Listing 2. A Sample snort.conf File
# Step #0: Set global options:
config logdir: /var/log/snort
# Step #1: Set the network variables:
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS 192.168.1.250/32
var RULE_PATH ./
# Step #2: Configure preprocessors
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
# Step #3: Configure output plugins
output database: log, mysql, user=root
dbname=snort host=localhost
# Step #4: Customize your rule set
# Here's a rule:
alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any
(msg:"MISC Cisco Catalyst Remote Access";
reference:cve,CVE-1999-0430;
classtype:bad-unknown; sid:513; rev:1;)
# And here are the paths to text files
# containing additional rules:
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
# (etc. ...)