[people/stevee/ipfire-2.x.git] / config / oinkmaster / oinkmaster.conf

# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #

# This file is pretty big by default, but don't worry. 
# The only things required are "path" and "update_files". You must also 
# set "url" to point to the correct rules archive for your version of 
# Snort, unless you prefer to specify this on the command line.
# The rest in here is just a few recommended defaults, and examples
# how to use all the other optional features and give some ideas how they 
# could be used.

# Remember not to let untrusted users edit Oinkmaster configuration
# files, as things like the PATH to use during execution is defined
# in here.


# Use "url = <url>" to specify the location of the rules archive to 
# download. The url must begin with http://, https://, ftp://, file:// 
# or scp:// and end with .tar.gz or .tgz, and the file must be a 
# gzipped tarball what contains a directory named "rules".
# You can also point to a local directory with dir://<directory>.
# Multiple "url = <url>" lines can be specified to grab multiple rules
# archives from different locations.
#
# Note: if URL is specified on the command line, it overrides all 
#       possible URLs specified in the configuration file(s).
#
# The location of the official Snort rules you should use depends
# on which Snort version you run. Basically, you should go to
# http://www.snort.org/rules/ and follow the instructions
# there to pick the right URL for your version of Snort
# (and remember to update the URL when upgrading Snort in the
# future). You can of course also specify locations to third party 
# rules.
#
# As of March 2005, you must register on the Snort site to get access 
# to the official Snort rules. This will get you an "oinkcode".
# You then specify the URL as
# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
# For example, if your code is 5a081649c06a277e1022e1284b and
# you use Snort 2.4, the url to use would be (without the wrap):
# http://www.snort.org/pub-bin/oinkmaster.cgi/
# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz
# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
# more information.


# URL examples follows. Replace <oinkcode> with the code you get on the 
# Snort site in your registered user profile.

# Example for Snort 2.4
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz

# Example for Snort-current ("current" means cvs snapshots).
#url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz

# Example for Community rules
# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz

# Example for rules from the Bleeding Snort project
# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz

# If you prefer to download the rules archive from outside Oinkmaster,
# you can then point to the file on your local filesystem by using
# file://<filename>, for example:
# url = file:///tmp/snortrules.tar.gz

# In rare cases you may want to grab the rules directly from a
# local directory (don't confuse this with the output directory).
# url = dir:///etc/snort/src/rules

# Example to use scp to copy the rules archive from another host.
# Only OpenSSH is tested. See the FAQ for more information.
# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz

# If you use -u scp://... and need to specify a private ssh key (passed 
# as -i <key> to the scp command) you can specify it here or add an 
# entry in ~/.ssh/config for the Oinkmaster user as described in the 
# OpenSSH manual. 
# scp_key = /home/oinkmaster/oinkmaster_privkey


# The PATH to use during execution. If you prefer to use external 
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be 
# found, and also wget if downloading via ftp, http or https. All with 
# optional .exe suffix. If you're on Cygwin, make sure that the path 
# contains the Cygwin binaries and not the native Win32 binaries or 
# you will get problems.
# Assume UNIX style by default:
path = /bin:/usr/bin:/usr/local/bin

# Example if running native Win32 or standalone Cygwin:
# path = c:\oinkmaster;c:\oinkmaster\bin

# Example if running standalone Cygwin and you prefer Cygwin style path:
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin


# We normally use external binaries (wget, tar and gzip) since they're 
# already available on most systems and do a good job. If you have the 
# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
# those instead if you like. You can set use_external_bins below to 
# choose which method you prefer. It's set to 0 by default on Win32 
# (i.e. use Perl modules), and 1 on other systems (i.e. use external 
# binaries). The reason for that is that the required Perl modules
# are included on Windows/ActivePerl 5.8.1+, so it's easier to use 
# those than to install the ported Unix tools. (Note that if you're 
# using scp to download the archive, external scp  binary is still 
# used.) 
# use_external_bins = 0


# Temporary directory to use. This directory must exist when starting and
# Oinkmaster will then create a temporary sub directory in here.
# Keep it as a #comment if you want to use the default.
# The default will be checked for in the environment variables TMP,
# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.

