[Snort-users] snort-inline and iptables INPUT chain

Laurent Haond lhaond at ...13100...
Wed Mar 2 08:57:56 EST 2005


Will Metcalf a écrit :

>hmmm what does your snort_inline.conf look like?  What version of
>snort-inline are you using?
>
>Regards,
>
>Will
>  
>
>
Using the latest snort 2.3.0, freshly compiled.
configure was: --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc --enable-inline --enable-flexresp
   

snort.conf :
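#===================================================
# snort.conf as posted (snort 2.3.0 built with --enable-inline --enable-flexresp).
# Two directives that the mail client had wrapped onto a second line (the
# AIM_SERVERS list and the perfmonitor file path) are rejoined here: snort
# reads each "var"/"preprocessor" directive as a single line, so the wrapped
# form would not have parsed as intended.

# --- Network variables -------------------------------------------------------
# HOME_NET is the protected LAN; every *_SERVERS variable is mapped onto it.
var HOME_NET 192.168.0.0/24
# NOTE(review): "any" also covers 192.168.0.0/24, so direction-keyed rules fire
# for LAN-to-LAN traffic as well; !$HOME_NET is the usual tuning if that is
# not wanted.
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
# SHELLCODE_PORTS is the negation of HTTP_PORTS (every port except 80).
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# AOL IM server ranges, on one line (was wrapped in the mail).
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Directory the include lines below resolve against.
var RULE_PATH /var/lib/snort

# --- Detection engine and preprocessors --------------------------------------
# lowmem keeps the pattern matcher's memory use small (at some cost in speed).
config detection: search-method lowmem

# Flow tracking; stats_interval 0 turns the periodic flow statistics off.
preprocessor flow: stats_interval 0 hash 2

# IP fragment reassembly.
preprocessor frag2

# TCP session tracking.
# NOTE(review): midstream_drop_alerts controls alerting on sessions picked up
# mid-stream; confirm against the 2.3.0 manual that it does what is intended
# here, since in inline mode stream4 behaviour affects what can be dropped.
preprocessor stream4: midstream_drop_alerts

# TCP stream reassembly with default options.
preprocessor stream4_reassemble

# Back Orifice traffic detector.
preprocessor bo

# Strips telnet negotiation codes before rule matching.
preprocessor telnet_decode

# Performance statistics every 60 s / 100 packets, on one line (was wrapped
# in the mail).
preprocessor perfmonitor: reset time 60 pktcnt 100 file /var/log/snort/perfs.log

# --- Output -----------------------------------------------------------------
# Binary unified alert and packet logs, rolled over at 5 MB each.
output alert_unified: filename /var/log/snort/alert,  limit 5M
output log_unified:   filename /var/log/snort/packet, limit 5M

include /var/lib/snort/classification.config
include /var/lib/snort/reference.config

# --- Rule sets --------------------------------------------------------------
# NOTE(review): with --enable-inline, only rules whose action is drop, sdrop
# or reject block traffic; the stock rule files below are alert rules unless
# they were edited, so check which of them actually carry drop actions before
# relying on this setup to block anything.
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
#==============================================================================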

I will give it a try without --enable-flexresp...

Regards

Laurent




