# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #

# This file is pretty big by default, but don't worry.
# The only things required are "path" and "update_files". You must also
# set "url" to point to the correct rules archive for your version of
# Snort, unless you prefer to specify this on the command line.
# The rest in here is just a few recommended defaults, and examples of
# how to use all the other optional features and some ideas how they
# could be used.

# Remember not to let untrusted users edit Oinkmaster configuration
# files, as things like the PATH to use during execution are defined
# in here.


# Use "url = <url>" to specify the location of the rules archive to
# download. The url must begin with http://, https://, ftp://, file://
# or scp:// and end with .tar.gz or .tgz, and the file must be a
# gzipped tarball that contains a directory named "rules".
# You can also point to a local directory with dir://<directory>.
# Multiple "url = <url>" lines can be specified to grab multiple rules
# archives from different locations.
#
# Note: if URL is specified on the command line, it overrides all
# possible URLs specified in the configuration file(s).
#
# The location of the official Snort rules you should use depends
# on which Snort version you run. Basically, you should go to
# http://www.snort.org/rules/ and follow the instructions
# there to pick the right URL for your version of Snort
# (and remember to update the URL when upgrading Snort in the
# future). You can of course also specify locations to third party
# rules.
#
# As of March 2005, you must register on the Snort site to get access
# to the official Snort rules. This will get you an "oinkcode".
# You then specify the URL as
# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
# For example, if your code is 5a081649c06a277e1022e1284b and
# you use Snort 2.4, the url to use would be (without the wrap):
# http://www.snort.org/pub-bin/oinkmaster.cgi/
# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz
# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
# more information.


# URL examples follow. Replace <oinkcode> with the code you get on the
# Snort site in your registered user profile.

# Example for Snort 2.4
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz

# Example for Snort-current ("current" means cvs snapshots).
#url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz

# Example for Community rules
# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz

# Example for rules from the Bleeding Snort project
# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz

# If you prefer to download the rules archive from outside Oinkmaster,
# you can then point to the file on your local filesystem by using
# file://<filename>, for example:
# url = file:///tmp/snortrules.tar.gz

# In rare cases you may want to grab the rules directly from a
# local directory (don't confuse this with the output directory).
# url = dir:///etc/snort/src/rules

# Example to use scp to copy the rules archive from another host.
# Only OpenSSH is tested. See the FAQ for more information.
# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz

# If you use -u scp://... and need to specify a private ssh key (passed
# as -i <key> to the scp command) you can specify it here or add an
# entry in ~/.ssh/config for the Oinkmaster user as described in the
# OpenSSH manual.
# scp_key = /home/oinkmaster/oinkmaster_privkey


# The PATH to use during execution. If you prefer to use external
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
# found, and also wget if downloading via ftp, http or https. All with
# optional .exe suffix. If you're on Cygwin, make sure that the path
# contains the Cygwin binaries and not the native Win32 binaries or
# you will get problems.
# Assume UNIX style by default:
path = /bin:/usr/bin:/usr/local/bin

# Example if running native Win32 or standalone Cygwin:
# path = c:\oinkmaster;c:\oinkmaster\bin

# Example if running standalone Cygwin and you prefer Cygwin style path:
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin


# We normally use external binaries (wget, tar and gzip) since they're
# already available on most systems and do a good job. If you have the
# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
# those instead if you like. You can set use_external_bins below to
# choose which method you prefer. It's set to 0 by default on Win32
# (i.e. use Perl modules), and 1 on other systems (i.e. use external
# binaries). The reason for that is that the required Perl modules
# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
# those than to install the ported Unix tools. (Note that if you're
# using scp to download the archive, the external scp binary is still
# used.)
# use_external_bins = 0


# Temporary directory to use. This directory must exist when starting and
# Oinkmaster will then create a temporary sub directory in here.
# Keep it as a #comment if you want to use the default.
# The default will be checked for in the environment variables TMP,
# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.

# Example for UNIX.
# tmpdir = /home/oinkmaster/tmp/

# Example if running native Win32 or Cygwin.
# tmpdir = c:\tmp

# Example if running Cygwin and you prefer Cygwin style path.
# tmpdir = /cygdrive/c/tmp


# The umask to use during execution if you want it to be something
# else than the current value when starting Oinkmaster.
# This will affect the mode bits when writing new files.
# Keep it commented out to keep your system's current umask.
# umask = 0027


# Files in the archive(s) matching this regular expression will be
# checked for changes, and then updated or added if needed.
# All other files will be ignored. You can then choose to skip
# individual files by specifying the "skipfile" keyword below.
# Normally you shouldn't need to change this one.
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$


# Regexp of keywords that start a Snort rule.
# May be useful if you create your own ruletypes and want those
# lines to be regarded as rules as well.
# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic


