Ticket #42858: oinkmaster-suricata.conf

File oinkmaster-suricata.conf, 20.1 KB (added by jul_bsd@…, 11 years ago)
Line 
1# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
2
3# This file is pretty big by default, but don't worry.
4# The only things required are "path" and "update_files". You must also
5# set "url" to point to the correct rules archive for your version of
6# Snort, unless you prefer to specify this on the command line.
7# The rest in here is just a few recommended defaults, and examples
8# how to use all the other optional features and give some ideas how they
9# could be used.
10
11# Remember not to let untrusted users edit Oinkmaster configuration
12# files, as things like the PATH to use during execution is defined
13# in here.
14
15
16
17# Use "url = <url>" to specify the location of the rules archive to
18# download. The url must begin with http://, https://, ftp://, file://
19# or scp:// and end with .tar.gz or .tgz, and the file must be a
20# gzipped tarball what contains a directory named "rules".
21# You can also point to a local directory with dir://<directory>.
22# Multiple "url = <url>" lines can be specified to grab multiple rules
23# archives from different locations.
24#
25# Note: if URL is specified on the command line, it overrides all
26#       possible URLs specified in the configuration file(s).
27#
28# The location of the official Snort rules you should use depends
29# on which Snort version you run. Basically, you should go to
30# http://www.snort.org/rules/ and follow the instructions
31# there to pick the right URL for your version of Snort
32# (and remember to update the URL when upgrading Snort in the
33# future). You can of course also specify locations to third party
34# rules.
35#
36# As of March 2005, you must register on the Snort site to get access
37# to the official Snort rules. This will get you an "oinkcode".
38# You then specify the URL as
39# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
40# For example, if your code is 5a081649c06a277e1022e1284b and
41# you use Snort 2.4, the url to use would be (without the wrap):
42# http://www.snort.org/pub-bin/oinkmaster.cgi/
43# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz
44# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
45# more information.
46
47url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
48
49# URL examples follows. Replace <oinkcode> with the code you get on the
50# Snort site in your registered user profile.
51
52# Example for Snort 2.4
53# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz
54
55# Example for Snort-current ("current" means cvs snapshots).
56# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz
57
58# Example for Community rules
59# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
60
61# Example for rules from the Bleeding Snort project
62# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
63
64# If you prefer to download the rules archive from outside Oinkmaster,
65# you can then point to the file on your local filesystem by using
66# file://<filename>, for example:
67# url = file:///tmp/snortrules.tar.gz
68
69# In rare cases you may want to grab the rules directly from a
70# local directory (don't confuse this with the output directory).
71# url = dir:///etc/snort/src/rules
72
73# Example to use scp to copy the rules archive from another host.
74# Only OpenSSH is tested. See the FAQ for more information.
75# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
76
77# If you use -u scp://... and need to specify a private ssh key (passed
78# as -i <key> to the scp command) you can specify it here or add an
79# entry in ~/.ssh/config for the Oinkmaster user as described in the
80# OpenSSH manual.
81# scp_key = /home/oinkmaster/oinkmaster_privkey
82
83
84# The PATH to use during execution. If you prefer to use external
85# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
86# found, and also wget if downloading via ftp, http or https. All with
87# optional .exe suffix. If you're on Cygwin, make sure that the path
88# contains the Cygwin binaries and not the native Win32 binaries or
89# you will get problems.
90# Assume UNIX style by default:
91path = /bin:/usr/bin:/usr/local/bin:%%PREFIX%%/bin
92
93# Example if running native Win32 or standalone Cygwin:
94# path = c:\oinkmaster;c:\oinkmaster\bin
95
96# Example if running standalone Cygwin and you prefer Cygwin style path:
97# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
98
99
100# We normally use external binaries (wget, tar and gzip) since they're
101# already available on most systems and do a good job. If you have the
102# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
103# those instead if you like. You can set use_external_bins below to
104# choose which method you prefer. It's set to 0 by default on Win32
105# (i.e. use Perl modules), and 1 on other systems (i.e. use external
106# binaries). The reason for that is that the required Perl modules
107# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
108# those than to install the ported Unix tools. (Note that if you're
109# using scp to download the archive, external scp  binary is still
110# used.)
