r60 - 14 Jul 2008 - 11:06:25 - JamesMcQuaidYou are here: TWiki > 
Main Web > AllProjects > SnortConfSamples
Main Web > AllProjects > SnortConfSamplesSnort.Conf Samples
The goal of this project is to make a set of sample snort.conf files. These will represent different size and goal installs of snort. We do not intend to provide snort.conf files that you can use without modification or understanding, but guides to help you benefit from the experience of the community as a whole. The discussion to create these configuration files will occur on the bleeding-sigs list. The files for this project will be stored here: http://doc.emergingthreats.net/bin/view/Main/SnortConfSamples Smoothwall and Honeywall files are at: http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples Russian Business Network files are at: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork We welcome submissions and tips to improve these files, as well as ideas for new types of configs to add. This project is maintained by JamesMcQuaid -- MattJonkman - 20 Mar 2007Updates:
Updated versions of many of these files are available at: http://doc.emergingthreats.net/bin/view/Main/SnortConfSamples * Diagram portraying home network defended by multiple layers of Snort Inline:
Honeywall Roo 1.0:
- snort_inline_roo-1.0.hw-139.conf: Snort.conf for Roo 1.0
- A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network_roo-1.0.hw-139.pdf: Bleeding topology for the home (Roo 1.0)
- A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network_roo-1.0.hw-139.txt: Bleeding topology for the home (Roo 1.0)
- snort_inline.conf: Honeywall snort-inline configuration: Bleeding Snort config for Honeywall Roo 1.1
- A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.doc: Bleeding topology for the home: Honeywall Roo 1.1 and 1.2
- A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.pdf: Bleeding topology for the home: Honeywall Roo 1.1 and 1.2
- crontab: crontab file for Honeywall which schedules reboot.pl and clean.pl
- clean.pl.txt: Clean out Honeywall's logging directories on a schedule
- reboot.pl.txt: Reboot Honeywall on a schedule
- snort.in: snort.in for Smoothwall Express 2.0 Fixes 1-9
- snort.conf: snort.conf for Smoothwall Express 2.0 Fixes 1-9
- SmoothwallSnortHowTo.txt: This file explains how to set up snort on Smoothwall Express 2.0 Fixes 1-9
- blackhole.conf: 80,000 blacklisted domains for Smoothwall 2.0; leave last line blank. Includes the RBN's Malaysian domains. Updated 12-9-2007.
- config: IP blocks for Smoothwall 2.0: includes the RBN, Chinese hackers, trojan servers, viral spam boxes, bogons and hijacked ranges. A base upon which to build a customized home firewall.
- dedupe.pl.txt: Rename to dedupe.pl. Sorts and removes duplicate entries in Smoothwall's blackhole.conf; populates newblackhole.conf file (which you then rename to blackhole.conf).
- dnsmasq.conf: DNSMasq config for Smoothwall 2.0's blackhole
- tldblackhole.conf: Top Level Domains for Smoothwall 2.0; add to top of blackhole.conf; edit to suit your preferences
- BadMP3SitesBlackhole.txt: Evil MP3 sites targeting the kids with malware. Use in Smoothwall 2.0's blackhole.conf file.
- http://sourceforge.net/projects/smoothiemods/ Smoothwall Homebrew Mods at sourceforge
- config-ipblock_Smoothwall3: IP blocks for Smoothwall 3: includes the RBN, Chinese hackers, trojan servers, viral spam boxes, bogons and hijacked ranges (with descriptions). A base upon which to build a customized home firewall. Customizing your firewall: you can obtain bad IPs by looking at the Bleeding DShield rules, the Bleeding Compromised rules, the Bleeding Drop rules, and the Bleeding BotCC? rules (I have included group 1 of 16). Also, regularly read Symantec's Threat Explorer (http://www.symantec.com/business/security_response/threatexplorer/threats.jsp) and SRI's Multiperspective Malware Infection Analysis Page (http://www.cyber-ta.org/releases/malware-analysis/public/). If you are a Windows user, you can edit these files with Notepad++ (http://sourceforge.net/projects/notepad-plus/).
- config-hosts: 80,000 blacklisted domains for Smoothwall 3; leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Includes the RBN's Malaysian domains. Updated 12-9-2007.
