# ########################################################################### # # This is the configuration file for fwsnort. There are some similarities # between this file and the configuration file for Snort. # ########################################################################### # ### Fwsnort treats all traffic directed to / originating from the local ### machine as going to / coming from the HOME_NET in Snort rule parlance. ### If there is only one interface on the local system, then there will be ### no rules processed via the FWSNORT_FORWARD chain because no traffic ### would make it into the iptables FORWARD chain. HOME_NET any; EXTERNAL_NET any; ### List of servers. Fwsnort supports the same variable resolution as ### Snort. HTTP_SERVERS $HOME_NET; SMTP_SERVERS $HOME_NET; DNS_SERVERS $HOME_NET; SQL_SERVERS $HOME_NET; TELNET_SERVERS $HOME_NET; ### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; ### Configurable port numbers SSH_PORTS 22; HTTP_PORTS 80; SHELLCODE_PORTS !80; ORACLE_PORTS 1521; ### Default update URL for new rules. This variable can be given multiple ### times on separate lines in order to specify multiple update URL's: #UPDATE_RULES_URL <url1> #UPDATE_RULES_URL <url2> UPDATE_RULES_URL http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules; ### define average packet lengths and maximum frame length. This is ### used for iptables length match emulation of the Snort dsize option. AVG_IP_HEADER_LEN 20; ### IP options are not usually used. AVG_TCP_HEADER_LEN 30; ### Include 10 bytes for options MAX_FRAME_LEN 1500; ### define the max length of the content (null terminated string) that ### can be passed to either the --hex-string or --string iptables matches. ### Note that as of fwsnort-1.5, the max string length supported by the ### local iptables instance is automatically determined, so this variable ### is not really needed, and just allows a max value to be set ### independently of what iptables supports. MAX_STRING_LEN 1024; ### Use the WHITELIST variable to define a list of hosts/networks ### that should be completely ignored by fwsnort. For example, if you ### want to whitelist the IP 192.168.10.1 and the network 10.1.1.0/24, ### you would use (note that you can also specify multiple WHITELIST ### variables, one per line): #WHITELIST 192.168.10.1, 10.1.1.0/24; WHITELIST NONE; ### Use the BLACKLIST variable to define a list of hosts/networks ### that for which fwsnort should DROP or REJECT all traffic. For ### example, to DROP all traffic from the 192.168.10.0/24 network, you ### can use: ### BLACKLIST 192.168.10.0/24 DROP; ### To have fwsnort REJECT all traffic from 192.168.10.0/24, you would ### use: ### BLACKLIST 192.168.10.0/24 REJECT; BLACKLIST NONE; ### define the jump position in the built-in chains to jump to the ### fwsnort chains FWSNORT_INPUT_JUMP 1; FWSNORT_OUTPUT_JUMP 1; FWSNORT_FORWARD_JUMP 1; ### iptables chains (these do not normally need to be changed). FWSNORT_INPUT FWSNORT_INPUT; FWSNORT_INPUT_ESTAB FWSNORT_INPUT_ESTAB; FWSNORT_OUTPUT FWSNORT_OUTPUT; FWSNORT_OUTPUT_ESTAB FWSNORT_OUTPUT_ESTAB; FWSNORT_FORWARD FWSNORT_FORWARD; FWSNORT_FORWARD_ESTAB FWSNORT_FORWARD_ESTAB; ### fwsnort filesystem paths INSTALL_ROOT /; CONF_DIR $INSTALL_ROOT/etc/fwsnort; RULES_DIR $CONF_DIR/snort_rules; LOG_DIR $INSTALL_ROOT/var/log/fwsnort; LIBS_DIR $INSTALL_ROOT/usr/lib/fwsnort; ### for perl modules STATE_DIR $INSTALL_ROOT/var/lib/fwsnort; QUEUE_RULES_DIR $STATE_DIR/snort_rules_queue; ARCHIVE_DIR $STATE_DIR/archive; CONF_FILE $CONF_DIR/fwsnort.conf; LOG_FILE $LOG_DIR/fwsnort.log; FWSNORT_SCRIPT $STATE_DIR/fwsnort_iptcmds.sh; ### slow version FWSNORT_SAVE_EXEC_FILE $STATE_DIR/fwsnort.sh; ### main fwsnort.sh script FWSNORT_SAVE_FILE $STATE_DIR/fwsnort.save; ### main fwsnort.save file IPT_BACKUP_SAVE_FILE $STATE_DIR/iptables.save; ### iptables policy backup ### system binaries shCmd /bin/sh; echoCmd /bin/echo; tarCmd /bin/tar; wgetCmd /usr/bin/wget; unameCmd /usr/bin/uname; ifconfigCmd /sbin/ifconfig; iptablesCmd /sbin/iptables; iptables-saveCmd /sbin/iptables-save; iptables-restoreCmd /sbin/iptables-restore; ip6tablesCmd /sbin/ip6tables; ip6tables-saveCmd /sbin/ip6tables-save; ip6tables-restoreCmd /sbin/ip6tables-restore;