Gentoo's Bugzilla – Attachment 126045 details for Bug 186649: net-analyzer/snort-2.6.1* segfaults
snort.conf (text/plain), 4.15 KB, created by Jukka Ruohonen on 2007-07-26 07:40:58 UTC
#############
# VARIABLES #
#############

# Set environmental variables

var RULE_PATH /etc/snort/rules
var HOME_NET 127.0.0.1
var EXTERNAL_NET 192.168.2.100

# Set evaluation of the webserver

var HTTP_SERVERS 192.168.2.100
var HTTP_PORTS 80
var SHELLCODE_PORTS !80

#####################
# DYNAMIC LIBRARIES #
#####################

# We need only the dynamic engine.
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so

######################
# DECODER AND ALERTS #
######################

# Alert if value in length field (IP, TCP, UDP) is greater than the actual length of the captured packet.
config enable_decode_oversized_alerts

# Same as above, but drop packet if in inline mode - enable_decode_oversized_alerts must be enabled for this to work.
config enable_decode_oversized_drops

#################
# INLINE RESETS #
#################

# Inline resets for eth0. This is done via MAC address.

config layer2resets: 00:15:F2:30:F8:35

###################
# STREAM TRACKING #
###################

# We only use state_protection and detect_state_problems (e.g. data on a SYN packet) from the default config.
# The inline has enforce_state drop, but DO NOT enable it, as it had a HUGE impact on performance (with NO rules).
# The "possible EVASIVE FIN detection" alerts still flooded; use disable_evasion_alerts here too.

preprocessor stream4: state_protection, detect_state_problems, disable_evasion_alerts

# The TCP stream reassembly has defaults of (1) only reassembling the client on (2) default ports (3) giving alerts for bad streams.
# Use only for ports that are potentially vulnerable, meaning HTTP and SSH.

preprocessor stream4_reassemble: serveronly, ports { 80 38751 }, emergency_ports { 80 38751 }, favor_new

######################
# HTTP PREPROCESSOR #
######################

# Turn the HTTP inspect on.

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# The profile all is the default but the apache-profile is much better; e.g. only accept utf-8 with no backslashes.
# Yet, it disables many nice features so configure the profile manually with rather the same options as the Apache defaults, though:
#
# (1) increase the flow_depth (i.e. the bytes of a HTTP header) from the default of 300 to 600 (observe possible performance penalties).
# (2) reduce the oversize_dir_length from the default of 500 to 100.
# (3) disable alert on ascii decoding; it is recommended to disable this, but observe.
# (4) disable alert on multiple slashes like index///////.html; this was noisy when tested.
# (5) alert on utf_8 encoding; this is somewhat mandatory for Apache.
# (6) alert on directory traversals so that /foo/shit\_dir/../shit gets normalized to /foo/shit.
# (7) alert on directory traversals beyond the webserver root directory.
# (8) alert on non-RFC standards for the use of space delimiters; again rather mandatory for Apache.

preprocessor http_inspect_server: server default \
    ports { 80 } \
    flow_depth 600 \
    oversize_dir_length 100 \
    ascii yes \
    multi_slash yes \
    utf_8 yes \
    directory yes \
    webroot yes \
    apache_whitespace yes

##################
# OUTPUT PLUGINS #
##################

# Log to syslog (the scale runs from the usual log_debug log_info log_notice ... log_alert log_emerg).
output alert_syslog: log_auth log_info

# Log to tcpdump binary format.
output log_tcpdump: tcpdump.log

# Include classification and priority settings together with reference systems.
include classification.config
include reference.config

############
# RULESETS #
############

# As we now operate on inline, only include the queues to the webserver.

# We want to load only our own rules.
include $RULE_PATH/local.rules

# Webservers and clients.
include $RULE_PATH/web-cgi.rules
# include $RULE_PATH/web-client.rules
# include $RULE_PATH/community-web-client.rules
# include $RULE_PATH/web-php.rules
# include $RULE_PATH/web-coldfusion.rules
# include $RULE_PATH/web-iis.rules
# include $RULE_PATH/web-frontpage.rules
# include $RULE_PATH/web-misc.rules
# include $RULE_PATH/community-web-attacks.rules
# include $RULE_PATH/community-web-cgi.rules
# include $RULE_PATH/community-web-php.rules
# include $RULE_PATH/community-web-misc.rules
# include $RULE_PATH/community-sql-injection.rules
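A small consistency checker for the variable, preprocessor and include sections of a snort.conf like the one attached above. This is an added example and is not part of the attachment, of the bug report or of Snort itself. The embedded SAMPLE_CONF is a constructed subset of the posted file; the checker only understands `var` values that are a single address or CIDR (Snort also accepts `any`, lists and `!` negations, which it reports as unparsed rather than guessing at). It joins backslash continuations the way the http_inspect_server block uses them, expands `$RULE_PATH` in `include` lines, checks that every HTTP_PORTS port is covered by http_inspect_server, and flags that HTTP_SERVERS is declared inside EXTERNAL_NET and outside HOME_NET, which matters because the stock web rules are written as `$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS`.

```python
"""Consistency checks for a snort.conf (added example, not the bug report's file)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of the attached snort.conf, used here as sample input.
SAMPLE_CONF = r"""
var RULE_PATH /etc/snort/rules
var HOME_NET 127.0.0.1
var EXTERNAL_NET 192.168.2.100
var HTTP_SERVERS 192.168.2.100
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor stream4_reassemble: serveronly, ports { 80 38751 }, emergency_ports { 80 38751 }, favor_new
# Backslash continuations, as in the posted http_inspect_server block.
preprocessor http_inspect_server: server default \
    ports { 80 } \
    flow_depth 600 \
    oversize_dir_length 100 \
    ascii yes
include $RULE_PATH/local.rules
include $RULE_PATH/web-cgi.rules
"""


def logical_lines(text: str) -> List[str]:
    """Drop blank and comment lines and join backslash-continued lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:  # file ended inside a continuation
        out.append(buf.strip())
    return out


def parse(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return ({var name: value}, [(keyword, rest of line), ...])."""
    variables, directives = {}, []
    for line in logical_lines(text):
        keyword, _, rest = line.partition(" ")
        if keyword == "var":
            name, _, value = rest.strip().partition(" ")
            variables[name] = value.strip()
        else:
            directives.append((keyword, rest.strip()))
    return variables, directives


def expand(value: str, variables: Dict[str, str]) -> str:
    """Substitute $NAME references; unknown names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def to_network(value: str) -> Optional[ipaddress.IPv4Network]:
    """Single address or CIDR only; 'any', lists and '!' negations give None."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def ports_in(spec: str) -> List[int]:
    """Numeric ports in the first 'ports { ... }' group of a preprocessor line."""
    m = re.search(r"\bports\s*\{([^}]*)\}", spec)
    return sorted(int(p) for p in m.group(1).split() if p.isdigit()) if m else []


def include_paths(text: str) -> List[str]:
    """Expanded paths of every include directive, in file order."""
    variables, directives = parse(text)
    return [expand(rest, variables) for kw, rest in directives if kw == "include"]


def check(text: str) -> List[str]:
    """Return human-readable findings about the variable/preprocessor layout."""
    variables, directives = parse(text)
    findings = []
    home = to_network(variables.get("HOME_NET", ""))
    ext = to_network(variables.get("EXTERNAL_NET", ""))
    web = to_network(variables.get("HTTP_SERVERS", ""))
    for name, net in (("HOME_NET", home), ("EXTERNAL_NET", ext), ("HTTP_SERVERS", web)):
        if net is None:
            findings.append(f"{name} not parsed as a single address/CIDR: {variables.get(name)!r}")
    if web and ext and web.subnet_of(ext):
        findings.append(
            f"HTTP_SERVERS {web} lies inside EXTERNAL_NET {ext}: in rules of the form "
            "$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS the server counts as an "
            f"external source and clients outside {ext} are never matched")
    if web and home and not web.subnet_of(home):
        findings.append(f"HTTP_SERVERS {web} is not inside HOME_NET {home}")
    http_ports = {int(p) for p in variables.get("HTTP_PORTS", "").split() if p.isdigit()}
    for kw, rest in directives:
        if kw == "preprocessor" and rest.startswith("http_inspect_server"):
            missing = sorted(http_ports - set(ports_in(rest)))
            if missing:
                findings.append(f"HTTP_PORTS {missing} not covered by http_inspect_server ports")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF):
        print("finding:", finding)
    for path in include_paths(SAMPLE_CONF):
        print("include:", path)
```

Run against the sample it reports two findings (HTTP_SERVERS inside EXTERNAL_NET, HTTP_SERVERS outside HOME_NET) and lists the two expanded include paths; the port check stays quiet because http_inspect_server already covers the single HTTP_PORTS entry. The checker is deliberately strict about what it will parse: a negated or list-valued variable is reported rather than silently treated as a network, since a wrong guess there would hide exactly the class of mistake the check is for.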