# Example for UNIX.
# tmpdir = /home/oinkmaster/tmp/

# Example if running native Win32 or Cygwin.
# tmpdir = c:\tmp

# Example if running Cygwin and you prefer Cygwin style path.
# tmpdir = /cygdrive/c/tmp


# The umask to use during execution if you want it to be something
# else than the current value when starting Oinkmaster.
# This will affect the mode bits when writing new files.
# Keep it commented out to keep your system's current umask.
# umask = 0027


# Files in the archive(s) matching this regular expression will be 
# checked for changes, and then updated or added if needed.
# All other files will be ignored. You can then choose to skip
# individual files by specifying the "skipfile" keyword below.
# Normally you shouldn't need to change this one.
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$


# Regexp of keywords that starts a Snort rule.
# May be useful if you create your own ruletypes and want those
# lines to be regarded as rules as well.
# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic


# If the number of rules files in the downloaded archive matching the
# 'update_files' regexp is below min_files, or if the number
# of rules is below min_rules, the rules are regarded as broken
# and the update is aborted with an error message.
# Both are set to 1 by default (i.e. the archive is only regarded as
# broken if it's totally empty).
# If you download from multiple URLs, the count is the total number
# of files/rules across all archives.
# min_files = 1
# min_rules = 1


# By default, a basic sanity check is performed on most paths/filenames 
# to see if they contain illegal characters that may screw things up. 
# If this check is too strict for your system (e.g. you get bogus 
# "illegal characters in filename" errors because of your local language 
# etc) and you're sure you want to disable the checks completely,
# set use_path_checks to 0.
# use_path_checks = 1


# If you want Oinkmaster to send a User-Agent HTTP header string
# other than the default one for wget/LWP, set this variable.
# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


# You can include other files anywhere in here by using
# "include <file>". <file> will be parsed just like a regular 
# oinkmaster.conf as soon as the include statement is seen, and then 
# return and continue parsing the rest of the original file. If an 
# option is redefined, it will override the previous value. You can use 
# as many "include" statements as you wish, and also include even more 
# files from included files. Example to load stuff from "/etc/foo.conf".
# include /etc/foo.conf

# Include file for provider specific includes.
include /var/ipfire/suricata/oinkmaster-provider-includes.conf

# Include file which defines the runmode of suricata.
include /var/ipfire/suricata/oinkmaster-modify-sids.conf

#######################################################################
# Files to totally skip (i.e. never update or check for changes)      #
#                                                                     #
# Syntax: skipfile filename                                           #
# or:     skipfile filename1, filename2, filename3, ...               #
#######################################################################

# Ignore local.rules from the rules archive by default since we might 
# have put some local rules in our own local.rules and we don't want it 
# to get overwritten by the empty one from the archive after each 
# update.
skipfile local.rules

# The file deleted.rules contains rules that have been deleted from 
# other files, so there is usually no point in updating it.
skipfile deleted.rules

# Also skip snort.conf by default since we don't want to overwrite our 
# own snort.conf if we have it in the same directory as the rules. If 
# you have your own production copy of snort.conf in another directory, 
# it may be really nice to check for changes in this file though, 
# especially since variables are sometimes added or modified and 
# new/old files are included/excluded.
#skipfile snort.conf

# You may want to consider ignoring threshold.conf for the same reasons 
# as for snort.conf, i.e. if you customize it locally and don't want it 
# to become overwritten by the default one. It may be better to put 
# local thresholding/suppressing in some local file and still update 
# and use the official one though, in case important stuff is added to 
# it some day. We do update it by default, but it's your call.
skipfile threshold.conf

# If you update from multiple URLs at the same time you may need to 
# ignore the sid-msg.map (and generate it yourself if you need one) as 
# it's usually included in each rules tarball. See the FAQ for more info.
# skipfile sid-msg.map


