Sample PulledPork configuration file

1. # Config file for pulledpork
2. # Be sure to read through the entire configuration file
3. # If you specify any of these items on the command line, it WILL take
4. # precedence over any value that you specify in this file!
5.  
6. #######
7. ####### The below section defines what your oinkcode is (required for
8. ####### VRT rules), defines a temp path (must be writable) and also
9. ####### defines what version of rules that you are getting (for your
10. ####### snort version and subscription etc...)
11. #######
12.  
13. # You can specify one or as many rule_urls as you like, they
14. # must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
15. # each on an individual line, or you can specify them in a , separated list
16. # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
17. # note that the url, rule file, and oinkcode itself are separated by a pipe |
18. # i.e. url|tarball|123456789,
19. rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
20. # NEW Community ruleset:
21. rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
22. # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
23. # This format MUST be followed to let pulledpork know that this is a blacklist
24. rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|<oinkcode>
25. # URL for rule documentation! (slow to process)
26. rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
27. rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
28. # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
29. # and the et oinkcode requirement!
30. #rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
31. # NOTE above that the VRT snortrules-snapshot does not contain the version
32. # portion of the tarball name, this is because PP now automatically populates
33. # this value for you, if, however you put the version information in, PP will
34. # NOT populate this value but will use your value!
35.  
36. # Specify rule categories to ignore from the tarball in a comma separated list
37. # with no spaces. There are four ways to do this:
38. # 1) Specify the category name with no suffix at all to ignore the category
39. # regardless of what rule-type it is, ie: netbios
40. # 2) Specify the category name with a '.rules' suffix to ignore only gid 1
41. # rulefiles located in the /rules directory of the tarball, ie: policy.rules
42. # 3) Specify the category name with a '.preproc' suffix to ignore only
43. # preprocessor rules located in the /preproc_rules directory of the tarball,
44. # ie: sensitive-data.preproc
45. # 4) Specify the category name with a '.so' suffix to ignore only shared-object
46. # rules located in the /so_rules directory of the tarball, ie: netbios.so
47. # The example below ignores dos rules wherever they may appear, sensitive-
48. # data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
49. # and netbios gid-1 rules (while including netbios so-rules):
50. # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
51. # These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
52. ignore=deleted.rules,experimental.rules,local.rules
53. # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
54. # previous ignore line and uncomment the following!
55. # ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
56.  
57. # What is our temp path, be sure this path has a bit of space for rule
58. # extraction and manipulation, no trailing slash
59. temp_path=/tmp
60.  
61. #######
62. ####### The below section is for rule processing. This section is
63. ####### required if you are not specifying the configuration using
64. ####### runtime switches. Note that runtime switches do SUPERSEED
65. ####### any values that you have specified here!
66. #######
67.  
68. # What path you want the .rules file containing all of the processed
69. # rules? (this value has changed as of 0.4.0, previously we copied
70. # all of the rules, now we are creating a single large rules file
71. # but still keeping a separate file for your so_rules!
72. rule_path=/etc/snort/rules/snort.rules
73.  
74. # What path you want the .rules files to be written to, this is UNIQUE
75. # from the rule_path and cannot be used in conjunction, this is to be used with the
76. # -k runtime flag, this can be set at runtime using the -K flag or specified
77. # here. If specified here, the -k option must also be passed at runtime, however
78. # specifying -K <path> at runtime forces the -k option to also be set
79. # out_path=/etc/snort/rules/
80.  
81. # If you are running any rules in your local.rules file, we need to
82. # know about them to properly build a sid-msg.map that will contain your
83. # local.rules metadata (msg) information. You can specify other rules
84. # files that are local to your system here by adding a comma and more paths...
85. # remember that the FULL path must be specified for EACH value.
86. # local_rules=/path/to/these.rules,/path/to/those.rules
87. local_rules=/etc/snort/rules/local.rules
88.  
89. # Where should I put the sid-msg.map file?
90. sid_msg=/etc/snort/rules/community-rules/sid-msg.map
91.  
92. # New for by2 and more advanced msg mapping. Valid options are 1 or 2
93. # specify version 2 if you are running barnyard2.2+. Otherwise use 1
94. sid_msg_version=1
95.  
96. # Where do you want me to put the sid changelog? This is a changelog
97. # that pulledpork maintains of all new sids that are imported
98. sid_changelog=/var/log/sid_changes.log
99. # this value is optional
100.  
101. #######
102. ####### The below section is for so_rule processing only. If you don't
103. ####### need to use them.. then comment this section out!
104. ####### Alternately, if you are not using pulledpork to process
105. ####### so_rules, you can specify -T at runtime to bypass this altogether
106. #######
107.  
