libnfc: moved to github
[openwrt.org/packages.git] / net / 150-config-preprocessors-disable.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
--- a/etc/snort.conf
+++ b/etc/snort.conf
@@ -20,6 +20,13 @@
 #     test mode -T you are required to supply an interface -i <interface>
 #     or test mode will fail to fully validate the configuration and
 #     exit with a FATAL error
+#!
+#!  OpenWrt:
+#!    Some options in this config were changed to adapt snort for OpenWrt. Any changes
+#!    made to the original default configuration will start with '#! ' so you can track
+#!    the changes.
+#!
+#!    Most preprocessors and rules were disabled to save memory.
 #--------------------------------------------------
 
 ###################################################
@@ -42,10 +49,12 @@
 ###################################################
 
 # Setup the network addresses you are protecting
-ipvar HOME_NET any
+#! ipvar HOME_NET any
+ipvar HOME_NET 192.168.1.0/24
 
 # Set up the external network addresses. Leave as "any" in most situations
-ipvar EXTERNAL_NET any
+#! ipvar EXTERNAL_NET any
+ipvar EXTERNAL_NET !$HOME_NET
 
 # List of DNS servers on your network 
 ipvar DNS_SERVERS $HOME_NET
@@ -101,17 +110,23 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.2
 # Path to your rules files (this can be a relative path)
 # Note for Windows users:  You are advised to make this an absolute path,
 # such as:  c:\snort\rules
-var RULE_PATH ../rules
-var SO_RULE_PATH ../so_rules
-var PREPROC_RULE_PATH ../preproc_rules
+#! Those paths are relative to this snort.conf file.
+#! var RULE_PATH ../rules
+#! var SO_RULE_PATH ../so_rules
+#! var PREPROC_RULE_PATH ../preproc_rules
+var RULE_PATH ./rules
+var SO_RULE_PATH ./so_rules
+var PREPROC_RULE_PATH ./preproc_rules
 
 # If you are using reputation preprocessor set these
 # Currently there is a bug with relative paths, they are relative to where snort is
 # not relative to snort.conf like the above variables
 # This is completely inconsistent with how other vars work, BUG 89986
 # Set the absolute path appropriately
-var WHITE_LIST_PATH ../rules
-var BLACK_LIST_PATH ../rules
+#! var WHITE_LIST_PATH ../rules
+#! var BLACK_LIST_PATH ../rules
+var WHITE_LIST_PATH ./rules
+var BLACK_LIST_PATH ./rules
 
 ###################################################
 # Step #2: Configure the decoder.  For more information, see README.decode
@@ -244,13 +259,16 @@ config paf_max: 16000
 ###################################################
 
 # path to dynamic preprocessor libraries
-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+#! dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
 
 # path to base preprocessor engine
-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+#! dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+#! dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so #! disabled for performance reasons
 
 # path to dynamic rules libraries
-dynamicdetection directory /usr/local/lib/snort_dynamicrules
+#! dynamicdetection directory /usr/local/lib/snort_dynamicrules
+#! dynamicdetection directory /usr/lib/snort_dynamicrules #! disabled for performance reasons
 
 ###################################################
 # Step #5: Configure preprocessors
@@ -294,124 +312,128 @@ preprocessor stream5_udp: timeout 180
 # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
 
 # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
-preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
-preprocessor http_inspect_server: server default \
-    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
-    chunk_length 500000 \
-    server_flow_depth 0 \
-    client_flow_depth 0 \
-    post_depth 65495 \
-    oversize_dir_length 500 \
-    max_header_length 750 \
-    max_headers 100 \
-    max_spaces 0 \
-    small_chunk_length { 10 5 } \
-    ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
-    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
-    enable_cookie \
-    extended_response_inspection \
-    inspect_gzip \
-    normalize_utf \
-    unlimited_decompress \
-    normalize_javascript \
-    apache_whitespace no \
-    ascii no \
-    bare_byte no \
-    directory no \
-    double_decode no \
-    iis_backslash no \
-    iis_delimiter no \
-    iis_unicode no \
-    multi_slash no \
-    utf_8 no \
-    u_encode yes \
-    webroot no
+#! disabled for performance reasons:
+#! preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
+#! preprocessor http_inspect_server: server default \
+#!     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
+#!     chunk_length 500000 \
+#!     server_flow_depth 0 \
+#!     client_flow_depth 0 \
+#!     post_depth 65495 \
+#!     oversize_dir_length 500 \
+#!     max_header_length 750 \
+#!     max_headers 100 \
+#!     max_spaces 0 \
+#!     small_chunk_length { 10 5 } \
+#!     ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
+#!     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
+#!     enable_cookie \
+#!     extended_response_inspection \
+#!     inspect_gzip \
+#!     normalize_utf \
+#!     unlimited_decompress \
+#!     normalize_javascript \
+#!     apache_whitespace no \
+#!     ascii no \
+#!     bare_byte no \
+#!     directory no \
+#!     double_decode no \
+#!     iis_backslash no \
+#!     iis_delimiter no \
+#!     iis_unicode no \
+#!     multi_slash no \
+#!     utf_8 no \
+#!     u_encode yes \
+#!     webroot no
 
 # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
-preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
+#! disabled for performance reasons:
+#! preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
 
 # Back Orifice detection.
-preprocessor bo
+#! preprocessor bo #! disabled for performance reasons
 
 # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
-preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no
-preprocessor ftp_telnet_protocol: telnet \
-    ayt_attack_thresh 20 \
-    normalize ports { 23 } \
-    detect_anomalies
-preprocessor ftp_telnet_protocol: ftp server default \
-    def_max_param_len 100 \
-    ports { 21 2100 3535 } \
-    telnet_cmds yes \
-    ignore_telnet_erase_cmds yes \
-    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
-    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
-    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
-    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
-    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
-    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
-    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
-    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
-    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
-    ftp_cmds { XSEN XSHA1 XSHA256 } \
-    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
-    alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
-    alt_max_param_len 256 { CWD RNTO } \
-    alt_max_param_len 400 { PORT } \
-    alt_max_param_len 512 { SIZE } \
-    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
-    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
-    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
-    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
-    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
-    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
-    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ 
-    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
-    cmd_validity ALLO < int [ char R int ] > \    
-    cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
-    cmd_validity MACB < string > \
-    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
-    cmd_validity MODE < char ASBCZ > \
-    cmd_validity PORT < host_port > \
-    cmd_validity PROT < char CSEP > \
-    cmd_validity STRU < char FRPO [ string ] > \    
-    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
-preprocessor ftp_telnet_protocol: ftp client default \
-    max_resp_len 256 \
-    bounce yes \
-    ignore_telnet_erase_cmds yes \
-    telnet_cmds yes
+#! disabled for performance reasons:
+#! preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
+#! preprocessor ftp_telnet_protocol: telnet \
+#!     ayt_attack_thresh 20 \
+#!     normalize ports { 23 } \
+#!     detect_anomalies
+#! preprocessor ftp_telnet_protocol: ftp server default \
+#!     def_max_param_len 100 \
+#!     ports { 21 2100 3535 } \
+#!     telnet_cmds yes \
+#!     ignore_telnet_erase_cmds yes \
+#!     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
+#!     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
+#!     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
+#!     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
+#!     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
+#!     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
+#!     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
+#!     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
+#!     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
+#!     ftp_cmds { XSEN XSHA1 XSHA256 } \
+#!     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
+#!     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
+#!     alt_max_param_len 256 { CWD RNTO } \
+#!     alt_max_param_len 400 { PORT } \
+#!     alt_max_param_len 512 { SIZE } \
+#!     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
+#!     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
+#!     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
+#!     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
+#!     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
+#!     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
+#!     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ 
+#!     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
+#!     cmd_validity ALLO < int [ char R int ] > \    
+#!     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
+#!     cmd_validity MACB < string > \
+#!     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+#!     cmd_validity MODE < char ASBCZ > \
+#!     cmd_validity PORT < host_port > \
+#!     cmd_validity PROT < char CSEP > \
+#!     cmd_validity STRU < char FRPO [ string ] > \    
+#!     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
+#! preprocessor ftp_telnet_protocol: ftp client default \
+#!     max_resp_len 256 \
+#!     bounce yes \
+#!     ignore_telnet_erase_cmds yes \
+#!     telnet_cmds yes
 
