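# Firewall rules for snort
# (c) Sergey V. Gordeychik 2003
# offtopic@mail.ru
#
# Layout: variables (#<1>), allow-list "pass" rules for expected
# traffic (#<2>), an uninspected pass-through between the DCs and
# Exchange (#<3>), and catch-all alert rules that fire on everything
# not passed above (#<4>).
#
# NOTE(review): $HOME_NET is not defined in this file; it is expected
# to come from snort.conf (confirm it is set before this file is
# included).
# NOTE(review): the pass rules only have an effect when Snort evaluates
# pass rules before alert rules (the -o switch, or
# "config order: pass alert log" on Snort 2.x) - confirm for the
# Snort version in use, otherwise the catch-all alerts in section #<4>
# fire (and send active responses) for every packet.
#
# Fixes applied to the original listing:
#  - the DNS rule used "<-", which is not a Snort direction operator
#    (only "->" and "<>" exist); rewritten as a forward rule
#  - msg strings used guillemets («») instead of the double quotes the
#    rule parser requires
#  - "123:" / "1434:" (port-and-above) narrowed to the single port the
#    neighbouring rules use; widen again if that was intentional

#<1>
var DCS [10.1.1.1,10.1.1.254]
var EXCHANGE [10.1.1.2]
var PROXY [10.1.1.10]
var SQL [10.1.1.7]
var WEB [10.1.1.10]
var LINUX [10.1.1.4]
var ADMINS [10.1.1.25]
# remove $SQL if servers use TCP/IP only
var FILESRV [10.1.1.5,10.1.1.15,$DCS,$SQL]
var DNSSRV [$DCS]
var DNSSRV_EXT [$PROXY]
var WINSSRV [$DCS]
var RPC [$DCS,$EXCHANGE]
var SERVERS [$PROXY,$FILESRV,$DNSSRV,$EXCHANGE,$WEB,$SQL]
# Hosts whose mutual traffic is never inspected (section #<3>)
var PASS [$DCS,$EXCHANGE]
#<1>

#<2>
# Filters for DNS
# TCP 53 only between the DNS servers themselves (DC-to-DC traffic);
# clients use UDP
pass tcp $DNSSRV 1024: -> $DNSSRV 53
pass udp $HOME_NET 1024: -> $DNSSRV 53
pass udp $DNSSRV 53 -> $HOME_NET 1024:
# Forwarding from the internal DNS servers to the external resolver
# and the replies back (the reply rule was written with "<-" in the
# original, which Snort does not parse)
pass udp $DNSSRV 1024: -> $DNSSRV_EXT 53
pass udp $DNSSRV_EXT 53 -> $DNSSRV 1024:

# Filters for LDAP
pass tcp $HOME_NET 1024: -> $DCS 389
pass udp $HOME_NET 1024: -> $DCS 389
pass udp $DCS 389 -> $HOME_NET 1024:

# Filter for Kerberos
pass tcp $HOME_NET 1024: -> $DCS 88
pass udp $HOME_NET 1024: -> $DCS 88
pass udp $DCS 88 -> $HOME_NET 1024:

# Filter for SNTP
pass tcp $HOME_NET 1024: -> $DCS 123
pass udp $HOME_NET 1024: -> $DCS 123
pass udp $DCS 123 -> $HOME_NET 1024:
# DCs sync time from the proxy (original had "123:", i.e. 123 and up)
pass udp $DCS 1024: -> $PROXY 123
pass udp $PROXY 123 -> $DCS 1024:

# Filter for WINS
pass tcp $HOME_NET 1024: -> $WINSSRV 1512
pass udp $HOME_NET 1024: -> $WINSSRV 1512
pass udp $WINSSRV 1512 -> $HOME_NET 1024:

# Filters for RPC
pass tcp $HOME_NET 1024: -> $RPC 135
pass udp $HOME_NET 1024: -> $RPC 135
pass udp $RPC 135 -> $HOME_NET 1024:
# Presumably a fixed RPC endpoint port on the DCs - confirm
pass tcp $HOME_NET 1024: -> $DCS 1026

# Filters for Exchange
pass tcp $HOME_NET 1024: -> $EXCHANGE 2000
pass tcp $HOME_NET 1024: -> $EXCHANGE 2001
pass tcp $HOME_NET 1024: -> $EXCHANGE 2002
# New mail notification
# NOTE(review): this passes any UDP from an Exchange high port to any
# high port on the network; it cannot be narrowed further without
# knowing the notification port in use
pass udp $EXCHANGE 1024: -> $HOME_NET 1024:

# Filter for CIFS/SMB/NetBIOS
pass tcp $HOME_NET 1024: -> $FILESRV 445
pass udp $HOME_NET 1024: -> $FILESRV 445
pass udp $FILESRV 445 -> $HOME_NET 1024:
# remove 137,138,139 if your network is NetBIOS free
pass tcp $HOME_NET 1024: -> $FILESRV 137
pass udp $HOME_NET 1024: -> $FILESRV 137
pass udp $FILESRV 137 -> $HOME_NET 1024:
pass udp $HOME_NET 1024: -> $FILESRV 138
pass udp $FILESRV 138 -> $HOME_NET 1024:
pass tcp $HOME_NET 1024: -> $FILESRV 139
pass udp $HOME_NET 1024: -> $FILESRV 139
pass udp $FILESRV 139 -> $HOME_NET 1024:
# NetBIOS broadcasts
pass udp $HOME_NET 137 -> 255.255.255.255 137
pass udp $HOME_NET 138 -> 255.255.255.255 138

# Filter for HTTP
pass tcp $HOME_NET 1024: -> $WEB 80

# Filter for SQL
pass tcp $HOME_NET 1024: -> $SQL 1433
# SQL browser discovery broadcast and its reply (original had "1434:")
pass udp $HOME_NET 1024: -> 255.255.255.255 1434
pass udp $SQL 1434 -> $HOME_NET 1024:

# Filter for SMTP
pass tcp $EXCHANGE 1024: -> $PROXY 25
pass tcp $PROXY 1024: -> $EXCHANGE 25

# Filter for remote control (RDP) - admin workstation only
pass tcp $ADMINS 1024: -> $SERVERS 3389

# Filter for remote control (SSH) - admin workstation only
pass tcp $ADMINS 1024: -> $LINUX 22

# Filters for ICMP
pass icmp $HOME_NET any -> $DCS any

# Filters for PROXY
pass tcp $HOME_NET 1024: -> $PROXY 8080
#<2>

#<3>
# Passthrough
# NOTE(review): all TCP/UDP/ICMP between the DCs and Exchange bypasses
# every alert rule below; keep $PASS as small as possible
pass tcp $PASS any -> $PASS any
pass udp $PASS any -> $PASS any
pass icmp $PASS any -> $PASS any
#<3>

#<4>
# Catch-all rules: anything not passed above is alerted on and
# actively answered (resp: needs a flexresp-enabled Snort build).
# NOTE(review): active responses are sent to whatever source/destination
# the packet carries, so spoofed packets can make the sensor emit
# resets/unreachables toward third parties - consider alert-only
# rules here if that is a concern.
alert tcp any any -> any any (flags: !R; msg: "Bad TCP connection"; \
  flow: to_server; resp: rst_all;)
alert udp any any -> any any (msg: "Bad UDP packet"; \
  resp: icmp_port,icmp_host;)
alert icmp any any -> any any (msg: "Bad ICMP packet";)
#<4>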