- hosts: 80,000 blacklisted domains for Smoothwall 3; also placed in /var/smoothwall/hosts/. Includes the RBN's Malaysian domains. Updated 12-9-2007.
- RussianBusinessNetworkIPs.txt Updated 12-5-2007.
- 4000RBNDomainsAndObjects.txt: Apply liberally. Updated 12-5-2007.
- http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7740
- http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html
- http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
- http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html
- http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines
- http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new
- "The Russians Go Chinese": http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829
- Bleeding RBN Signatures: http://docs.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
- David Bizeul's research: http://isc.sans.org/presentations/RBN_study.pdf
- RBNExploit: http://rbnexploit.blogspot.com
- ChineseAttackIPs.txt Recent DOS attacks
- bogons: Complete list of bogons on 10-21-2007
- BlackholeForFirekeeper.txt: Snort in the browser evil domain blocking
- BlackholeForFirekeeperInstructions.txt: Blackhole DNS in Firefox
Show attachments
Hide attachments
| I | Attachment | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|
 txt | 4000RBNDomainsAndObjects.txt | manage | 83.1 K | 06 Dec 2007 - 01:19 | JamesMcQuaid | Apply liberally. Updated 12-5-2007. |
 doc | A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.doc | manage | 474.5 K | 27 Aug 2007 - 03:05 | JamesMcQuaid | Bleeding topology for the home: Honeywall Roo 1.1 and 1.2 |
 odt | A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.odt | manage | 203.4 K | 06 May 2007 - 13:42 | JamesMcQuaid | Bleeding topology for the home (Roo 1.0) |
 pdf | A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.pdf | manage | 429.1 K | 27 Aug 2007 - 03:06 | JamesMcQuaid | Bleeding topology for the home: Honeywall Roo 1.1 and 1.2 |
| txt | A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.txt | manage | 19.6 K | 26 Aug 2007 - 02:03 | JamesMcQuaid | Bleeding topology for the home |
| pdf | A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network_roo-1.0.hw-139.pdf | manage | 95.1 K | 26 Aug 2007 - 19:21 | JamesMcQuaid | Bleeding topology for the home (Roo 1.0) |
| txt | A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network_roo-1.0.hw-139.txt | manage | 19.6 K | 26 Aug 2007 - 19:22 | JamesMcQuaid | Bleeding topology for the home (Roo 1.0) |
| txt | BadMP3SitesBlackhole.txt | manage | 12.8 K | 05 Oct 2007 - 01:47 | JamesMcQuaid | Evil MP3 sites targeting the kids with malware. Use in Smoothwall 2.0's blackhole.conf file. |
| txt | BlackholeForFirekeeper.txt | manage | 2917.4 K | 27 Oct 2007 - 22:05 | JamesMcQuaid | Snort in the browser evil domain and file blocking |
| txt | BlackholeForFirekeeperInstructions.txt | manage | 0.9 K | 22 Oct 2007 - 04:21 | JamesMcQuaid | Blackhole DNS in Firefox |
 gif | BleedingNetworkTopology.gif | manage | 99.8 K | 11 Nov 2007 - 21:19 | JamesMcQuaid | |
| txt | ChineseAttackIPs.txt | manage | 15.8 K | 06 Nov 2007 - 12:28 | JamesMcQuaid | Note "The Russians Go Chinese": http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829 |
| txt | ChineseAttackIPsForSmoothwall.txt | manage | 13.2 K | 14 Oct 2007 - 20:44 | JamesMcQuaid | Chinese hacking gang ambushed on 10-13-2007. Discussion included. Block list for Smoothwall. |
| txt | RussianBusinessNetworkIPs.txt | manage | 77.2 K | 06 Dec 2007 - 01:26 | JamesMcQuaid | Updated 12-5-2007. |