 
 # SMTP normalization and anomaly detection.  For more information, see README.SMTP
-preprocessor smtp: ports { 25 465 587 691 } \
-    inspection_type stateful \
-    b64_decode_depth 0 \
-    qp_decode_depth 0 \
-    bitenc_decode_depth 0 \
-    uu_decode_depth 0 \
-    log_mailfrom \
-    log_rcptto \
-    log_filename \
-    log_email_hdrs \
-    normalize cmds \
-    normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
-    normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
-    normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
-    normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
-    max_command_line_len 512 \
-    max_header_line_len 1000 \
-    max_response_line_len 512 \
-    alt_max_command_line_len 260 { MAIL } \
-    alt_max_command_line_len 300 { RCPT } \
-    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
-    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
-    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
-    valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ 
-    valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
-    valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
-    valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
-    xlink2state { enabled }
+#! disabled for performance reasons:
+#! preprocessor smtp: ports { 25 465 587 691 } \
+#!     inspection_type stateful \
+#!     b64_decode_depth 0 \
+#!     qp_decode_depth 0 \
+#!     bitenc_decode_depth 0 \
+#!     uu_decode_depth 0 \
+#!     log_mailfrom \
+#!     log_rcptto \
+#!     log_filename \
+#!     log_email_hdrs \
+#!     normalize cmds \
+#!     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
+#!     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
+#!     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
+#!     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+#!     max_command_line_len 512 \
+#!     max_header_line_len 1000 \
+#!     max_response_line_len 512 \
+#!     alt_max_command_line_len 260 { MAIL } \
+#!     alt_max_command_line_len 300 { RCPT } \
+#!     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
+#!     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
+#!     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+#!     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ 
+#!     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
+#!     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
+#!     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+#!     xlink2state { enabled }
 
 # Portscan detection.  For more information, see README.sfportscan
 # preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
@@ -430,17 +452,19 @@ preprocessor ssh: server_ports { 22 } \
                   enable_srvoverflow enable_protomismatch
 
 # SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
-preprocessor dcerpc2: memcap 102400, events [co ]
-preprocessor dcerpc2_server: default, policy WinXP, \
-    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
-    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
-    smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
+#! disabled for performance reasons:
+#! preprocessor dcerpc2: memcap 102400, events [co ]
+#! preprocessor dcerpc2_server: default, policy WinXP, \
+#!     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
+#!     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
+#!     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
 
 # DNS anomaly detection.  For more information, see README.dns
-preprocessor dns: ports { 53 } enable_rdata_overflow
+#! preprocessor dns: ports { 53 } enable_rdata_overflow #! disabled for performance reasons
 
 # SSL anomaly detection and traffic bypass.  For more information, see README.ssl
-preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
+#! disabled for performance reasons:
+#! preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
 
 # SDF sensitive data preprocessor.  For more information see README.sensitive_data
 preprocessor sensitive_data: alert_threshold 25
@@ -503,12 +527,13 @@ preprocessor dnp3: ports { 20000 } \
    check_crc
 
 # Reputation preprocessor. For more information see README.reputation
-preprocessor reputation: \
-   memcap 500, \
-   priority whitelist, \
-   nested_ip inner, \
-   whitelist $WHITE_LIST_PATH/white_list.rules, \
-   blacklist $BLACK_LIST_PATH/black_list.rules 
+#! disabled for performance reasons:
+#! preprocessor reputation: \
+#!    memcap 500, \
+#!    priority whitelist, \
+#!    nested_ip inner, \
+#!    whitelist $WHITE_LIST_PATH/white_list.rules, \
+#!    blacklist $BLACK_LIST_PATH/black_list.rules 
 
 ###################################################
 # Step #6: Configure output plugins
@@ -551,60 +576,71 @@ include reference.config
 # site specific rules
 include $RULE_PATH/local.rules
 