111# use_external_bins = 0
112
113
114# Temporary directory to use. This directory must exist when starting and
115# Oinkmaster will then create a temporary sub directory in here.
116# Keep it as a #comment if you want to use the default.
117# The default will be checked for in the environment variables TMP,
118# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.
119
120# Example for UNIX.
121# tmpdir = /home/oinkmaster/tmp/
122
123# Example if running native Win32 or Cygwin.
124# tmpdir = c:\tmp
125
126# Example if running Cygwin and you prefer Cygwin style path.
127# tmpdir = /cygdrive/c/tmp
128
129
130# The umask to use during execution if you want it to be something
131# else than the current value when starting Oinkmaster.
132# This will affect the mode bits when writing new files.
133# Keep it commented out to keep your system's current umask.
134# umask = 0027
135
136
137# Files in the archive(s) matching this regular expression will be
138# checked for changes, and then updated or added if needed.
139# All other files will be ignored. You can then choose to skip
140# individual files by specifying the "skipfile" keyword below.
141# Normally you shouldn't need to change this one.
142update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
143
144
145# Regexp of keywords that starts a Snort rule.
146# May be useful if you create your own ruletypes and want those
147# lines to be regarded as rules as well.
148# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic
149
150
151# If the number of rules files in the downloaded archive matching the
152# 'update_files' regexp is below min_files, or if the number
153# of rules is below min_rules, the rules are regarded as broken
154# and the update is aborted with an error message.
155# Both are set to 1 by default (i.e. the archive is only regarded as
156# broken if it's totally empty).
157# If you download from multiple URLs, the count is the total number
158# of files/rules across all archives.
159# min_files = 1
160# min_rules = 1
161
162
163# By default, a basic sanity check is performed on most paths/filenames
164# to see if they contain illegal characters that may screw things up.
165# If this check is too strict for your system (e.g. you get bogus
166# "illegal characters in filename" errors because of your local language
167# etc) and you're sure you want to disable the checks completely,
168# set use_path_checks to 0.
169# use_path_checks = 1
170
171
172# If you want Oinkmaster to send a User-Agent HTTP header string
173# other than the default one for wget/LWP, set this variable.
174# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
175
176
177# You can include other files anywhere in here by using
178# "include <file>". <file> will be parsed just like a regular
179# oinkmaster.conf as soon as the include statement is seen, and then
180# return and continue parsing the rest of the original file. If an
181# option is redefined, it will override the previous value. You can use
182# as many "include" statements as you wish, and also include even more
183# files from included files. Example to load stuff from "/etc/foo.conf".
184# include /etc/foo.conf
185
186
187
188#######################################################################
189# Files to totally skip (i.e. never update or check for changes)      #
190#                                                                     #
191# Syntax: skipfile filename                                           #
192# or:     skipfile filename1, filename2, filename3, ...               #
193#######################################################################
194
195# Ignore local.rules from the rules archive by default since we might
196# have put some local rules in our own local.rules and we don't want it
197# to get overwritten by the empty one from the archive after each
198# update.
199skipfile local.rules
200
201# The file deleted.rules contains rules that have been deleted from
202# other files, so there is usually no point in updating it.
203skipfile deleted.rules
204
205# Also skip snort.conf by default since we don't want to overwrite our
206# own snort.conf if we have it in the same directory as the rules. If
207# you have your own production copy of snort.conf in another directory,
208# it may be really nice to check for changes in this file though,
209# especially since variables are sometimes added or modified and
210# new/old files are included/excluded.
211skipfile snort.conf
212
213# You may want to consider ignoring threshold.conf for the same reasons
214# as for snort.conf, i.e. if you customize it locally and don't want it
215# to become overwritten by the default one. It may be better to put
216# local thresholding/suppressing in some local file and still update
217# and use the official one though, in case important stuff is added to
218# it some day. We do update it by default, but it's your call.
