-
Notifications
You must be signed in to change notification settings - Fork 15
/
fwsnort.conf
123 lines (109 loc) · 5.17 KB
/
fwsnort.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
#
###########################################################################
#
# This is the configuration file for fwsnort. There are some similarities
# between this file and the configuration file for Snort.
#
###########################################################################
#
### Fwsnort treats all traffic directed to / originating from the local
### machine as going to / coming from the HOME_NET in Snort rule parlance.
### If there is only one interface on the local system, then there will be
### no rules processed via the FWSNORT_FORWARD chain because no traffic
### would make it into the iptables FORWARD chain.
HOME_NET any;
EXTERNAL_NET any;
### List of servers. Fwsnort supports the same variable resolution as
### Snort.
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
### Configurable port numbers
SSH_PORTS 22;
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;
### Default update URL for new rules. This variable can be given multiple
### times on separate lines in order to specify multiple update URL's:
#UPDATE_RULES_URL <url1>
#UPDATE_RULES_URL <url2>
UPDATE_RULES_URL http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules;
### define average packet lengths and maximum frame length. This is
### used for iptables length match emulation of the Snort dsize option.
AVG_IP_HEADER_LEN 20; ### IP options are not usually used.
AVG_TCP_HEADER_LEN 30; ### Include 10 bytes for options
MAX_FRAME_LEN 1500;
### define the max length of the content (null terminated string) that
### can be passed to either the --hex-string or --string iptables matches.
### Note that as of fwsnort-1.5, the max string length supported by the
### local iptables instance is automatically determined, so this variable
### is not really needed, and just allows a max value to be set
### independently of what iptables supports.
MAX_STRING_LEN 1024;
### Use the WHITELIST variable to define a list of hosts/networks
### that should be completely ignored by fwsnort. For example, if you
### want to whitelist the IP 192.168.10.1 and the network 10.1.1.0/24,
### you would use (note that you can also specify multiple WHITELIST
### variables, one per line). Note that by default the update IP's for
### Emerging Threats ruleset downloads are whitelisted:
## Name: rules.emergingthreats.net
## Address: 96.43.137.99
## Name: rules.emergingthreats.net
## Address: 204.12.217.19
WHITELIST 96.43.137.99, 204.12.217.19;
### Use the BLACKLIST variable to define a list of hosts/networks
### that for which fwsnort should DROP or REJECT all traffic. For
### example, to DROP all traffic from the 192.168.10.0/24 network, you
### can use:
### BLACKLIST 192.168.10.0/24 DROP;
### To have fwsnort REJECT all traffic from 192.168.10.0/24, you would
### use:
### BLACKLIST 192.168.10.0/24 REJECT;
BLACKLIST NONE;
### define the jump position in the built-in chains to jump to the
### fwsnort chains
FWSNORT_INPUT_JUMP 1;
FWSNORT_OUTPUT_JUMP 1;
FWSNORT_FORWARD_JUMP 1;
### iptables chains (these do not normally need to be changed).
FWSNORT_INPUT FWSNORT_INPUT;
FWSNORT_INPUT_ESTAB FWSNORT_INPUT_ESTAB;
FWSNORT_OUTPUT FWSNORT_OUTPUT;
FWSNORT_OUTPUT_ESTAB FWSNORT_OUTPUT_ESTAB;
FWSNORT_FORWARD FWSNORT_FORWARD;
FWSNORT_FORWARD_ESTAB FWSNORT_FORWARD_ESTAB;
### fwsnort filesystem paths
INSTALL_ROOT /;
CONF_DIR $INSTALL_ROOT/etc/fwsnort;
RULES_DIR $CONF_DIR/snort_rules;
LOG_DIR $INSTALL_ROOT/var/log/fwsnort;
LIBS_DIR $INSTALL_ROOT/usr/lib/fwsnort; ### for perl modules
STATE_DIR $INSTALL_ROOT/var/lib/fwsnort;
QUEUE_RULES_DIR $STATE_DIR/snort_rules_queue;
ARCHIVE_DIR $STATE_DIR/archive;
CONF_FILE $CONF_DIR/fwsnort.conf;
LOG_FILE $LOG_DIR/fwsnort.log;
FWSNORT_SCRIPT $STATE_DIR/fwsnort_iptcmds.sh; ### slow version
FWSNORT_SAVE_EXEC_FILE $STATE_DIR/fwsnort.sh; ### main fwsnort.sh script
FWSNORT_SAVE_FILE $STATE_DIR/fwsnort.save; ### main fwsnort.save file
IPT_BACKUP_SAVE_FILE $STATE_DIR/iptables.save; ### iptables policy backup
### system binaries
shCmd /bin/sh;
catCmd /bin/cat;
grepCmd /bin/grep;
echoCmd /bin/echo;
tarCmd /bin/tar;
wgetCmd /usr/bin/wget;
unameCmd /usr/bin/uname;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
iptablesCmd /sbin/iptables;
iptables-saveCmd /sbin/iptables-save;
iptables-restoreCmd /sbin/iptables-restore;
ip6tablesCmd /sbin/ip6tables;
ip6tables-saveCmd /sbin/ip6tables-save;
ip6tables-restoreCmd /sbin/ip6tables-restore;