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/backdoor.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/blacklist.rules
-include $RULE_PATH/botnet-cnc.rules
-include $RULE_PATH/chat.rules
-include $RULE_PATH/content-replace.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/file-identify.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/icmp-info.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/info.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/multimedia.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/other-ids.rules
-include $RULE_PATH/p2p.rules
-include $RULE_PATH/phishing-spam.rules
-include $RULE_PATH/policy.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/scada.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/shellcode.rules
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/snmp.rules
-include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/spyware-put.rules
-include $RULE_PATH/sql.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/tftp.rules
-include $RULE_PATH/virus.rules
-include $RULE_PATH/voip.rules
-include $RULE_PATH/web-activex.rules
-include $RULE_PATH/web-attacks.rules
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-php.rules
-include $RULE_PATH/x11.rules
+#! include $RULE_PATH/attack-responses.rules
+#! include $RULE_PATH/backdoor.rules
+#! include $RULE_PATH/bad-traffic.rules
+#! include $RULE_PATH/blacklist.rules
+#! include $RULE_PATH/botnet-cnc.rules
+#! include $RULE_PATH/chat.rules
+#! include $RULE_PATH/content-replace.rules
+#! include $RULE_PATH/ddos.rules
+#! include $RULE_PATH/dns.rules
+#! include $RULE_PATH/dos.rules
+#! include $RULE_PATH/exploit.rules
+#! include $RULE_PATH/file-identify.rules
+#! include $RULE_PATH/file-office.rules
+#! include $RULE_PATH/file-other.rules
+#! include $RULE_PATH/file-pdf.rules
+#! include $RULE_PATH/finger.rules
+#! include $RULE_PATH/ftp.rules
+#! include $RULE_PATH/icmp.rules
+#! include $RULE_PATH/icmp-info.rules
+#! include $RULE_PATH/imap.rules
+#! include $RULE_PATH/indicator-compromise.rules
+#! include $RULE_PATH/indicator-obfuscation.rules
+#! include $RULE_PATH/info.rules
+#! include $RULE_PATH/misc.rules
+#! include $RULE_PATH/multimedia.rules
+#! include $RULE_PATH/mysql.rules
+#! include $RULE_PATH/netbios.rules
+#! include $RULE_PATH/nntp.rules
+#! include $RULE_PATH/oracle.rules
+#! include $RULE_PATH/other-ids.rules
+#! include $RULE_PATH/p2p.rules
+#! include $RULE_PATH/phishing-spam.rules
+#! include $RULE_PATH/policy.rules
+#! include $RULE_PATH/policy-multimedia.rules
+#! include $RULE_PATH/policy-other.rules
+#! include $RULE_PATH/policy-social.rules
+#! include $RULE_PATH/pop2.rules
+#! include $RULE_PATH/pop3.rules
+#! include $RULE_PATH/pua-p2p.rules
+#! include $RULE_PATH/pua-toolbars.rules
+#! include $RULE_PATH/rpc.rules
+#! include $RULE_PATH/rservices.rules
+#! include $RULE_PATH/scada.rules
+#! include $RULE_PATH/scan.rules
+#! include $RULE_PATH/server-mail.rules
+#! include $RULE_PATH/shellcode.rules
+#! include $RULE_PATH/smtp.rules
+#! include $RULE_PATH/snmp.rules
+#! include $RULE_PATH/specific-threats.rules
+#! include $RULE_PATH/spyware-put.rules
+#! include $RULE_PATH/sql.rules
+#! include $RULE_PATH/telnet.rules
+#! include $RULE_PATH/tftp.rules
+#! include $RULE_PATH/virus.rules
+#! include $RULE_PATH/voip.rules
+#! include $RULE_PATH/web-activex.rules
+#! include $RULE_PATH/web-attacks.rules
+#! include $RULE_PATH/web-cgi.rules
+#! include $RULE_PATH/web-client.rules
+#! include $RULE_PATH/web-coldfusion.rules
+#! include $RULE_PATH/web-frontpage.rules
+#! include $RULE_PATH/web-iis.rules
+#! include $RULE_PATH/web-misc.rules
+#! include $RULE_PATH/web-php.rules
+#! include $RULE_PATH/x11.rules
 
 ###################################################
 # Step #8: Customize your preprocessor and decoder alerts
 
comments