##########################################################################
# SIDs to modify after each update (only for the skilled/stupid/brave).  #
# Don't use it unless you have to. There is nothing that stops you from  #
# modifying rules in such ways that they become invalid or generally     #
# break things. You have been warned.                                    #
# If you just want to disable SIDs, please skip this section and have a  #
# look at the "disablesid" keyword below.                                #
#                                                                        #
# You may specify multiple modifysid directives for the same SID (they   #
# will be processed in order of appearance), and you may also specify a  #
# list of SIDs on which the substitution should be applied.              #
# If the argument is in the form something.something it's regarded       #
# as a filename and the substitution will apply on all rules in that     #
# file. The wildcard ("*") can be used to apply the substitution on all  #
# rules regardless of the SID or file. Please avoid using #comments      #
# at the end of modifysid lines, they may confuse the parser in some     #
# situations.                                                            #
#                                                                        #
# Syntax:                                                                #
#   modifysid SID "replacethis" | "withthis"                             #    
# or:                                                                    #
#   modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"           #
# or:                                                                    #
#   modifysid file "replacethis" | "withthis"                            #    
# or:                                                                    #
#   modifysid * "replacethis" | "withthis"                               #
#                                                                        #
# The strings within the quotes will basically be passed to a            #
# s/replacethis/withthis/ statement in Perl, so they must be valid       #
# regular expressions. The strings are case-insensitive and only the     #
# first occurrence will be replaced. If there are multiple occurrences   #
# you want to replace, simply repeat the same modifysid line.            #
# As the strings are regular expressions, you MUST escape special        #
# characters like $ \ / ( ) | by prepending a "\" to them.               #
#                                                                        #
# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
# will first translate the rule into a single-line version and then      #
# perform the substitution, so you don't have to care about the trailing #
# backslashes and newlines.                                              #
#                                                                        #
# If you use backreference variables in the substitution expression,     #
# it's strongly recommended to specify them as ${1} instead of $1 and so #
# on, to avoid parsing confusion with unexpected results in some         #
# situations. Note that modifysid statements will process both active    #
# and inactive (disabled) rules.                                         #
#                                                                        #
# You may want to check out README.templates and template-examples.conf  #
# to find how you can simplify the modifysid usage by using templates.   #
##########################################################################

# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing leading "#alert" with "alert".
# (You should really use 'enablesid' for this though.)
# Oinkmaster removes whitespaces next to the leading "#" so you don't
# have to worry about that, but be careful about possible whitespace in
# other places when writing the regexps.
# modifysid 1325 "^#alert" | "alert"

# You could also do this to enable it no matter what type of rule it is
# (alert, log, pass, etc).
# modifysid 1325 "^#" | ""

# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"

# Example to make SID 1378 a 'drop' rule (valid if you're running 
# Snort_inline).
# modifysid 1378 "^alert" | "drop"

# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET 
# in SID 302.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can also specify that a substitution should apply on multiple SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
#                "${1} replace:"\/foo\/sh";"

# If you for some reason would like to add a comment inside the actual 
# rules file, like the reason why you disabled this rule, you can do 
# like this (you would normally add such comments in oinkmaster.conf 
# though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"

# Here is an example that is actually useful. Let's say you don't care 
# about incoming welchia pings (detected by SID 483 at the time of 
# writing) but you want to know when infected hosts on your network 
# scans hosts on the outside. (Remember that watching for outgoing 
# malicious packets is often just as important as watching for incoming 
# ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes
# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
# Here is how it could be done.
# modifysid 483 \
# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"

# The wildcard (modifysid * ...) can be used to do all kinds of 
# interesting things. The substitution expression will be applied on all 
# matching rules. First, a silly example to replace "foo" with "bar" in 
# all rules (that have the string "foo" in them, that is.) 
# modifysid * "foo" | "bar"

# If you for some reason don't want to use the stream preprocessor to 
# match established streams, you may want to replace the 'flow' 
# statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"

# Example to convert all rules of classtype attempted-admin to 'drop' 
# rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"

# This one will append some text to the 'msg' string for all rules that 
# have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
#             "${1}, going to tag this baby"${2}"

# There may be times when you want to replace multiple occurrences of a 
# certain keyword/string in a rule and not just the first one. To 
# replace the first two occurrences of "foo" with "bar" in SID 100, 
# simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar"
 
