1 | # $Id: oinkmaster.conf,v 1.1.2.2 2005/05/02 17:11:58 franck78 Exp $ # |
2 | ||
3 | # Oinkmaster is a tool to update snort rules; it allows you to preserve | |
4 | # a particular setting even after a rules update. | |
5 | # This file is a customised version for IPCop. | |
6 | # Disabling/enabling a particular rule should be done in this file. | |
7 | # In case you want to use some of the rules files commented out in | |
8 | # standard ipcop /etc/snort/snort.conf : | |
9 | # -comment out the corresponding skipfile in this oinkmaster.conf | |
10 | # -uncomment the corresponding include in /etc/snort/snort.conf | |
11 | # -save the snort settings so that snort is restarted | |
12 | ||
13 | ||
14 | ################################################ | |
15 | # General options you may want to change # | |
16 | ################################################ | |
17 | ||
18 | ||
19 | ||
20 | # The PATH to use during execution. If you prefer to use external | |
21 | # binaries (i.e. use_external_bins=1, see below), tar and gzip must be | |
22 | # found, and also wget if downloading via ftp, http or https. All with | |
23 | # optional .exe suffix. If you're on Cygwin, make sure that the path | |
24 | # contains the Cygwin binaries and not the native Win32 binaries or | |
25 | # you will get problems. | |
26 | # Assume UNIX style by default: | |
27 | #path = /bin:/usr/bin:/usr/local/bin | |
28 | path = /bin | |
29 | ||
30 | # Files in the archive(s) matching this regular expression will be | |
31 | # checked for changes, and then updated or added if needed. | |
32 | # All other files will be ignored. You can then choose to skip | |
33 | # individual files by specifying the "skipfile" keyword below. | |
34 | # Normally you shouldn't need to change this one. | |
35 | update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ | |
36 | ||
37 | ||
38 | # Regexp of keywords that start a snort rule. | |
39 | # May be useful if you create your own ruletypes and want those | |
40 | # lines to be regarded as rules as well. | |
41 | # rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic | |
42 | ||
43 | ||
44 | ####################################################################### | |
45 | # Files to totally skip (i.e. never update or check for changes) # | |
46 | # # | |
47 | # Syntax: skipfile filename # | |
48 | # or: skipfile filename1, filename2, filename3, ... # | |
49 | ####################################################################### | |
50 | ||
51 | # Ignore local.rules from the rules archive by default since we might | |
52 | # have put some local rules in our own local.rules and we don't want it | |
53 | # to get overwritten by the empty one from the archive after each | |
54 | # update. | |
55 | skipfile local.rules | |
56 | ||
57 | # The file deleted.rules contains rules that have been deleted from | |
58 | # other files, so there is usually no point in updating it. | |
59 | skipfile deleted.rules | |
60 | ||
61 | # Also skip snort.conf by default since we don't want to overwrite our | |
62 | # own snort.conf if we have it in the same directory as the rules. If | |
63 | # you have your own production copy of snort.conf in another directory, | |
64 | # it may be really nice to check for changes in this file though, | |
65 | # especially since variables are sometimes added or modified and | |
66 | # new/old files are included/excluded. | |
67 | skipfile snort.conf | |
68 | ||
69 | # You may want to consider ignoring threshold.conf for the same reasons | |
70 | # as for snort.conf, i.e. if you customize it locally and don't want it | |
71 | # to become overwritten by the default one. It may be better to put | |
72 | # local thresholding/suppressing in some local file and still update | |
73 | # and use the official one though, in case important stuff is added to | |
74 | # it some day. We do update it by default, but it's your call. | |
75 | # skipfile threshold.conf | |
76 | ||
77 | # If you update from multiple URLs at the same time you must ignore | |
78 | # the sid-msg.map (and generate it yourself if you need one) as it's | |
79 | # usually included in each rules tarball. See the FAQ for more info. | |
80 | # skipfile sid-msg.map | |
81 | skipfile web-attacks.rules | |
82 | skipfile backdoor.rules | |
83 | skipfile shellcode.rules | |
84 | skipfile policy.rules | |
85 | skipfile porn.rules | |
86 | skipfile info.rules | |
87 | skipfile icmp-info.rules | |
88 | skipfile virus.rules | |
89 | skipfile chat.rules | |
90 | skipfile multimedia.rules | |
91 | skipfile p2p.rules | |
92 | skipfile experimental.rules | |
93 | ||
94 | ||
95 | ########################################################################## | |
96 | # SIDs to modify after each update (only for the skilled/stupid/brave). # | |
97 | # Don't use it unless you have to. There is nothing that stops you from # | |
98 | # modifying rules in such ways that they become invalid or generally # | |
99 | # break things. You have been warned. # | |
100 | # If you just want to disable SIDs, please skip this section and have a # | |
