core130: update pakfire database after version change

[ipfire-2.x.git] / config / cfgroot / oinkmaster.conf

# $Id: oinkmaster.conf,v 1.1.2.2 2005/05/02 17:11:58 franck78 Exp $ #

# Oinkmaster is a tool to update snort rules, which allow to conserve
# a particular setting even after a rules update.
# This file is a customised version for IPCop.
# Disabling/enabling a particular rule should be made in this file.
# In case you want to use some of the rules files commented out in 
# standard ipcop /etc/snort/snort.conf :
# -comment out the corresponding skipfile in this oinkmaster.conf
# -uncomment the corresponding include in /etc/snort.conf
# -save snort settings to restart snort


################################################
#    General options you may want to change    #
################################################



# The PATH to use during execution. If you prefer to use external 
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be 
# found, and also wget if downloading via ftp, http or https. All with 
# optional .exe suffix. If you're on Cygwin, make sure that the path 
# contains the Cygwin binaries and not the native Win32 binaries or 
# you will get problems.
# Assume UNIX style by default:
#path = /bin:/usr/bin:/usr/local/bin
path = /bin

# Files in the archive(s) matching this regular expression will be 
# checked for changes, and then updated or added if needed.
# All other files will be ignored. You can then choose to skip
# individual files by specifying the "skipfile" keyword below.
# Normally you shouldn't need to change this one.
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$


# Regexp of keywords that starts a snort rule.
# May be useful if you create your own ruletypes and want those
# lines to be regarded as rules as well.
# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic


#######################################################################
# Files to totally skip (i.e. never update or check for changes)      #
#                                                                     #
# Syntax: skipfile filename                                           #
# or:     skipfile filename1, filename2, filename3, ...               #
#######################################################################

# Ignore local.rules from the rules archive by default since we might 
# have put some local rules in our own local.rules and we don't want it 
# to get overwritten by the empty one from the archive after each 
# update.
skipfile local.rules

# The file deleted.rules contains rules that have been deleted from 
# other files, so there is usually no point in updating it.
skipfile deleted.rules

# Also skip snort.conf by default since we don't want to overwrite our 
# own snort.conf if we have it in the same directory as the rules. If 
# you have your own production copy of snort.conf in another directory, 
# it may be really nice to check for changes in this file though, 
# especially since variables are sometimes added or modified and 
# new/old files are included/excluded.
skipfile snort.conf

# You may want to consider ignoring threshold.conf for the same reasons 
# as for snort.conf, i.e. if you customize it locally and don't want it 
# to become overwritten by the default one. It may be better to put 
# local thresholding/suppressing in some local file and still update 
# and use the official one though, in case important stuff is added to 
# it some day. We do update it by default, but it's your call.
# skipfile threshold.conf

# If you update from multiple URLs at the same time you must ignore
# the sid-msg.map (and generate it yourself if you need one) as it's
# usually included in each rules tarball. See the FAQ for more info.
# skipfile sid-msg.map
skipfile web-attacks.rules
skipfile backdoor.rules
skipfile shellcode.rules
skipfile policy.rules
skipfile porn.rules
skipfile info.rules
skipfile icmp-info.rules
skipfile virus.rules
skipfile chat.rules
skipfile multimedia.rules
skipfile p2p.rules
skipfile experimental.rules


##########################################################################
# SIDs to modify after each update (only for the skilled/stupid/brave).  #
# Don't use it unless you have to. There is nothing that stops you from  #
# modifying rules in such ways that they become invalid or generally     #
# break things. You have been warned.                                    #
# If you just want to disable SIDs, please skip this section and have a  #
# look at the "disablesid" keyword below.                                #
#                                                                        #
# You may specify multiple modifysid directives for the same SID (they   #
# will be processed in order of appearance), and you may also specify a  #
# list of SIDs on which the substitution should be applied.              #
# If the argument is in the form something.something it is regarded      #
# as a filename and the substitution will apply on all rules in that     #
# file. The wildcard ("*") can be used to apply the substitution on all  #
# rules regardless of the SID or file. Please avoid using #comments      #
# at the end of modifysid lines, they may confuse the parser in some     #
# situations.                                                            #
#                                                                        #
# Syntax:                                                                #
#   modifysid SID "replacethis" | "withthis"                             #    
# or:                                                                    #
#   modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"           #
# or:                                                                    #
#   modifysid file "replacethis" | "withthis"                            #    
# or:                                                                    #
#   modifysid * "replacethis" | "withthis"                               #
#                                                                        #
# The strings within the quotes will simply be passed to a               #
# s/replacethis/withthis/ statement in Perl, so they must be valid       #
# regular expressions. The strings are case-sensitive and only the first #
# occurrence will be replaced. If there are multiple occurrences you     #
# want to replace, simply repeat the same modifysid line.                #
#                                                                        #
# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
# will first translate the rule into a single-line version and then      #
# perform the substitution, so you don't have to care about the trailing #
# backslashes and newlines.                                              #
#                                                                        #
# If you use variables in the substitution expression, it is strongly    #
# recommended to always specify them like ${varname} instead of          #
# $varname (like ${1} instead of $1 for example) to avoid parsing        #
# confusion in some situations. Note that modifysid statements           #
# will process both active and inactive (disabled) rules.                #
#                                                                        #
# You may want to check out README.templates and template-examples.conf  #
# to find how you can simplify the modifysid usage by using templates.   #
##########################################################################

# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing leading "#alert" with "alert".
# (You should really use 'enablesid' for this though.)
# Oinkmaster removes whitespaces next to the leading "#" so you don't
# have to worry about that, but be careful about possible whitespace in
# other places when writing the regexps.
# modifysid 1325 "^#alert" | "alert"

# You could also do this to enable it no matter what type of rule it is 
# (alert, log, pass, etc).
# modifysid 1325 "^#" | ""

# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"

# Example to make SID 1378 a 'drop' rule (valid if you're running 
# Snort_inline).
# modifysid 1378 "^alert" | "drop"

# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET 
# in SID 302. Remember that the strings are regular expressions, so you 
# must escape special characters like $.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can also specify that a substitution should apply on multiple SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
#                "${1} replace:"\/foo\/sh";"

# If you for some reason would like to add a comment inside the actual 
# rules file, like the reason why you disabled this rule, you can do 
# like this (you would normally add such comments in oinkmaster.conf 
# though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"

# Here is an example that is actually useful. Let's say you don't care 
# about incoming welchia pings (detected by SID 483 at the time of 
# writing) but you want to know when infected hosts on your network 
# scans hosts on the outside. (Remember that watching for outgoing 
# malicious packets is often just as important as watching for incoming 
# ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes
# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
# Here is how it could be done.
# modifysid 483 \
# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"

# The wildcard (modifysid * ...) can be used to do all kinds of 
# interesting things. The substitution expression will be applied on all 
# matching rules. First, a silly example to replace "foo" with "bar" in 
# all rules (that have the string "foo" in them, that is.) 
# modifysid * "foo" | "bar"

# If you for some reason don't want to use the stream preprocessor to 
# match established streams, you may want to replace the 'flow' 
# statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"

# Example to convert all rules of classtype attempted-admin to 'drop' 
# rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"

# This one will append some text to the 'msg' string for all rules that 
# have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
#             "${1}, going to tag this baby"${2}"

# There may be times when you want to replace multiple occurrences of a 
# certain keyword/string in a rule and not just the first one. To 
# replace the first two occurrences of "foo" with "bar" in SID 100, 
# simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar"
 
# Or you can even specify a SID list but repeat the same SID as many 
# times as required, like:
# modifysid 100,100,100 "foo" | "bar"

# Enable all rules in the file exploit.rules.
# modifysid exploit.rules "^#" | ""

# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""



########################################################################
# SIDs that we don't want to update.                                   #
# If you for some reason don't want a specific rule to be updated      #
# (e.g. you made local modifications to it and you never want to       #
# update it and don't care about changes in the official version), you #
# can specify a "localsid" statement for it. This means that the old   #
# version of the rule (i.e. the one in the rules file on your          #
# harddrive) is always kept, regardless if the official version has    #
# been updated. Please do not use this feature unless in special       #
# cases as it's easy to end up with many signatures that aren't        #
# maintained anymore. See the FAQ for details about this and hints     #
# about better solutions regarding customization of rules.             #
#                                                                      #
# Syntax:  localsid SID                                                #
# or:      localsid SID1, SID2, SID3, ...                              #
########################################################################

# Example to never update SID 1325.
# localsid 1325



########################################################################
# SIDs to enable after each update.                                    #
# Will simply remove all the leading '#' for a specified SID (if it's  #
# a multi-line rule, the leading '#' for all lines are removed.)       #
# These will be processed after all the modifysid and disablesid       #
# statements. Using 'enablesid' on a rule that is not disabled is a    #
# NOOP.                                                                #
#                                                                      #
# Syntax:  enablesid SID                                               #
# or:      enablesid SID1, SID2, SID3, ...                             #
########################################################################

# Example to enable SID 1325.
# enablesid 1325



########################################################################
# SIDs to comment out, i.e. disable, after each update by placing a    #
# '#' in front of the rule (if it's a multi-line rule, it will be put  #
# in front of all lines).                                              #
#                                                                      #
# Syntax:  disablesid SID                                              #
# or:      disablesid SID1, SID2, SID3, ...                            #
########################################################################

# You can specify one SID per line.
# disablesid 1
# disablesid 2
# disablesid 3

# And also as comma-separated lists.
# disablesid 4,5,6

# It's a good idea to also add comment about why you disable the sid:
# disablesid 1324    # 20020101: disabled this SID just because I can