etc/snort.conf | 226 ++++++++++++++++++++++++++++++--------------------------- src/snort.c | 2 +- src/snort.h | 2 +- src/util.c | 2 +- 4 files changed, 123 insertions(+), 109 deletions(-) diff --git a/etc/snort.conf b/etc/snort.conf index 38d45e7..b7d7814 100644 --- a/etc/snort.conf +++ b/etc/snort.conf @@ -515,6 +515,8 @@ preprocessor reputation: \ # For more information, see Snort Manual, Configuring Snort - Output Modules ################################################### +output unified2: filename snort.u2, limit 128, mpls_event_types, vlan_event_types + # unified2 # Recommended for most installs # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types 
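Review bot: The new live `output unified2: filename snort.u2, limit 128, mpls_event_types, vlan_event_types` line is placed above the `# unified2` / `# Recommended for most installs` comment block, which still describes the commented-out `merged.log` example rather than the line that is now active, so a reader sees an unlabeled active output followed by a "recommended" example that differs from it (no `nostamp`, different filename). Either move the comment header above the new line or add a one-line comment such as `# Active unified2 output (timestamped file names; see the recommended example below)` so the intent is clear. If the difference from the "recommended" form is deliberate, say why in that comment.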
@@ -542,112 +544,124 @@ include reference.config
 ###################################################
 # site specific rules
-include $RULE_PATH/local.rules
-
-include $RULE_PATH/app-detect.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/backdoor.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/blacklist.rules
-include $RULE_PATH/botnet-cnc.rules
-include $RULE_PATH/browser-chrome.rules
-include $RULE_PATH/browser-firefox.rules
-include $RULE_PATH/browser-ie.rules
-include $RULE_PATH/browser-other.rules
-include $RULE_PATH/browser-plugins.rules
-include $RULE_PATH/browser-webkit.rules
-include $RULE_PATH/chat.rules
-include $RULE_PATH/content-replace.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/experimental.rules
-include $RULE_PATH/exploit-kit.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/file-executable.rules
-include $RULE_PATH/file-flash.rules
-include $RULE_PATH/file-identify.rules
-include $RULE_PATH/file-image.rules
-include $RULE_PATH/file-multimedia.rules
-include $RULE_PATH/file-office.rules
-include $RULE_PATH/file-other.rules
-include $RULE_PATH/file-pdf.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/icmp-info.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/indicator-compromise.rules
-include $RULE_PATH/indicator-obfuscation.rules
-include $RULE_PATH/indicator-shellcode.rules
-include $RULE_PATH/info.rules
-include $RULE_PATH/malware-backdoor.rules
-include $RULE_PATH/malware-cnc.rules
-include $RULE_PATH/malware-other.rules
-include $RULE_PATH/malware-tools.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/multimedia.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/os-linux.rules
-include $RULE_PATH/os-other.rules
-include $RULE_PATH/os-solaris.rules
-include $RULE_PATH/os-windows.rules
-include $RULE_PATH/other-ids.rules
-include $RULE_PATH/p2p.rules
-include $RULE_PATH/phishing-spam.rules
-include $RULE_PATH/policy-multimedia.rules
-include $RULE_PATH/policy-other.rules
-include $RULE_PATH/policy.rules
-include $RULE_PATH/policy-social.rules
-include $RULE_PATH/policy-spam.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-include $RULE_PATH/protocol-finger.rules
-include $RULE_PATH/protocol-ftp.rules
-include $RULE_PATH/protocol-icmp.rules
-include $RULE_PATH/protocol-imap.rules
-include $RULE_PATH/protocol-pop.rules
-include $RULE_PATH/protocol-services.rules
-include $RULE_PATH/protocol-voip.rules
-include $RULE_PATH/pua-adware.rules
-include $RULE_PATH/pua-other.rules
-include $RULE_PATH/pua-p2p.rules
-include $RULE_PATH/pua-toolbars.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/scada.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/server-apache.rules
-include $RULE_PATH/server-iis.rules
-include $RULE_PATH/server-mail.rules
-include $RULE_PATH/server-mssql.rules
-include $RULE_PATH/server-mysql.rules
-include $RULE_PATH/server-oracle.rules
-include $RULE_PATH/server-other.rules
-include $RULE_PATH/server-webapp.rules
-include $RULE_PATH/shellcode.rules
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/snmp.rules
-include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/spyware-put.rules
-include $RULE_PATH/sql.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/tftp.rules
-include $RULE_PATH/virus.rules
-include $RULE_PATH/voip.rules
-include $RULE_PATH/web-activex.rules
-include $RULE_PATH/web-attacks.rules
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-php.rules
-include $RULE_PATH/x11.rules
+
+# include $RULE_PATH/local.rules
+
+# include $RULE_PATH/app-detect.rules
+# include $RULE_PATH/attack-responses.rules
+# include $RULE_PATH/backdoor.rules
+# include $RULE_PATH/bad-traffic.rules
+# include $RULE_PATH/blacklist.rules
+# include $RULE_PATH/botnet-cnc.rules
+# include $RULE_PATH/browser-chrome.rules
+# include $RULE_PATH/browser-firefox.rules
+# include $RULE_PATH/browser-ie.rules
+# include $RULE_PATH/browser-other.rules
+# include $RULE_PATH/browser-plugins.rules
+# include $RULE_PATH/browser-webkit.rules
+# include $RULE_PATH/chat.rules
+# include $RULE_PATH/content-replace.rules
+# include $RULE_PATH/ddos.rules
+# include $RULE_PATH/dns.rules
+# include $RULE_PATH/dos.rules
+# include $RULE_PATH/experimental.rules
+# include $RULE_PATH/exploit-kit.rules
+# include $RULE_PATH/exploit.rules
+# include $RULE_PATH/file-executable.rules
+# include $RULE_PATH/file-flash.rules
+# include $RULE_PATH/file-identify.rules
+# include $RULE_PATH/file-image.rules
+# include $RULE_PATH/file-java.rules
+# include $RULE_PATH/file-multimedia.rules
+# include $RULE_PATH/file-office.rules
+# include $RULE_PATH/file-other.rules
+# include $RULE_PATH/file-pdf.rules
+# include $RULE_PATH/finger.rules
+# include $RULE_PATH/ftp.rules
+# include $RULE_PATH/icmp-info.rules
+# include $RULE_PATH/icmp.rules
+# include $RULE_PATH/imap.rules
+# include $RULE_PATH/indicator-compromise.rules
+# include $RULE_PATH/indicator-obfuscation.rules
+# include $RULE_PATH/indicator-scan.rules
+# include $RULE_PATH/indicator-shellcode.rules
+# include $RULE_PATH/info.rules
+# include $RULE_PATH/malware-backdoor.rules
+# include $RULE_PATH/malware-cnc.rules
+# include $RULE_PATH/malware-other.rules
+# include $RULE_PATH/malware-tools.rules
+# include $RULE_PATH/misc.rules
+# include $RULE_PATH/multimedia.rules
+# include $RULE_PATH/mysql.rules
+# include $RULE_PATH/netbios.rules
+# include $RULE_PATH/nntp.rules
+# include $RULE_PATH/oracle.rules
+# include $RULE_PATH/os-linux.rules
+# include $RULE_PATH/os-mobile.rules
+# include $RULE_PATH/os-other.rules
+# include $RULE_PATH/os-solaris.rules
+# include $RULE_PATH/os-windows.rules
+# include $RULE_PATH/other-ids.rules
+# include $RULE_PATH/p2p.rules
+# include $RULE_PATH/phishing-spam.rules
+# include $RULE_PATH/policy-multimedia.rules
+# include $RULE_PATH/policy-other.rules
+# include $RULE_PATH/policy.rules
+# include $RULE_PATH/policy-social.rules
+# include $RULE_PATH/policy-spam.rules
+# include $RULE_PATH/pop2.rules
+# include $RULE_PATH/pop3.rules
+# include $RULE_PATH/protocol-dns.rules
+# include $RULE_PATH/protocol-finger.rules
+# include $RULE_PATH/protocol-ftp.rules
+# include $RULE_PATH/protocol-icmp.rules
+# include $RULE_PATH/protocol-imap.rules
+# include $RULE_PATH/protocol-nntp.rules
+# include $RULE_PATH/protocol-pop.rules
+# include $RULE_PATH/protocol-rpc.rules
+# include $RULE_PATH/protocol-scada.rules
+# include $RULE_PATH/protocol-services.rules
+# include $RULE_PATH/protocol-snmp.rules
+# include $RULE_PATH/protocol-telnet.rules
+# include $RULE_PATH/protocol-tftp.rules
+# include $RULE_PATH/protocol-voip.rules
+# include $RULE_PATH/pua-adware.rules
+# include $RULE_PATH/pua-other.rules
+# include $RULE_PATH/pua-p2p.rules
+# include $RULE_PATH/pua-toolbars.rules
+# include $RULE_PATH/rpc.rules
+# include $RULE_PATH/rservices.rules
+# include $RULE_PATH/scada.rules
+# include $RULE_PATH/scan.rules
+# include $RULE_PATH/server-apache.rules
+# include $RULE_PATH/server-iis.rules
+# include $RULE_PATH/server-mail.rules
+# include $RULE_PATH/server-mssql.rules
+# include $RULE_PATH/server-mysql.rules
+# include $RULE_PATH/server-oracle.rules
+# include $RULE_PATH/server-other.rules
+# include $RULE_PATH/server-samba.rules
+# include $RULE_PATH/server-webapp.rules
+# include $RULE_PATH/shellcode.rules
+# include $RULE_PATH/smtp.rules
+# include $RULE_PATH/snmp.rules
+# include $RULE_PATH/specific-threats.rules
+# include $RULE_PATH/spyware-put.rules
+# include $RULE_PATH/sql.rules
+# include $RULE_PATH/telnet.rules +# include $RULE_PATH/tftp.rules +# include $RULE_PATH/virus.rules +# include $RULE_PATH/voip.rules +# include $RULE_PATH/web-activex.rules +# include $RULE_PATH/web-attacks.rules +# include $RULE_PATH/web-cgi.rules +# include $RULE_PATH/web-client.rules +# include $RULE_PATH/web-coldfusion.rules +# include $RULE_PATH/web-frontpage.rules +# include $RULE_PATH/web-iis.rules +# include $RULE_PATH/web-misc.rules +# include $RULE_PATH/web-php.rules +# include $RULE_PATH/x11.rules ################################################### # Step #8: Customize your preprocessor and decoder alerts diff --git a/src/snort.c b/src/snort.c index 8981756..bbf1062 100644 --- a/src/snort.c +++ b/src/snort.c @@ -3413,7 +3413,7 @@ static char *ConfigFileSearch(void) { struct stat st; int i; - char *conf_files[]={"/etc/snort.conf", "./snort.conf", NULL}; + char *conf_files[]={"/etc/snort/snort.conf", "./snort.conf", NULL}; char *fname = NULL; char *rval = NULL; diff --git a/src/snort.h b/src/snort.h index 25b4485..eece323 100644 --- a/src/snort.h +++ b/src/snort.h @@ -39,7 +39,7 @@ #include "sfdaq.h" #include "sf_types.h" #include "sfutil/sflsq.h" -#include "sfutil//sfActionQueue.h" +#include "sfutil/sfActionQueue.h" #include "profiler.h" #include "rules.h" #include "treenodes.h" diff --git a/src/util.c b/src/util.c index 5627830..9dba808 100644 --- a/src/util.c +++ b/src/util.c @@ -1525,7 +1525,7 @@ void GoDaemon(void) #ifdef DEBUG /* redirect stdin/stdout/stderr to a file */ - open("/tmp/snort.debug", O_CREAT | O_RDWR); /* stdin, fd 0 */ + open("/tmp/snort.debug", O_CREAT, 0660 | O_RDWR); /* stdin, fd 0 */ /* Change ownership to that which we will drop privileges to */ if ((snort_conf->user_id != -1) || (snort_conf->group_id != -1))
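Review bot: Every `include $RULE_PATH/*.rules` line, including `local.rules`, is now commented out with no comment saying why, so a sensor started with this file loads no signature rules at all and will only raise preprocessor/decoder events, which is easy to mistake for a working deployment. If the intent is that rule packs are installed separately, say so at the top of the list, e.g. `# Rule includes are disabled by default; enable the categories present under $RULE_PATH.`, and keep `include $RULE_PATH/local.rules` active (shipping an empty local.rules) so site-specific rules still work out of the box. At minimum the commit message or a comment should record that this is a deliberate packaging choice rather than an accident.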
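Review bot: The new `conf_files[]` still lists `"./snort.conf"` as a fallback after `/etc/snort/snort.conf`, so when the system config is missing, Snort silently picks up whatever snort.conf sits in the current working directory; since the config selects preprocessors, output plugins and rule/include paths, starting the sensor as root from a directory other users can write to lets that file drive the process. Consider dropping the cwd candidate or, if it is kept for development, logging a warning when it is the one selected. Separately, the old `/etc/snort.conf` path is removed rather than kept as a second candidate, so existing installs that rely on it will fall through to the cwd file or fail; `{"/etc/snort/snort.conf", "/etc/snort.conf", "./snort.conf", NULL}` would keep them working. The rest of ConfigFileSearch lies outside the hunk.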
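Review bot: The replacement `open("/tmp/snort.debug", O_CREAT, 0660 | O_RDWR)` moves `O_RDWR` into the mode argument: the flags are now `O_CREAT` alone (access mode `O_RDONLY`), and the created file's mode becomes `0660 | O_RDWR`, which on Linux/glibc is `0662`, i.e. world-writable, which is worse than the missing-mode bug it fixes. The intended line is `open("/tmp/snort.debug", O_CREAT | O_RDWR, 0600);`; the preceding comment says the descriptor is also used for stdout/stderr, which a read-only fd cannot serve. Because this runs before the ownership change noted just below (and so presumably as root), a fixed path under `/tmp` opened with `O_CREAT` and no `O_EXCL`/`O_NOFOLLOW` is also a symlink-race target; `O_NOFOLLOW` or a non-world-writable directory would close that, and the unchecked return value should at least be tested. This is `#ifdef DEBUG` only, but debug builds do get deployed; GoDaemon continues outside the hunk.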