# Or you can even specify a SID list but repeat the same SID as many 
# times as required, like:
# modifysid 100,100,100 "foo" | "bar"

# Enable all rules in the file exploit.rules.
# modifysid exploit.rules "^#" | ""

# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""


########################################################################
# SIDs that we don't want to update.                                   #
# If you for some reason don't want a specific rule to be updated      #
# (e.g. you made local modifications to it and you never want to       #
# update it and don't care about changes in the official version), you #
# can specify a "localsid" statement for it. This means that the old   #
# version of the rule (i.e. the one in the rules file on your          #
# harddrive) is always kept, regardless if the official version has    #
# been updated. Please do not use this feature unless in special       #
# cases as it's easy to end up with many signatures that aren't        #
# maintained anymore. See the FAQ for details about this and hints     #
# about better solutions regarding customization of rules.             #
#                                                                      #
# Syntax:  localsid SID                                                #
# or:      localsid SID1, SID2, SID3, ...                              #
########################################################################

# Example to never update SID 1325.
# localsid 1325


########################################################################
# SIDs to enable after each update.                                    #
# Will simply remove all the leading '#' for a specified SID (if it's  #
# a multi-line rule, the leading '#' for all lines are removed.)       #
# These will be processed after all the modifysid and disablesid       #
# statements. Using 'enablesid' on a rule that is not disabled is a    #
# NOOP.                                                                #
#                                                                      #
# Syntax:  enablesid SID                                               #
# or:      enablesid SID1, SID2, SID3, ...                             #
########################################################################

# Example to enable SID 1325.
# enablesid 1325


########################################################################
# SIDs to comment out, i.e. disable, after each update by placing a    #
# '#' in front of the rule (if it's a multi-line rule, it will be put  #
# in front of all lines).                                              #
#                                                                      #
# Syntax:  disablesid SID                                              #
# or:      disablesid SID1, SID2, SID3, ...                            #
########################################################################

