# $Id: snort-lib,v 1.18 2000/03/17 06:28:01 roesch Exp $ 
# These rules log traffic going to "sensitive" ports and alert on truly
# suspicious activity.  Note that you must change the addresses to reflect
# your local network; these rules are currently set up for an RFC 1918 address
# space.

# Some of these rules may not be suspicious in your network environment, and
# using all of the rules at the same time may lead to serious packet loss
# on slower machines.  YMMV, use with caution, standard disclaimers apply. :)

# If you need help writing a specific rule, feel free to drop me a line!

#  -Marty (roesch@clark.net) 

# Credits:

# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
# Martin Markgraf <martin@mail.du.gtn.com>  
# CyberPsychotic <fygrave@tigerteam.net>
# Nick Rogness <nick@rapidnet.com>
# Jim Forster <jforster@rapidnet.com>
# Scott McIntyre <scott@whoi.edu>
# Tom Vandepoel <Tom.Vandepoel@ubizen.com>

# syslog alert plugin
# format=>  plugin_name: syslog_facilities (multiple entries ok)

# output alert_syslog: LOG_AUTH LOG_ALERT

# tcpdump format binary logging plugin
# format => plugin_name: output_file_name

# output log_tcpdump: snort.log

# http_decode takes the port numbers that it's going to analyze as arguments;
# traffic on these ports will be sent through the http_decode routine for
# normalization.  Only the ports listed here are normalized, so a web server
# listening on another port should be added here, otherwise content matches
# in the web rules (presumably those in web-lib, included below) may not see
# its encoded requests.

preprocessor http_decode: 80 8080

# minfrag takes the minimum fragment size (in bytes) threshold as its argument;
# fragmented packets at or below this size will cause an alert to be generated.
# The threshold is not scoped to any address, so every small fragment seen on
# the wire alerts; tune it if small fragments are normal on your network.

preprocessor minfrag: 128


# set the HOME_NET variable for your own network
# The rules below key on $HOME_NET and !$HOME_NET, so a wrong value here
# silently breaks the "outside -> home" rules.  10.1.1.0/24 is only an
# RFC 1918 placeholder (see the note at the top of this file).

var HOME_NET 10.1.1.0/24

# portscan plugin by Patrick Mullen <p_mullen@linuxrc.net>

# This detects UDP packets or TCP SYN packets
# going to seven different ports in less than two seconds.
# "Stealth" TCP packets are always detected, regardless
# of these settings.
# Arguments, in order: network to watch, port threshold, time window in
# seconds, log file.  The log file is written by the preprocessor, so its
# directory presumably has to exist and be writable by the user snort runs as.
preprocessor portscan: $HOME_NET 7 2 /var/log/portscan.log

# ignorehosts is set to ignore TCP SYN and UDP "scans" from
# your home net by default to reduce false alerts.  However,
# for maximum benefit it should be tweaked to include only a
# whitespace-delimited list of your noisiest servers/hosts.
# As written, a SYN or UDP scan launched from any host inside $HOME_NET
# (for example a compromised internal machine) is never reported; only the
# "stealth" TCP packets mentioned above are still flagged.

preprocessor portscan-ignorehosts: $HOME_NET

# Rule libraries pulled in by this config.  Drop any that do not apply to
# your environment to reduce load (see the packet-loss note at the top of
# this file).
include web-lib
include overflow-lib
include misc-lib
include scan-lib
include backdoor-lib

##################################
# alert on interesting packets
##################################

# Rules for detecting source-routed packets (loose and strict source route
# IP options, lsrr/ssrr) arriving from outside HOME_NET, one pair per protocol.
# All six rules share the same msg, so the alert text does not say which
# option or protocol fired; the logged packet has to be consulted for that.
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)

# Looks for what appears to be an IRC "USER" registration sent to port 6667
# on a home host, with PSH/ACK set.  The offset/depth pairs pin the field
# separators to fixed byte positions (spaces at 11 and 18, " :" at 26), so
# only a payload with exactly those field widths matches; a different field
# layout is not detected.  Note that nocase applies only to the first content.
alert tcp any any -> $HOME_NET 6667 (flags: PA; content: "USER "; nocase; offset:0; depth:5; content: " "; offset:11; depth:1; content: " "; offset: 18; depth:1; content: " :"; offset: 26; depth: 2; msg: "PrettyPark activity!";)
