API tools faq
paste
Guest User

PP-Anshuman

a guest
Oct 14th, 2013
449
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.44 KB | None | 0 0
raw download clone embed print report
  1. # Config file for pulledpork
  2. # Be sure to read through the entire configuration file
  3. # If you specify any of these items on the command line, it WILL take
  4. # precedence over any value that you specify in this file!
  5.  
  6. #######
  7. ####### The below section defines what your oinkcode is (required for
  8. ####### VRT rules), defines a temp path (must be writable) and also
  9. ####### defines what version of rules that you are getting (for your
  10. ####### snort version and subscription etc...)
  11. #######
  12.  
  13. # You can specify one or as many rule_urls as you like, they
  14. # must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
  15. # each on an individual line, or you can specify them in a , separated list
  16. # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
  17. # note that the url, rule file, and oinkcode itself are separated by a pipe |
  18. # i.e. url|tarball|123456789,
  19. ###rule_url=http://www.snort.org/pub-bin/e5454e32094dd017be5907b5cacb387eb55d2152/snortrules-snapshot-2950.tar.gz
  20. # rule_url=http://www.snort.org/pub-bin/snortrules-snapshot-2950.tar.gz/e5454e32094dd017be5907b5cacb387eb55d2152
  21. rule_url=https://www.snort.org/reg-rules/snortrules|snapshot-2950.tar.gz|e5454e32094dd017be5907b5cacb387eb55d2152
  22. rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
  23. ##Evaluate by adding this option and see the difference
  24. #rule_url=http://rules.emergingthreats.net |emerging.rules.tar.gz|open-nogpl (refer: http://comments.gmane.org/gmane.comp.security.ids.snort.general/33954)
  25.  
  26. ####*rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
  27. ## rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
  28. # NEW Community ruleset:
  29. rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
  30. # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
  31. # This format MUST be followed to let pulledpork know that this is a blacklist
  32. ##rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
  33. # URL for rule documentation! (slow to process)
  34. ##rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
  35. #rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
  36. # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
  37. # and the et oinkcode requirement!
  38. #rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
  39. # NOTE above that the VRT snortrules-snapshot does not contain the version
  40. # portion of the tarball name, this is because PP now automatically populates
  41. # this value for you, if, however you put the version information in, PP will
  42. # NOT populate this value but will use your value!
  43.  
  44. # Specify rule categories to ignore from the tarball in a comma separated list
  45. # with no spaces. There are four ways to do this:
  46. # 1) Specify the category name with no suffix at all to ignore the category
  47. # regardless of what rule-type it is, ie: netbios
  48. # 2) Specify the category name with a '.rules' suffix to ignore only gid 1
  49. # rulefiles located in the /rules directory of the tarball, ie: policy.rules
  50. # 3) Specify the category name with a '.preproc' suffix to ignore only
  51. # preprocessor rules located in the /preproc_rules directory of the tarball,
  52. # ie: sensitive-data.preproc
  53. # 4) Specify the category name with a '.so' suffix to ignore only shared-object
  54. # rules located in the /so_rules directory of the tarball, ie: netbios.so
  55. # The example below ignores dos rules wherever they may appear, sensitive-
  56. # data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
  57. # and netbios gid-1 rules (while including netbios so-rules):
  58. # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
  59. # These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
  60. ignore=deleted.rules,experimental.rules,local.rules
  61. # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
  62. # previous ignore line and uncomment the following!
  63. # ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
  64.  
  65. # What is our temp path, be sure this path has a bit of space for rule
  66. # extraction and manipulation, no trailing slash
  67. temp_path=/etc/snort/tmp/
  68.  
  69. #######
  70. ####### The below section is for rule processing. This section is
  71. ####### required if you are not specifying the configuration using
  72. ####### runtime switches. Note that runtime switches do SUPERSEED
  73. ####### any values that you have specified here!
  74. #######
  75.  
  76. # What path you want the .rules file containing all of the processed
  77. # rules? (this value has changed as of 0.4.0, previously we copied
  78. # all of the rules, now we are creating a single large rules file
  79. # but still keeping a separate file for your so_rules!
  80. rule_path=/etc/snort/rules/snort.rules
  81. ##rule_path=/usr/local/etc/snort/rules/snort.rules
  82.  
  83. # What path you want the .rules files to be written to, this is UNIQUE
  84. # from the rule_path and cannot be used in conjunction, this is to be used with the
  85. # -k runtime flag, this can be set at runtime using the -K flag or specified
  86. # here. If specified here, the -k option must also be passed at runtime, however
  87. # specifying -K <path> at runtime forces the -k option to also be set
  88. # out_path=/usr/local/etc/snort/rules/
  89.  
  90. # If you are running any rules in your local.rules file, we need to
  91. # know about them to properly build a sid-msg.map that will contain your
  92. # local.rules metadata (msg) information. You can specify other rules
  93. # files that are local to your system here by adding a comma and more paths...
  94. # remember that the FULL path must be specified for EACH value.
  95. # local_rules=/path/to/these.rules,/path/to/those.rules
  96. ##local_rules=/usr/local/etc/snort/rules/local.rules
  97.  
  98. # Where should I put the sid-msg.map file?
  99. sid_msg=/etc/snort/sid-msg.map
  100. ##sid_msg=/usr/local/etc/snort/sid-msg.map
  101.  
  102. # New for by2 and more advanced msg mapping. Valid options are 1 or 2
  103. # specify version 2 if you are running barnyard2.2+. Otherwise use 1
  104. sid_msg_version=1
  105.  
  106. # Where do you want me to put the sid changelog? This is a changelog
  107. # that pulledpork maintains of all new sids that are imported
  108. sid_changelog=/var/log/sid_changes.log
  109. # this value is optional
  110.  
