-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor: Update snort.ps1 to use UTF-8 encoding when writing rules t…
…o file
- Loading branch information
Showing
1 changed file
with
55 additions
and
54 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,15 +2,15 @@ | |
| # VRT Rule Packages Snort.conf | ||
| # | ||
| # For more information visit us at: | ||
| # http://www.snort.org Snort Website | ||
| # http://vrt-blog.snort.org/ Sourcefire VRT Blog | ||
| # http:\\www.snort.org Snort Website | ||
| # http:\\vrt-blog.snort.org\ Sourcefire VRT Blog | ||
| # | ||
| # Mailing list Contact: snort-sigs@lists.sourceforge.net | ||
| # Mailing list Contact: snort-users@lists.snort.org | ||
| # False Positive reports: [email protected] | ||
| # Snort bugs: [email protected] | ||
| # | ||
| # Compatible with Snort Versions: | ||
| # VERSIONS : 2.9.11 | ||
| # VERSIONS : 2.9.20 | ||
| # | ||
| # Snort build options: | ||
| # OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3 | ||
|
|
@@ -101,17 +101,17 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64. | |
| # Path to your rules files (this can be a relative path) | ||
| # Note for Windows users: You are advised to make this an absolute path, | ||
| # such as: c:\snort\rules | ||
| var RULE_PATH C:\Snort\rules | ||
| # var SO_RULE_PATH C:\Snort\so_rules | ||
| var PREPROC_RULE_PATH C:\Snort\preproc_rules | ||
| var RULE_PATH ..\rules | ||
| var SO_RULE_PATH ..\so_rules | ||
| var PREPROC_RULE_PATH ..\preproc_rules | ||
|
|
||
| # If you are using reputation preprocessor set these | ||
| # Currently there is a bug with relative paths, they are relative to where snort is | ||
| # not relative to snort.conf like the above variables | ||
| # This is completely inconsistent with how other vars work, BUG 89986 | ||
| # Set the absolute path appropriately | ||
| var WHITE_LIST_PATH C:\Snort\rules | ||
| var BLACK_LIST_PATH C:\Snort\rules | ||
| var WHITE_LIST_PATH ..\rules | ||
| var BLACK_LIST_PATH ..\rules | ||
|
|
||
| ################################################### | ||
| # Step #2: Configure the decoder. For more information, see README.decode | ||
|
|
@@ -126,7 +126,7 @@ config disable_tcpopt_experimental_alerts | |
| # Stop Alerts on obsolete TCP options | ||
| config disable_tcpopt_obsolete_alerts | ||
|
|
||
| # Stop Alerts on T/TCP alerts | ||
| # Stop Alerts on T\TCP alerts | ||
| config disable_tcpopt_ttcp_alerts | ||
|
|
||
| # Stop Alerts on all other TCPOption type events: | ||
|
|
@@ -141,7 +141,7 @@ config disable_ipopt_alerts | |
| # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts) | ||
| # config enable_decode_oversized_drops | ||
|
|
||
| # Configure IP / TCP checksum mode | ||
| # Configure IP \ TCP checksum mode | ||
| config checksum_mode: all | ||
|
|
||
| # Configure maximum number of flowbit references. For more information, see README.flowbits | ||
|
|
@@ -183,7 +183,7 @@ config checksum_mode: all | |
|
|
||
| # Configure default log directory for snort to log to. For more information see snort -h command line options (-l) | ||
| # | ||
| config logdir: C:\Snort\log | ||
| # config logdir: | ||
|
|
||
|
|
||
| ################################################### | ||
|
|
@@ -243,14 +243,15 @@ config paf_max: 16000 | |
| # For more information, see Snort Manual, Configuring Snort - Dynamic Modules | ||
| ################################################### | ||
|
|
||
| # path to dynamic preprocessor libraries | ||
| # path to dynamic preprocessor libraries | ||
| dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor | ||
|
|
||
| # path to base preprocessor engine | ||
| dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll | ||
|
|
||
| # path to dynamic rules libraries | ||
| # dynamicdetection directory C:\Snort\lib\snort_dynamicrules\ | ||
| #dynamicdetection directory C:\Snort\lib\snort_dynamicrules | ||
|
|
||
| ################################################### | ||
| # Step #5: Configure preprocessors | ||
|
|
@@ -262,17 +263,17 @@ dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll | |
|
|
||
| # Inline packet normalization. For more information, see README.normalize | ||
| # Does nothing in IDS mode | ||
| # preprocessor normalize_ip4 | ||
| # preprocessor normalize_tcp: ips ecn stream | ||
| # preprocessor normalize_icmp4 | ||
| # preprocessor normalize_ip6 | ||
| # preprocessor normalize_icmp6 | ||
| preprocessor normalize_ip4 | ||
| preprocessor normalize_tcp: ips ecn stream | ||
| preprocessor normalize_icmp4 | ||
| preprocessor normalize_ip6 | ||
| preprocessor normalize_icmp6 | ||
|
|
||
| # Target-based IP defragmentation. For more inforation, see README.frag3 | ||
| preprocessor frag3_global: max_frags 65536 | ||
| preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180 | ||
|
|
||
| # Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5 | ||
| # Target-Based stateful inspection\stream reassembly. For more inforation, see README.stream5 | ||
| preprocessor stream5_global: track_tcp yes, \ | ||
| track_udp yes, \ | ||
| track_icmp no, \ | ||
|
|
@@ -292,7 +293,7 @@ preprocessor stream5_tcp: log_asymmetric_traffic no, policy windows, \ | |
| preprocessor stream5_udp: timeout 180 | ||
|
|
||
| # performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor | ||
| # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 | ||
| # preprocessor perfmonitor: time 300 file \var\snort\snort.stats pktcnt 10000 | ||
|
|
||
| # HTTP normalization and anomaly detection. For more information, see README.http_inspect | ||
| preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 | ||
|
|
@@ -332,9 +333,9 @@ preprocessor http_inspect_server: server default \ | |
| preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete | ||
|
|
||
| # Back Orifice detection. | ||
| # preprocessor bo | ||
| preprocessor bo | ||
|
|
||
| # FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet | ||
| # FTP \ Telnet normalization and anomaly detection. For more information, see README.ftptelnet | ||
| preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted | ||
| preprocessor ftp_telnet_protocol: telnet \ | ||
| ayt_attack_thresh 20 \ | ||
|
|
@@ -415,7 +416,7 @@ preprocessor smtp: ports { 25 465 587 691 } \ | |
| xlink2state { enabled } | ||
|
|
||
| # Portscan detection. For more information, see README.sfportscan | ||
| preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } | ||
| # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } | ||
|
|
||
| # ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor | ||
| # preprocessor arpspoof | ||
|
|
@@ -430,7 +431,7 @@ preprocessor ssh: server_ports { 22 } \ | |
| enable_respoverflow enable_ssh1crc32 \ | ||
| enable_srvoverflow enable_protomismatch | ||
|
|
||
| # SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2 | ||
| # SMB \ DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2 | ||
| preprocessor dcerpc2: memcap 102400, events [co ] | ||
| preprocessor dcerpc2_server: default, policy WinXP, \ | ||
| detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ | ||
|
|
@@ -503,13 +504,13 @@ preprocessor dnp3: ports { 20000 } \ | |
| memcap 262144 \ | ||
| check_crc | ||
|
|
||
| # Reputation preprocessor. For more information see README.reputation | ||
