summaryrefslogtreecommitdiff
path: root/openwrt/package/snort/patches/750-lightweight-config.patch
blob: c8bde27f51b68c2a51d7f5a41725e616fa783d6d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
--- snort-2.3.2-orig/etc/snort.conf	2005-03-10 23:04:38.000000000 +0100
+++ snort-2.3.2-1/etc/snort.conf	2005-04-04 20:01:41.000000000 +0200
@@ -6,6 +6,7 @@
 #
 ###################################################
 # This file contains a sample snort configuration. 
+# Most preprocessors and rules were disabled to save memory.
 # You can take the following steps to create your own custom configuration:
 #
 #  1) Set the network variables for your network
@@ -41,10 +42,10 @@
 # or you can specify the variable to be any IP address
 # like this:
 
-var HOME_NET any
+var HOME_NET 192.168.1.0/24
 
 # Set up the external network addresses as well.  A good start may be "any"
-var EXTERNAL_NET any
+var EXTERNAL_NET !$HOME_NET
 
 # Configure your server lists.  This allows snort to only look for attacks to
 # systems that have a service up.  Why look for HTTP attacks if you are not
@@ -106,7 +107,7 @@
 # Path to your rules files (this can be a relative path)
 # Note for Windows users:  You are advised to make this an absolute path,
 # such as:  c:\snort\rules
-var RULE_PATH ../rules
+var RULE_PATH /etc/snort/rules
 
 # Configure the snort decoder
 # ============================
@@ -297,11 +298,11 @@
 # lots of options available here. See doc/README.http_inspect.
 # unicode.map should be wherever your snort.conf lives, or given
 # a full path to where snort can find it.
-preprocessor http_inspect: global \
-    iis_unicode_map unicode.map 1252 
+#preprocessor http_inspect: global \
+#    iis_unicode_map unicode.map 1252 
 
-preprocessor http_inspect_server: server default \
-    profile all ports { 80 8080 8180 } oversize_dir_length 500
+#preprocessor http_inspect_server: server default \
+#    profile all ports { 80 8080 8180 } oversize_dir_length 500
 
 #
 #  Example unique server configuration
@@ -335,7 +336,7 @@
 # no_alert_incomplete - don't alert when a single segment
 #                       exceeds the current packet size
 
-preprocessor rpc_decode: 111 32771
+#preprocessor rpc_decode: 111 32771
 
 # bo: Back Orifice detector
 # -------------------------
@@ -347,7 +348,7 @@
 # -----   -------------------
 #   1       Back Orifice traffic detected
 
-preprocessor bo
+#preprocessor bo
 
 # telnet_decode: Telnet negotiation string normalizer
 # ---------------------------------------------------
@@ -359,7 +360,7 @@
 # This preprocessor requires no arguments.
 # Portscan uses Generator ID 109 and does not generate any SID currently.
 
-preprocessor telnet_decode
+#preprocessor telnet_decode
 
 # Flow-Portscan: detect a variety of portscans
 # ---------------------------------------
@@ -455,9 +456,9 @@
 #       are still watched as scanner hosts.  The 'ignore_scanned' option is
 #       used to tune alerts from very active hosts such as syslog servers, etc.
 #
-preprocessor sfportscan: proto  { all } \
-                         memcap { 10000000 } \
-                         sense_level { low }
+#preprocessor sfportscan: proto  { all } \
+#                         memcap { 10000000 } \
+#                         sense_level { low }
 
 # arpspoof
 #----------------------------------------
@@ -642,41 +643,41 @@
 include $RULE_PATH/bad-traffic.rules
 include $RULE_PATH/exploit.rules
 include $RULE_PATH/scan.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-
-include $RULE_PATH/sql.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
+#include $RULE_PATH/finger.rules
+#include $RULE_PATH/ftp.rules
+#include $RULE_PATH/telnet.rules
+#include $RULE_PATH/rpc.rules
+#include $RULE_PATH/rservices.rules
+#include $RULE_PATH/dos.rules
+#include $RULE_PATH/ddos.rules
+#include $RULE_PATH/dns.rules
+#include $RULE_PATH/tftp.rules
+
+#include $RULE_PATH/web-cgi.rules
+#include $RULE_PATH/web-coldfusion.rules
+#include $RULE_PATH/web-iis.rules
+#include $RULE_PATH/web-frontpage.rules
+#include $RULE_PATH/web-misc.rules
+#include $RULE_PATH/web-client.rules
+#include $RULE_PATH/web-php.rules
+
+#include $RULE_PATH/sql.rules
+#include $RULE_PATH/x11.rules
+#include $RULE_PATH/icmp.rules
+#include $RULE_PATH/netbios.rules
+#include $RULE_PATH/misc.rules
+#include $RULE_PATH/attack-responses.rules
+#include $RULE_PATH/oracle.rules
+#include $RULE_PATH/mysql.rules
+#include $RULE_PATH/snmp.rules
+
+#include $RULE_PATH/smtp.rules
+#include $RULE_PATH/imap.rules
+#include $RULE_PATH/pop2.rules
+#include $RULE_PATH/pop3.rules
 
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
+#include $RULE_PATH/nntp.rules
+#include $RULE_PATH/other-ids.rules
 # include $RULE_PATH/web-attacks.rules
 # include $RULE_PATH/backdoor.rules
 # include $RULE_PATH/shellcode.rules
@@ -684,11 +685,11 @@
 # include $RULE_PATH/porn.rules
 # include $RULE_PATH/info.rules
 # include $RULE_PATH/icmp-info.rules
- include $RULE_PATH/virus.rules
+# include $RULE_PATH/virus.rules
 # include $RULE_PATH/chat.rules
 # include $RULE_PATH/multimedia.rules
 # include $RULE_PATH/p2p.rules
-include $RULE_PATH/experimental.rules
+#include $RULE_PATH/experimental.rules
 
 # Include any thresholding or suppression commands. See threshold.conf in the
 # <snort src>/etc directory for details. Commands don't necessarily need to be