
<?xml version="1.0" standalone="no"?>
<!DOCTYPE Configuration SYSTEM "Configuration.dtd">
<!--
   LogTrend SnortAgent configuration (shipped by the logtrend-snortagent package).
   Generic: agent identity, collection/delivery timers, mail and delivery target.
   Specific/SnortAgent: snort executable, alarms, sniffed interface, network
   addresses, rule variables, classification levels, filters, preprocessors,
   logging and rule files.
   NOTE(review): the DOCTYPE references an external DTD by a relative SYSTEM id,
   so the consuming parser must run with DTD processing enabled. It should only
   resolve the DTD installed next to this file and never fetch remote entities
   (TODO confirm in the agent's XML loader).
-->
<Configuration>
   <Generic>
      <!-- Description file for this agent type; path is fixed at packaging time -->
      <AgentDescriptionFile>/etc/LogTrend/snortagentdescription.xml</AgentDescriptionFile>
      <!-- Numeric identifier of this agent as a data source (presumably unique per server; TODO confirm) -->
      <Source>15</Source>
      <Agent Number="2" Version="5" /> <!-- Used for -d mode only -->
      <!-- Timers: collect every 1m, deliver every 5m, warn once the server has not responded for 1h -->
      <Time Between_Collections="1m"
            Between_Deliveries="5m"
            Before_Warn_If_Server_Not_Responding="1h" />
      <!-- SMTP relay, admin recipient and sender for agent notifications.
           NOTE(review): the host and addresses here look like the author's own
           defaults; replace them at deployment so notifications are not sent to
           a third party. -->
      <Mail SMTP="serveur.orsay.atrid.fr" Admin="fdesar@atrid.fr" Sender="a.user@mydomain.com"/>
      <DataFuture>
         <!-- Make your choice (one delivery method): send to the LogTrend server, or save to a local file (commented out below) -->
         <!-- GPGHome is presumably the GnuPG home used to protect deliveries; it holds
              key material, so keep it readable only by the agent's user (TODO confirm
              how the agent uses it). -->
         <Send Host="logtrend.mydomain.com" Port="9999" GPGHome="/etc/LogTrend/.gnupg" />
         <!-- MailForBridge="s.lhullier@atrid.fr"/> -->
         <!-- <Save FileName="cache.xml" /> -->
      </DataFuture>
   </Generic>
   <Specific>
   	<!-- ********************************* -->
   	<!-- SnortAgent specific configuration -->
   	<!-- ********************************* -->

   	<SnortAgent>

	    <!-- Absolute path to the snort binary. Since the agent is expected to execute
	         whatever is here, keep the path root-owned and not writable by unprivileged users. -->
	    <Executable name="/usr/local/bin/snort" />

            <!-- Defines alarms.
                 Threshold values line up with the risk ranges noted in Classification
                 below: 1 = low risk [0..6] (info), 7 = medium [7..15] (warning),
                 16 = high [16..20] (error). Assumes thresholds use that same scale
                 (TODO confirm). -->
	    <Alarms>
		<SnortDeath label="Unexpected death of snort process" type="error" />
	        <Threshold label="Low-risk traffic" value="1" type="info" />
		<Threshold label="Medium-risk traffic" value="7" type="warning" />
		<Threshold label="High-risk traffic" value="16" type="error" />
	    </Alarms>

            <!-- Define parameters of interface to "sniff" -->
            <Interface dev="eth0" />

            <!-- Define Network addresses -->
   	    <!-- $INTERNAL defaults to '$<intname>_ADDRESS' -->
   	    <!-- $EXTERNAL defaults to '!$INTERNAL' -->
	    <!-- NOTE(review): both values are single-host /32 ranges, which looks like a
	         test setup. Set the real monitored ranges here, since the HOME_NET and
	         EXTERNAL_NET variables below are presumably derived from them. -->
	    <Networks internal="192.168.20.48/32" external="192.168.20.35/32" />

            <!-- Define Snort variables needed by Rulesets.
                 Every server variable currently points at $INTERNAL; narrowing SMTP,
                 HTTP_SERVERS, SQL_SERVERS and DNS_SERVERS to the actual hosts reduces
                 false positives once the deployment is known. -->
	    <Variables>
	        <Variable name="HOME_NET" value="$INTERNAL" />
	        <Variable name="EXTERNAL_NET" value="$EXTERNAL" />

	        <Variable name="SMTP" value="$INTERNAL" />
	        <Variable name="HTTP_SERVERS" value="$INTERNAL" />
	        <Variable name="SQL_SERVERS" value="$INTERNAL" />
	        <Variable name="DNS_SERVERS" value="$INTERNAL" />
	    </Variables>