# You can specify one SID per line.
# disablesid 1
# disablesid 2
# disablesid 3

# And also as comma-separated lists.
# disablesid 4,5,6

# It's a good idea to also add comment about why you disable the sid:
# disablesid 1324    # 20020101: disabled this SID just because I can
Commit	Line	Data
c5486ccb SS	1	# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
	2
	3	# This file is pretty big by default, but don't worry.
	4	# The only things required are "path" and "update_files". You must also
	5	# set "url" to point to the correct rules archive for your version of
	6	# Snort, unless you prefer to specify this on the command line.
	7	# The rest in here is just a few recommended defaults, and examples
	8	# how to use all the other optional features and give some ideas how they
	9	# could be used.
	10
	11	# Remember not to let untrusted users edit Oinkmaster configuration
	12	# files, as things like the PATH to use during execution is defined
	13	# in here.
	14
	15
	16	# Use "url = <url>" to specify the location of the rules archive to
	17	# download. The url must begin with http://, https://, ftp://, file://
	18	# or scp:// and end with .tar.gz or .tgz, and the file must be a
	19	# gzipped tarball what contains a directory named "rules".
	20	# You can also point to a local directory with dir://<directory>.
	21	# Multiple "url = <url>" lines can be specified to grab multiple rules
	22	# archives from different locations.
	23	#
	24	# Note: if URL is specified on the command line, it overrides all
	25	# possible URLs specified in the configuration file(s).
	26	#
	27	# The location of the official Snort rules you should use depends
	28	# on which Snort version you run. Basically, you should go to
	29	# http://www.snort.org/rules/ and follow the instructions
	30	# there to pick the right URL for your version of Snort
	31	# (and remember to update the URL when upgrading Snort in the
	32	# future). You can of course also specify locations to third party
	33	# rules.
	34	#
	35	# As of March 2005, you must register on the Snort site to get access
	36	# to the official Snort rules. This will get you an "oinkcode".
	37	# You then specify the URL as
	38	# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
	39	# For example, if your code is 5a081649c06a277e1022e1284b and
	40	# you use Snort 2.4, the url to use would be (without the wrap):
	41	# http://www.snort.org/pub-bin/oinkmaster.cgi/
	42	# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz
	43	# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
	44	# more information.
	45
	46
	47	# URL examples follows. Replace <oinkcode> with the code you get on the
	48	# Snort site in your registered user profile.
	49
	50	# Example for Snort 2.4
	51	# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz
	52	# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz
	53
	54	# Example for Snort-current ("current" means cvs snapshots).
	55	#url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz
	56
	57	# Example for Community rules
	58	# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
	59
	60	# Example for rules from the Bleeding Snort project
	61	# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
	62
	63	# If you prefer to download the rules archive from outside Oinkmaster,
	64	# you can then point to the file on your local filesystem by using
65	# file://<filename>, for example:
66	# url = file:///tmp/snortrules.tar.gz
67
68	# In rare cases you may want to grab the rules directly from a
69	# local directory (don't confuse this with the output directory).
70	# url = dir:///etc/snort/src/rules
71
72	# Example to use scp to copy the rules archive from another host.
73	# Only OpenSSH is tested. See the FAQ for more information.
74	# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
75
76	# If you use -u scp://... and need to specify a private ssh key (passed
77	# as -i <key> to the scp command) you can specify it here or add an
78	# entry in ~/.ssh/config for the Oinkmaster user as described in the
79	# OpenSSH manual.
80	# scp_key = /home/oinkmaster/oinkmaster_privkey
81
82
83	# The PATH to use during execution. If you prefer to use external
84	# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
85	# found, and also wget if downloading via ftp, http or https. All with
86	# optional .exe suffix. If you're on Cygwin, make sure that the path
87	# contains the Cygwin binaries and not the native Win32 binaries or
88	# you will get problems.
89	# Assume UNIX style by default:
90	path = /bin:/usr/bin:/usr/local/bin
91
92	# Example if running native Win32 or standalone Cygwin:
93	# path = c:\oinkmaster;c:\oinkmaster\bin
94
95	# Example if running standalone Cygwin and you prefer Cygwin style path:
96	# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
97
98
99	# We normally use external binaries (wget, tar and gzip) since they're
100	# already available on most systems and do a good job. If you have the
101	# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
102	# those instead if you like. You can set use_external_bins below to
103	# choose which method you prefer. It's set to 0 by default on Win32
