       # reassembly, stateful inspection of TCP streams, etc.  Can statefully
       # detect various portscan types, fingerprinting, ECN, etc.
       # RPC may be sent in alternate encodings besides the usual
       # 4-byte encoding that is used by default.  This preprocessor
       # normalized RPC traffic in much the same way as the http_decode
       # preprocessor.  This plugin takes the ports numbers that RPC 
       # services are running on as arguments.
       # This preprocessor "normalizes" telnet negotiation strings from
       # telnet and ftp traffic.  It works in much the same way as the 
       # http_decode preprocessor, searching for traffic that breaks up
       # the normal data stream of a protocol and replacing it with 
       # a normalized representation of that traffic so that the "content"
       # pattern matching keyword can work without requiring modifications.
       # Portscan: detect a variety of portscans
       # portscan preprocessor by Patrick Mullen <p_mullen at ...849...>
       # This preprocessor detects UDP packets or TCP SYN packets going to
       # four different ports in less than three seconds. "Stealth" TCP
       # packets are always detected, regardless of these settings.
       # Portscan uses Generator ID 100 and uses the following SIDS for that GID:
       #   1       Portscan detect
       #   2       Inter-scan info
       #   3       Portscan End
       # preprocessor portscan: $HOME_NET 4 3 portscan.log
       # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
       # specific networks or hosts to reduce false alerts. It is typical
       # to see many false alerts from DNS servers so you may want to
       # add your DNS servers here. You can all multiple hosts/networks
       # in a whitespace-delimited list.
       #preprocessor portscan-ignorehosts: 0.0.0.0
       # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, 
       # unicast ARP requests, and specific ARP mapping monitoring.  To make use
       # of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
       # Experimental Perf stats
       # -----------------------
       # Uncomment and configure the output plugins you decide to use.
       # General configuration for output plugins is of the form:
       # Use one or more syslog facilities as arguments.  Win32 can also
       # optionally specify a particular hostname/port.  Under Win32, the
       # default hostname is '127.0.0.1', and the default port is 514.
       # The unified output plugin provides two new formats for logging
       # and generating alerts from Snort, the "unified" format.  The
       # unified format is a straight binary format for logging data 
       # out of Snort that is designed to be fast and efficient.  Used
       # with barnyard (the new alert/log processor), most of the overhead
       # for logging and alerting to various slow storage mechanisms
       # such as databases or the network can now be avoided.  
       # You can optionally define new rule types and associate one or 
       # more output plugins specifically to that type.
       # This example will create a rule type that will log to syslog
       # and a mysql database.
       # EXAMPLE RULE FOR REDALERT RULETYPE
       # The snort web site has documentation about how to write your own 
       # custom snort rules.
       # The rules included with this distribution generate alerts based on
       # on suspicious activity. Depending on your network environment, your
       # security policies, and what you consider to be suspicious, some of
       # these rules may either generate false positives ore may be detecting
       # activity you consider to be acceptable; therefore, you are
       # encouraged to comment out rules that are not applicable in your
       # environment.
       # Note that using all of the rules at the same time may lead to
       # serious packet loss on slower machines. YMMV, use with caution,
       # standard disclaimers apply. :)
       # The following individuals contributed many of rules in this
       # distribution.
       # shellcode, policy, info, backdoor, and virus rulesets are 
       # disabled by default.  These require tuning and maintance.  
       # Please read the included specific file for more information.
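Review bot: `output log_unified` is the only non-comment line in this removed set and has no counterpart among the added lines, so an active unified-output directive is being dropped from the shipped snort.conf rather than a comment being reworded; anyone feeding barnyard from that output should confirm the merged config still carries the `output log_unified` line with the filename and limit they expect. The removed portscan block (GID 100 with SIDs 1 to 3, `preprocessor portscan: $HOME_NET 4 3 portscan.log` and `preprocessor portscan-ignorehosts`) goes without a migration note; a line mapping those settings to flow-portscan's `src-ignore-net` and GID 121 would save upgraders a silent detection gap. The dropped warning that enabling all rulesets at once can cause serious packet loss on slower machines has no replacement in the added text; consider keeping it.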