101 | # look at the "disablesid" keyword below. # | |
102 | # # | |
103 | # You may specify multiple modifysid directives for the same SID (they # | |
104 | # will be processed in order of appearance), and you may also specify a # | |
105 | # list of SIDs on which the substitution should be applied. # | |
106 | # If the argument is in the form something.something it is regarded # | |
107 | # as a filename and the substitution will apply on all rules in that # | |
108 | # file. The wildcard ("*") can be used to apply the substitution on all # | |
109 | # rules regardless of the SID or file. Please avoid using #comments # | |
110 | # at the end of modifysid lines, they may confuse the parser in some # | |
111 | # situations. # | |
112 | # # | |
113 | # Syntax: # | |
114 | # modifysid SID "replacethis" | "withthis" # | |
115 | # or: # | |
116 | # modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" # | |
117 | # or: # | |
118 | # modifysid file "replacethis" | "withthis" # | |
119 | # or: # | |
120 | # modifysid * "replacethis" | "withthis" # | |
121 | # # | |
122 | # The strings within the quotes will simply be passed to a # | |
123 | # s/replacethis/withthis/ statement in Perl, so they must be valid # | |
124 | # regular expressions. The strings are case-sensitive and only the first # | |
125 | # occurrence will be replaced. If there are multiple occurrences you # | |
126 | # want to replace, simply repeat the same modifysid line. # | |
127 | # # | |
128 | # If you specify a modifysid statement for a multi-line rule, Oinkmaster # | |
129 | # will first translate the rule into a single-line version and then # | |
130 | # perform the substitution, so you don't have to care about the trailing # | |
131 | # backslashes and newlines. # | |
132 | # # | |
133 | # If you use variables in the substitution expression, it is strongly # | |
134 | # recommended to always specify them like ${varname} instead of # | |
135 | # $varname (like ${1} instead of $1 for example) to avoid parsing # | |
136 | # confusion in some situations. Note that modifysid statements # | |
137 | # will process both active and inactive (disabled) rules. # | |
138 | # # | |
139 | # You may want to check out README.templates and template-examples.conf # | |
140 | # to find how you can simplify the modifysid usage by using templates. # | |
141 | ########################################################################## | |
142 | ||
143 | # Example to enable a rule (in this case SID 1325) that is disabled by | |
144 | # default, by simply replacing leading "#alert" with "alert". | |
145 | # (You should really use 'enablesid' for this though.) | |
146 | # Oinkmaster removes whitespace next to the leading "#" so you don't | |
147 | # have to worry about that, but be careful about possible whitespace in | |
148 | # other places when writing the regexps. | |
149 | # modifysid 1325 "^#alert" | "alert" | |
150 | ||
151 | # You could also do this to enable it no matter what type of rule it is | |
152 | # (alert, log, pass, etc). | |
153 | # modifysid 1325 "^#" | "" | |
154 | ||
155 | # Example to add "tag" stuff to SID 1325. | |
156 | # modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;" | |
157 | ||
158 | # Example to make SID 1378 a 'drop' rule (valid if you're running | |
159 | # Snort_inline). | |
160 | # modifysid 1378 "^alert" | "drop" | |
161 | ||
162 | # Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET | |
163 | # in SID 302. Remember that the strings are regular expressions, so you | |
164 | # must escape special characters like $. | |
165 | # modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET" | |
166 | ||
167 | # You can also specify that a substitution should apply on multiple SIDs. | |
168 | # modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET" | |
169 | ||
170 | # You can take advantage of the fact that it's regular expressions and | |
171 | # do more complex stuff. This example (for Snort_inline) adds a 'replace' | |
172 | # statement to SID 1324 that replaces "/bin/sh" with "/foo/sh". | |
173 | # modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \ | |
174 | # "${1} replace:"\/foo\/sh";" | |
175 | ||
176 | # If you for some reason would like to add a comment inside the actual | |
177 | # rules file, like the reason why you disabled this rule, you can do | |
178 | # like this (you would normally add such comments in oinkmaster.conf | |
179 | # though). | |
180 | # modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}" | |
181 | ||
182 | # Here is an example that is actually useful. Let's say you don't care | |
183 | # about incoming welchia pings (detected by SID 483 at the time of | |
184 | # writing) but you want to know when infected hosts on your network | |
185 | # scan hosts on the outside. (Remember that watching for outgoing | |
186 | # malicious packets is often just as important as watching for incoming | |
187 | # ones, especially in this case.) The rule currently looks like | |
188 | # "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..." | |
