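## name: firestorm.conf
## version: 0.5.2
## rcsid: $Id: firestorm.conf 77 2003-11-14 10:26:45Z scara $
## desc: This file is for configuring firestorm
##
## Format: one "directive arg..." per line; a line starting with '#'
## is a comment. NOTE(review): directives that may repeat (load_plugins,
## signatures) are presumably processed in file order -- confirm before
## relying on it.

### EFFECTIVE_UGID ####################################################
# SYNOPSIS: Lower privileges if started as root
# SYNTAX: effective_(uid|gid) (uid|gid)
# NOTES: Ignored when run unprivileged. Ignored if zero (so a zero value
#        means no privilege drop takes place). Firestorm does not
#        resolve names to numbers, so give numeric ids and make sure
#        uid/gid 303 exist on this host and are dedicated to firestorm.
effective_uid 303
effective_gid 303
#######################################################################

### FIRESTORM_ROOT ####################################################
# SYNOPSIS: Tell firestorm what directory to live in
# SYNTAX: firestorm_root /path/to/dir
# NOTES: All relative paths below (logfile, output dir, signatures)
#        are resolved against this directory.
firestorm_root /var/firestorm
#######################################################################

### CHROOT ############################################################
# SYNOPSIS: Chroot to the working directory during operation
# SYNTAX: chroot yes|no
# NOTES: Ignored when run unprivileged. If omitted or left blank
#        firestorm will default to "yes". Leave it on: together with
#        effective_uid/gid it limits what a compromised sensor process
#        can reach on the filesystem.
chroot yes
#######################################################################

### LOGFILE ###########################################################
# SYNOPSIS: Daemonise and output debugging messages to a file
# SYNTAX: logfile /path/to/logfile
# NOTES: If you leave this out, firestorm will run in the foreground.
#        A relative path is taken under firestorm_root.
logfile firestorm.log
#######################################################################

### LOAD_PLUGINS ######################################################
# SYNOPSIS: Locate plugins
# SYNTAX: load_plugins /path/to/dir
# NOTES: Firestorm will NOT recurse directories. Any failures will
#        be ignored (but complained about). Plugins are shared objects
#        (.so) loaded into the firestorm process, so these directories
#        must be owned by root and not writable by the effective
#        uid/gid configured above.
load_plugins /usr/lib/firestorm/capture
load_plugins /usr/lib/firestorm/protocols
load_plugins /usr/lib/firestorm/detection
#######################################################################

### LOAD_PLUGIN #######################################################
# SYNOPSIS: Locate an individually named plugin
# SYNTAX: load_plugin /path/to/plugin.so
# NOTES: Loading a plugin individually implicitly requires it. That
#        is to say, if any load_plugin fails to load, firestorm will
#        bail. Be careful.
# Example (disabled):
#load_plugin /usr/lib/another-plugin.so
#######################################################################

### CAPTURE ###########################################################
# SYNOPSIS: Tell firestorm where to acquire packets from
# SYNTAX: capture type args...
# NOTES: You can reference files that live outside the chroot.
#        if='any' captures on every interface, including the
#        management one; narrow it to the monitoring interface(s)
#        if that is not what you want.
capture pcap if='any'
#######################################################################

### PREPROCESSOR ######################################################
# SYNOPSIS: Initialise a preprocessor
# SYNTAX: preprocessor name args...
# NOTES: Preprocessors won't run at all unless they are specified
#        here. Current preprocessors are:
#          ipfrag    : IPv4 defragmentation
#          tcpstream : TCP stateful inspection / stream reassembly
#        NOTE(review): mem_hi/mem_lo and num_streams/num_flows look like
#        state limits; size them for the monitored link and confirm
#        their exact meaning in the plugin documentation.
preprocessor ipfrag mem_hi=1024k mem_lo=768k minttl=0 timeout=30
preprocessor tcpstream num_streams=32k num_flows=16k reassemble=yes
#######################################################################

### OUTPUT ############################################################
# SYNOPSIS: Configure alert logging parameters
# SYNTAX: output dir=PATH size=NN minutes=NN stormwall=(none|wait|fail)
# NOTES: This directive can only be specified once. The 'dir'
#        option is the path of the log directory (relative to
#        firestorm_root). The 'minutes' option specifies an upper
#        bound on the amount of time between log rotations in
#        minutes. The 'size' option sets the maximum size of a
#        logfile before rotating.
#        NOTE(review): the behaviour of stormwall=none|wait|fail is
#        not documented here -- check before changing it.
output dir='log' minutes=60 size=1024k stormwall=none
#######################################################################

### SIGNATURES ########################################################
# SYNOPSIS: Loads a signature file
# SYNTAX: signatures type filename
# NOTES: Available types are "snort". Paths are relative to
#        firestorm_root. The local rules file is listed first, then
#        the snort-rules set; classification.config is loaded the
#        same way, presumably so its classtype definitions are
#        available to the rule files -- confirm.
signatures snort ./firestorm.rules
signatures snort ./snort-rules/classification.config
signatures snort ./snort-rules/finger.rules
signatures snort ./snort-rules/virus.rules
signatures snort ./snort-rules/dns.rules
signatures snort ./snort-rules/scan.rules
signatures snort ./snort-rules/x11.rules
signatures snort ./snort-rules/web-frontpage.rules
signatures snort ./snort-rules/shellcode.rules
signatures snort ./snort-rules/web-misc.rules
signatures snort ./snort-rules/policy.rules
signatures snort ./snort-rules/ftp.rules
signatures snort ./snort-rules/sql.rules
signatures snort ./snort-rules/smtp.rules
signatures snort ./snort-rules/web-coldfusion.rules
signatures snort ./snort-rules/web-cgi.rules
signatures snort ./snort-rules/exploit.rules
signatures snort ./snort-rules/rservices.rules
signatures snort ./snort-rules/web-iis.rules
signatures snort ./snort-rules/telnet.rules
signatures snort ./snort-rules/netbios.rules
signatures snort ./snort-rules/attack-responses.rules
signatures snort ./snort-rules/tftp.rules
signatures snort ./snort-rules/web-attacks.rules
signatures snort ./snort-rules/ddos.rules
signatures snort ./snort-rules/dos.rules
signatures snort ./snort-rules/backdoor.rules
signatures snort ./snort-rules/info.rules
signatures snort ./snort-rules/porn.rules
signatures snort ./snort-rules/misc.rules
signatures snort ./snort-rules/bad-traffic.rules
signatures snort ./snort-rules/oracle.rules
signatures snort ./snort-rules/p2p.rules
signatures snort ./snort-rules/chat.rules
signatures snort ./snort-rules/multimedia.rules
signatures snort ./snort-rules/experimental.rules
signatures snort ./snort-rules/imap.rules
signatures snort ./snort-rules/snmp.rules
signatures snort ./snort-rules/web-php.rules
signatures snort ./snort-rules/web-client.rules
signatures snort ./snort-rules/pop3.rules
signatures snort ./snort-rules/mysql.rules
signatures snort ./snort-rules/nntp.rules
signatures snort ./snort-rules/other-ids.rules
signatures snort ./snort-rules/icmp.rules
signatures snort ./snort-rules/icmp-info.rules
signatures snort ./snort-rules/rpc.rules
#######################################################################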