6e45d9c @mrash added the fwsnort.conf config file
#
###########################################################################
#
# This is the configuration file for fwsnort. There are some similarities
# between this file and the configuration file for Snort.
#
###########################################################################
#

### Fwsnort treats all traffic directed to / originating from the local
### machine as going to / coming from the HOME_NET in Snort rule parlance.
### If the local system has only one interface (and therefore forwards no
### traffic), no rules are processed via the FWSNORT_FORWARD chain because
### nothing enters the iptables FORWARD chain.
HOME_NET any;
EXTERNAL_NET any;

### Server variables. Fwsnort supports the same variable resolution as
### Snort: $HOME_NET below expands to the value of HOME_NET above, a
### bracketed [a, b] list holds several values, and a leading '!' negates
### a value (see SHELLCODE_PORTS below).
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;

### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];

### Configurable port numbers
SSH_PORTS 22;
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;

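The variable resolution described above (a value of $HOME_NET is replaced by the value of HOME_NET, a [a, b] list holds several values, and a leading ! negates a value, as in SHELLCODE_PORTS !80) can be reproduced in a few lines. The Python below is an added example written for this page, not code from fwsnort: it parses a constructed fragment of this file, expands $VAR references while refusing cycles, and renders each resolved value as the iptables -s/-d/--dport arguments a translated rule would carry. The variable names come from this page; the SAMPLE_CONF values, the function names, and the handling of negated lists are assumptions of the example.

```python
import re

# Constructed fwsnort.conf fragment for this example. The names mirror variables
# on this page; nothing here is read from /etc/fwsnort/fwsnort.conf.
SAMPLE_CONF = """
HOME_NET any;
EXTERNAL_NET any;
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24];
SSH_PORTS 22;
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
AVG_IP_HEADER_LEN 20; ### IP options are not usually used.
"""


def parse_conf(text):
    """Parse 'NAME value;' lines into a dict; '#' starts a comment, ';' ends a value."""
    variables = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        name, _, value = line.rstrip(';').partition(' ')
        variables[name.strip()] = value.strip()
    return variables


def resolve(name, variables, _stack=()):
    """Expand $VAR references recursively, the way Snort variables nest, and refuse
    cycles (A -> $B, B -> $A) so a bad config fails loudly instead of recursing."""
    if name in _stack:
        raise ValueError('cyclic variable reference: ' + ' -> '.join(_stack + (name,)))
    if name not in variables:
        raise KeyError(f'undefined variable ${name}')
    return re.sub(r'\$(\w+)',
                  lambda m: resolve(m.group(1), variables, _stack + (name,)),
                  variables[name])


def expand_spec(spec):
    """Split a resolved address/port spec into (negated, atoms).
    '[a, b]' lists expand to several atoms; a leading '!' negates the whole spec."""
    spec = spec.strip()
    negated = spec.startswith('!')
    if negated:
        spec = spec[1:].strip()
    if spec.startswith('[') and spec.endswith(']'):
        atoms = [a.strip() for a in spec[1:-1].split(',') if a.strip()]
    else:
        atoms = [spec]
    return negated, atoms


def iptables_args(flag, spec):
    """Render one iptables argument string per rule needed for a spec, with flag set
    to -s, -d, --sport or --dport. 'any' needs no argument. A list becomes one rule
    per atom (OR semantics). A negated list ('![a, b]', meaning neither a nor b)
    cannot be expressed as separate '! -s' rules, so it is rejected here."""
    negated, atoms = expand_spec(spec)
    if negated and len(atoms) > 1:
        raise ValueError(f'negated list {spec!r} needs a helper chain or ipset')
    rules = []
    for atom in atoms:
        if atom == 'any':
            rules.append('')
        else:
            rules.append(f"{'! ' if negated else ''}{flag} {atom}")
    return rules


if __name__ == '__main__':
    conf = parse_conf(SAMPLE_CONF)
    for var, flag in (('HTTP_SERVERS', '-d'), ('AIM_SERVERS', '-d'),
                      ('SHELLCODE_PORTS', '--dport')):
        print(var, '->', iptables_args(flag, resolve(var, conf)))
```

The cycle check matters because two variables pointing at each other would otherwise recurse without end. A negated list is rejected rather than mis-translated: one rule per atom with its own "! -s" would match everything, since any address is different from at least one of the atoms.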
### Default update URL for new rules. This variable can be given multiple
### times on separate lines in order to specify multiple update URLs:
#UPDATE_RULES_URL <url1>
#UPDATE_RULES_URL <url2>
### Note that the default below is fetched over plain HTTP, so the rule set
### is not protected against modification in transit; use a trusted
### mirror or check downloaded rules before they are loaded into the
### iptables policy.
UPDATE_RULES_URL http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules;

### Define average packet header lengths and the maximum frame length.
### These are used for iptables length match emulation of the Snort dsize
### option: dsize applies to the payload only, whereas the iptables length
### match compares the total IP packet length (header included), so the
### header estimates below are added to each dsize bound.
AVG_IP_HEADER_LEN 20; ### IP options are not usually used.
AVG_TCP_HEADER_LEN 30; ### 20 bytes fixed header plus 10 bytes for options
MAX_FRAME_LEN 1500;

### Define the max length of the content (null terminated string) that
### can be passed to either the --hex-string or --string iptables matches.
### Note that as of fwsnort-1.5, the max string length supported by the
### local iptables instance is automatically determined, so this variable
### is not really needed; it just allows a max value to be set
### independently of what iptables supports.
MAX_STRING_LEN 1024;

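To show what the two groups of settings above actually do, here is an added Python example (written for this page, not fwsnort's own code) that emulates a Snort dsize option with the iptables length match using AVG_IP_HEADER_LEN, AVG_TCP_HEADER_LEN and MAX_FRAME_LEN, and turns a Snort content option into an iptables --hex-string match, skipping any content longer than MAX_STRING_LEN. The constants mirror this page's values; AVG_UDP_HEADER_LEN, the function names, the inclusive reading of min<>max and the choice of --algo bm are assumptions of the example.

```python
import re

# Constructed settings mirroring the variables on this page (assumed values; nothing
# here is read from /etc/fwsnort/fwsnort.conf). AVG_UDP_HEADER_LEN is not a page
# variable: the UDP header is a fixed 8 bytes, added here so UDP rules work too.
AVG_IP_HEADER_LEN = 20
AVG_TCP_HEADER_LEN = 30
AVG_UDP_HEADER_LEN = 8
MAX_FRAME_LEN = 1500
MAX_STRING_LEN = 1024


def dsize_to_length(dsize, proto='tcp'):
    """Map a Snort dsize (payload bytes) onto the 'min:max' argument of the iptables
    '-m length --length' match, which compares the total IP packet length, header
    included. The header estimate is added to both bounds and the upper bound is
    capped at MAX_FRAME_LEN. Returns None when no packet could satisfy the range.
    'min<>max' is treated as inclusive (assumed here; check your Snort version).
    Because the header lengths are averages, the emulation is approximate."""
    hdr = AVG_IP_HEADER_LEN + (AVG_TCP_HEADER_LEN if proto == 'tcp' else AVG_UDP_HEADER_LEN)
    d = dsize.strip()
    m = re.fullmatch(r'(\d+)\s*<>\s*(\d+)', d)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
    elif d.startswith('>'):
        lo, hi = int(d[1:]) + 1, None
    elif d.startswith('<'):
        lo, hi = 0, int(d[1:]) - 1
    else:
        lo = hi = int(d)
    max_payload = MAX_FRAME_LEN - hdr
    if hi is None or hi > max_payload:
        hi = max_payload
    if lo < 0 or lo > hi:
        return None
    return f'{lo + hdr}:{hi + hdr}'


def snort_content_bytes(content):
    """Decode a Snort content value: literal text, |hex bytes| sections, and
    backslash escapes outside the hex sections (a backslash followed by a
    character stands for that character)."""
    out = bytearray()
    for idx, part in enumerate(content.split('|')):
        if idx % 2 == 1:                       # odd parts are inside |...|
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += re.sub(r'\\(.)', r'\1', part).encode('latin-1')
    return bytes(out)


def content_to_string_match(content, nocase=False):
    """Render the iptables string match for a Snort content. Empty content and
    content longer than MAX_STRING_LEN return None so the caller skips the rule
    rather than loading a silently truncated pattern. (Snort offset/depth would
    map onto the --from/--to options of the string match; not handled here.)"""
    data = snort_content_bytes(content)
    if not data or len(data) > MAX_STRING_LEN:
        return None
    hexstr = ' '.join(f'{b:02x}' for b in data)
    args = f'-m string --algo bm --hex-string "|{hexstr}|"'
    return args + ' --icase' if nocase else args


def emulate(options, proto='tcp'):
    """Combine the dsize and content options of one Snort rule (given as a dict)
    into iptables match arguments; None means the rule cannot be emulated."""
    parts = []
    if 'dsize' in options:
        rng = dsize_to_length(options['dsize'], proto)
        if rng is None:
            return None
        parts.append(f'-m length --length {rng}')
    if 'content' in options:
        s = content_to_string_match(options['content'], options.get('nocase', False))
        if s is None:
            return None
        parts.append(s)
    return ' '.join(parts)


if __name__ == '__main__':
    print(emulate({'dsize': '>100', 'content': 'GET |0d 0a|', 'nocase': True}))
```

Returning None instead of a best-effort match is deliberate: a dsize that no frame can satisfy, or a content that would be cut off at the string-match limit, is better dropped from the policy than turned into a rule that matches something other than what the signature author meant.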
### Use the WHITELIST variable to define a list of hosts/networks
### that should be completely ignored by fwsnort. For example, if you
### want to whitelist the IP 192.168.10.1 and the network 10.1.1.0/24,
### you would use (note that you can also specify multiple WHITELIST
### variables, one per line):
#WHITELIST 192.168.10.1, 10.1.1.0/24;
WHITELIST NONE;

### Use the BLACKLIST variable to define a list of hosts/networks
### for which fwsnort should DROP or REJECT all traffic. For
### example, to DROP all traffic from the 192.168.10.0/24 network, you
### can use:
### BLACKLIST 192.168.10.0/24 DROP;
### To have fwsnort REJECT all traffic from 192.168.10.0/24, you would
### use:
### BLACKLIST 192.168.10.0/24 REJECT;
BLACKLIST NONE;

### Define the rule position in the built-in INPUT, OUTPUT and FORWARD
### chains at which the jump into the corresponding fwsnort chain is
### inserted (1 = first rule, so fwsnort sees traffic before any other
### rule in that chain).
FWSNORT_INPUT_JUMP 1;
FWSNORT_OUTPUT_JUMP 1;
FWSNORT_FORWARD_JUMP 1;

### iptables chains (these do not normally need to be changed).
FWSNORT_INPUT FWSNORT_INPUT;
FWSNORT_INPUT_ESTAB FWSNORT_INPUT_ESTAB;
FWSNORT_OUTPUT FWSNORT_OUTPUT;
FWSNORT_OUTPUT_ESTAB FWSNORT_OUTPUT_ESTAB;
FWSNORT_FORWARD FWSNORT_FORWARD;
FWSNORT_FORWARD_ESTAB FWSNORT_FORWARD_ESTAB;

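The WHITELIST, BLACKLIST, FWSNORT_*_JUMP and chain variables above describe the skeleton of the policy that surrounds fwsnort's signature rules. The Python below is an added example for this page, not fwsnort's own generator: it parses constructed WHITELIST/BLACKLIST values (including the DROP/REJECT keyword), creates the three fwsnort chains, inserts the jump into INPUT/OUTPUT/FORWARD at the configured position, and emits whitelist and blacklist rules ahead of any signature rules. That whitelisted hosts RETURN from the fwsnort chain, that blacklist rules match on source only, and that the *_ESTAB chains are omitted are assumptions of the example; the commands are printed, not executed.

```python
# Constructed values mirroring the chain and jump variables on this page (assumed;
# not parsed from /etc/fwsnort/fwsnort.conf). The *_ESTAB chains are left out.
CHAINS = {'INPUT': 'FWSNORT_INPUT', 'OUTPUT': 'FWSNORT_OUTPUT', 'FORWARD': 'FWSNORT_FORWARD'}
JUMP_POS = {'INPUT': 1, 'OUTPUT': 1, 'FORWARD': 1}


def parse_whitelist(value):
    """'192.168.10.1, 10.1.1.0/24;' -> ['192.168.10.1', '10.1.1.0/24']; 'NONE' -> []."""
    value = value.strip().rstrip(';').strip()
    if value.upper() == 'NONE':
        return []
    return [v.strip() for v in value.split(',') if v.strip()]


def parse_blacklist(value):
    """'192.168.10.0/24 REJECT;' -> ('192.168.10.0/24', 'REJECT'); 'NONE' -> None.
    Only DROP and REJECT are accepted, so a typo can never turn into an ACCEPT rule."""
    value = value.strip().rstrip(';').strip()
    if value.upper() == 'NONE':
        return None
    net, _, target = value.partition(' ')
    target = target.strip().upper() or 'DROP'
    if target not in ('DROP', 'REJECT'):
        raise ValueError(f'BLACKLIST target must be DROP or REJECT, got {target!r}')
    return net, target


def build_policy(whitelist, blacklist, chains=CHAINS, jump_pos=JUMP_POS):
    """Return the iptables commands that create the fwsnort chains, hook each one
    into its built-in chain at the configured rule position, and put whitelist and
    blacklist rules ahead of any signature rules. Whitelisted hosts RETURN to the
    built-in chain (matched as source or destination), so signature rules never see
    them; blacklisted sources hit the configured DROP/REJECT target. Whitelist rules
    are appended first, so a host on both lists is ignored rather than blocked."""
    cmds = []
    for builtin, chain in chains.items():
        cmds.append(f'iptables -N {chain}')
        cmds.append(f'iptables -I {builtin} {jump_pos[builtin]} -j {chain}')
        for net in whitelist:
            cmds.append(f'iptables -A {chain} -s {net} -j RETURN')
            cmds.append(f'iptables -A {chain} -d {net} -j RETURN')
        for net, target in blacklist:
            cmds.append(f'iptables -A {chain} -s {net} -j {target}')
    return cmds


if __name__ == '__main__':
    # Constructed config lines, one per WHITELIST/BLACKLIST variable as this page allows.
    wl_lines = ['192.168.10.1, 10.1.1.0/24;']
    bl_lines = ['192.168.10.0/24 DROP;', 'NONE;']
    whitelist = [n for line in wl_lines for n in parse_whitelist(line)]
    blacklist = [b for b in map(parse_blacklist, bl_lines) if b]
    print('\n'.join(build_policy(whitelist, blacklist)))
```

Ordering is the point of the example: with FWSNORT_INPUT_JUMP set to 1 the jump precedes every other INPUT rule, and within the fwsnort chain the whitelist RETURN and blacklist DROP/REJECT rules precede the signature rules, so the decision for a listed host is made before any expensive string match runs.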
### fwsnort directories and files, and the path for its perl modules
CONF_DIR /etc/fwsnort;
RULES_DIR $CONF_DIR/snort_rules;
LOG_DIR /var/log/fwsnort;
LIBS_DIR /usr/lib/fwsnort; ### for perl modules
STATE_DIR /var/lib/fwsnort;
QUEUE_RULES_DIR $STATE_DIR/snort_rules_queue;
ARCHIVE_DIR $STATE_DIR/archive;

CONF_FILE $CONF_DIR/fwsnort.conf;
LOG_FILE $LOG_DIR/fwsnort.log;
FWSNORT_SCRIPT $STATE_DIR/fwsnort_iptcmds.sh; ### slow version
FWSNORT_SAVE_EXEC_FILE $STATE_DIR/fwsnort.sh; ### main fwsnort.sh script
FWSNORT_SAVE_FILE $STATE_DIR/fwsnort.save; ### main fwsnort.save file
IPT_BACKUP_SAVE_FILE $STATE_DIR/iptables.save; ### iptables policy backup

### system binaries (absolute paths, so nothing is looked up via $PATH at run time)
shCmd /bin/sh;
echoCmd /bin/echo;
tarCmd /bin/tar;
wgetCmd /usr/bin/wget;
unameCmd /usr/bin/uname;
ifconfigCmd /sbin/ifconfig;
iptablesCmd /sbin/iptables;
iptables-saveCmd /sbin/iptables-save;
iptables-restoreCmd /sbin/iptables-restore;
ip6tablesCmd /sbin/ip6tables;
ip6tables-saveCmd /sbin/ip6tables-save;
ip6tables-restoreCmd /sbin/ip6tables-restore;