104	# (i.e. use Perl modules), and 1 on other systems (i.e. use external
105	# binaries). The reason for that is that the required Perl modules
106	# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
107	# those than to install the ported Unix tools. (Note that if you're
108	# using scp to download the archive, external scp binary is still
109	# used.)
110	# use_external_bins = 0
111
112
113	# Temporary directory to use. This directory must exist when starting and
114	# Oinkmaster will then create a temporary sub directory in here.
115	# Keep it as a #comment if you want to use the default.
116	# The default will be checked for in the environment variables TMP,
117	# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.
118
119	# Example for UNIX.
120	# tmpdir = /home/oinkmaster/tmp/
121
122	# Example if running native Win32 or Cygwin.
123	# tmpdir = c:\tmp
124
125	# Example if running Cygwin and you prefer Cygwin style path.
126	# tmpdir = /cygdrive/c/tmp
127
128
129	# The umask to use during execution if you want it to be something
130	# else than the current value when starting Oinkmaster.
131	# This will affect the mode bits when writing new files.
132	# Keep it commented out to keep your system's current umask.
133	# umask = 0027
134
135
136	# Files in the archive(s) matching this regular expression will be
137	# checked for changes, and then updated or added if needed.
138	# All other files will be ignored. You can then choose to skip
139	# individual files by specifying the "skipfile" keyword below.
140	# Normally you shouldn't need to change this one.
141	update_files = \.rules$\|\.config$\|\.conf$\|\.txt$\|\.map$
142
143
144	# Regexp of keywords that starts a Snort rule.
145	# May be useful if you create your own ruletypes and want those
146	# lines to be regarded as rules as well.
147	# rule_actions = alert\|drop\|log\|pass\|reject\|sdrop\|activate\|dynamic
148
149
150	# If the number of rules files in the downloaded archive matching the
151	# 'update_files' regexp is below min_files, or if the number
152	# of rules is below min_rules, the rules are regarded as broken
153	# and the update is aborted with an error message.
154	# Both are set to 1 by default (i.e. the archive is only regarded as
155	# broken if it's totally empty).
156	# If you download from multiple URLs, the count is the total number
157	# of files/rules across all archives.
158	# min_files = 1
159	# min_rules = 1
160
161
162	# By default, a basic sanity check is performed on most paths/filenames
163	# to see if they contain illegal characters that may screw things up.
164	# If this check is too strict for your system (e.g. you get bogus
165	# "illegal characters in filename" errors because of your local language
166	# etc) and you're sure you want to disable the checks completely,
167	# set use_path_checks to 0.
168	# use_path_checks = 1
169
170
171	# If you want Oinkmaster to send a User-Agent HTTP header string
172	# other than the default one for wget/LWP, set this variable.
173	# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
174
175
176	# You can include other files anywhere in here by using
177	# "include <file>". <file> will be parsed just like a regular
178	# oinkmaster.conf as soon as the include statement is seen, and then
179	# return and continue parsing the rest of the original file. If an
180	# option is redefined, it will override the previous value. You can use
181	# as many "include" statements as you wish, and also include even more
182	# files from included files. Example to load stuff from "/etc/foo.conf".
183	# include /etc/foo.conf
184
15832b10 SS	185	# Include file for provider specific includes.
15832b10 SS	186	include /var/ipfire/suricata/oinkmaster-provider-includes.conf
c5486ccb SS	187
	188	# Include file which defines the runmode of suricata.
	189	include /var/ipfire/suricata/oinkmaster-modify-sids.conf
	190
	191	#######################################################################
	192	# Files to totally skip (i.e. never update or check for changes) #
	193	# #
	194	# Syntax: skipfile filename #
	195	# or: skipfile filename1, filename2, filename3, ... #
	196	#######################################################################
	197
	198	# Ignore local.rules from the rules archive by default since we might
	199	# have put some local rules in our own local.rules and we don't want it
	200	# to get overwritten by the empty one from the archive after each
	201	# update.
	202	skipfile local.rules
	203
	204	# The file deleted.rules contains rules that have been deleted from
	205	# other files, so there is usually no point in updating it.
	206	skipfile deleted.rules
	207
	208	# Also skip snort.conf by default since we don't want to overwrite our
	209	# own snort.conf if we have it in the same directory as the rules. If
	210	# you have your own production copy of snort.conf in another directory,
	211	# it may be really nice to check for changes in this file though,
	212	# especially since variables are sometimes added or modified and
	213	# new/old files are included/excluded.
	214	#skipfile snort.conf
	215
