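<?xml version="1.0" standalone="no"?>
<!-- The DTD is resolved relative to this file. Keep "Configuration.dtd" local and
     never point SYSTEM at a remote URL: the parser that loads this agent
     configuration should not be fetching external entities over the network. -->
<!DOCTYPE Configuration SYSTEM "Configuration.dtd">
<Configuration>

  <!-- ================================================================ -->
  <!-- Generic agent settings (shared by every LogTrend agent type)      -->
  <!-- ================================================================ -->
  <Generic>
    <AgentDescriptionFile>/etc/LogTrend/snortagentdescription.xml</AgentDescriptionFile>
    <Source>15</Source>
    <Agent Number="2" Version="5" />

    <!-- Used for -d mode only -->
    <Time Between_Collections="1m"
          Between_Deliveries="5m"
          Before_Warn_If_Server_Not_Responding="1h" />

    <!-- NOTE(review): the SMTP relay and Admin address look like a real site's
         values rather than placeholders; replace them at deployment. Whether the
         agent authenticates to the relay is not visible in this file. -->
    <Mail SMTP="serveur.orsay.atrid.fr"
          Admin="fdesar@atrid.fr"
          Sender="a.user@mydomain.com"/>

    <!-- Where collected data goes. Make your choice: enable exactly one of
         Send (network delivery, GPG-protected) or Save (local cache file). -->
    <DataFuture>
      <!-- GPGHome is the agent's keyring directory. It holds the private key
           used for delivery, so it must be owned by and readable only by the
           user the agent runs as (as you would for a ~/.gnupg). -->
      <Send Host="logtrend.mydomain.com" Port="9999" GPGHome="/etc/LogTrend/.gnupg" />
      <!-- MailForBridge="s.lhullier@atrid.fr"/> -->
      <!-- <Save FileName="cache.xml" /> -->
    </DataFuture>
  </Generic>

  <!-- ================================================================ -->
  <!-- SnortAgent specific configuration                                 -->
  <!-- ================================================================ -->
  <Specific>
    <SnortAgent>
      <!-- Absolute path to the snort binary the agent supervises. -->
      <Executable name="/usr/local/bin/snort" />

      <!-- Alarms raised by the agent.
           Threshold value = lowest classification level that triggers the
           alarm; 1 / 7 / 16 line up with the low / medium / high risk ranges
           annotated in the Classification section below. -->
      <Alarms>
        <SnortDeath label="Unexpected death of snort process" type="error" />
        <Threshold label="Low-risk traffic"    value="1"  type="info" />
        <Threshold label="Medium-risk traffic" value="7"  type="warning" />
        <Threshold label="High-risk traffic"   value="16" type="error" />
      </Alarms>

      <!-- Define parameters of interface to "sniff" -->
      <Interface dev="eth0" />

      <!-- Define Network addresses -->
      <!-- $INTERNAL defaults to '$<intname>_ADDRESS' -->
      <!-- $EXTERNAL defaults to '!$INTERNAL' -->
      <!-- NOTE(review): external is pinned to a single host (192.168.20.35/32)
           instead of the default '!$INTERNAL'. Every rule keyed on
           $EXTERNAL_NET will then only match traffic involving that one host;
           attacks from any other source are invisible to those rules. That is
           fine for a two-host lab pairing and wrong for a production sensor. -->
      <Networks internal="192.168.20.48/32" external="192.168.20.35/32" />

      <!-- Define Snort variables needed by Rulesets.
           All server variables are set to $INTERNAL, i.e. the single monitored
           host above; adjust if the sensor watches more than one host. -->
      <Variables>
        <Variable name="HOME_NET"     value="$INTERNAL" />
        <Variable name="EXTERNAL_NET" value="$EXTERNAL" />
        <Variable name="SMTP"         value="$INTERNAL" />
        <Variable name="HTTP_SERVERS" value="$INTERNAL" />
        <Variable name="SQL_SERVERS"  value="$INTERNAL" />
        <Variable name="DNS_SERVERS"  value="$INTERNAL" />
      </Variables>

      <!-- Classifications from whitehats.
           Levels are listed in ascending risk order; the bracketed ranges are
           the numeric level indices referenced by the Threshold alarms. -->
      <Classification>
        <!-- low risk: [0..6] -->
        <Level label="not-suspicious"        tag="policy traffic that is not suspicious" />
        <Level label="suspicious"            tag="suspicious miscellaneous traffic" />
        <Level label="info-failed"           tag="failed information gathering attempt" />
        <Level label="relay-failed"          tag="failed relay attempt" />
        <Level label="data-failed"           tag="failed data integrity attempt" />
        <Level label="system-failed"         tag="failed system integrity attempt" />
        <Level label="client-failed"         tag="failed client integrity attempt" />
        <!-- med risk: [7..15] -->
        <Level label="denialofservice"       tag="denial of service" />
        <Level label="info-attempt"          tag="information gathering attempt" />
        <Level label="relay-attempt"         tag="relay attempt" />
        <Level label="data-attempt"          tag="data integrity attempt" />
        <Level label="system-attempt"        tag="system integrity attempt" />
        <Level label="client-attempt"        tag="client integrity attempt" />
        <Level label="data-or-info-attempt"  tag="data integrity or information gathering attempt" />
        <Level label="system-or-info-attempt" tag="system integrity or information gathering attempt" />
        <Level label="relay-or-info-attempt" tag="relay or information gathering attempt" />
        <!-- high risk: [16..20] -->
        <Level label="info-success"          tag="successful information gathering attempt" />
        <Level label="relay-success"         tag="successful relay attempt" />
        <Level label="data-success"          tag="successful data integrity attempt" />
        <Level label="system-success"        tag="successful system integrity attempt" />
        <Level label="client-success"        tag="successful client integrity attempt" />
      </Classification>

      <!-- Map preprocessor-generated events onto the classification levels.
           sid syntax appears to be generator:sid:rev with '-' as a wildcard,
           ',' for a list and '!' for negation; confirm against the agent's
           parser. A Filter without a classification leaves the event at its
           default level. -->
      <Filters>
        <!-- preprocessor SIDs are from file "generators.h" -->
        <!-- 100: portscan -->
        <Filter sid="100:1:-" classification="info-attempt" priority="2"/>
        <Filter sid="100:-,!1:-" />
        <!-- 101: minfrag -->
        <Filter sid="101:-:-" classification="suspicious" />
        <!-- 102: http_decode -->
        <Filter sid="102:-:-" classification="system-attempt" />
        <!-- 103: defrag -->
        <Filter sid="103:1:-" classification="denialofservice" />
        <Filter sid="103:2:-" classification="suspicious" />
        <!-- 105: bo -->
        <Filter sid="105:-:-" classification="system-success" />
        <!-- 111: sids 1-5 are treated as low-risk, everything else as an attempt -->
        <Filter sid="111:-,!1-5:-" classification="info-attempt" />
        <Filter sid="111:-,1-5:-" classification="suspicious" />
      </Filters>

      <!-- Define preprocessors to use -->
      <!-- defrag and stream2 are HIGHLY recommended -->
      <Preprocessors>
        <!-- Processor name="defrag" /-->
        <Processor name="frag2" />
        <!-- Processor name="stream2" options="timeout 23, ports 21 23 25 80 110 143, maxbytes 16384" / -->
        <Processor name="stream4" />
        <!-- options for the decoders are the port lists they inspect -->
        <Processor name="http_decode" options="80 2301" />
        <Processor name="rpc_decode" options="111 32771" />
        <Processor name="bo" options="-nobrute" />
        <Processor name="telnet_decode" />
        <!-- portscan options: watched network, port count, seconds, log name.
             NOTE(review): portscan-ignorehosts excludes $INTERNAL, so a scan
             launched FROM the monitored host (e.g. after it is compromised)
             is never reported; only decide this deliberately. -->
        <Processor name="portscan" options="$INTERNAL 5 5 portscan" />
        <Processor name="portscan-ignorehosts" options="$INTERNAL" />
      </Preprocessors>

      <!-- Define logging parameters.
           logpackets="y" writes full packet contents under the log path; those
           captures contain cleartext payloads (credentials, mail, etc.), so the
           directory needs restrictive permissions and a retention policy. -->
      <Logs path="/var/log/snort/eth0" logpackets="y" />

      <!-- Define rule files to load relative to path.
           With "pass" evaluated first, a pass rule silences every alert/log
           rule it overlaps; audit pass rules in the rule files carefully, since
           one overly broad pass rule blinds the sensor without any warning. -->
      <Rules path="/etc/snort.d" order="pass, activation, dynamic, alert, log" >
        <RulesFile file="rules" />
      </Rules>
    </SnortAgent>
  </Specific>
</Configuration>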