219# skipfile threshold.conf
220
221# If you update from multiple URLs at the same time you may need to
222# ignore the sid-msg.map (and generate it yourself if you need one) as
223# it's usually included in each rules tarball. See the FAQ for more info.
224# skipfile sid-msg.map
225
226
227
228##########################################################################
229# SIDs to modify after each update (only for the skilled/stupid/brave).  #
230# Don't use it unless you have to. There is nothing that stops you from  #
231# modifying rules in such ways that they become invalid or generally     #
232# break things. You have been warned.                                    #
233# If you just want to disable SIDs, please skip this section and have a  #
234# look at the "disablesid" keyword below.                                #
235#                                                                        #
236# You may specify multiple modifysid directives for the same SID (they   #
237# will be processed in order of appearance), and you may also specify a  #
238# list of SIDs on which the substitution should be applied.              #
239# If the argument is in the form something.something it's regarded       #
240# as a filename and the substitution will apply on all rules in that     #
241# file. The wildcard ("*") can be used to apply the substitution on all  #
242# rules regardless of the SID or file. Please avoid using #comments      #
243# at the end of modifysid lines, they may confuse the parser in some     #
244# situations.                                                            #
245#                                                                        #
246# Syntax:                                                                #
247#   modifysid SID "replacethis" | "withthis"                             #   
248# or:                                                                    #
249#   modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"           #
250# or:                                                                    #
251#   modifysid file "replacethis" | "withthis"                            #   
252# or:                                                                    #
253#   modifysid * "replacethis" | "withthis"                               #
254#                                                                        #
255# The strings within the quotes will basically be passed to a            #
256# s/replacethis/withthis/ statement in Perl, so they must be valid       #
257# regular expressions. The strings are case-insensitive and only the     #
258# first occurrence will be replaced. If there are multiple occurrences   #
259# you want to replace, simply repeat the same modifysid line.            #
260# As the strings are regular expressions, you MUST escape special        #
261# characters like $ \ / ( ) | by prepending a "\" to them.               #
262#                                                                        #
263# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
264# will first translate the rule into a single-line version and then      #
265# perform the substitution, so you don't have to care about the trailing #
266# backslashes and newlines.                                              #
267#                                                                        #
268# If you use backreference variables in the substitution expression,     #
269# it's strongly recommended to specify them as ${1} instead of $1 and so #
270# on, to avoid parsing confusion with unexpected results in some         #
271# situations. Note that modifysid statements will process both active    #
272# and inactive (disabled) rules.                                         #
273#                                                                        #
274# You may want to check out README.templates and template-examples.conf  #
275# to find how you can simplify the modifysid usage by using templates.   #
276##########################################################################
277
278# Example to enable a rule (in this case SID 1325) that is disabled by
279# default, by simply replacing leading "#alert" with "alert".
280# (You should really use 'enablesid' for this though.)
281# Oinkmaster removes whitespaces next to the leading "#" so you don't
282# have to worry about that, but be careful about possible whitespace in
283# other places when writing the regexps.
284# modifysid 1325 "^#alert" | "alert"
285
286# You could also do this to enable it no matter what type of rule it is
287# (alert, log, pass, etc).
288# modifysid 1325 "^#" | ""
289
290# Example to add "tag" stuff to SID 1325.
291# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
292
293# Example to make SID 1378 a 'drop' rule (valid if you're running
294# Snort_inline).
295# modifysid 1378 "^alert" | "drop"
296
297# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
298# in SID 302.
299# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
300
301# You can also specify that a substitution should apply on multiple SIDs.
302# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"
303
304# You can take advantage of the fact that it's regular expressions and
305# do more complex stuff. This example (for Snort_inline) adds a 'replace'
306# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
307# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
308#                "${1} replace:"\/foo\/sh";"
309
310# If you for some reason would like to add a comment inside the actual
311# rules file, like the reason why you disabled this rule, you can do
312# like this (you would normally add such comments in oinkmaster.conf
313# though).
314# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
315
316# Here is an example that is actually useful. Let's say you don't care
317# about incoming welchia pings (detected by SID 483 at the time of
318# writing) but you want to know when infected hosts on your network
319# scans hosts on the outside. (Remember that watching for outgoing
320# malicious packets is often just as important as watching for incoming
321# ones, especially in this case.) The rule currently looks like
322# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
323# but we want to switch that so it becomes
324# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
325# Here is how it could be done.
326# modifysid 483 \
327# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
328# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
329
330# The wildcard (modifysid * ...) can be used to do all kinds of
331# interesting things. The substitution expression will be applied on all
332# matching rules. First, a silly example to replace "foo" with "bar" in
333# all rules (that have the string "foo" in them, that is.)
334# modifysid * "foo" | "bar"
335
336# If you for some reason don't want to use the stream preprocessor to
337# match established streams, you may want to replace the 'flow'
338# statement with 'flags:A+;' in all those rules.
339# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
340
341# Example to convert all rules of classtype attempted-admin to 'drop'
342# rules (for Snort_inline only, obviously).
343# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
344
345# This one will append some text to the 'msg' string for all rules that
346# have the 'tag' keyword in them.
347# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
348#             "${1}, going to tag this baby"${2}"
349
350# There may be times when you want to replace multiple occurrences of a
351# certain keyword/string in a rule and not just the first one. To
352# replace the first two occurrences of "foo" with "bar" in SID 100,
353# simply repeat the modifysid statement:
354# modifysid 100 "foo" | "bar"
355# modifysid 100 "foo" | "bar"
356 
357# Or you can even specify a SID list but repeat the same SID as many
358# times as required, like:
359# modifysid 100,100,100 "foo" | "bar"
360
361# Enable all rules in the file exploit.rules.
362# modifysid exploit.rules "^#" | ""
363
364# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
365# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""
366
367
368
369########################################################################
370# SIDs that we don't want to update.                                   #
371# If you for some reason don't want a specific rule to be updated      #
372# (e.g. you made local modifications to it and you never want to       #
373# update it and don't care about changes in the official version), you #
374# can specify a "localsid" statement for it. This means that the old   #
375# version of the rule (i.e. the one in the rules file on your          #
376# harddrive) is always kept, regardless if the official version has    #
377# been updated. Please do not use this feature unless in special       #
378# cases as it's easy to end up with many signatures that aren't        #
379# maintained anymore. See the FAQ for details about this and hints     #
380# about better solutions regarding customization of rules.             #
381#                                                                      #
382# Syntax:  localsid SID                                                #
383# or:      localsid SID1, SID2, SID3, ...                              #
384########################################################################
385
386# Example to never update SID 1325.
387# localsid 1325
388
389
390
391########################################################################
392# SIDs to enable after each update.                                    #
393# Will simply remove all the leading '#' for a specified SID (if it's  #
394# a multi-line rule, the leading '#' for all lines are removed.)       #
395# These will be processed after all the modifysid and disablesid       #
396# statements. Using 'enablesid' on a rule that is not disabled is a    #
397# NOOP.                                                                #
398#                                                                      #
399# Syntax:  enablesid SID                                               #
400# or:      enablesid SID1, SID2, SID3, ...                             #
401########################################################################
402
403# Example to enable SID 1325.
404# enablesid 1325
405
406
407
408########################################################################
409# SIDs to comment out, i.e. disable, after each update by placing a    #
410# '#' in front of the rule (if it's a multi-line rule, it will be put  #
411# in front of all lines).                                              #
412#                                                                      #
413# Syntax:  disablesid SID                                              #
414# or:      disablesid SID1, SID2, SID3, ...                            #
415########################################################################
416
417# You can specify one SID per line.
418# disablesid 1
419# disablesid 2
420# disablesid 3
421
422# And also as comma-separated lists.
423# disablesid 4,5,6
424
425# It's a good idea to also add comment about why you disable the sid:
426# disablesid 1324    # 20020101: disabled this SID just because I can