	216	# You may want to consider ignoring threshold.conf for the same reasons
	217	# as for snort.conf, i.e. if you customize it locally and don't want it
	218	# to become overwritten by the default one. It may be better to put
	219	# local thresholding/suppressing in some local file and still update
	220	# and use the official one though, in case important stuff is added to
	221	# it some day. We do update it by default, but it's your call.
1d84b352	222	skipfile threshold.conf
c5486ccb SS	223
	224	# If you update from multiple URLs at the same time you may need to
	225	# ignore the sid-msg.map (and generate it yourself if you need one) as
	226	# it's usually included in each rules tarball. See the FAQ for more info.
	227	# skipfile sid-msg.map
	228
	229
	230
	231	##########################################################################
	232	# SIDs to modify after each update (only for the skilled/stupid/brave). #
	233	# Don't use it unless you have to. There is nothing that stops you from #
	234	# modifying rules in such ways that they become invalid or generally #
	235	# break things. You have been warned. #
	236	# If you just want to disable SIDs, please skip this section and have a #
	237	# look at the "disablesid" keyword below. #
	238	# #
	239	# You may specify multiple modifysid directives for the same SID (they #
	240	# will be processed in order of appearance), and you may also specify a #
	241	# list of SIDs on which the substitution should be applied. #
	242	# If the argument is in the form something.something it's regarded #
	243	# as a filename and the substitution will apply on all rules in that #
	244	# file. The wildcard ("*") can be used to apply the substitution on all #
	245	# rules regardless of the SID or file. Please avoid using #comments #
	246	# at the end of modifysid lines, they may confuse the parser in some #
	247	# situations. #
	248	# #
	249	# Syntax: #
	250	# modifysid SID "replacethis" \| "withthis" #
	251	# or: #
	252	# modifysid SID1, SID2, SID3, ... "replacethis" \| "withthis" #
	253	# or: #
	254	# modifysid file "replacethis" \| "withthis" #
	255	# or: #
	256	# modifysid * "replacethis" \| "withthis" #
	257	# #
	258	# The strings within the quotes will basically be passed to a #
	259	# s/replacethis/withthis/ statement in Perl, so they must be valid #
	260	# regular expressions. The strings are case-insensitive and only the #
	261	# first occurrence will be replaced. If there are multiple occurrences #
	262	# you want to replace, simply repeat the same modifysid line. #
	263	# As the strings are regular expressions, you MUST escape special #
	264	# characters like $ \ / ( ) \| by prepending a "\" to them. #
	265	# #
	266	# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
	267	# will first translate the rule into a single-line version and then #
	268	# perform the substitution, so you don't have to care about the trailing #
	269	# backslashes and newlines. #
	270	# #
	271	# If you use backreference variables in the substitution expression, #
	272	# it's strongly recommended to specify them as ${1} instead of $1 and so #
	273	# on, to avoid parsing confusion with unexpected results in some #
	274	# situations. Note that modifysid statements will process both active #
	275	# and inactive (disabled) rules. #
	276	# #
	277	# You may want to check out README.templates and template-examples.conf #
	278	# to find how you can simplify the modifysid usage by using templates. #
	279	##########################################################################
	280
	281	# Example to enable a rule (in this case SID 1325) that is disabled by
	282	# default, by simply replacing leading "#alert" with "alert".
	283	# (You should really use 'enablesid' for this though.)
	284	# Oinkmaster removes whitespaces next to the leading "#" so you don't
	285	# have to worry about that, but be careful about possible whitespace in
	286	# other places when writing the regexps.
287	# modifysid 1325 "^#alert" \| "alert"
288
289	# You could also do this to enable it no matter what type of rule it is
290	# (alert, log, pass, etc).
291	# modifysid 1325 "^#" \| ""
292
293	# Example to add "tag" stuff to SID 1325.
294	# modifysid 1325 "sid:1325;" \| "sid:1325; tag: host, src, 300, seconds;"
295
296	# Example to make SID 1378 a 'drop' rule (valid if you're running
297	# Snort_inline).
298	# modifysid 1378 "^alert" \| "drop"
299
300	# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
301	# in SID 302.
302	# modifysid 302 "\$EXTERNAL_NET" \| "\$HOME_NET"
303
304	# You can also specify that a substitution should apply on multiple SIDs.
305	# modifysid 302,429,1821 "\$EXTERNAL_NET" \| "\$HOME_NET"
306
307	# You can take advantage of the fact that it's regular expressions and
308	# do more complex stuff. This example (for Snort_inline) adds a 'replace'
309	# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
310	# modifysid 1324 "(content\s:\s"\/bin\/sh"\s*;)" \| \
311	# "${1} replace:"\/foo\/sh";"
312
313	# If you for some reason would like to add a comment inside the actual
314	# rules file, like the reason why you disabled this rule, you can do
