--- snort-wireless-2.4.3-alpha04/etc/snort.conf 2005-10-21 09:41:01.000000000 +0200 +++ /Users/florian/telechargements/snort.conf 2005-10-30 13:20:17.000000000 +0100 @@ -6,6 +6,7 @@ # ################################################### # This file contains a sample snort configuration. +# Most preprocessors and rules were disabled to save memory. # You can take the following steps to create your own custom configuration: # # 1) Set the variables for your network @@ -42,10 +43,10 @@ # or you can specify the variable to be any IP address # like this: -var HOME_NET any +var HOME_NET 192.168.1.0/24 # Set up the external network addresses as well. A good start may be "any" -var EXTERNAL_NET any +var EXTERNAL_NET !$HOME_NET # Configure your wireless AP lists. This allows snort to look for attacks # against your wireless network, such as rogue access points or adhoc wireless @@ -137,7 +138,7 @@ # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules -var RULE_PATH ../rules +var RULE_PATH /etc/snort/rules # Configure the snort decoder # ============================ @@ -413,11 +414,11 @@ # lots of options available here. See doc/README.http_inspect. # unicode.map should be wherever your snort.conf lives, or given # a full path to where snort can find it. -preprocessor http_inspect: global \ - iis_unicode_map unicode.map 1252 +#preprocessor http_inspect: global \ +# iis_unicode_map unicode.map 1252 -preprocessor http_inspect_server: server default \ - profile all ports { 80 8080 8180 } oversize_dir_length 500 +#preprocessor http_inspect_server: server default \ +# profile all ports { 80 8080 8180 } oversize_dir_length 500 # # Example unique server configuration @@ -451,7 +452,7 @@ # no_alert_incomplete - don't alert when a single segment # exceeds the current packet size -preprocessor rpc_decode: 111 32771 +#preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector # ------------------------- @@ -474,7 +475,7 @@ # 3 Back Orifice Server Traffic Detected # 4 Back Orifice Snort Buffer Attack -preprocessor bo +#preprocessor bo # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- @@ -486,7 +487,7 @@ # This preprocessor requires no arguments. # Portscan uses Generator ID 109 and does not generate any SID currently. -preprocessor telnet_decode +#preprocessor telnet_decode # sfPortscan # ---------- @@ -537,9 +538,9 @@ # are still watched as scanner hosts. The 'ignore_scanned' option is # used to tune alerts from very active hosts such as syslog servers, etc. # -preprocessor sfportscan: proto { all } \ - memcap { 10000000 } \ - sense_level { low } +#preprocessor sfportscan: proto { all } \ +# memcap { 10000000 } \ +# sense_level { low } # arpspoof #---------------------------------------- @@ -814,41 +815,41 @@ include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules -include $RULE_PATH/finger.rules -include $RULE_PATH/ftp.rules -include $RULE_PATH/telnet.rules -include $RULE_PATH/rpc.rules -include $RULE_PATH/rservices.rules -include $RULE_PATH/dos.rules -include $RULE_PATH/ddos.rules -include $RULE_PATH/dns.rules -include $RULE_PATH/tftp.rules - -include $RULE_PATH/web-cgi.rules -include $RULE_PATH/web-coldfusion.rules -include $RULE_PATH/web-iis.rules -include $RULE_PATH/web-frontpage.rules -include $RULE_PATH/web-misc.rules -include $RULE_PATH/web-client.rules -include $RULE_PATH/web-php.rules - -include $RULE_PATH/sql.rules -include $RULE_PATH/x11.rules -include $RULE_PATH/icmp.rules -include $RULE_PATH/netbios.rules -include $RULE_PATH/misc.rules -include $RULE_PATH/attack-responses.rules -include $RULE_PATH/oracle.rules -include $RULE_PATH/mysql.rules -include $RULE_PATH/snmp.rules - -include $RULE_PATH/smtp.rules -include $RULE_PATH/imap.rules -include $RULE_PATH/pop2.rules -include $RULE_PATH/pop3.rules +#include $RULE_PATH/finger.rules +#include $RULE_PATH/ftp.rules +#include $RULE_PATH/telnet.rules +#include $RULE_PATH/rpc.rules +#include $RULE_PATH/rservices.rules +#include $RULE_PATH/dos.rules +#include $RULE_PATH/ddos.rules +#include $RULE_PATH/dns.rules +#include $RULE_PATH/tftp.rules + +#include $RULE_PATH/web-cgi.rules +#include $RULE_PATH/web-coldfusion.rules +#include $RULE_PATH/web-iis.rules +#include $RULE_PATH/web-frontpage.rules +#include $RULE_PATH/web-misc.rules +#include $RULE_PATH/web-client.rules +#include $RULE_PATH/web-php.rules + +#include $RULE_PATH/sql.rules +#include $RULE_PATH/x11.rules +#include $RULE_PATH/icmp.rules +#include $RULE_PATH/netbios.rules +#include $RULE_PATH/misc.rules +#include $RULE_PATH/attack-responses.rules +#include $RULE_PATH/oracle.rules +#include $RULE_PATH/mysql.rules +#include $RULE_PATH/snmp.rules + +#include $RULE_PATH/smtp.rules +#include $RULE_PATH/imap.rules +#include $RULE_PATH/pop2.rules +#include $RULE_PATH/pop3.rules -include $RULE_PATH/nntp.rules -include $RULE_PATH/other-ids.rules +#include $RULE_PATH/nntp.rules +#include $RULE_PATH/other-ids.rules # include $RULE_PATH/web-attacks.rules # include $RULE_PATH/backdoor.rules # include $RULE_PATH/shellcode.rules @@ -856,11 +857,11 @@ # include $RULE_PATH/porn.rules # include $RULE_PATH/info.rules # include $RULE_PATH/icmp-info.rules - include $RULE_PATH/virus.rules +# include $RULE_PATH/virus.rules # include $RULE_PATH/chat.rules # include $RULE_PATH/multimedia.rules # include $RULE_PATH/p2p.rules -include $RULE_PATH/experimental.rules +#include $RULE_PATH/experimental.rules #include $RULE_PATH/wifi.rules # Include any thresholding or suppression commands. See threshold.conf in the