  1. #
  2. # Barnyard2 example configuration file
  3. #
  4.  
  5. #
  6. # This file contains a sample barnyard2 configuration.
  7. # You can take the following steps to create your own custom configuration:
  8. #
  9. # 1) Configure the variable declarations
  10. # 2) Setup the input plugins
  11. # 3) Setup the output plugins
  12. #
  13.  
  14. #
  15. # Step 1: configure the variable declarations
  16. #
  17.  
  18. # in order to keep from having a commandline that uses every letter in the
  19. # alphabet most configuration options are set here.
  20.  
  21. # use UTC for timestamps
  22. #
  23. #config utc
  24.  
  25. # set the appropriate paths to the file(s) your Snort process is using.
  26. #
  27. config reference_file: /etc/snort/reference.config
  28. config classification_file: /etc/snort/classification.config
  29. config gen_file: /etc/snort/gen-msg.map
  30. config sid_file: /etc/snort/sid-msg.map
  31.  
  32.  
  33. # Configure signature suppression at the spooler level; see doc/README.sig_suppress.
  34. #
  35. #
  36. #config sig_suppress: 1:10
  37.  
  38.  
  39. # Set the maximum event cache size; once it is reached, cached events are recycled.
  40. #
  41. #
  42. #config event_cache_size: 4096
  43.  
  44. # define dedicated references similar to that of snort.
  45. #
  46. #config reference: mybugs http://www.mybugs.com/?s=
  47.  
  48. # define explicit classifications similar to that of snort.
  49. #
  50. #config classification: shortname, short description, priority
  51.  
  52. # set the directory for any output logging
  53. #
  54. config logdir: /var/log/snort
  55.  
  56. # Some output plugins need a degree of uniqueness in what they emit; the
  57. # alert_with_interface_name, interface and hostname directives provide it.
  58. # Typically you set them to the values of the associated snort process
  59. # whose unified files you are reading.
  60. #
  61. # Example:
  62. # For a snort process as follows:
  63. # snort -i eth0 -c /etc/snort.conf
  64. #
  65. # Typical options would be:
  66. # config hostname: alienvault
  67. # config interface: eth0
  68. # config alert_with_interface_name
  69. #
  70. config hostname: alienvault_eth2
  71. config interface: eth2
  72.  
  73. # enable printing of the interface name when alerting.
  74. #
  75. #config alert_with_interface_name
  76.  
  77. # at times snort will alert on a packet within a stream and dump that stream to
  78. # the unified output. barnyard2 can generate output on each packet of that
  79. # stream or the first packet only.
  80. #
  81. config alert_on_each_packet_in_stream
  82.  
  83. # enable daemon mode
  84. #
  85. #config daemon
  86.  
  87. # make barnyard2 process chroot to directory after initialisation.
  88. #
  89. #config chroot: /var/log/snort
  90.  
  91. # specify the group or GID for barnyard2 to run as after initialisation.
  92. #
  93. config set_gid: 113
  94.  
  95. # specify the user or UID for barnyard2 to run as after initialisation.
      # NOTE: UID 0 is root, so the value below keeps barnyard2 running as root and
      # the privilege drop is a no-op (set_gid alone does not change that). Prefer a
      # dedicated unprivileged user that has write access to the paths configured
      # in this file (logdir, waldo_file, archivedir).
  96. #
  97. config set_uid: 0
  98.  
  99. # specify the directory for the barnyard2 PID file.
  100. #
  101. #config pidpath: /var/run/by2.pid
  102.  
  103. # enable decoding of the data link (or second level headers).
  104. #
  105. #config decode_data_link
  106.  
  107. # dump the application data
  108. #
  109. #config dump_payload
  110.  
  111. # dump the application data as chars only
  112. #
  113. #config dump_chars_only
  114.  
  115. # enable verbose dumping of payload information in log style output plugins.
  116. #
  117. #config dump_payload_verbose
  118.  
  119. # enable obfuscation of logged IP addresses.
  120. #
  121. #config obfuscate
  122.  
  123. # enable the year being shown in timestamps
  124. #
  125. config show_year
  126.  
  127. # set the umask for all files created by the barnyard2 process (eg. log files).
  128. #
  129. #config umask: 066
  130.  
  131. # enable verbose logging
  132. #
  133. #config verbose
  134.  