  111. #######
  112. ####### The below section is for so_rule processing only. If you don't
  113. ####### need to use them.. then comment this section out!
  114. ####### Alternately, if you are not using pulledpork to process
  115. ####### so_rules, you can specify -T at runtime to bypass this altogether
  116. #######
  117.  
  118. # What path you want the .so files to actually go to *i.e. where is it
  119. # defined in your snort.conf, needs a trailing slash
  120. ##sorule_path=/usr/local/lib/snort_dynamicrules/
  121. sorule_path=/usr/local/lib/snort_dynamicrules/
  122. # Path to the snort binary, we need this to generate the stub files
  123. snort_path=/usr/sbin/snort
  124. ##snort_path=/usr/local/bin/snort
  125.  
  126. # We need to know where your snort.conf file lives so that we can
  127. # generate the stub files
  128. ##config_path=/usr/local/etc/snort/snort.conf
  129. config_path=/etc/snort/snort.conf
  130.  
  131. ##### Deprecated - The stubs are now categorically written to the single rule file!
  132. # sostub_path=/usr/local/etc/snort/rules/so_rules.rules
  133. sostub_path==/usr/local/etc/snort/so_rules/so_rules.rules
  134.  
  135. # Define your distro, this is for the precompiled shared object libs!
  136. # Valid Distro Types:
  137. # Debian-5-0, Debian-6-0,
  138. # Ubuntu-8.04, Ubuntu-10-4
  139. # Centos-4-8, Centos-5-4
  140. # FC-12, FC-14, RHEL-5-5, RHEL-6-0
  141. # FreeBSD-7-3, FreeBSD-8-1
  142. # OpenBSD-4-8
  143. # Slackware-13-1
  144. ##distro=FreeBSD-8.1
  145. #*distro=RHEL-6-0
  146. distro=Centos-5-4
  147.  
  148. ####### This next section is optional, but probably pretty useful to you.
  149. ####### Please read thoroughly!
  150.  
  151. # If you are using IP Reputation and getting some public lists, you will probably
  152. # want to tell pulledpork where your blacklist file lives, PP automagically will
  153. # de-dupe any duplicate IPs from different sources.
  154. ##black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
  155. blackl_list=/etc/snort/rules/blacklist.rules
  156.  
  157. # IP Reputation does NOT require a full snort HUP, it introduces a concept whereby
  158. # the IP list can be reloaded while snort is running through the use of a control
  159. # socket. Please be sure that you built snort with the following optins:
  160. # -enable-shared-rep and --enable-control-socket. Be sure to read about how to
  161. # configure these! The following option tells pulledpork where to place the version
  162. # file for use with control socket ip list reloads!
  163. # This should be the same path where your black_list lives!
  164. ##IPRVersion=/usr/local/etc/snort/rules/iplists
  165.  
  166. # The following option tells snort where the snort_control tool is located.
  167. ##snort_control=/usr/local/bin/snort_control
  168.  
  169. # What do you want to backup and archive? This is a comma separated list
  170. # of file or directory values. If a directory is specified, PP will recurse
  171. # through said directory and all subdirectories to archive all files.
  172. # The following example backs up all snort config files, rules, pulledpork
  173. # config files, and snort shared object binary rules.
  174. # backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
  175.  
  176. # what path and filename should we use for the backup tarball?
  177. # note that an epoch time value and the .tgz extension is automatically added
  178. # to the backup_file name on completeion i.e. the written file is:
  179. # pp_backup.1295886020.tgz
  180. ## backup_file=/tmp/pp_backup
  181. backup_file=/tmp/pp070_backup
  182.  
  183. # Where do you want the signature docs to be copied, if this is commented
  184. # out then they will not be copied / extracted. Note that extracting them
  185. # will add considerable runtime to pulledpork.
  186. # docs=/path/to/base/www
  187.  
  188. # The following option, state_order, allows you to more finely control the order
  189. # that pulledpork performs the modify operations, specifically the enablesid
  190. # disablesid and dropsid functions. An example use case here would be to
  191. # disable an entire category and later enable only a rule or two out of it.
  192. # the valid values are disable, drop, and enable.
  193. # state_order=disable,drop,enable
  194.  
  195.  
  196. # Define the path to the pid files of any running process that you want to
  197. # HUP after PP has completed its run.
  198. # pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
  199. # and so on...
  200. ## pid_path=/var/run/snort_eth0.pid
  201. pid_path=/var/run/snort_eth2.pid,/var/run/barnyard2.pid
  202.  
  203. # This defines the version of snort that you are using, for use ONLY if the
  204. # proper snort binary is not on the system that you are fetching the rules with
  205. # This value MUST contain all 4 minor version
  206. # numbers. ET rules are now also dependant on this, verify supported ET versions
  207. # prior to simply throwing rubbish in this variable kthx!
  208. ## snort_version=2.9.0.0
  209. snort_version=2.9.5.0
  210. # Here you can specify what rule modification files to run automatically.
  211. # simply uncomment and specify the apt path.
  212. # enablesid=/usr/local/etc/snort/enablesid.conf
  213. # dropsid=/usr/local/etc/snort/dropsid.conf
  214. # disablesid=/usr/local/etc/snort/disablesid.conf
  215. # modifysid=/usr/local/etc/snort/modifysid.conf
  216.  
  217. # What is the base ruleset that you want to use, please uncomment to use
  218. # and see the README.RULESETS for a description of the options.
  219. # Note that setting this value will disable all ET rulesets if you are
  220. # Running such rulesets
  221. # ips_policy=security
  222.  
  223. ####### Remember, a number of these values are optional.. if you don't
  224. ####### need to process so_rules, simply comment out the so_rule section
  225. ####### you can also specify -T at runtime to process only GID 1 rules.
  226.  
  227. version=0.7.0
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!