# If the number of rules files in the downloaded archive matching the
# 'update_files' regexp is below min_files, or if the number
# of rules is below min_rules, the rules are regarded as broken
# and the update is aborted with an error message.
# Both are set to 1 by default (i.e. the archive is only regarded as
# broken if it's totally empty).
# If you download from multiple URLs, the count is the total number
# of files/rules across all archives.
# min_files = 1
# min_rules = 1


# By default, a basic sanity check is performed on most paths/filenames
# to see if they contain illegal characters that may screw things up.
# If this check is too strict for your system (e.g. you get bogus
# "illegal characters in filename" errors because of your local language
# etc) and you're sure you want to disable the checks completely,
# set use_path_checks to 0.
# use_path_checks = 1


# If you want Oinkmaster to send a User-Agent HTTP header string
# other than the default one for wget/LWP, set this variable.
# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


# You can include other files anywhere in here by using
# "include <file>". <file> will be parsed just like a regular
# oinkmaster.conf as soon as the include statement is seen, and then
# parsing returns and continues with the rest of the original file. If an
# option is redefined, it will override the previous value. You can use
# as many "include" statements as you wish, and also include even more
# files from included files. Example to load stuff from "/etc/foo.conf".
# include /etc/foo.conf

# Include file for enabled sids.
include /var/ipfire/suricata/oinkmaster-enabled-sids.conf

# Include file for disabled sids.
include /var/ipfire/suricata/oinkmaster-disabled-sids.conf

# Include file which defines the runmode of suricata.
include /var/ipfire/suricata/oinkmaster-modify-sids.conf

#######################################################################
# Files to totally skip (i.e. never update or check for changes)      #
#                                                                     #
# Syntax:    skipfile filename                                        #
# or:        skipfile filename1, filename2, filename3, ...            #
#######################################################################

# Ignore local.rules from the rules archive by default since we might
# have put some local rules in our own local.rules and we don't want it
# to get overwritten by the empty one from the archive after each
# update.
skipfile local.rules

# The file deleted.rules contains rules that have been deleted from
# other files, so there is usually no point in updating it.
skipfile deleted.rules

# Also skip snort.conf by default since we don't want to overwrite our
# own snort.conf if we have it in the same directory as the rules. If
# you have your own production copy of snort.conf in another directory,
# it may be really nice to check for changes in this file though,
# especially since variables are sometimes added or modified and
# new/old files are included/excluded.
#skipfile snort.conf

# You may want to consider ignoring threshold.conf for the same reasons
# as for snort.conf, i.e. if you customize it locally and don't want it
# to become overwritten by the default one. It may be better to put
# local thresholding/suppressing in some local file and still update
# and use the official one though, in case important stuff is added to
# it some day. We do update it by default, but it's your call.
# skipfile threshold.conf

# If you update from multiple URLs at the same time you may need to
# ignore the sid-msg.map (and generate it yourself if you need one) as
# it's usually included in each rules tarball. See the FAQ for more info.
# skipfile sid-msg.map



##########################################################################
# SIDs to modify after each update (only for the skilled/stupid/brave).  #
# Don't use it unless you have to. There is nothing that stops you from  #
# modifying rules in such ways that they become invalid or generally     #
# break things. You have been warned.                                    #
# If you just want to disable SIDs, please skip this section and have a  #
# look at the "disablesid" keyword below.                                #
#                                                                        #
# You may specify multiple modifysid directives for the same SID (they   #
# will be processed in order of appearance), and you may also specify a  #
# list of SIDs on which the substitution should be applied.              #
# If the argument is in the form something.something it's regarded       #
# as a filename and the substitution will apply on all rules in that     #
# file. The wildcard ("*") can be used to apply the substitution on all  #
# rules regardless of the SID or file. Please avoid using #comments      #
# at the end of modifysid lines, they may confuse the parser in some     #
# situations.                                                            #
#                                                                        #
# Syntax:                                                                #
#   modifysid SID "replacethis" | "withthis"                             #
# or:                                                                    #
#   modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"           #
# or:                                                                    #
#   modifysid file "replacethis" | "withthis"                            #
# or:                                                                    #
#   modifysid * "replacethis" | "withthis"                               #
#                                                                        #
# The strings within the quotes will basically be passed to a            #
# s/replacethis/withthis/ statement in Perl, so they must be valid       #
# regular expressions. The strings are case-insensitive and only the     #
# first occurrence will be replaced. If there are multiple occurrences   #
# you want to replace, simply repeat the same modifysid line.            #
# As the strings are regular expressions, you MUST escape special        #
# characters like $ \ / ( ) | by prepending a "\" to them.               #
#                                                                        #
# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
# will first translate the rule into a single-line version and then      #
# perform the substitution, so you don't have to care about the trailing #
# backslashes and newlines.                                              #
#                                                                        #
# If you use backreference variables in the substitution expression,     #
# it's strongly recommended to specify them as ${1} instead of $1 and so #
# on, to avoid parsing confusion with unexpected results in some         #
# situations. Note that modifysid statements will process both active    #
# and inactive (disabled) rules.                                         #
#                                                                        #
# You may want to check out README.templates and template-examples.conf  #
# to find how you can simplify the modifysid usage by using templates.   #
##########################################################################

# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing leading "#alert" with "alert".
# (You should really use 'enablesid' for this though.)
# Oinkmaster removes whitespace next to the leading "#" so you don't
# have to worry about that, but be careful about possible whitespace in
# other places when writing the regexps.
# modifysid 1325 "^#alert" | "alert"

# You could also do this to enable it no matter what type of rule it is
# (alert, log, pass, etc).
# modifysid 1325 "^#" | ""

# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"

# Example to make SID 1378 a 'drop' rule (valid if you're running
# Snort_inline).
# modifysid 1378 "^alert" | "drop"

# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
# in SID 302.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can also specify that a substitution should apply on multiple SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
#                "${1} replace:"\/foo\/sh";"

# If you for some reason would like to add a comment inside the actual
# rules file, like the reason why you disabled this rule, you can do
# like this (you would normally add such comments in oinkmaster.conf
# though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"

# Here is an example that is actually useful. Let's say you don't care
# about incoming welchia pings (detected by SID 483 at the time of
# writing) but you want to know when infected hosts on your network
# scan hosts on the outside. (Remember that watching for outgoing
# malicious packets is often just as important as watching for incoming
# ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes
# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
# Here is how it could be done.
# modifysid 483 \
#   "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
#   "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"

# The wildcard (modifysid * ...) can be used to do all kinds of
# interesting things. The substitution expression will be applied on all
# matching rules. First, a silly example to replace "foo" with "bar" in
# all rules (that have the string "foo" in them, that is.)
# modifysid * "foo" | "bar"

# If you for some reason don't want to use the stream preprocessor to
# match established streams, you may want to replace the 'flow'
# statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"

# Example to convert all rules of classtype attempted-admin to 'drop'
# rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"

# This one will append some text to the 'msg' string for all rules that
# have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
#             "${1}, going to tag this baby"${2}"

# There may be times when you want to replace multiple occurrences of a
# certain keyword/string in a rule and not just the first one. To
# replace the first two occurrences of "foo" with "bar" in SID 100,
# simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar"

# Or you can even specify a SID list but repeat the same SID as many
# times as required, like:
# modifysid 100,100,100 "foo" | "bar"

# Enable all rules in the file exploit.rules.
# modifysid exploit.rules "^#" | ""

# Enable all rules in exploit.rules, snmp.rules and also SID 1171.
# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""



########################################################################
# SIDs that we don't want to update.                                   #
# If you for some reason don't want a specific rule to be updated      #
# (e.g. you made local modifications to it and you never want to       #
# update it and don't care about changes in the official version), you #
# can specify a "localsid" statement for it. This means that the old   #
# version of the rule (i.e. the one in the rules file on your          #
# harddrive) is always kept, regardless if the official version has    #
# been updated. Please do not use this feature unless in special       #
# cases as it's easy to end up with many signatures that aren't        #
# maintained anymore. See the FAQ for details about this and hints     #
# about better solutions regarding customization of rules.             #
#                                                                      #
# Syntax:  localsid SID                                                #
# or:      localsid SID1, SID2, SID3, ...                              #
########################################################################

# Example to never update SID 1325.
# localsid 1325



########################################################################
# SIDs to enable after each update.                                    #
# Will simply remove all the leading '#' for a specified SID (if it's  #
# a multi-line rule, the leading '#' for all lines are removed.)       #
# These will be processed after all the modifysid and disablesid       #
# statements. Using 'enablesid' on a rule that is not disabled is a    #
# NOOP.                                                                #
#                                                                      #
# Syntax:  enablesid SID                                               #
# or:      enablesid SID1, SID2, SID3, ...                             #
########################################################################

# Example to enable SID 1325.
# enablesid 1325



########################################################################
# SIDs to comment out, i.e. disable, after each update by placing a    #
# '#' in front of the rule (if it's a multi-line rule, it will be put  #
# in front of all lines).                                              #
#                                                                      #
# Syntax:  disablesid SID                                              #
# or:      disablesid SID1, SID2, SID3, ...                            #
########################################################################

# You can specify one SID per line.
# disablesid 1
# disablesid 2
# disablesid 3

# And also as comma-separated lists.
# disablesid 4,5,6

# It's a good idea to also add a comment about why you disable the sid:
# disablesid 1324   # 20020101: disabled this SID just because I can