108. # What path you want the .so files to actually go to *i.e. where is it
109. # defined in your snort.conf, needs a trailing slash
110. sorule_path=/usr/local/lib/snort_dynamicrules/
111.  
112. # Path to the snort binary, we need this to generate the stub files
113. snort_path=/usr/sbin/snort
114.  
115. # We need to know where your snort.conf file lives so that we can
116. # generate the stub files
117. config_path=/etc/snort/snort.conf
118.  
119. ##### Deprecated - The stubs are now categorically written to the single rule file!
120. # sostub_path=/usr/local/etc/snort/rules/so_rules.rules
121.  
122. # Define your distro, this is for the precompiled shared object libs!
123. # Valid Distro Types:
124. # Debian-5-0, Debian-6-0,
125. # Ubuntu-8.04, Ubuntu-10-4
126. # Centos-4-8, Centos-5-4
127. # FC-12, FC-14, RHEL-5-5, RHEL-6-0
128. # FreeBSD-7-3, FreeBSD-8-1
129. # OpenBSD-4-8
130. # Slackware-13-1
131. distro=Centos-5-4
132.  
133. ####### This next section is optional, but probably pretty useful to you.
134. ####### Please read thoroughly!
135.  
136. # If you are using IP Reputation and getting some public lists, you will probably
137. # want to tell pulledpork where your blacklist file lives, PP automagically will
138. # de-dupe any duplicate IPs from different sources.
139. black_list=/etc/snort/rules/blacklist.rules
140.  
141. # IP Reputation does NOT require a full snort HUP, it introduces a concept whereby
142. # the IP list can be reloaded while snort is running through the use of a control
143. # socket. Please be sure that you built snort with the following optins:
144. # -enable-shared-rep and --enable-control-socket. Be sure to read about how to
145. # configure these! The following option tells pulledpork where to place the version
146. # file for use with control socket ip list reloads!
147. # This should be the same path where your black_list lives!
148. #IPRVersion=/usr/local/etc/snort/rules/iplists
149.  
150. # The following option tells snort where the snort_control tool is located.
151. snort_control=/usr/bin/snort_control
152.  
153. # What do you want to backup and archive? This is a comma separated list
154. # of file or directory values. If a directory is specified, PP will recurse
155. # through said directory and all subdirectories to archive all files.
156. # The following example backs up all snort config files, rules, pulledpork
157. # config files, and snort shared object binary rules.
158. # backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
159.  
160. # what path and filename should we use for the backup tarball?
161. # note that an epoch time value and the .tgz extension is automatically added
162. # to the backup_file name on completeion i.e. the written file is:
163. # pp_backup.1295886020.tgz
164. # backup_file=/tmp/pp_backup
165.  
166. # Where do you want the signature docs to be copied, if this is commented
167. # out then they will not be copied / extracted. Note that extracting them
168. # will add considerable runtime to pulledpork.
169. # docs=/path/to/base/www
170.  
171. # The following option, state_order, allows you to more finely control the order
172. # that pulledpork performs the modify operations, specifically the enablesid
173. # disablesid and dropsid functions. An example use case here would be to
174. # disable an entire category and later enable only a rule or two out of it.
175. # the valid values are disable, drop, and enable.
176. # state_order=disable,drop,enable
177.  
178.  
179. # Define the path to the pid files of any running process that you want to
180. # HUP after PP has completed its run.
181. # pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
182. # and so on...
183. # pid_path=/var/run/snort_eth0.pid
184.  
185. # This defines the version of snort that you are using, for use ONLY if the
186. # proper snort binary is not on the system that you are fetching the rules with
187. # This value MUST contain all 4 minor version
188. # numbers. ET rules are now also dependant on this, verify supported ET versions
189. # prior to simply throwing rubbish in this variable kthx!
190. # snort_version=2.9.0.0
191.  
192. # Here you can specify what rule modification files to run automatically.
193. # simply uncomment and specify the apt path.
194. # enablesid=/etc/snort/enablesid.conf
195. # dropsid=/etc/snort/dropsid.conf
196. # disablesid=/etc/snort/disablesid.conf
197. # modifysid=/etc/snort/modifysid.conf
198.  
199. # What is the base ruleset that you want to use, please uncomment to use
200. # and see the README.RULESETS for a description of the options.
201. # Note that setting this value will disable all ET rulesets if you are
202. # Running such rulesets
203. # ips_policy=security
204.  
205. ####### Remember, a number of these values are optional.. if you don't
206. ####### need to process so_rules, simply comment out the so_rule section
207. ####### you can also specify -T at runtime to process only GID 1 rules.
208.  
209. version=0.7.0