  135. # quiet down some of the output
  136. #
  137. #config quiet
  138.  
  139. # define the full waldo filepath.
  140. #
  141. config waldo_file: /var/log/snort/waldo
  142.  
  143. # specify the maximum length of the MPLS label chain
  144. #
  145. #config max_mpls_labelchain_len: 64
  146.  
  147. # specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
  148. #
  149. #config mpls_payload_type: ipv4
  150.  
  151. # set the reference network or homenet which is predominantly used by the
  152. # log_ascii plugin.
  153. #
  154. #config reference_net: 192.168.0.0/24
  155.  
  156. #
  157. # CONTINUOUS MODE
  158. #
  159.  
  160. # set the archive directory for use with continuous mode.
       # NOTE: /tmp (used below) is world-readable and world-writable, so files
       # archived there can be read or replaced by any local user. A directory
       # under logdir with restrictive permissions is a safer choice.
  161. #
  162. config archivedir: /tmp
  163.  
  164. # when operating in continuous mode, only process new records and ignore any
  165. # existing unified files
  166. #
  167. #config process_new_records_only
  168.  
  169.  
  170. #
  171. # Step 2: setup the input plugins
  172. #
  173.  
  174. # this is not hard, only unified2 is supported ;)
  175. input unified2
  176.  
  177.  
  178. #
  179. # Step 3: setup the output plugins
  180. #
  181.  
  182. # alert_cef
  183. # ----------------------------------------------------------------------------
  184. #
  185. # Purpose:
  186. # This output module provides the ability to output alert information to a
  187. # remote network host as well as the local host using the open standard
  188. # Common Event Format (CEF).
  189. #
  190. # Arguments: host=hostname[:port], severity facility
  191. # arguments should be comma delimited.
  192. # host - specify a remote hostname or IP with optional port number
  193. # this is only specific to WIN32 (and is not yet fully supported)
  194. # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
  195. # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
  196. #
  197. # Examples:
  198. # output alert_cef
  199. # output alert_cef: host=192.168.10.1
  200. # output alert_cef: host=sysserver.com:1001
  201. # output alert_cef: LOG_AUTH LOG_INFO
  202. #
  203.  
  204. # alert_bro
  205. # ----------------------------------------------------------------------------
  206. #
  207. # Purpose: Send alerts to a Bro-IDS instance.
  208. #
  209. # Arguments: hostname:port
  210. #
  211. # Examples:
  212. # output alert_bro: 127.0.0.1:47757
  213.  
  214. # alert_fast
  215. # ----------------------------------------------------------------------------
  216. # Purpose: Converts data to an approximation of Snort's "fast alert" mode.
  217. #
  218. # Arguments: file <file>, stdout
  219. # arguments should be comma delimited.
  220. # file - specify the alert file
  221. # stdout - no alert file, just print to screen
  222. #
  223. # Examples:
  224. # output alert_fast
  225. # output alert_fast: stdout
  226. #
  227. #output alert_fast: stdout
  228.  
  229.  
  230. # prelude: log to the Prelude Hybrid IDS system
  231. # ----------------------------------------------------------------------------
  232. #
  233. # Purpose:
  234. # This output module provides logging to the Prelude Hybrid IDS system
  235. #
  236. # Arguments: profile=snort-profile
  237. # snort-profile - name of the Prelude profile to use (default is snort).
  238. #
  239. # Snort priority to IDMEF severity mappings:
  240. # high < medium < low < info
  241. #
  242. # These are the default mapped from classification.config:
  243. # info = 4
  244. # low = 3
  245. # medium = 2
  246. # high = anything below medium
  247. #
  248. # Examples:
  249. # output alert_prelude
  250. # output alert_prelude: profile=snort-profile-name
  251. #
  252.  
  253.  
  254. # alert_syslog
  255. # ----------------------------------------------------------------------------
  256. #
  257. # Purpose:
  258. # This output module provides the ability to output alert information to local syslog
  259. #
  260. # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
  261. # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
  262. #
  263. # Examples:
  264. # output alert_syslog
  265. # output alert_syslog: LOG_AUTH LOG_INFO
  266. #
  267.  