315	# like this (you would normally add such comments in oinkmaster.conf
316	# though).
317	# modifysid 1324 "(.+)" \| "# 20020101: disabled this rule just for fun:\n#${1}"
318
319	# Here is an example that is actually useful. Let's say you don't care
320	# about incoming welchia pings (detected by SID 483 at the time of
321	# writing) but you want to know when infected hosts on your network
322	# scans hosts on the outside. (Remember that watching for outgoing
323	# malicious packets is often just as important as watching for incoming
324	# ones, especially in this case.) The rule currently looks like
325	# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
326	# but we want to switch that so it becomes
327	# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
328	# Here is how it could be done.
329	# modifysid 483 \
330	# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" \| \
331	# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
332
333	# The wildcard (modifysid * ...) can be used to do all kinds of
334	# interesting things. The substitution expression will be applied on all
335	# matching rules. First, a silly example to replace "foo" with "bar" in
336	# all rules (that have the string "foo" in them, that is.)
337	# modifysid * "foo" \| "bar"
338
339	# If you for some reason don't want to use the stream preprocessor to
340	# match established streams, you may want to replace the 'flow'
341	# statement with 'flags:A+;' in all those rules.
342	# modifysid * "flow:[a-z,_ ]+;" \| "flags:A+;"
343
344	# Example to convert all rules of classtype attempted-admin to 'drop'
345	# rules (for Snort_inline only, obviously).
346	# modifysid * "^alert (.classtype\s:\s*attempted-admin)" \| "drop ${1}"
347
348	# This one will append some text to the 'msg' string for all rules that
349	# have the 'tag' keyword in them.
350	# modifysid * "(.msg:\s".+?)"(\s;.+;\stag:.*)" \| \
351	# "${1}, going to tag this baby"${2}"
352
353	# There may be times when you want to replace multiple occurrences of a
354	# certain keyword/string in a rule and not just the first one. To
355	# replace the first two occurrences of "foo" with "bar" in SID 100,
356	# simply repeat the modifysid statement:
357	# modifysid 100 "foo" \| "bar"
358	# modifysid 100 "foo" \| "bar"
359
360	# Or you can even specify a SID list but repeat the same SID as many
361	# times as required, like:
362	# modifysid 100,100,100 "foo" \| "bar"
363
364	# Enable all rules in the file exploit.rules.
365	# modifysid exploit.rules "^#" \| ""
366
367	# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
368	# modifysid exploit.rules, snmp.rules, 1171 "^#" \| ""
369
370
371
372	########################################################################
373	# SIDs that we don't want to update. #
374	# If you for some reason don't want a specific rule to be updated #
375	# (e.g. you made local modifications to it and you never want to #
376	# update it and don't care about changes in the official version), you #
377	# can specify a "localsid" statement for it. This means that the old #
378	# version of the rule (i.e. the one in the rules file on your #
379	# harddrive) is always kept, regardless if the official version has #
380	# been updated. Please do not use this feature unless in special #
381	# cases as it's easy to end up with many signatures that aren't #
382	# maintained anymore. See the FAQ for details about this and hints #
383	# about better solutions regarding customization of rules. #
384	# #
385	# Syntax: localsid SID #
386	# or: localsid SID1, SID2, SID3, ... #
387	########################################################################
388
389	# Example to never update SID 1325.
390	# localsid 1325
391
392
393
394	########################################################################
395	# SIDs to enable after each update. #
396	# Will simply remove all the leading '#' for a specified SID (if it's #
397	# a multi-line rule, the leading '#' for all lines are removed.) #
398	# These will be processed after all the modifysid and disablesid #
399	# statements. Using 'enablesid' on a rule that is not disabled is a #
400	# NOOP. #
401	# #
402	# Syntax: enablesid SID #
403	# or: enablesid SID1, SID2, SID3, ... #
404	########################################################################
405
406	# Example to enable SID 1325.
407	# enablesid 1325
408
409
410
411	########################################################################
412	# SIDs to comment out, i.e. disable, after each update by placing a #
413	# '#' in front of the rule (if it's a multi-line rule, it will be put #
414	# in front of all lines). #
415	# #
416	# Syntax: disablesid SID #
417	# or: disablesid SID1, SID2, SID3, ... #
418	########################################################################
419
420	# You can specify one SID per line.
421	# disablesid 1
422	# disablesid 2
423	# disablesid 3
424
425	# And also as comma-separated lists.
426	# disablesid 4,5,6
427
428	# It's a good idea to also add comment about why you disable the sid:
429	# disablesid 1324 # 20020101: disabled this SID just because I can