189 | # but we want to switch that so it becomes | |
190 | # "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...". | |
191 | # Here is how it could be done. | |
192 | # modifysid 483 \ | |
193 | # "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \ | |
194 | # "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}" | |
195 | ||
196 | # The wildcard (modifysid * ...) can be used to do all kinds of | |
197 | # interesting things. The substitution expression will be applied on all | |
198 | # matching rules. First, a silly example to replace "foo" with "bar" in | |
199 | # all rules (that have the string "foo" in them, that is.) | |
200 | # modifysid * "foo" | "bar" | |
201 | ||
202 | # If you for some reason don't want to use the stream preprocessor to | |
203 | # match established streams, you may want to replace the 'flow' | |
204 | # statement with 'flags:A+;' in all those rules. | |
205 | # modifysid * "flow:[a-z,_ ]+;" | "flags:A+;" | |
206 | ||
207 | # Example to convert all rules of classtype attempted-admin to 'drop' | |
208 | # rules (for Snort_inline only, obviously). | |
209 | # modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}" | |
210 | ||
211 | # This one will append some text to the 'msg' string for all rules that | |
212 | # have the 'tag' keyword in them. | |
213 | # modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \ | |
214 | # "${1}, going to tag this baby"${2}" | |
215 | ||
216 | # There may be times when you want to replace multiple occurrences of a | |
217 | # certain keyword/string in a rule and not just the first one. To | |
218 | # replace the first two occurrences of "foo" with "bar" in SID 100, | |
219 | # simply repeat the modifysid statement: | |
220 | # modifysid 100 "foo" | "bar" | |
221 | # modifysid 100 "foo" | "bar" | |
222 | ||
223 | # Or you can even specify a SID list but repeat the same SID as many | |
224 | # times as required, like: | |
225 | # modifysid 100,100,100 "foo" | "bar" | |
226 | ||
227 | # Enable all rules in the file exploit.rules. | |
228 | # modifysid exploit.rules "^#" | "" | |
229 | ||
230 | # Enable all rules in exploit.rules, icmp-info.rules and also SID 1171. | |
231 | # modifysid exploit.rules, snmp.rules, 1171 "^#" | "" | |
232 | ||
233 | ||
234 | ||
235 | ######################################################################## | |
236 | # SIDs that we don't want to update. # | |
237 | # If you for some reason don't want a specific rule to be updated # | |
238 | # (e.g. you made local modifications to it and you never want to # | |
239 | # update it and don't care about changes in the official version), you # | |
240 | # can specify a "localsid" statement for it. This means that the old # | |
241 | # version of the rule (i.e. the one in the rules file on your # | |
242 | # harddrive) is always kept, regardless if the official version has # | |
243 | # been updated. Please do not use this feature unless in special # | |
244 | # cases as it's easy to end up with many signatures that aren't # | |
245 | # maintained anymore. See the FAQ for details about this and hints # | |
246 | # about better solutions regarding customization of rules. # | |
247 | # # | |
248 | # Syntax: localsid SID # | |
249 | # or: localsid SID1, SID2, SID3, ... # | |
250 | ######################################################################## | |
251 | ||
252 | # Example to never update SID 1325. | |
253 | # localsid 1325 | |
254 | ||
255 | ||
256 | ||
257 | ######################################################################## | |
258 | # SIDs to enable after each update. # | |
259 | # Will simply remove all the leading '#' for a specified SID (if it's # | |
260 | # a multi-line rule, the leading '#' for all lines are removed.) # | |
261 | # These will be processed after all the modifysid and disablesid # | |
262 | # statements. Using 'enablesid' on a rule that is not disabled is a # | |
263 | # NOOP. # | |
264 | # # | |
265 | # Syntax: enablesid SID # | |
266 | # or: enablesid SID1, SID2, SID3, ... # | |
267 | ######################################################################## | |
268 | ||
269 | # Example to enable SID 1325. | |
270 | # enablesid 1325 | |
271 | ||
272 | ||
273 | ||
274 | ######################################################################## | |
275 | # SIDs to comment out, i.e. disable, after each update by placing a # | |
276 | # '#' in front of the rule (if it's a multi-line rule, it will be put # | |
277 | # in front of all lines). # | |
278 | # # | |
279 | # Syntax: disablesid SID # | |
280 | # or: disablesid SID1, SID2, SID3, ... # | |
281 | ######################################################################## | |
282 | ||
283 | # You can specify one SID per line. | |
284 | # disablesid 1 | |
285 | # disablesid 2 | |
286 | # disablesid 3 | |
287 | ||
288 | # And also as comma-separated lists. | |
289 | # disablesid 4,5,6 | |
290 | ||
291 | # It's a good idea to also add a comment about why you disable the sid: | |
292 | # disablesid 1324 # 20020101: disabled this SID just because I can |