##############################################
# Configuration for the Prelude NIDS Sensor  #
##############################################
#
# Syntax as used in this file: full-line "#" comments only; every
# setting ends with ";"; flag-style options are written as a bare
# "name;" with no value. Sections are "[Name]" headers; the
# per-plugin sections start after the "plugins configuration" banner.
#
# A "#" in front of a section header or a setting disables it.
# NOTE(review): a setting that is left active below a commented-out
# header is presumably read as part of the previous section (see the
# nops_raise_alert entry under [Shellcode]) -- confirm with the parser.

[Prelude NIDS]

# Address where the Prelude Manager server is listening.
# If the value is "127.0.0.1", the connection is made through
# a UNIX socket; any other address means the alert stream leaves
# this host over the network.
# NOTE(review): this file does not say how a network connection to
# the manager is protected -- confirm before pointing the sensor at
# a remote manager.
#
# This entry is disabled. The default is to use the entry
# located in sensors-default.conf. You may override the
# default address for this sensor by uncommenting this entry.
#
# manager-addr = 192.168.0.2:5554;

# Set this entry if you want Prelude NIDS to run as a specific user.
# Running the sensor under a dedicated, unprivileged account limits
# what a fault in the packet parsers can do (least privilege); when
# and how the privilege drop happens is not described here.
#
# user = prelude;

#[Tcp-Reasm]
#
# TCP stream reassembly options. The whole section is disabled here;
# uncomment the header and the options you want.
#
# Only analyse TCP packets that are part of a stream. This defeats
# stick/snot-style traffic (signature-matching packets that belong to
# no real connection) against TCP signatures.
#
# statefull-only;
#
# Only reassemble TCP data sent by the client (default).
#
# client-only;
#
# Only reassemble TCP data sent by the server.
#
# server-only;
#
# Reassemble TCP data sent by both client and server.
#
# both;
#
# Don't reassemble data until a minimum number of bytes has been
# queued (default is 8192).
#
# min-length = 8192;
#
# Only reassemble data going to specific ports (default is to
# reassemble everything). Ports are space-separated.
#
# If this option is used together with statefull-only, packets that
# are not going to one of these ports are still analysed.
#
# port-list = 1 2 3 4;

####################################
# Here start plugins configuration #
####################################

[SnortRules]
# Path to the Snort-format ruleset loaded by the signature engine.
# The path must be readable by the user the sensor runs as.
ruleset=/usr/local/etc/prelude-nids/ruleset/prelude.rules;

[ScanDetect]
# Number of connection attempts seen from the same host, targeted
# at different ports, before the scan detection plugin issues an
# alert. "high" and "low" refer to the destination port range.
# Lower thresholds catch slower scans at the cost of more alerts.
#
high-port-cnx-count = 50;
low-port-cnx-count = 5;

# Window of time (seconds, presumably -- the unit is not stated
# here) without any activity that the scan detection plugin waits
# before issuing an alert for a given host.
#
cnx-ttl = 60;

# [Shellcode]
#
# This plugin allows for polymorphic shellcode detection.
# It may consume a lot of CPU time, so it is disabled by
# default. Uncomment the section name to enable it, or
# specify --shellcode on the command line.
#
# NOTE(review): the setting below is active while the [Shellcode]
# header is commented out, so it presumably lands in the preceding
# [ScanDetect] section until the header is uncommented -- confirm
# that it is picked up once the plugin is enabled.
# Number of consecutive NOP-equivalent bytes before an alert is
# raised (inferred from the name; verify against the plugin).

nops_raise_alert = 60;

#
# If a port-list is specified, the Shellcode plugin
# will only analyse data going to these ports (when
# the protocol used has a destination port).
#
# port-list = 1 2 3 4;

# [Debug]
#
# This plugin issues an alert for each packet.
# Be careful: the logging volume it generates can flood the
# manager and its storage. Keep it disabled outside of testing.

[HttpMod]
#
# Normalize HTTP requests before signature matching, so that
# encoded or obfuscated URLs are compared in canonical form.
#
# The "codepage-file" option contains the name of the file containing
# Unicode to ASCII conversion tables for WIN32 machines.
#
# The "codepage-number" option is the codepage number your WIN32
# servers use.
#
# end-on-param:
# Stop parsing the URL when a parameter is met.
#
# double-encode:
# Check for encoded '%' characters (a second layer of URL encoding).
#
# max-whitespace:
# Maximum number of whitespace characters allowed before the URL
# begins.
#
# flip-backslash:
# Change '\' to '/' when parsing the URL.
#
# port-list:
# Space-separated destination ports treated as HTTP. Presumably only
# traffic to these ports goes through the normalizer -- confirm, and
# add any non-standard HTTP ports in use on the monitored network.
#
double-encode;
flip-backslash;
max-whitespace = 10;
codepage-file = /usr/local/etc/prelude-nids/unitable.txt;
codepage-number = 437;
port-list = 80 8080;

[RpcMod]
#
# Decode RPC traffic; also provides the RPC rule key.
# port-list: destination ports treated as RPC (111 is portmapper).
#
port-list = 111;

[TelnetMod]
#
# Normalize telnet negotiation characters so that option
# negotiation bytes do not break signature matching.
# port-list: destination ports treated as telnet-style streams.
#
port-list = 23 21;

[ArpSpoof]
#
# Search for anomalies in ARP requests.
#
# The "directed" option will result in a warning each time an ARP
# request is sent to an address other than the broadcast address.
#
# "arpwatch" pins an IP address to its expected MAC address; an
# ARP mapping that disagrees with an entry is presumably what gets
# reported -- confirm. One entry per line, format as shown.
#
# directed;
# arpwatch=<ip> <macaddr>;