            <!-- Classifications from whitehats.
                 Levels are grouped by the risk ranges in the comments below; the
                 grouping appears to be positional (TODO confirm that the agent
                 assigns the numeric level from list position), so keep the order. -->
	    <Classification>
                <!-- low risk: [0..6] -->
                <Level label="not-suspicious"
		       tag="policy traffic that is not suspicious" />
                <Level label="suspicious"
		       tag="suspicious miscellaneous traffic" />
                <Level label="info-failed"
		       tag="failed information gathering attempt" />
                <Level label="relay-failed"
		       tag="failed relay attempt" />
                <Level label="data-failed"
		       tag="failed data integrity attempt" />
                <Level label="system-failed"
		       tag="failed system integrity attempt" />
                <Level label="client-failed"
		       tag="failed client integrity attempt" />
                <!-- med risk: [7..15] -->
                <Level label="denialofservice"
		       tag="denial of service" />
                <Level label="info-attempt"
		       tag="information gathering attempt" />
                <Level label="relay-attempt"
		       tag="relay attempt" />
                <Level label="data-attempt"
		       tag="data integrity attempt" />
                <Level label="system-attempt"
		       tag="system integrity attempt" />
                <Level label="client-attempt"
		       tag="client integrity attempt" />
                <Level label="data-or-info-attempt"
		       tag="data integrity or information gathering attempt" />
                <Level label="system-or-info-attempt"
		       tag="system integrity or information gathering attempt" />
                <Level label="relay-or-info-attempt"
		       tag="relay of information gathering attempt" />
                <!-- high risk: [16..20] -->
                <Level label="info-success"
		       tag="successful information gathering attempt" />
                <Level label="relay-success"
		       tag="successful relay attempt" />
                <Level label="data-success"
		       tag="successful data integrity attempt" />
                <Level label="system-success"
		       tag="successful system integrity attempt" />
                <Level label="client-success"
		       tag="successful client integrity attempt" />
	    </Classification>

	    <!-- Map preprocessor events to a classification (and optional priority).
	         The sid patterns look like generator:sid:revision with '-' as a wildcard,
	         ',' separating alternatives and '!' as negation; inferred from the entries
	         below, TODO confirm against the agent's parser. -->
	    <Filters>
	    	<!-- preprocessor SIDs are from file "generators.h" -->
		    <!-- 100: portscan -->
	        <Filter sid="100:1:-"
		            classification="info-attempt"
			priority="2"/>
	        <Filter sid="100:-,!1:-" />
		    <!-- 101: minfrag -->
	        <Filter sid="101:-:-"
		            classification="suspicious" />
		    <!-- 102: http_decode -->
	        <Filter sid="102:-:-"
		            classification="system-attempt" />
		    <!-- 103: defrag -->
	        <Filter sid="103:1:-"
		            classification="denialofservice" />
	        <Filter sid="103:2:-"
		            classification="suspicious" />
		    <!-- 105: bo -->
	        <Filter sid="105:-:-"
		            classification="system-success" />
		    <!-- 111: -->
	        <Filter sid="111:-,!1-5:-"
		            classification="info-attempt" />
	        <Filter sid="111:-,1-5:-"
		            classification="suspicious" />
	    </Filters>

	    <!-- Define preprocessors to use -->
	    <!-- Fragment and stream reassembly are HIGHLY recommended: frag2 and stream4
	         are the ones enabled below; the defrag and stream2 entries are left
	         commented out in their favour. -->
	    <Preprocessors>
	        <!-- Processor name="defrag" /-->
	        <Processor name="frag2" />
	        <!-- Processor
	            name="stream2"
	            options="timeout 23, ports 21 23 25 80 110 143, maxbytes 16384" / -->
	        <Processor name="stream4" />
	        <Processor
	            name="http_decode"
	            options="80 2301" />
	        <Processor
	            name="rpc_decode"
		    options="111 32771" />
		<Processor
		    name="bo"
		    options="-nobrute" />
		<Processor
		    name="telnet_decode" />
		<!-- Port scan detection scoped to $INTERNAL; hosts in $INTERNAL are also
		     excluded as scan sources by portscan-ignorehosts -->
		<Processor
		    name="portscan"
		    options="$INTERNAL 5 5 portscan" />
                <Processor
                    name="portscan-ignorehosts"
                    options="$INTERNAL" />
	    </Preprocessors>

	    <!-- Define logging parameters.
	         logpackets="y" stores full packets under path; captures can contain
	         sensitive payloads, so restrict the directory permissions and retention. -->
	    <Logs path="/var/log/snort/eth0" logpackets="y" />

	    <!-- Define rule files to load relative to path.
	         If snort applies the order as listed, pass rules are evaluated before
	         alert and log rules, so anything matched by a pass rule is never
	         reported; review pass rules carefully. -->
	    <Rules path="/etc/snort.d"
	           order="pass, activation, dynamic, alert, log" >
                <RulesFile file="rules" />
	    </Rules>

   	</SnortAgent>
   </Specific>
</Configuration>