  268. # syslog_full
  269. #-------------------------------
  270. # Available as both a log and alert output plugin. Used to output data over TCP/UDP
       # to a remote collector, or locally via syslog() when "local" is given.
       # NOTE: no transport-encryption option is listed below, so remote output travels
       # in cleartext; use the local sink or a separate encrypted tunnel where the path
       # to the collector is not trusted.
  271. # Arguments:
  272. # sensor_name $sensor_name - unique sensor name
  273. # server $server - server the device will report to
  274. # local - if defined, ignore all remote information and use syslog() to send message.
  275. # protocol $protocol - protocol device will report over (tcp/udp)
  276. # port $port - destination port device will report to (default: 514)
  277. # delimiters $delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
  278. # separators $separators - define field separator included in each message ex: " " , will use space as field separator. (default: [:space:])
  279. # operation_mode $operation_mode - default | complete : default mode is compatible with the default snort syslog message; complete prints more information such as the raw packet (hex-encoded)
  280. # log_priority $log_priority - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
  281. # log_facility $log_facility - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
  282. # payload_encoding - (default: hex) support hex/ascii/base64 for log_syslog_full using operation_mode complete only.
  283.  
  284. # Usage Examples:
  285. # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
  286. # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
  287. # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
  288. # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
  289. # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
  290. # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
  291. # output alert_syslog_full: sensor_name snortIds1-eth2, local
  292. output alert_syslog_full: sensor_name alienvault-eth2, local, log_priority LOG_CRIT,log_facility LOG_LOCAL7, operation_mode complete
  293.  
  294. # log_ascii
  295. # ----------------------------------------------------------------------------
  296. #
  297. # Purpose: This output module provides the default packet logging functionality
  298. #
  299. # Arguments: None.
  300. #
  301. # Examples:
  302. # output log_ascii
  303. #
  304.  
  305.  
  306. # log_tcpdump
  307. # ----------------------------------------------------------------------------
  308. #
  309. # Purpose
  310. # This output module logs packets in binary tcpdump format
  311. #
  312. # Arguments:
  313. # The only argument is the output file name.
  314. #
  315. # Examples:
  316. # output log_tcpdump: tcpdump.log
  317. #
  318.  
  319.  
  320. # sguil
  321. # ----------------------------------------------------------------------------
  322. #
  323. # Purpose: This output module provides logging ability for the sguil interface
  324. # See doc/README.sguil
  325. #
  326. # Arguments: agent_port <port>, sensor_name <name>
  327. # arguments should be comma delimited.
  328. # agent_port - explicitly set the sguil agent listening port
  329. # (default: 7736)
  330. # sensor_name - explicitly set the sensor name
  331. # (default: machine hostname)
  332. #
  333. # Examples:
  334. # output sguil
  335. # output sguil: agent_port=7000
  336. # output sguil: sensor_name=argyle
  337. # output sguil: agent_port=7000, sensor_name=argyle
  338. #
  339.  
  340.  
  341. # database: log to a variety of databases
  342. # ----------------------------------------------------------------------------
  343. #
  344. # Purpose: This output module provides logging ability to a variety of databases
  345. # See doc/README.database for additional information.
       # NOTE: the examples below put the database password in this file in cleartext.
       # Keep this file readable only by the barnyard2 user, and use a dedicated
       # least-privileged database account rather than root.
  346. #
  347. # Examples:
  348. # output database: log, mysql, user=root password=test dbname=db host=localhost
  349. # output database: alert, postgresql, user=snort dbname=snort
  350. # output database: log, odbc, user=snort dbname=snort
  351. # output database: log, mssql, dbname=snort user=snort password=test
  352. # output database: log, oracle, dbname=snort user=snort password=test
  353. #
  354.  
  355.  
  356. # alert_fwsam: allow blocking of IP's through remote services
  357. # ----------------------------------------------------------------------------
  358. # output alert_fwsam: <SnortSam Station>:<port>/<key>
  359. #
  360. # <FW Mgmt Station>: IP address or host name of the host running SnortSam.
  361. # <port>: Port the remote SnortSam service listens on (default 898).
  362. # <key>: Shared secret used to authenticate (and encrypt) the communication
  363. # with the remote service. It is stored here in cleartext, so restrict this file's permissions.
  364. #
  365. # Examples:
  366. #
  367. # output alert_fwsam: snortsambox/idspassword
  368. # output alert_fwsam: fw1.domain.tld:898/mykey
  369. # output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
  370. #