| preprocessor reputation: \ | ||
| memcap 500, \ | ||
| priority whitelist, \ | ||
| nested_ip inner, \ | ||
| whitelist $WHITE_LIST_PATH\white.list, \ | ||
| blacklist $BLACK_LIST_PATH\black.list | ||
| # # Reputation preprocessor. For more information see README.reputation | ||
| # preprocessor reputation: \ | ||
| # memcap 500, \ | ||
| # priority whitelist, \ | ||
| # nested_ip inner, \ | ||
| # whitelist $WHITE_LIST_PATH\white_list.rules, \ | ||
| # #blacklist $BLACK_LIST_PATH\black_list.rules | ||
|
|
||
| ################################################### | ||
| # Step #6: Configure output plugins | ||
|
|
@@ -525,7 +526,7 @@ preprocessor reputation: \ | |
| # output log_unified2: filename snort.log, limit 128, nostamp | ||
|
|
||
| # syslog | ||
| # output alert_syslog: LOG_AUTH LOG_ALERT | ||
| output alert_syslog: LOG_AUTH LOG_ALERT | ||
|
|
||
| # pcap | ||
| # output log_tcpdump: tcpdump.log | ||
|
|
@@ -656,34 +657,34 @@ include $RULE_PATH\x11.rules | |
| ################################################### | ||
|
|
||
| # decoder and preprocessor event rules | ||
| include $PREPROC_RULE_PATH\preprocessor.rules | ||
| include $PREPROC_RULE_PATH\decoder.rules | ||
| include $PREPROC_RULE_PATH\sensitive-data.rules | ||
| # include $PREPROC_RULE_PATH\preprocessor.rules | ||
| # include $PREPROC_RULE_PATH\decoder.rules | ||
| # include $PREPROC_RULE_PATH\sensitive-data.rules | ||
|
|
||
| ################################################### | ||
| # Step #9: Customize your Shared Object Snort Rules | ||
| # For more information, see http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html | ||
| # For more information, see http:\\vrt-blog.snort.org\2009\01\using-vrt-certified-shared-object-rules.html | ||
| ################################################### | ||
|
|
||
| # dynamic library rules | ||
| # include $SO_RULE_PATH/bad-traffic.rules | ||
| # include $SO_RULE_PATH/chat.rules | ||
| # include $SO_RULE_PATH/dos.rules | ||
| # include $SO_RULE_PATH/exploit.rules | ||
| # include $SO_RULE_PATH/icmp.rules | ||
| # include $SO_RULE_PATH/imap.rules | ||
| # include $SO_RULE_PATH/misc.rules | ||
| # include $SO_RULE_PATH/multimedia.rules | ||
| # include $SO_RULE_PATH/netbios.rules | ||
| # include $SO_RULE_PATH/nntp.rules | ||
| # include $SO_RULE_PATH/p2p.rules | ||
| # include $SO_RULE_PATH/smtp.rules | ||
| # include $SO_RULE_PATH/snmp.rules | ||
| # include $SO_RULE_PATH/specific-threats.rules | ||
| # include $SO_RULE_PATH/web-activex.rules | ||
| # include $SO_RULE_PATH/web-client.rules | ||
| # include $SO_RULE_PATH/web-iis.rules | ||
| # include $SO_RULE_PATH/web-misc.rules | ||
| # include $SO_RULE_PATH\bad-traffic.rules | ||
| # include $SO_RULE_PATH\chat.rules | ||
| # include $SO_RULE_PATH\dos.rules | ||
| # include $SO_RULE_PATH\exploit.rules | ||
| # include $SO_RULE_PATH\icmp.rules | ||
| # include $SO_RULE_PATH\imap.rules | ||
| # include $SO_RULE_PATH\misc.rules | ||
| # include $SO_RULE_PATH\multimedia.rules | ||
| # include $SO_RULE_PATH\netbios.rules | ||
| # include $SO_RULE_PATH\nntp.rules | ||
| # include $SO_RULE_PATH\p2p.rules | ||
| # include $SO_RULE_PATH\smtp.rules | ||
| # include $SO_RULE_PATH\snmp.rules | ||
| # include $SO_RULE_PATH\specific-threats.rules | ||
| # include $SO_RULE_PATH\web-activex.rules | ||
| # include $SO_RULE_PATH\web-client.rules | ||
| # include $SO_RULE_PATH\web-iis.rules | ||
| # include $SO_RULE_PATH\web-misc.rules | ||
|
|
||
| # Event thresholding or suppression commands. See threshold.conf | ||
| include threshold.conf | ||