git.ipfire.org Git - people/teissler/ipfire-2.x.git/blame - config/cfgroot/oinkmaster.conf
Merge branch 'next' into fifteen
Commit cd1a2927 (MT)
# $Id: oinkmaster.conf,v 1.1.2.2 2005/05/02 17:11:58 franck78 Exp $ #

# Oinkmaster is a tool for updating snort rules that lets you keep
# particular settings even after a rules update.
# This file is a customised version for IPCop.
# Disabling/enabling a particular rule should be done in this file.
# In case you want to use some of the rules files commented out in
# standard ipcop /etc/snort/snort.conf :
# -comment out the corresponding skipfile in this oinkmaster.conf
# -uncomment the corresponding include in /etc/snort.conf
# -save snort settings to restart snort


################################################
# General options you may want to change #
################################################



# The PATH to use during execution. If you prefer to use external
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
# found, and also wget if downloading via ftp, http or https. All with
# optional .exe suffix. If you're on Cygwin, make sure that the path
# contains the Cygwin binaries and not the native Win32 binaries or
# you will get problems.
# Assume UNIX style by default:
#path = /bin:/usr/bin:/usr/local/bin
path = /bin

# Files in the archive(s) matching this regular expression will be
# checked for changes, and then updated or added if needed.
# All other files will be ignored. You can then choose to skip
# individual files by specifying the "skipfile" keyword below.
# Normally you shouldn't need to change this one.
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$


# Regexp of keywords that starts a snort rule.
# May be useful if you create your own ruletypes and want those
# lines to be regarded as rules as well.
# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic


#######################################################################
# Files to totally skip (i.e. never update or check for changes) #
# #
# Syntax: skipfile filename #
# or: skipfile filename1, filename2, filename3, ... #
#######################################################################

# Ignore local.rules from the rules archive by default since we might
# have put some local rules in our own local.rules and we don't want it
# to get overwritten by the empty one from the archive after each
# update.
skipfile local.rules

# The file deleted.rules contains rules that have been deleted from
# other files, so there is usually no point in updating it.
skipfile deleted.rules

# Also skip snort.conf by default since we don't want to overwrite our
# own snort.conf if we have it in the same directory as the rules. If
# you have your own production copy of snort.conf in another directory,
# it may be really nice to check for changes in this file though,
# especially since variables are sometimes added or modified and
# new/old files are included/excluded.
skipfile snort.conf

# You may want to consider ignoring threshold.conf for the same reasons
# as for snort.conf, i.e. if you customize it locally and don't want it
# to become overwritten by the default one. It may be better to put
# local thresholding/suppressing in some local file and still update
# and use the official one though, in case important stuff is added to
# it some day. We do update it by default, but it's your call.
# skipfile threshold.conf

# If you update from multiple URLs at the same time you must ignore
# the sid-msg.map (and generate it yourself if you need one) as it's
# usually included in each rules tarball. See the FAQ for more info.
# skipfile sid-msg.map

# Rules files skipped by this IPCop configuration. To use one of them,
# comment out its skipfile line here and uncomment its include in
# snort.conf (see the notes at the top of this file).
skipfile web-attacks.rules
skipfile backdoor.rules
skipfile shellcode.rules
skipfile policy.rules
skipfile porn.rules
skipfile info.rules
skipfile icmp-info.rules
skipfile virus.rules
skipfile chat.rules
skipfile multimedia.rules
skipfile p2p.rules
skipfile experimental.rules


##########################################################################
# SIDs to modify after each update (only for the skilled/stupid/brave). #
# Don't use it unless you have to. There is nothing that stops you from #
# modifying rules in such ways that they become invalid or generally #
# break things. You have been warned. #
# If you just want to disable SIDs, please skip this section and have a #
# look at the "disablesid" keyword below. #
# #
# You may specify multiple modifysid directives for the same SID (they #
# will be processed in order of appearance), and you may also specify a #
# list of SIDs on which the substitution should be applied. #
# If the argument is in the form something.something it is regarded #
# as a filename and the substitution will apply on all rules in that #
# file. The wildcard ("*") can be used to apply the substitution on all #
# rules regardless of the SID or file. Please avoid using #comments #
# at the end of modifysid lines, they may confuse the parser in some #
# situations. #
# #
# Syntax: #
# modifysid SID "replacethis" | "withthis" #
# or: #
# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" #
# or: #
# modifysid file "replacethis" | "withthis" #
# or: #
# modifysid * "replacethis" | "withthis" #
# #
# The strings within the quotes will simply be passed to a #
# s/replacethis/withthis/ statement in Perl, so they must be valid #
# regular expressions. The strings are case-sensitive and only the first #
# occurrence will be replaced. If there are multiple occurrences you #
# want to replace, simply repeat the same modifysid line. #
# #
# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
# will first translate the rule into a single-line version and then #
# perform the substitution, so you don't have to care about the trailing #
# backslashes and newlines. #
# #
# If you use variables in the substitution expression, it is strongly #
# recommended to always specify them like ${varname} instead of #
# $varname (like ${1} instead of $1 for example) to avoid parsing #
# confusion in some situations. Note that modifysid statements #
# will process both active and inactive (disabled) rules. #
# #
# You may want to check out README.templates and template-examples.conf #
# to find how you can simplify the modifysid usage by using templates. #
##########################################################################

# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing leading "#alert" with "alert".
# (You should really use 'enablesid' for this though.)
# Oinkmaster removes whitespace next to the leading "#" so you don't
# have to worry about that, but be careful about possible whitespace in
# other places when writing the regexps.
# modifysid 1325 "^#alert" | "alert"

# You could also do this to enable it no matter what type of rule it is
# (alert, log, pass, etc).
# modifysid 1325 "^#" | ""

# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"

# Example to make SID 1378 a 'drop' rule (valid if you're running
# Snort_inline).
# modifysid 1378 "^alert" | "drop"

# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
# in SID 302. Remember that the strings are regular expressions, so you
# must escape special characters like $.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can also specify that a substitution should apply on multiple SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
#     "${1} replace:"\/foo\/sh";"

# If you for some reason would like to add a comment inside the actual
# rules file, like the reason why you disabled this rule, you can do
# like this (you would normally add such comments in oinkmaster.conf
# though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"

# Here is an example that is actually useful. Let's say you don't care
# about incoming welchia pings (detected by SID 483 at the time of
# writing) but you want to know when infected hosts on your network
# scan hosts on the outside. (Remember that watching for outgoing
# malicious packets is often just as important as watching for incoming
# ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes
# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
# Here is how it could be done.
# modifysid 483 \
#     "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
#     "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"

# The wildcard (modifysid * ...) can be used to do all kinds of
# interesting things. The substitution expression will be applied on all
# matching rules. First, a silly example to replace "foo" with "bar" in
# all rules (that have the string "foo" in them, that is.)
# modifysid * "foo" | "bar"

# If you for some reason don't want to use the stream preprocessor to
# match established streams, you may want to replace the 'flow'
# statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"

# Example to convert all rules of classtype attempted-admin to 'drop'
# rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"

# This one will append some text to the 'msg' string for all rules that
# have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
#     "${1}, going to tag this baby"${2}"

# There may be times when you want to replace multiple occurrences of a
# certain keyword/string in a rule and not just the first one. To
# replace the first two occurrences of "foo" with "bar" in SID 100,
# simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar"

# Or you can even specify a SID list but repeat the same SID as many
# times as required, like:
# modifysid 100,100,100 "foo" | "bar"

# Enable all rules in the file exploit.rules.
# modifysid exploit.rules "^#" | ""

# Enable all rules in exploit.rules, snmp.rules and also SID 1171.
# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""



########################################################################
# SIDs that we don't want to update. #
# If you for some reason don't want a specific rule to be updated #
# (e.g. you made local modifications to it and you never want to #
# update it and don't care about changes in the official version), you #
# can specify a "localsid" statement for it. This means that the old #
# version of the rule (i.e. the one in the rules file on your #
# hard drive) is always kept, regardless of whether the official version #
# has been updated. Please do not use this feature unless in special #
# cases as it's easy to end up with many signatures that aren't #
# maintained anymore. See the FAQ for details about this and hints #
# about better solutions regarding customization of rules. #
# #
# Syntax: localsid SID #
# or: localsid SID1, SID2, SID3, ... #
########################################################################

# Example to never update SID 1325.
# localsid 1325



########################################################################
# SIDs to enable after each update. #
# Will simply remove all the leading '#' for a specified SID (if it's #
# a multi-line rule, the leading '#' is removed from all lines.) #
# These will be processed after all the modifysid and disablesid #
# statements. Using 'enablesid' on a rule that is not disabled is a #
# NOOP. #
# #
# Syntax: enablesid SID #
# or: enablesid SID1, SID2, SID3, ... #
########################################################################

# Example to enable SID 1325.
# enablesid 1325



########################################################################
# SIDs to comment out, i.e. disable, after each update by placing a #
# '#' in front of the rule (if it's a multi-line rule, it will be put #
# in front of all lines). #
# #
# Syntax: disablesid SID #
# or: disablesid SID1, SID2, SID3, ... #
########################################################################

# You can specify one SID per line.
# disablesid 1
# disablesid 2
# disablesid 3

# And also as comma-separated lists.
# disablesid 4,5,6

# It's a good idea to also add a comment about why you disable the sid:
# disablesid 1324 # 20020101: disabled this SID just because I can
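
The directive syntax documented in this file (comma-separated lists, backslash continuations on modifysid, a trailing comment on a disablesid line) is enough to audit which rule files and SIDs a given oinkmaster.conf holds back or rewrites on every update. The Python below is an added example, not part of Oinkmaster or IPFire; `SAMPLE_CONF` is constructed input, and `logical_lines` and `audit` are hypothetical names.

```python
import re

# Constructed sample using the directive syntax documented in the file above.
SAMPLE_CONF = r'''
skipfile local.rules
skipfile web-attacks.rules, backdoor.rules
# skipfile threshold.conf
disablesid 4,5,6
disablesid 1324  # 20020101: disabled this SID just because I can
enablesid 1325
modifysid 483 \
    "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
    "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
modifysid exploit.rules, snmp.rules, 1171 "^#" | ""
'''

LIST_KEYWORDS = ("skipfile", "disablesid", "enablesid", "localsid")
MODIFY_RE = re.compile(r'^modifysid\s+(.+?)\s+"(.*)"\s*\|\s*"(.*)"\s*$')

def logical_lines(text):
    """Join backslash-continued lines; drop blank and comment-only lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return the active (uncommented) directives grouped by keyword."""
    found = {k: [] for k in LIST_KEYWORDS + ("modifysid",)}
    for line in logical_lines(text):
        m = MODIFY_RE.match(line)
        if m:
            targets = [t.strip() for t in m.group(1).split(",")]
            found["modifysid"].append((targets, m.group(2), m.group(3)))
            continue
        keyword, _, rest = line.partition(" ")
        if keyword in LIST_KEYWORDS:
            rest = rest.split("#", 1)[0]  # drop a trailing comment
            found[keyword] += [v.strip() for v in rest.split(",") if v.strip()]
    return found

if __name__ == "__main__":
    for keyword, entries in audit(SAMPLE_CONF).items():
        print(keyword, entries)
```

Run against a production file, the `skipfile` and `localsid` entries are the ones to review first, since those rules never receive upstream fixes.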