| txt | RussianBusinessNetworkIPsSmoothwall.txt | manage | 3.9 K | 08 Nov 2007 - 11:11 | JamesMcQuaid | (includes more new addresses): Block the Russian Business Network: |
| txt | SmoothwallSnortHowTo.txt | manage | 2.1 K | 24 Mar 2007 - 15:59 | JamesMcQuaid | This file explains how to set up snort on Smoothwall Express 2.0 Fixes 1-9 |
| conf | blackhole.conf | manage | 2959.7 K | 10 Dec 2007 - 01:54 | JamesMcQuaid | blackhole.conf: 80,000 blacklisted domains for Smoothwall 2.0; leave last line blank. Includes the RBN's Malaysian domains. Updated 12-9-2007. |
| EXT | bogons | manage | 112.2 K | 22 Oct 2007 - 00:22 | JamesMcQuaid | Complete list of bogons on 10-21-2007 |
| txt | clean.pl.txt | manage | 2.1 K | 05 Sep 2007 - 01:01 | JamesMcQuaid | Clean out Honeywall's logging directories on a schedule |
| EXT | config | manage | 34.5 K | 11 Nov 2007 - 21:30 | JamesMcQuaid | IP blocks for Smoothwall 2: includes the RBN, Chinese hackers, trojan servers, viral spam boxes, bogons and hijacked ranges (with descriptions). A base upon which to build a customized home firewall. |
| EXT | config-hosts | manage | 2568.4 K | 10 Dec 2007 - 01:55 | JamesMcQuaid | 80,000 blacklisted domains for Smoothwall 3; leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Includes the RBN's Malaysian domains. Updated 12-9-2007. |
| EXT | config-ipblock_Smoothwall3 | manage | 47.9 K | 11 Nov 2007 - 21:29 | JamesMcQuaid | IP blocks for Smoothwall 3: includes the RBN, Chinese hackers, trojan servers, viral spam boxes, bogons and hijacked ranges (with descriptions). A base upon which to build a customized home firewall. |
| txt | config-ipblock_Smoothwall3.txt | manage | 43.7 K | 27 Oct 2007 - 21:48 | JamesMcQuaid | Some bogon IPs block for Smoothwall 3; includes RBN, Chinese hackers and trojans. Add to your list based upon available RAM and strategy (bad sites, attackers, etc.) |
| txt | config.txt | manage | 30.8 K | 24 Oct 2007 - 11:55 | JamesMcQuaid | Bogon IPs block for Smoothwall; includes RBN, Chinese hackers and trojans. |
| EXT | crontab | manage | 0.6 K | 05 Sep 2007 - 01:00 | JamesMcQuaid | crontab file for Honeywall which schedules reboot.pl and clean.pl |
| txt | dedupe.pl.txt | manage | 1.2 K | 26 Aug 2007 - 19:28 | JamesMcQuaid | Rename to dedupe.pl. Sorts and removes duplicate entries in Smoothwall's blackhole.conf; populates newblackhole.conf file (which you then rename to blackhole.conf). |
| conf | dnsmasq.conf | manage | 0.1 K | 26 Aug 2007 - 19:30 | JamesMcQuaid | DNSMasq config for Smoothwall's blackhole |
| EXT | hosts | manage | 2255.3 K | 10 Dec 2007 - 01:57 | JamesMcQuaid | 80,000 blacklisted domains for Smoothwall 3; also placed in /var/smoothwall/hosts/. Includes the RBN's Malaysian domains. Updated 12-9-2007. |
| txt | reboot.pl.txt | manage | 1.1 K | 05 Sep 2007 - 01:02 | JamesMcQuaid | Reboot Honeywall on a schedule |
| conf | snort.conf | manage | 6.3 K | 23 Sep 2007 - 21:42 | JamesMcQuaid | snort.conf for Smoothwall Express 2.0 Fixes 1-9 |
| in | snort.in | manage | 2.8 K | 23 Sep 2007 - 21:43 | JamesMcQuaid | snort.in for Smoothwall Express 2.0 Fixes 1-9 |
| conf | snort_inline.conf | manage | 13.9 K | 26 Aug 2007 - 19:24 | JamesMcQuaid | Bleeding Snort config for Honeywall Roo 1.1 |
| conf | snort_inline_roo-1.0.hw-139.conf | manage | 15.8 K | 26 Aug 2007 - 19:22 | JamesMcQuaid | Snort.conf for Roo 1.0 |
| conf | tldblackhole.conf | manage | 1.9 K | 03 Oct 2007 - 00:40 | JamesMcQuaid | Top Level Domains for Smoothwall; add to top of blackhole.conf; edit to suit your preferences |
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- CVS View of All Rules
- WebRss Feed
- BleedingFAQ
 |
|
